bluetooth: switch to AES library · tjh.dev/kernel@28a220a

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

bluetooth: switch to AES library

The bluetooth code uses a bare AES cipher for the encryption operations.
Given that it carries out a set_key() operation right before every
encryption operation, this is clearly not a hot path, and so the use of
the cipher interface (which provides the best implementation available
on the system) is not really required.

In fact, when using a cipher like AES-NI or AES-CE, both the set_key()
and the encrypt() operations involve en/disabling preemption as well as
stacking and unstacking the SIMD context, and this is most certainly
not worth it for encrypting 16 bytes of data.

So let's switch to the new lightweight library interface instead.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

authored by

Ard Biesheuvel and committed by

Herbert Xu 6 years ago 28a220aa 0a5dff98

+33 -73

2 changed files

expand all

net

bluetooth

Kconfig

smp.c

+2 -1

net/bluetooth/Kconfig

··· 10 10 select CRC16 11 11 select CRYPTO 12 12 select CRYPTO_BLKCIPHER 13 - select CRYPTO_AES 13 + select CRYPTO_LIB_AES 14 + imply CRYPTO_AES 14 15 select CRYPTO_CMAC 15 16 select CRYPTO_ECB 16 17 select CRYPTO_SHA256

+31 -72

net/bluetooth/smp.c

··· 23 23 #include <linux/debugfs.h> 24 24 #include <linux/scatterlist.h> 25 25 #include <linux/crypto.h> 26 + #include <crypto/aes.h> 26 27 #include <crypto/algapi.h> 27 28 #include <crypto/b128ops.h> 28 29 #include <crypto/hash.h> ··· 89 88 u8 local_rand[16]; 90 89 bool debug_key; 91 90 92 - struct crypto_cipher *tfm_aes; 93 91 struct crypto_shash *tfm_cmac; 94 92 struct crypto_kpp *tfm_ecdh; 95 93 }; ··· 127 127 u8 dhkey[32]; 128 128 u8 mackey[16]; 129 129 130 - struct crypto_cipher *tfm_aes; 131 130 struct crypto_shash *tfm_cmac; 132 131 struct crypto_kpp *tfm_ecdh; 133 132 }; ··· 376 377 * s1 and ah. 377 378 */ 378 379 379 - static int smp_e(struct crypto_cipher *tfm, const u8 *k, u8 *r) 380 + static int smp_e(const u8 *k, u8 *r) 380 381 { 382 + struct crypto_aes_ctx ctx; 381 383 uint8_t tmp[16], data[16]; 382 384 int err; 383 385 384 386 SMP_DBG("k %16phN r %16phN", k, r); 385 387 386 - if (!tfm) { 387 - BT_ERR("tfm %p", tfm); 388 - return -EINVAL; 389 - } 390 - 391 388 /* The most significant octet of key corresponds to k[0] */ 392 389 swap_buf(k, tmp, 16); 393 390 394 - err = crypto_cipher_setkey(tfm, tmp, 16); 391 + err = aes_expandkey(&ctx, tmp, 16); 395 392 if (err) { 396 393 BT_ERR("cipher setkey failed: %d", err); 397 394 return err; ··· 396 401 /* Most significant octet of plaintextData corresponds to data[0] */ 397 402 swap_buf(r, data, 16); 398 403 399 - crypto_cipher_encrypt_one(tfm, data, data); 404 + aes_encrypt(&ctx, data, data); 400 405 401 406 /* Most significant octet of encryptedData corresponds to data[0] */ 402 407 swap_buf(data, r, 16); 403 408 404 409 SMP_DBG("r %16phN", r); 405 410 411 + memzero_explicit(&ctx, sizeof (ctx)); 406 412 return err; 407 413 } 408 414 409 - static int smp_c1(struct crypto_cipher *tfm_aes, const u8 k[16], 415 + static int smp_c1(const u8 k[16], 410 416 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat, 411 417 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16]) 412 418 { ··· 432 436 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1); 433 437 434 438 /* res = e(k, res) */ 435 - err = smp_e(tfm_aes, k, res); 439 + err = smp_e(k, res); 436 440 if (err) { 437 441 BT_ERR("Encrypt data error"); 438 442 return err; ··· 449 453 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2); 450 454 451 455 /* res = e(k, res) */ 452 - err = smp_e(tfm_aes, k, res); 456 + err = smp_e(k, res); 453 457 if (err) 454 458 BT_ERR("Encrypt data error"); 455 459 456 460 return err; 457 461 } 458 462 459 - static int smp_s1(struct crypto_cipher *tfm_aes, const u8 k[16], 463 + static int smp_s1(const u8 k[16], 460 464 const u8 r1[16], const u8 r2[16], u8 _r[16]) 461 465 { 462 466 int err; ··· 465 469 memcpy(_r, r2, 8); 466 470 memcpy(_r + 8, r1, 8); 467 471 468 - err = smp_e(tfm_aes, k, _r); 472 + err = smp_e(k, _r); 469 473 if (err) 470 474 BT_ERR("Encrypt data error"); 471 475 472 476 return err; 473 477 } 474 478 475 - static int smp_ah(struct crypto_cipher *tfm, const u8 irk[16], 476 - const u8 r[3], u8 res[3]) 479 + static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3]) 477 480 { 478 481 u8 _res[16]; 479 482 int err; ··· 481 486 memcpy(_res, r, 3); 482 487 memset(_res + 3, 0, 13); 483 488 484 - err = smp_e(tfm, irk, _res); 489 + err = smp_e(irk, _res); 485 490 if (err) { 486 491 BT_ERR("Encrypt error"); 487 492 return err; ··· 513 518 514 519 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk); 515 520 516 - err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash); 521 + err = smp_ah(irk, &bdaddr->b[3], hash); 517 522 if (err) 518 523 return false; 519 524 ··· 536 541 rpa->b[5] &= 0x3f; /* Clear two most significant bits */ 537 542 rpa->b[5] |= 0x40; /* Set second most significant bit */ 538 543 539 - err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b); 544 + err = smp_ah(irk, &rpa->b[3], rpa->b); 540 545 if (err < 0) 541 546 return err; 542 547 ··· 763 768 kzfree(smp->slave_csrk); 764 769 kzfree(smp->link_key); 765 770 766 - crypto_free_cipher(smp->tfm_aes); 767 771 crypto_free_shash(smp->tfm_cmac); 768 772 crypto_free_kpp(smp->tfm_ecdh); 769 773 ··· 951 957 952 958 BT_DBG("conn %p", conn); 953 959 954 - ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp, 960 + ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp, 955 961 conn->hcon->init_addr_type, &conn->hcon->init_addr, 956 962 conn->hcon->resp_addr_type, &conn->hcon->resp_addr, 957 963 cp.confirm_val); ··· 977 983 u8 confirm[16]; 978 984 int ret; 979 985 980 - if (IS_ERR_OR_NULL(smp->tfm_aes)) 981 - return SMP_UNSPECIFIED; 982 - 983 986 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave"); 984 987 985 - ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp, 988 + ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp, 986 989 hcon->init_addr_type, &hcon->init_addr, 987 990 hcon->resp_addr_type, &hcon->resp_addr, confirm); 988 991 if (ret) ··· 996 1005 __le64 rand = 0; 997 1006 __le16 ediv = 0; 998 1007 999 - smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk); 1008 + smp_s1(smp->tk, smp->rrnd, smp->prnd, stk); 1000 1009 1001 1010 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags)) 1002 1011 return SMP_UNSPECIFIED; ··· 1012 1021 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 1013 1022 smp->prnd); 1014 1023 1015 - smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk); 1024 + smp_s1(smp->tk, smp->prnd, smp->rrnd, stk); 1016 1025 1017 1026 if (hcon->pending_sec_level == BT_SECURITY_HIGH) 1018 1027 auth = 1; ··· 1380 1389 if (!smp) 1381 1390 return NULL; 1382 1391 1383 - smp->tfm_aes = crypto_alloc_cipher("aes", 0, 0); 1384 - if (IS_ERR(smp->tfm_aes)) { 1385 - BT_ERR("Unable to create AES crypto context"); 1386 - goto zfree_smp; 1387 - } 1388 - 1389 1392 smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0); 1390 1393 if (IS_ERR(smp->tfm_cmac)) { 1391 1394 BT_ERR("Unable to create CMAC crypto context"); 1392 - goto free_cipher; 1395 + goto zfree_smp; 1393 1396 } 1394 1397 1395 1398 smp->tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0); ··· 1405 1420 1406 1421 free_shash: 1407 1422 crypto_free_shash(smp->tfm_cmac); 1408 - free_cipher: 1409 - crypto_free_cipher(smp->tfm_aes); 1410 1423 zfree_smp: 1411 1424 kzfree(smp); 1412 1425 return NULL; ··· 3215 3232 { 3216 3233 struct l2cap_chan *chan; 3217 3234 struct smp_dev *smp; 3218 - struct crypto_cipher *tfm_aes; 3219 3235 struct crypto_shash *tfm_cmac; 3220 3236 struct crypto_kpp *tfm_ecdh; 3221 3237 ··· 3227 3245 if (!smp) 3228 3246 return ERR_PTR(-ENOMEM); 3229 3247 3230 - tfm_aes = crypto_alloc_cipher("aes", 0, 0); 3231 - if (IS_ERR(tfm_aes)) { 3232 - BT_ERR("Unable to create AES crypto context"); 3233 - kzfree(smp); 3234 - return ERR_CAST(tfm_aes); 3235 - } 3236 - 3237 3248 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0); 3238 3249 if (IS_ERR(tfm_cmac)) { 3239 3250 BT_ERR("Unable to create CMAC crypto context"); 3240 - crypto_free_cipher(tfm_aes); 3241 3251 kzfree(smp); 3242 3252 return ERR_CAST(tfm_cmac); 3243 3253 } ··· 3238 3264 if (IS_ERR(tfm_ecdh)) { 3239 3265 BT_ERR("Unable to create ECDH crypto context"); 3240 3266 crypto_free_shash(tfm_cmac); 3241 - crypto_free_cipher(tfm_aes); 3242 3267 kzfree(smp); 3243 3268 return ERR_CAST(tfm_ecdh); 3244 3269 } 3245 3270 3246 3271 smp->local_oob = false; 3247 - smp->tfm_aes = tfm_aes; 3248 3272 smp->tfm_cmac = tfm_cmac; 3249 3273 smp->tfm_ecdh = tfm_ecdh; 3250 3274 ··· 3250 3278 chan = l2cap_chan_create(); 3251 3279 if (!chan) { 3252 3280 if (smp) { 3253 - crypto_free_cipher(smp->tfm_aes); 3254 3281 crypto_free_shash(smp->tfm_cmac); 3255 3282 crypto_free_kpp(smp->tfm_ecdh); 3256 3283 kzfree(smp); ··· 3297 3326 smp = chan->data; 3298 3327 if (smp) { 3299 3328 chan->data = NULL; 3300 - crypto_free_cipher(smp->tfm_aes); 3301 3329 crypto_free_shash(smp->tfm_cmac); 3302 3330 crypto_free_kpp(smp->tfm_ecdh); 3303 3331 kzfree(smp); ··· 3552 3582 return 0; 3553 3583 } 3554 3584 3555 - static int __init test_ah(struct crypto_cipher *tfm_aes) 3585 + static int __init test_ah(void) 3556 3586 { 3557 3587 const u8 irk[16] = { 3558 3588 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, ··· 3562 3592 u8 res[3]; 3563 3593 int err; 3564 3594 3565 - err = smp_ah(tfm_aes, irk, r, res); 3595 + err = smp_ah(irk, r, res); 3566 3596 if (err) 3567 3597 return err; 3568 3598 ··· 3572 3602 return 0; 3573 3603 } 3574 3604 3575 - static int __init test_c1(struct crypto_cipher *tfm_aes) 3605 + static int __init test_c1(void) 3576 3606 { 3577 3607 const u8 k[16] = { 3578 3608 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ··· 3592 3622 u8 res[16]; 3593 3623 int err; 3594 3624 3595 - err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res); 3625 + err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res); 3596 3626 if (err) 3597 3627 return err; 3598 3628 ··· 3602 3632 return 0; 3603 3633 } 3604 3634 3605 - static int __init test_s1(struct crypto_cipher *tfm_aes) 3635 + static int __init test_s1(void) 3606 3636 { 3607 3637 const u8 k[16] = { 3608 3638 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ··· 3617 3647 u8 res[16]; 3618 3648 int err; 3619 3649 3620 - err = smp_s1(tfm_aes, k, r1, r2, res); 3650 + err = smp_s1(k, r1, r2, res); 3621 3651 if (err) 3622 3652 return err; 3623 3653 ··· 3798 3828 .llseek = default_llseek, 3799 3829 }; 3800 3830 3801 - static int __init run_selftests(struct crypto_cipher *tfm_aes, 3802 - struct crypto_shash *tfm_cmac, 3831 + static int __init run_selftests(struct crypto_shash *tfm_cmac, 3803 3832 struct crypto_kpp *tfm_ecdh) 3804 3833 { 3805 3834 ktime_t calltime, delta, rettime; ··· 3813 3844 goto done; 3814 3845 } 3815 3846 3816 - err = test_ah(tfm_aes); 3847 + err = test_ah(); 3817 3848 if (err) { 3818 3849 BT_ERR("smp_ah test failed"); 3819 3850 goto done; 3820 3851 } 3821 3852 3822 - err = test_c1(tfm_aes); 3853 + err = test_c1(); 3823 3854 if (err) { 3824 3855 BT_ERR("smp_c1 test failed"); 3825 3856 goto done; 3826 3857 } 3827 3858 3828 - err = test_s1(tfm_aes); 3859 + err = test_s1(); 3829 3860 if (err) { 3830 3861 BT_ERR("smp_s1 test failed"); 3831 3862 goto done; ··· 3882 3913 3883 3914 int __init bt_selftest_smp(void) 3884 3915 { 3885 - struct crypto_cipher *tfm_aes; 3886 3916 struct crypto_shash *tfm_cmac; 3887 3917 struct crypto_kpp *tfm_ecdh; 3888 3918 int err; 3889 3919 3890 - tfm_aes = crypto_alloc_cipher("aes", 0, 0); 3891 - if (IS_ERR(tfm_aes)) { 3892 - BT_ERR("Unable to create AES crypto context"); 3893 - return PTR_ERR(tfm_aes); 3894 - } 3895 - 3896 3920 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0); 3897 3921 if (IS_ERR(tfm_cmac)) { 3898 3922 BT_ERR("Unable to create CMAC crypto context"); 3899 - crypto_free_cipher(tfm_aes); 3900 3923 return PTR_ERR(tfm_cmac); 3901 3924 } 3902 3925 ··· 3896 3935 if (IS_ERR(tfm_ecdh)) { 3897 3936 BT_ERR("Unable to create ECDH crypto context"); 3898 3937 crypto_free_shash(tfm_cmac); 3899 - crypto_free_cipher(tfm_aes); 3900 3938 return PTR_ERR(tfm_ecdh); 3901 3939 } 3902 3940 3903 - err = run_selftests(tfm_aes, tfm_cmac, tfm_ecdh); 3941 + err = run_selftests(tfm_cmac, tfm_ecdh); 3904 3942 3905 3943 crypto_free_shash(tfm_cmac); 3906 - crypto_free_cipher(tfm_aes); 3907 3944 crypto_free_kpp(tfm_ecdh); 3908 3945 3909 3946 return err;