wifi: mac80211: Use AES-CMAC library in aes_s2v()

Now that AES-CMAC has a library API, convert aes_s2v() to use it instead
of a "cmac(aes)" crypto_shash.  The result is faster and simpler code.

It's also more reliable, since with the library the only step that can
fail is preparing the key.  In contrast, crypto_shash_digest(),
crypto_shash_init(), crypto_shash_update(), and crypto_shash_final()
could all fail and return an errno value.  aes_s2v() ignored these
errors, which was a bug.  So that bug is fixed as well.

As part of this, change the prototype of aes_s2v() to take the raw key
directly instead of a prepared key.  Its only two callers prepare a key
for each call, so it might as well be done directly in aes_s2v().

Since this removes the last dependency on the "cmac(aes)" crypto_shash
from mac80211, also remove the 'select CRYPTO_CMAC'.

Acked-by: Johannes Berg <johannes@sipsolutions.net>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20260218213501.136844-16-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>

diff --git a/net/mac80211/Kconfig b/net/mac80211/Kconfig
index 0afbe4f4f97646937e4f599d4edbc2318a5a12d6..d6bc295e23a1aad4ab002da2bd5b2a84634e3137 100644 (file)
--- a/net/mac80211/Kconfig
+++ b/net/mac80211/Kconfig
@@ -8,7 +8,6 @@ config MAC80211
        select CRYPTO_AES
        select CRYPTO_CCM
        select CRYPTO_GCM
-       select CRYPTO_CMAC
        select CRC32
        help
          This option enables the hardware independent IEEE 802.11

diff --git a/net/mac80211/fils_aead.c b/net/mac80211/fils_aead.c
index 912c46f74d2444085d35ba1de8b2b2b7c5a46e3e..d2f4a17eab990169a594eb66f8bc4ddc79392658 100644 (file)
--- a/net/mac80211/fils_aead.c
+++ b/net/mac80211/fils_aead.c
@@ -4,13 +4,11 @@
  * Copyright 2016, Qualcomm Atheros, Inc.
  */
 
-#include <crypto/aes.h>
-#include <crypto/hash.h>
+#include <crypto/aes-cbc-macs.h>
 #include <crypto/skcipher.h>
 #include <crypto/utils.h>
 
 #include "ieee80211_i.h"
-#include "aes_cmac.h"
 #include "fils_aead.h"
 
 static void gf_mulx(u8 *pad)
@@ -22,31 +20,35 @@ static void gf_mulx(u8 *pad)
        put_unaligned_be64((b << 1) ^ ((a >> 63) ? 0x87 : 0), pad + 8);
 }
 
-static int aes_s2v(struct crypto_shash *tfm,
+static int aes_s2v(const u8 *in_key, size_t key_len,
                   size_t num_elem, const u8 *addr[], size_t len[], u8 *v)
 {
        u8 d[AES_BLOCK_SIZE], tmp[AES_BLOCK_SIZE] = {};
-       SHASH_DESC_ON_STACK(desc, tfm);
+       struct aes_cmac_key key;
+       struct aes_cmac_ctx ctx;
        size_t i;
+       int res;
 
-       desc->tfm = tfm;
+       res = aes_cmac_preparekey(&key, in_key, key_len);
+       if (res)
+               return res;
 
        /* D = AES-CMAC(K, <zero>) */
-       crypto_shash_digest(desc, tmp, AES_BLOCK_SIZE, d);
+       aes_cmac(&key, tmp, AES_BLOCK_SIZE, d);
 
        for (i = 0; i < num_elem - 1; i++) {
                /* D = dbl(D) xor AES_CMAC(K, Si) */
                gf_mulx(d); /* dbl */
-               crypto_shash_digest(desc, addr[i], len[i], tmp);
+               aes_cmac(&key, addr[i], len[i], tmp);
                crypto_xor(d, tmp, AES_BLOCK_SIZE);
        }
 
-       crypto_shash_init(desc);
+       aes_cmac_init(&ctx, &key);
 
        if (len[i] >= AES_BLOCK_SIZE) {
                /* len(Sn) >= 128 */
                /* T = Sn xorend D */
-               crypto_shash_update(desc, addr[i], len[i] - AES_BLOCK_SIZE);
+               aes_cmac_update(&ctx, addr[i], len[i] - AES_BLOCK_SIZE);
                crypto_xor(d, addr[i] + len[i] - AES_BLOCK_SIZE,
                           AES_BLOCK_SIZE);
        } else {
@@ -57,8 +59,10 @@ static int aes_s2v(struct crypto_shash *tfm,
                d[len[i]] ^= 0x80;
        }
        /* V = AES-CMAC(K, T) */
-       crypto_shash_finup(desc, d, AES_BLOCK_SIZE, v);
+       aes_cmac_update(&ctx, d, AES_BLOCK_SIZE);
+       aes_cmac_final(&ctx, v);
 
+       memzero_explicit(&key, sizeof(key));
        return 0;
 }
 
@@ -69,7 +73,6 @@ static int aes_siv_encrypt(const u8 *key, size_t key_len,
                           size_t len[], u8 *out)
 {
        u8 v[AES_BLOCK_SIZE];
-       struct crypto_shash *tfm;
        struct crypto_skcipher *tfm2;
        struct skcipher_request *req;
        int res;
@@ -83,15 +86,7 @@ static int aes_siv_encrypt(const u8 *key, size_t key_len,
        num_elem++;
 
        /* S2V */
-
-       tfm = crypto_alloc_shash("cmac(aes)", 0, 0);
-       if (IS_ERR(tfm))
-               return PTR_ERR(tfm);
-       /* K1 for S2V */
-       res = crypto_shash_setkey(tfm, key, key_len);
-       if (!res)
-               res = aes_s2v(tfm, num_elem, addr, len, v);
-       crypto_free_shash(tfm);
+       res = aes_s2v(key /* K1 */, key_len, num_elem, addr, len, v);
        if (res)
                return res;
 
@@ -146,7 +141,6 @@ static int aes_siv_decrypt(const u8 *key, size_t key_len,
                           size_t num_elem, const u8 *addr[], size_t len[],
                           u8 *out)
 {
-       struct crypto_shash *tfm;
        struct crypto_skcipher *tfm2;
        struct skcipher_request *req;
        struct scatterlist src[1], dst[1];
@@ -198,15 +192,7 @@ static int aes_siv_decrypt(const u8 *key, size_t key_len,
                return res;
 
        /* S2V */
-
-       tfm = crypto_alloc_shash("cmac(aes)", 0, 0);
-       if (IS_ERR(tfm))
-               return PTR_ERR(tfm);
-       /* K1 for S2V */
-       res = crypto_shash_setkey(tfm, key, key_len);
-       if (!res)
-               res = aes_s2v(tfm, num_elem, addr, len, check);
-       crypto_free_shash(tfm);
+       res = aes_s2v(key /* K1 */, key_len, num_elem, addr, len, check);
        if (res)
                return res;
        if (memcmp(check, frame_iv, AES_BLOCK_SIZE) != 0)