Commit | Line | Data |
---|---|---|
4a49b499 JL |
1 | /* |
2 | * CCM: Counter with CBC-MAC | |
3 | * | |
4 | * (C) Copyright IBM Corp. 2007 - Joy Latten <latten@us.ibm.com> | |
5 | * | |
6 | * This program is free software; you can redistribute it and/or modify it | |
7 | * under the terms of the GNU General Public License as published by the Free | |
8 | * Software Foundation; either version 2 of the License, or (at your option) | |
9 | * any later version. | |
10 | * | |
11 | */ | |
12 | ||
13 | #include <crypto/internal/aead.h> | |
14 | #include <crypto/internal/skcipher.h> | |
15 | #include <crypto/scatterwalk.h> | |
16 | #include <linux/err.h> | |
17 | #include <linux/init.h> | |
18 | #include <linux/kernel.h> | |
19 | #include <linux/module.h> | |
20 | #include <linux/slab.h> | |
21 | ||
22 | #include "internal.h" | |
23 | ||
24 | struct ccm_instance_ctx { | |
25 | struct crypto_skcipher_spawn ctr; | |
26 | struct crypto_spawn cipher; | |
27 | }; | |
28 | ||
29 | struct crypto_ccm_ctx { | |
30 | struct crypto_cipher *cipher; | |
464b93a3 | 31 | struct crypto_skcipher *ctr; |
4a49b499 JL |
32 | }; |
33 | ||
34 | struct crypto_rfc4309_ctx { | |
35 | struct crypto_aead *child; | |
36 | u8 nonce[3]; | |
37 | }; | |
38 | ||
81c4c35e HX |
39 | struct crypto_rfc4309_req_ctx { |
40 | struct scatterlist src[3]; | |
41 | struct scatterlist dst[3]; | |
42 | struct aead_request subreq; | |
43 | }; | |
44 | ||
4a49b499 JL |
45 | struct crypto_ccm_req_priv_ctx { |
46 | u8 odata[16]; | |
47 | u8 idata[16]; | |
48 | u8 auth_tag[16]; | |
49 | u32 ilen; | |
50 | u32 flags; | |
81c4c35e HX |
51 | struct scatterlist src[3]; |
52 | struct scatterlist dst[3]; | |
464b93a3 | 53 | struct skcipher_request skreq; |
4a49b499 JL |
54 | }; |
55 | ||
56 | static inline struct crypto_ccm_req_priv_ctx *crypto_ccm_reqctx( | |
57 | struct aead_request *req) | |
58 | { | |
59 | unsigned long align = crypto_aead_alignmask(crypto_aead_reqtfm(req)); | |
60 | ||
61 | return (void *)PTR_ALIGN((u8 *)aead_request_ctx(req), align + 1); | |
62 | } | |
63 | ||
64 | static int set_msg_len(u8 *block, unsigned int msglen, int csize) | |
65 | { | |
66 | __be32 data; | |
67 | ||
68 | memset(block, 0, csize); | |
69 | block += csize; | |
70 | ||
71 | if (csize >= 4) | |
72 | csize = 4; | |
73 | else if (msglen > (1 << (8 * csize))) | |
74 | return -EOVERFLOW; | |
75 | ||
76 | data = cpu_to_be32(msglen); | |
77 | memcpy(block - csize, (u8 *)&data + 4 - csize, csize); | |
78 | ||
79 | return 0; | |
80 | } | |
81 | ||
82 | static int crypto_ccm_setkey(struct crypto_aead *aead, const u8 *key, | |
83 | unsigned int keylen) | |
84 | { | |
85 | struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead); | |
464b93a3 | 86 | struct crypto_skcipher *ctr = ctx->ctr; |
4a49b499 JL |
87 | struct crypto_cipher *tfm = ctx->cipher; |
88 | int err = 0; | |
89 | ||
464b93a3 HX |
90 | crypto_skcipher_clear_flags(ctr, CRYPTO_TFM_REQ_MASK); |
91 | crypto_skcipher_set_flags(ctr, crypto_aead_get_flags(aead) & | |
92 | CRYPTO_TFM_REQ_MASK); | |
93 | err = crypto_skcipher_setkey(ctr, key, keylen); | |
94 | crypto_aead_set_flags(aead, crypto_skcipher_get_flags(ctr) & | |
4a49b499 JL |
95 | CRYPTO_TFM_RES_MASK); |
96 | if (err) | |
97 | goto out; | |
98 | ||
99 | crypto_cipher_clear_flags(tfm, CRYPTO_TFM_REQ_MASK); | |
100 | crypto_cipher_set_flags(tfm, crypto_aead_get_flags(aead) & | |
101 | CRYPTO_TFM_REQ_MASK); | |
102 | err = crypto_cipher_setkey(tfm, key, keylen); | |
103 | crypto_aead_set_flags(aead, crypto_cipher_get_flags(tfm) & | |
104 | CRYPTO_TFM_RES_MASK); | |
105 | ||
106 | out: | |
107 | return err; | |
108 | } | |
109 | ||
110 | static int crypto_ccm_setauthsize(struct crypto_aead *tfm, | |
111 | unsigned int authsize) | |
112 | { | |
113 | switch (authsize) { | |
114 | case 4: | |
115 | case 6: | |
116 | case 8: | |
117 | case 10: | |
118 | case 12: | |
119 | case 14: | |
120 | case 16: | |
121 | break; | |
122 | default: | |
123 | return -EINVAL; | |
124 | } | |
125 | ||
126 | return 0; | |
127 | } | |
128 | ||
129 | static int format_input(u8 *info, struct aead_request *req, | |
130 | unsigned int cryptlen) | |
131 | { | |
132 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
133 | unsigned int lp = req->iv[0]; | |
134 | unsigned int l = lp + 1; | |
135 | unsigned int m; | |
136 | ||
137 | m = crypto_aead_authsize(aead); | |
138 | ||
139 | memcpy(info, req->iv, 16); | |
140 | ||
141 | /* format control info per RFC 3610 and | |
142 | * NIST Special Publication 800-38C | |
143 | */ | |
144 | *info |= (8 * ((m - 2) / 2)); | |
145 | if (req->assoclen) | |
146 | *info |= 64; | |
147 | ||
148 | return set_msg_len(info + 16 - l, cryptlen, l); | |
149 | } | |
150 | ||
151 | static int format_adata(u8 *adata, unsigned int a) | |
152 | { | |
153 | int len = 0; | |
154 | ||
155 | /* add control info for associated data | |
156 | * RFC 3610 and NIST Special Publication 800-38C | |
157 | */ | |
158 | if (a < 65280) { | |
159 | *(__be16 *)adata = cpu_to_be16(a); | |
160 | len = 2; | |
161 | } else { | |
162 | *(__be16 *)adata = cpu_to_be16(0xfffe); | |
163 | *(__be32 *)&adata[2] = cpu_to_be32(a); | |
164 | len = 6; | |
165 | } | |
166 | ||
167 | return len; | |
168 | } | |
169 | ||
170 | static void compute_mac(struct crypto_cipher *tfm, u8 *data, int n, | |
171 | struct crypto_ccm_req_priv_ctx *pctx) | |
172 | { | |
173 | unsigned int bs = 16; | |
174 | u8 *odata = pctx->odata; | |
175 | u8 *idata = pctx->idata; | |
176 | int datalen, getlen; | |
177 | ||
178 | datalen = n; | |
179 | ||
180 | /* first time in here, block may be partially filled. */ | |
181 | getlen = bs - pctx->ilen; | |
182 | if (datalen >= getlen) { | |
183 | memcpy(idata + pctx->ilen, data, getlen); | |
184 | crypto_xor(odata, idata, bs); | |
185 | crypto_cipher_encrypt_one(tfm, odata, odata); | |
186 | datalen -= getlen; | |
187 | data += getlen; | |
188 | pctx->ilen = 0; | |
189 | } | |
190 | ||
191 | /* now encrypt rest of data */ | |
192 | while (datalen >= bs) { | |
193 | crypto_xor(odata, data, bs); | |
194 | crypto_cipher_encrypt_one(tfm, odata, odata); | |
195 | ||
196 | datalen -= bs; | |
197 | data += bs; | |
198 | } | |
199 | ||
200 | /* check and see if there's leftover data that wasn't | |
201 | * enough to fill a block. | |
202 | */ | |
203 | if (datalen) { | |
204 | memcpy(idata + pctx->ilen, data, datalen); | |
205 | pctx->ilen += datalen; | |
206 | } | |
207 | } | |
208 | ||
209 | static void get_data_to_compute(struct crypto_cipher *tfm, | |
210 | struct crypto_ccm_req_priv_ctx *pctx, | |
211 | struct scatterlist *sg, unsigned int len) | |
212 | { | |
213 | struct scatter_walk walk; | |
214 | u8 *data_src; | |
215 | int n; | |
216 | ||
217 | scatterwalk_start(&walk, sg); | |
218 | ||
219 | while (len) { | |
220 | n = scatterwalk_clamp(&walk, len); | |
221 | if (!n) { | |
222 | scatterwalk_start(&walk, sg_next(walk.sg)); | |
223 | n = scatterwalk_clamp(&walk, len); | |
224 | } | |
f0dfc0b0 | 225 | data_src = scatterwalk_map(&walk); |
4a49b499 JL |
226 | |
227 | compute_mac(tfm, data_src, n, pctx); | |
228 | len -= n; | |
229 | ||
f0dfc0b0 | 230 | scatterwalk_unmap(data_src); |
4a49b499 JL |
231 | scatterwalk_advance(&walk, n); |
232 | scatterwalk_done(&walk, 0, len); | |
233 | if (len) | |
234 | crypto_yield(pctx->flags); | |
235 | } | |
236 | ||
237 | /* any leftover needs padding and then encrypted */ | |
238 | if (pctx->ilen) { | |
239 | int padlen; | |
240 | u8 *odata = pctx->odata; | |
241 | u8 *idata = pctx->idata; | |
242 | ||
243 | padlen = 16 - pctx->ilen; | |
244 | memset(idata + pctx->ilen, 0, padlen); | |
245 | crypto_xor(odata, idata, 16); | |
246 | crypto_cipher_encrypt_one(tfm, odata, odata); | |
247 | pctx->ilen = 0; | |
248 | } | |
249 | } | |
250 | ||
251 | static int crypto_ccm_auth(struct aead_request *req, struct scatterlist *plain, | |
252 | unsigned int cryptlen) | |
253 | { | |
254 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
255 | struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead); | |
256 | struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); | |
257 | struct crypto_cipher *cipher = ctx->cipher; | |
258 | unsigned int assoclen = req->assoclen; | |
259 | u8 *odata = pctx->odata; | |
260 | u8 *idata = pctx->idata; | |
261 | int err; | |
262 | ||
263 | /* format control data for input */ | |
264 | err = format_input(odata, req, cryptlen); | |
265 | if (err) | |
266 | goto out; | |
267 | ||
268 | /* encrypt first block to use as start in computing mac */ | |
269 | crypto_cipher_encrypt_one(cipher, odata, odata); | |
270 | ||
271 | /* format associated data and compute into mac */ | |
272 | if (assoclen) { | |
273 | pctx->ilen = format_adata(idata, assoclen); | |
81c4c35e | 274 | get_data_to_compute(cipher, pctx, req->src, req->assoclen); |
516280e7 JW |
275 | } else { |
276 | pctx->ilen = 0; | |
4a49b499 JL |
277 | } |
278 | ||
279 | /* compute plaintext into mac */ | |
5638cabf HG |
280 | if (cryptlen) |
281 | get_data_to_compute(cipher, pctx, plain, cryptlen); | |
4a49b499 JL |
282 | |
283 | out: | |
284 | return err; | |
285 | } | |
286 | ||
287 | static void crypto_ccm_encrypt_done(struct crypto_async_request *areq, int err) | |
288 | { | |
289 | struct aead_request *req = areq->data; | |
290 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
291 | struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); | |
292 | u8 *odata = pctx->odata; | |
293 | ||
294 | if (!err) | |
81c4c35e HX |
295 | scatterwalk_map_and_copy(odata, req->dst, |
296 | req->assoclen + req->cryptlen, | |
4a49b499 JL |
297 | crypto_aead_authsize(aead), 1); |
298 | aead_request_complete(req, err); | |
299 | } | |
300 | ||
301 | static inline int crypto_ccm_check_iv(const u8 *iv) | |
302 | { | |
303 | /* 2 <= L <= 8, so 1 <= L' <= 7. */ | |
304 | if (1 > iv[0] || iv[0] > 7) | |
305 | return -EINVAL; | |
306 | ||
307 | return 0; | |
308 | } | |
309 | ||
81c4c35e HX |
310 | static int crypto_ccm_init_crypt(struct aead_request *req, u8 *tag) |
311 | { | |
312 | struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); | |
313 | struct scatterlist *sg; | |
314 | u8 *iv = req->iv; | |
315 | int err; | |
316 | ||
317 | err = crypto_ccm_check_iv(iv); | |
318 | if (err) | |
319 | return err; | |
320 | ||
321 | pctx->flags = aead_request_flags(req); | |
322 | ||
323 | /* Note: rfc 3610 and NIST 800-38C require counter of | |
324 | * zero to encrypt auth tag. | |
325 | */ | |
326 | memset(iv + 15 - iv[0], 0, iv[0] + 1); | |
327 | ||
328 | sg_init_table(pctx->src, 3); | |
329 | sg_set_buf(pctx->src, tag, 16); | |
330 | sg = scatterwalk_ffwd(pctx->src + 1, req->src, req->assoclen); | |
331 | if (sg != pctx->src + 1) | |
332 | sg_chain(pctx->src, 2, sg); | |
333 | ||
334 | if (req->src != req->dst) { | |
335 | sg_init_table(pctx->dst, 3); | |
336 | sg_set_buf(pctx->dst, tag, 16); | |
337 | sg = scatterwalk_ffwd(pctx->dst + 1, req->dst, req->assoclen); | |
338 | if (sg != pctx->dst + 1) | |
339 | sg_chain(pctx->dst, 2, sg); | |
340 | } | |
341 | ||
342 | return 0; | |
343 | } | |
344 | ||
4a49b499 JL |
345 | static int crypto_ccm_encrypt(struct aead_request *req) |
346 | { | |
347 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
348 | struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead); | |
349 | struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); | |
464b93a3 | 350 | struct skcipher_request *skreq = &pctx->skreq; |
4a49b499 JL |
351 | struct scatterlist *dst; |
352 | unsigned int cryptlen = req->cryptlen; | |
353 | u8 *odata = pctx->odata; | |
354 | u8 *iv = req->iv; | |
355 | int err; | |
356 | ||
81c4c35e | 357 | err = crypto_ccm_init_crypt(req, odata); |
4a49b499 JL |
358 | if (err) |
359 | return err; | |
360 | ||
81c4c35e | 361 | err = crypto_ccm_auth(req, sg_next(pctx->src), cryptlen); |
4a49b499 JL |
362 | if (err) |
363 | return err; | |
364 | ||
4a49b499 | 365 | dst = pctx->src; |
81c4c35e | 366 | if (req->src != req->dst) |
4a49b499 | 367 | dst = pctx->dst; |
4a49b499 | 368 | |
464b93a3 HX |
369 | skcipher_request_set_tfm(skreq, ctx->ctr); |
370 | skcipher_request_set_callback(skreq, pctx->flags, | |
371 | crypto_ccm_encrypt_done, req); | |
372 | skcipher_request_set_crypt(skreq, pctx->src, dst, cryptlen + 16, iv); | |
373 | err = crypto_skcipher_encrypt(skreq); | |
4a49b499 JL |
374 | if (err) |
375 | return err; | |
376 | ||
377 | /* copy authtag to end of dst */ | |
81c4c35e | 378 | scatterwalk_map_and_copy(odata, sg_next(dst), cryptlen, |
4a49b499 JL |
379 | crypto_aead_authsize(aead), 1); |
380 | return err; | |
381 | } | |
382 | ||
383 | static void crypto_ccm_decrypt_done(struct crypto_async_request *areq, | |
384 | int err) | |
385 | { | |
386 | struct aead_request *req = areq->data; | |
387 | struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); | |
388 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
389 | unsigned int authsize = crypto_aead_authsize(aead); | |
390 | unsigned int cryptlen = req->cryptlen - authsize; | |
81c4c35e HX |
391 | struct scatterlist *dst; |
392 | ||
393 | pctx->flags = 0; | |
394 | ||
395 | dst = sg_next(req->src == req->dst ? pctx->src : pctx->dst); | |
4a49b499 JL |
396 | |
397 | if (!err) { | |
81c4c35e | 398 | err = crypto_ccm_auth(req, dst, cryptlen); |
6bf37e5a | 399 | if (!err && crypto_memneq(pctx->auth_tag, pctx->odata, authsize)) |
4a49b499 JL |
400 | err = -EBADMSG; |
401 | } | |
402 | aead_request_complete(req, err); | |
403 | } | |
404 | ||
405 | static int crypto_ccm_decrypt(struct aead_request *req) | |
406 | { | |
407 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
408 | struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead); | |
409 | struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); | |
464b93a3 | 410 | struct skcipher_request *skreq = &pctx->skreq; |
4a49b499 JL |
411 | struct scatterlist *dst; |
412 | unsigned int authsize = crypto_aead_authsize(aead); | |
413 | unsigned int cryptlen = req->cryptlen; | |
414 | u8 *authtag = pctx->auth_tag; | |
415 | u8 *odata = pctx->odata; | |
416 | u8 *iv = req->iv; | |
417 | int err; | |
418 | ||
4a49b499 JL |
419 | cryptlen -= authsize; |
420 | ||
81c4c35e | 421 | err = crypto_ccm_init_crypt(req, authtag); |
4a49b499 JL |
422 | if (err) |
423 | return err; | |
424 | ||
81c4c35e HX |
425 | scatterwalk_map_and_copy(authtag, sg_next(pctx->src), cryptlen, |
426 | authsize, 0); | |
4a49b499 JL |
427 | |
428 | dst = pctx->src; | |
81c4c35e | 429 | if (req->src != req->dst) |
4a49b499 | 430 | dst = pctx->dst; |
4a49b499 | 431 | |
464b93a3 HX |
432 | skcipher_request_set_tfm(skreq, ctx->ctr); |
433 | skcipher_request_set_callback(skreq, pctx->flags, | |
434 | crypto_ccm_decrypt_done, req); | |
435 | skcipher_request_set_crypt(skreq, pctx->src, dst, cryptlen + 16, iv); | |
436 | err = crypto_skcipher_decrypt(skreq); | |
4a49b499 JL |
437 | if (err) |
438 | return err; | |
439 | ||
81c4c35e | 440 | err = crypto_ccm_auth(req, sg_next(dst), cryptlen); |
4a49b499 JL |
441 | if (err) |
442 | return err; | |
443 | ||
444 | /* verify */ | |
6bf37e5a | 445 | if (crypto_memneq(authtag, odata, authsize)) |
4a49b499 JL |
446 | return -EBADMSG; |
447 | ||
448 | return err; | |
449 | } | |
450 | ||
81c4c35e | 451 | static int crypto_ccm_init_tfm(struct crypto_aead *tfm) |
4a49b499 | 452 | { |
81c4c35e HX |
453 | struct aead_instance *inst = aead_alg_instance(tfm); |
454 | struct ccm_instance_ctx *ictx = aead_instance_ctx(inst); | |
455 | struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm); | |
4a49b499 | 456 | struct crypto_cipher *cipher; |
464b93a3 | 457 | struct crypto_skcipher *ctr; |
4a49b499 JL |
458 | unsigned long align; |
459 | int err; | |
460 | ||
461 | cipher = crypto_spawn_cipher(&ictx->cipher); | |
462 | if (IS_ERR(cipher)) | |
463 | return PTR_ERR(cipher); | |
464 | ||
464b93a3 | 465 | ctr = crypto_spawn_skcipher2(&ictx->ctr); |
4a49b499 JL |
466 | err = PTR_ERR(ctr); |
467 | if (IS_ERR(ctr)) | |
468 | goto err_free_cipher; | |
469 | ||
470 | ctx->cipher = cipher; | |
471 | ctx->ctr = ctr; | |
472 | ||
81c4c35e | 473 | align = crypto_aead_alignmask(tfm); |
4a49b499 | 474 | align &= ~(crypto_tfm_ctx_alignment() - 1); |
81c4c35e HX |
475 | crypto_aead_set_reqsize( |
476 | tfm, | |
2c221ad3 | 477 | align + sizeof(struct crypto_ccm_req_priv_ctx) + |
464b93a3 | 478 | crypto_skcipher_reqsize(ctr)); |
4a49b499 JL |
479 | |
480 | return 0; | |
481 | ||
482 | err_free_cipher: | |
483 | crypto_free_cipher(cipher); | |
484 | return err; | |
485 | } | |
486 | ||
81c4c35e | 487 | static void crypto_ccm_exit_tfm(struct crypto_aead *tfm) |
4a49b499 | 488 | { |
81c4c35e | 489 | struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm); |
4a49b499 JL |
490 | |
491 | crypto_free_cipher(ctx->cipher); | |
464b93a3 | 492 | crypto_free_skcipher(ctx->ctr); |
4a49b499 JL |
493 | } |
494 | ||
81c4c35e HX |
495 | static void crypto_ccm_free(struct aead_instance *inst) |
496 | { | |
497 | struct ccm_instance_ctx *ctx = aead_instance_ctx(inst); | |
498 | ||
499 | crypto_drop_spawn(&ctx->cipher); | |
500 | crypto_drop_skcipher(&ctx->ctr); | |
501 | kfree(inst); | |
502 | } | |
503 | ||
504 | static int crypto_ccm_create_common(struct crypto_template *tmpl, | |
505 | struct rtattr **tb, | |
506 | const char *full_name, | |
507 | const char *ctr_name, | |
508 | const char *cipher_name) | |
4a49b499 JL |
509 | { |
510 | struct crypto_attr_type *algt; | |
81c4c35e | 511 | struct aead_instance *inst; |
464b93a3 | 512 | struct skcipher_alg *ctr; |
4a49b499 JL |
513 | struct crypto_alg *cipher; |
514 | struct ccm_instance_ctx *ictx; | |
515 | int err; | |
516 | ||
517 | algt = crypto_get_attr_type(tb); | |
4a49b499 | 518 | if (IS_ERR(algt)) |
81c4c35e | 519 | return PTR_ERR(algt); |
4a49b499 | 520 | |
5e4b8c1f | 521 | if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask) |
81c4c35e | 522 | return -EINVAL; |
4a49b499 JL |
523 | |
524 | cipher = crypto_alg_mod_lookup(cipher_name, CRYPTO_ALG_TYPE_CIPHER, | |
525 | CRYPTO_ALG_TYPE_MASK); | |
4a49b499 | 526 | if (IS_ERR(cipher)) |
81c4c35e | 527 | return PTR_ERR(cipher); |
4a49b499 JL |
528 | |
529 | err = -EINVAL; | |
530 | if (cipher->cra_blocksize != 16) | |
531 | goto out_put_cipher; | |
532 | ||
533 | inst = kzalloc(sizeof(*inst) + sizeof(*ictx), GFP_KERNEL); | |
534 | err = -ENOMEM; | |
535 | if (!inst) | |
536 | goto out_put_cipher; | |
537 | ||
81c4c35e | 538 | ictx = aead_instance_ctx(inst); |
4a49b499 | 539 | |
81c4c35e HX |
540 | err = crypto_init_spawn(&ictx->cipher, cipher, |
541 | aead_crypto_instance(inst), | |
4a49b499 JL |
542 | CRYPTO_ALG_TYPE_MASK); |
543 | if (err) | |
544 | goto err_free_inst; | |
545 | ||
81c4c35e | 546 | crypto_set_skcipher_spawn(&ictx->ctr, aead_crypto_instance(inst)); |
464b93a3 HX |
547 | err = crypto_grab_skcipher2(&ictx->ctr, ctr_name, 0, |
548 | crypto_requires_sync(algt->type, | |
549 | algt->mask)); | |
4a49b499 JL |
550 | if (err) |
551 | goto err_drop_cipher; | |
552 | ||
464b93a3 | 553 | ctr = crypto_spawn_skcipher_alg(&ictx->ctr); |
4a49b499 JL |
554 | |
555 | /* Not a stream cipher? */ | |
556 | err = -EINVAL; | |
464b93a3 | 557 | if (ctr->base.cra_blocksize != 1) |
4a49b499 JL |
558 | goto err_drop_ctr; |
559 | ||
560 | /* We want the real thing! */ | |
464b93a3 | 561 | if (crypto_skcipher_alg_ivsize(ctr) != 16) |
4a49b499 JL |
562 | goto err_drop_ctr; |
563 | ||
564 | err = -ENAMETOOLONG; | |
81c4c35e | 565 | if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, |
464b93a3 | 566 | "ccm_base(%s,%s)", ctr->base.cra_driver_name, |
4a49b499 JL |
567 | cipher->cra_driver_name) >= CRYPTO_MAX_ALG_NAME) |
568 | goto err_drop_ctr; | |
569 | ||
81c4c35e HX |
570 | memcpy(inst->alg.base.cra_name, full_name, CRYPTO_MAX_ALG_NAME); |
571 | ||
464b93a3 | 572 | inst->alg.base.cra_flags = ctr->base.cra_flags & CRYPTO_ALG_ASYNC; |
81c4c35e | 573 | inst->alg.base.cra_priority = (cipher->cra_priority + |
464b93a3 | 574 | ctr->base.cra_priority) / 2; |
81c4c35e HX |
575 | inst->alg.base.cra_blocksize = 1; |
576 | inst->alg.base.cra_alignmask = cipher->cra_alignmask | | |
464b93a3 | 577 | ctr->base.cra_alignmask | |
81c4c35e HX |
578 | (__alignof__(u32) - 1); |
579 | inst->alg.ivsize = 16; | |
464b93a3 | 580 | inst->alg.chunksize = crypto_skcipher_alg_chunksize(ctr); |
81c4c35e HX |
581 | inst->alg.maxauthsize = 16; |
582 | inst->alg.base.cra_ctxsize = sizeof(struct crypto_ccm_ctx); | |
583 | inst->alg.init = crypto_ccm_init_tfm; | |
584 | inst->alg.exit = crypto_ccm_exit_tfm; | |
585 | inst->alg.setkey = crypto_ccm_setkey; | |
586 | inst->alg.setauthsize = crypto_ccm_setauthsize; | |
587 | inst->alg.encrypt = crypto_ccm_encrypt; | |
588 | inst->alg.decrypt = crypto_ccm_decrypt; | |
589 | ||
590 | inst->free = crypto_ccm_free; | |
591 | ||
592 | err = aead_register_instance(tmpl, inst); | |
593 | if (err) | |
594 | goto err_drop_ctr; | |
4a49b499 | 595 | |
81c4c35e | 596 | out_put_cipher: |
4a49b499 | 597 | crypto_mod_put(cipher); |
81c4c35e | 598 | return err; |
4a49b499 JL |
599 | |
600 | err_drop_ctr: | |
601 | crypto_drop_skcipher(&ictx->ctr); | |
602 | err_drop_cipher: | |
603 | crypto_drop_spawn(&ictx->cipher); | |
604 | err_free_inst: | |
605 | kfree(inst); | |
81c4c35e | 606 | goto out_put_cipher; |
4a49b499 JL |
607 | } |
608 | ||
81c4c35e | 609 | static int crypto_ccm_create(struct crypto_template *tmpl, struct rtattr **tb) |
4a49b499 | 610 | { |
4a49b499 JL |
611 | const char *cipher_name; |
612 | char ctr_name[CRYPTO_MAX_ALG_NAME]; | |
613 | char full_name[CRYPTO_MAX_ALG_NAME]; | |
614 | ||
615 | cipher_name = crypto_attr_alg_name(tb[1]); | |
4a49b499 | 616 | if (IS_ERR(cipher_name)) |
81c4c35e | 617 | return PTR_ERR(cipher_name); |
4a49b499 JL |
618 | |
619 | if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", | |
620 | cipher_name) >= CRYPTO_MAX_ALG_NAME) | |
81c4c35e | 621 | return -ENAMETOOLONG; |
4a49b499 JL |
622 | |
623 | if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "ccm(%s)", cipher_name) >= | |
624 | CRYPTO_MAX_ALG_NAME) | |
81c4c35e | 625 | return -ENAMETOOLONG; |
4a49b499 | 626 | |
81c4c35e HX |
627 | return crypto_ccm_create_common(tmpl, tb, full_name, ctr_name, |
628 | cipher_name); | |
4a49b499 JL |
629 | } |
630 | ||
631 | static struct crypto_template crypto_ccm_tmpl = { | |
632 | .name = "ccm", | |
81c4c35e | 633 | .create = crypto_ccm_create, |
4a49b499 JL |
634 | .module = THIS_MODULE, |
635 | }; | |
636 | ||
81c4c35e HX |
637 | static int crypto_ccm_base_create(struct crypto_template *tmpl, |
638 | struct rtattr **tb) | |
4a49b499 | 639 | { |
4a49b499 JL |
640 | const char *ctr_name; |
641 | const char *cipher_name; | |
642 | char full_name[CRYPTO_MAX_ALG_NAME]; | |
643 | ||
644 | ctr_name = crypto_attr_alg_name(tb[1]); | |
4a49b499 | 645 | if (IS_ERR(ctr_name)) |
81c4c35e | 646 | return PTR_ERR(ctr_name); |
4a49b499 JL |
647 | |
648 | cipher_name = crypto_attr_alg_name(tb[2]); | |
4a49b499 | 649 | if (IS_ERR(cipher_name)) |
81c4c35e | 650 | return PTR_ERR(cipher_name); |
4a49b499 JL |
651 | |
652 | if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "ccm_base(%s,%s)", | |
653 | ctr_name, cipher_name) >= CRYPTO_MAX_ALG_NAME) | |
81c4c35e | 654 | return -ENAMETOOLONG; |
4a49b499 | 655 | |
81c4c35e HX |
656 | return crypto_ccm_create_common(tmpl, tb, full_name, ctr_name, |
657 | cipher_name); | |
4a49b499 JL |
658 | } |
659 | ||
660 | static struct crypto_template crypto_ccm_base_tmpl = { | |
661 | .name = "ccm_base", | |
81c4c35e | 662 | .create = crypto_ccm_base_create, |
4a49b499 JL |
663 | .module = THIS_MODULE, |
664 | }; | |
665 | ||
666 | static int crypto_rfc4309_setkey(struct crypto_aead *parent, const u8 *key, | |
667 | unsigned int keylen) | |
668 | { | |
669 | struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(parent); | |
670 | struct crypto_aead *child = ctx->child; | |
671 | int err; | |
672 | ||
673 | if (keylen < 3) | |
674 | return -EINVAL; | |
675 | ||
676 | keylen -= 3; | |
677 | memcpy(ctx->nonce, key + keylen, 3); | |
678 | ||
679 | crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK); | |
680 | crypto_aead_set_flags(child, crypto_aead_get_flags(parent) & | |
681 | CRYPTO_TFM_REQ_MASK); | |
682 | err = crypto_aead_setkey(child, key, keylen); | |
683 | crypto_aead_set_flags(parent, crypto_aead_get_flags(child) & | |
684 | CRYPTO_TFM_RES_MASK); | |
685 | ||
686 | return err; | |
687 | } | |
688 | ||
689 | static int crypto_rfc4309_setauthsize(struct crypto_aead *parent, | |
690 | unsigned int authsize) | |
691 | { | |
692 | struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(parent); | |
693 | ||
694 | switch (authsize) { | |
695 | case 8: | |
696 | case 12: | |
697 | case 16: | |
698 | break; | |
699 | default: | |
700 | return -EINVAL; | |
701 | } | |
702 | ||
703 | return crypto_aead_setauthsize(ctx->child, authsize); | |
704 | } | |
705 | ||
706 | static struct aead_request *crypto_rfc4309_crypt(struct aead_request *req) | |
707 | { | |
81c4c35e HX |
708 | struct crypto_rfc4309_req_ctx *rctx = aead_request_ctx(req); |
709 | struct aead_request *subreq = &rctx->subreq; | |
4a49b499 JL |
710 | struct crypto_aead *aead = crypto_aead_reqtfm(req); |
711 | struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(aead); | |
712 | struct crypto_aead *child = ctx->child; | |
81c4c35e | 713 | struct scatterlist *sg; |
4a49b499 JL |
714 | u8 *iv = PTR_ALIGN((u8 *)(subreq + 1) + crypto_aead_reqsize(child), |
715 | crypto_aead_alignmask(child) + 1); | |
716 | ||
717 | /* L' */ | |
718 | iv[0] = 3; | |
719 | ||
720 | memcpy(iv + 1, ctx->nonce, 3); | |
721 | memcpy(iv + 4, req->iv, 8); | |
722 | ||
81c4c35e HX |
723 | scatterwalk_map_and_copy(iv + 16, req->src, 0, req->assoclen - 8, 0); |
724 | ||
725 | sg_init_table(rctx->src, 3); | |
726 | sg_set_buf(rctx->src, iv + 16, req->assoclen - 8); | |
727 | sg = scatterwalk_ffwd(rctx->src + 1, req->src, req->assoclen); | |
728 | if (sg != rctx->src + 1) | |
729 | sg_chain(rctx->src, 2, sg); | |
730 | ||
731 | if (req->src != req->dst) { | |
732 | sg_init_table(rctx->dst, 3); | |
733 | sg_set_buf(rctx->dst, iv + 16, req->assoclen - 8); | |
734 | sg = scatterwalk_ffwd(rctx->dst + 1, req->dst, req->assoclen); | |
735 | if (sg != rctx->dst + 1) | |
736 | sg_chain(rctx->dst, 2, sg); | |
737 | } | |
738 | ||
4a49b499 JL |
739 | aead_request_set_tfm(subreq, child); |
740 | aead_request_set_callback(subreq, req->base.flags, req->base.complete, | |
741 | req->base.data); | |
81c4c35e HX |
742 | aead_request_set_crypt(subreq, rctx->src, |
743 | req->src == req->dst ? rctx->src : rctx->dst, | |
744 | req->cryptlen, iv); | |
745 | aead_request_set_ad(subreq, req->assoclen - 8); | |
4a49b499 JL |
746 | |
747 | return subreq; | |
748 | } | |
749 | ||
750 | static int crypto_rfc4309_encrypt(struct aead_request *req) | |
751 | { | |
81c4c35e HX |
752 | if (req->assoclen != 16 && req->assoclen != 20) |
753 | return -EINVAL; | |
754 | ||
4a49b499 JL |
755 | req = crypto_rfc4309_crypt(req); |
756 | ||
757 | return crypto_aead_encrypt(req); | |
758 | } | |
759 | ||
760 | static int crypto_rfc4309_decrypt(struct aead_request *req) | |
761 | { | |
81c4c35e HX |
762 | if (req->assoclen != 16 && req->assoclen != 20) |
763 | return -EINVAL; | |
764 | ||
4a49b499 JL |
765 | req = crypto_rfc4309_crypt(req); |
766 | ||
767 | return crypto_aead_decrypt(req); | |
768 | } | |
769 | ||
81c4c35e | 770 | static int crypto_rfc4309_init_tfm(struct crypto_aead *tfm) |
4a49b499 | 771 | { |
81c4c35e HX |
772 | struct aead_instance *inst = aead_alg_instance(tfm); |
773 | struct crypto_aead_spawn *spawn = aead_instance_ctx(inst); | |
774 | struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(tfm); | |
4a49b499 JL |
775 | struct crypto_aead *aead; |
776 | unsigned long align; | |
777 | ||
778 | aead = crypto_spawn_aead(spawn); | |
779 | if (IS_ERR(aead)) | |
780 | return PTR_ERR(aead); | |
781 | ||
782 | ctx->child = aead; | |
783 | ||
784 | align = crypto_aead_alignmask(aead); | |
785 | align &= ~(crypto_tfm_ctx_alignment() - 1); | |
81c4c35e HX |
786 | crypto_aead_set_reqsize( |
787 | tfm, | |
788 | sizeof(struct crypto_rfc4309_req_ctx) + | |
2c221ad3 | 789 | ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) + |
81c4c35e | 790 | align + 32); |
4a49b499 JL |
791 | |
792 | return 0; | |
793 | } | |
794 | ||
81c4c35e | 795 | static void crypto_rfc4309_exit_tfm(struct crypto_aead *tfm) |
4a49b499 | 796 | { |
81c4c35e | 797 | struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(tfm); |
4a49b499 JL |
798 | |
799 | crypto_free_aead(ctx->child); | |
800 | } | |
801 | ||
81c4c35e HX |
802 | static void crypto_rfc4309_free(struct aead_instance *inst) |
803 | { | |
804 | crypto_drop_aead(aead_instance_ctx(inst)); | |
805 | kfree(inst); | |
806 | } | |
807 | ||
808 | static int crypto_rfc4309_create(struct crypto_template *tmpl, | |
809 | struct rtattr **tb) | |
4a49b499 JL |
810 | { |
811 | struct crypto_attr_type *algt; | |
81c4c35e | 812 | struct aead_instance *inst; |
4a49b499 | 813 | struct crypto_aead_spawn *spawn; |
81c4c35e | 814 | struct aead_alg *alg; |
4a49b499 JL |
815 | const char *ccm_name; |
816 | int err; | |
817 | ||
818 | algt = crypto_get_attr_type(tb); | |
4a49b499 | 819 | if (IS_ERR(algt)) |
81c4c35e | 820 | return PTR_ERR(algt); |
4a49b499 | 821 | |
5e4b8c1f | 822 | if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask) |
81c4c35e | 823 | return -EINVAL; |
4a49b499 JL |
824 | |
825 | ccm_name = crypto_attr_alg_name(tb[1]); | |
4a49b499 | 826 | if (IS_ERR(ccm_name)) |
81c4c35e | 827 | return PTR_ERR(ccm_name); |
4a49b499 JL |
828 | |
829 | inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL); | |
830 | if (!inst) | |
81c4c35e | 831 | return -ENOMEM; |
4a49b499 | 832 | |
81c4c35e HX |
833 | spawn = aead_instance_ctx(inst); |
834 | crypto_set_aead_spawn(spawn, aead_crypto_instance(inst)); | |
4a49b499 JL |
835 | err = crypto_grab_aead(spawn, ccm_name, 0, |
836 | crypto_requires_sync(algt->type, algt->mask)); | |
837 | if (err) | |
838 | goto out_free_inst; | |
839 | ||
81c4c35e | 840 | alg = crypto_spawn_aead_alg(spawn); |
4a49b499 JL |
841 | |
842 | err = -EINVAL; | |
843 | ||
844 | /* We only support 16-byte blocks. */ | |
81c4c35e | 845 | if (crypto_aead_alg_ivsize(alg) != 16) |
4a49b499 JL |
846 | goto out_drop_alg; |
847 | ||
848 | /* Not a stream cipher? */ | |
81c4c35e | 849 | if (alg->base.cra_blocksize != 1) |
4a49b499 JL |
850 | goto out_drop_alg; |
851 | ||
852 | err = -ENAMETOOLONG; | |
81c4c35e HX |
853 | if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME, |
854 | "rfc4309(%s)", alg->base.cra_name) >= | |
855 | CRYPTO_MAX_ALG_NAME || | |
856 | snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, | |
857 | "rfc4309(%s)", alg->base.cra_driver_name) >= | |
4a49b499 JL |
858 | CRYPTO_MAX_ALG_NAME) |
859 | goto out_drop_alg; | |
860 | ||
81c4c35e | 861 | inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC; |
81c4c35e HX |
862 | inst->alg.base.cra_priority = alg->base.cra_priority; |
863 | inst->alg.base.cra_blocksize = 1; | |
864 | inst->alg.base.cra_alignmask = alg->base.cra_alignmask; | |
4a49b499 | 865 | |
81c4c35e | 866 | inst->alg.ivsize = 8; |
464b93a3 | 867 | inst->alg.chunksize = crypto_aead_alg_chunksize(alg); |
81c4c35e | 868 | inst->alg.maxauthsize = 16; |
4a49b499 | 869 | |
81c4c35e | 870 | inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4309_ctx); |
4a49b499 | 871 | |
81c4c35e HX |
872 | inst->alg.init = crypto_rfc4309_init_tfm; |
873 | inst->alg.exit = crypto_rfc4309_exit_tfm; | |
4a49b499 | 874 | |
81c4c35e HX |
875 | inst->alg.setkey = crypto_rfc4309_setkey; |
876 | inst->alg.setauthsize = crypto_rfc4309_setauthsize; | |
877 | inst->alg.encrypt = crypto_rfc4309_encrypt; | |
878 | inst->alg.decrypt = crypto_rfc4309_decrypt; | |
4a49b499 | 879 | |
81c4c35e HX |
880 | inst->free = crypto_rfc4309_free; |
881 | ||
882 | err = aead_register_instance(tmpl, inst); | |
883 | if (err) | |
884 | goto out_drop_alg; | |
4a49b499 JL |
885 | |
886 | out: | |
81c4c35e | 887 | return err; |
4a49b499 JL |
888 | |
889 | out_drop_alg: | |
890 | crypto_drop_aead(spawn); | |
891 | out_free_inst: | |
892 | kfree(inst); | |
4a49b499 JL |
893 | goto out; |
894 | } | |
895 | ||
4a49b499 JL |
896 | static struct crypto_template crypto_rfc4309_tmpl = { |
897 | .name = "rfc4309", | |
81c4c35e | 898 | .create = crypto_rfc4309_create, |
4a49b499 JL |
899 | .module = THIS_MODULE, |
900 | }; | |
901 | ||
902 | static int __init crypto_ccm_module_init(void) | |
903 | { | |
904 | int err; | |
905 | ||
906 | err = crypto_register_template(&crypto_ccm_base_tmpl); | |
907 | if (err) | |
908 | goto out; | |
909 | ||
910 | err = crypto_register_template(&crypto_ccm_tmpl); | |
911 | if (err) | |
912 | goto out_undo_base; | |
913 | ||
914 | err = crypto_register_template(&crypto_rfc4309_tmpl); | |
915 | if (err) | |
916 | goto out_undo_ccm; | |
917 | ||
918 | out: | |
919 | return err; | |
920 | ||
921 | out_undo_ccm: | |
922 | crypto_unregister_template(&crypto_ccm_tmpl); | |
923 | out_undo_base: | |
924 | crypto_unregister_template(&crypto_ccm_base_tmpl); | |
925 | goto out; | |
926 | } | |
927 | ||
928 | static void __exit crypto_ccm_module_exit(void) | |
929 | { | |
930 | crypto_unregister_template(&crypto_rfc4309_tmpl); | |
931 | crypto_unregister_template(&crypto_ccm_tmpl); | |
932 | crypto_unregister_template(&crypto_ccm_base_tmpl); | |
933 | } | |
934 | ||
935 | module_init(crypto_ccm_module_init); | |
936 | module_exit(crypto_ccm_module_exit); | |
937 | ||
938 | MODULE_LICENSE("GPL"); | |
939 | MODULE_DESCRIPTION("Counter with CBC MAC"); | |
5d26a105 KC |
940 | MODULE_ALIAS_CRYPTO("ccm_base"); |
941 | MODULE_ALIAS_CRYPTO("rfc4309"); | |
4943ba16 | 942 | MODULE_ALIAS_CRYPTO("ccm"); |