Commit | Line | Data |
---|---|---|
4a49b499 JL |
1 | /* |
2 | * CCM: Counter with CBC-MAC | |
3 | * | |
4 | * (C) Copyright IBM Corp. 2007 - Joy Latten <latten@us.ibm.com> | |
5 | * | |
6 | * This program is free software; you can redistribute it and/or modify it | |
7 | * under the terms of the GNU General Public License as published by the Free | |
8 | * Software Foundation; either version 2 of the License, or (at your option) | |
9 | * any later version. | |
10 | * | |
11 | */ | |
12 | ||
13 | #include <crypto/internal/aead.h> | |
14 | #include <crypto/internal/skcipher.h> | |
15 | #include <crypto/scatterwalk.h> | |
16 | #include <linux/err.h> | |
17 | #include <linux/init.h> | |
18 | #include <linux/kernel.h> | |
19 | #include <linux/module.h> | |
20 | #include <linux/slab.h> | |
21 | ||
22 | #include "internal.h" | |
23 | ||
24 | struct ccm_instance_ctx { | |
25 | struct crypto_skcipher_spawn ctr; | |
26 | struct crypto_spawn cipher; | |
27 | }; | |
28 | ||
29 | struct crypto_ccm_ctx { | |
30 | struct crypto_cipher *cipher; | |
31 | struct crypto_ablkcipher *ctr; | |
32 | }; | |
33 | ||
34 | struct crypto_rfc4309_ctx { | |
35 | struct crypto_aead *child; | |
36 | u8 nonce[3]; | |
37 | }; | |
38 | ||
81c4c35e HX |
39 | struct crypto_rfc4309_req_ctx { |
40 | struct scatterlist src[3]; | |
41 | struct scatterlist dst[3]; | |
42 | struct aead_request subreq; | |
43 | }; | |
44 | ||
4a49b499 JL |
45 | struct crypto_ccm_req_priv_ctx { |
46 | u8 odata[16]; | |
47 | u8 idata[16]; | |
48 | u8 auth_tag[16]; | |
49 | u32 ilen; | |
50 | u32 flags; | |
81c4c35e HX |
51 | struct scatterlist src[3]; |
52 | struct scatterlist dst[3]; | |
4a49b499 JL |
53 | struct ablkcipher_request abreq; |
54 | }; | |
55 | ||
56 | static inline struct crypto_ccm_req_priv_ctx *crypto_ccm_reqctx( | |
57 | struct aead_request *req) | |
58 | { | |
59 | unsigned long align = crypto_aead_alignmask(crypto_aead_reqtfm(req)); | |
60 | ||
61 | return (void *)PTR_ALIGN((u8 *)aead_request_ctx(req), align + 1); | |
62 | } | |
63 | ||
64 | static int set_msg_len(u8 *block, unsigned int msglen, int csize) | |
65 | { | |
66 | __be32 data; | |
67 | ||
68 | memset(block, 0, csize); | |
69 | block += csize; | |
70 | ||
71 | if (csize >= 4) | |
72 | csize = 4; | |
73 | else if (msglen > (1 << (8 * csize))) | |
74 | return -EOVERFLOW; | |
75 | ||
76 | data = cpu_to_be32(msglen); | |
77 | memcpy(block - csize, (u8 *)&data + 4 - csize, csize); | |
78 | ||
79 | return 0; | |
80 | } | |
81 | ||
82 | static int crypto_ccm_setkey(struct crypto_aead *aead, const u8 *key, | |
83 | unsigned int keylen) | |
84 | { | |
85 | struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead); | |
86 | struct crypto_ablkcipher *ctr = ctx->ctr; | |
87 | struct crypto_cipher *tfm = ctx->cipher; | |
88 | int err = 0; | |
89 | ||
90 | crypto_ablkcipher_clear_flags(ctr, CRYPTO_TFM_REQ_MASK); | |
91 | crypto_ablkcipher_set_flags(ctr, crypto_aead_get_flags(aead) & | |
92 | CRYPTO_TFM_REQ_MASK); | |
93 | err = crypto_ablkcipher_setkey(ctr, key, keylen); | |
94 | crypto_aead_set_flags(aead, crypto_ablkcipher_get_flags(ctr) & | |
95 | CRYPTO_TFM_RES_MASK); | |
96 | if (err) | |
97 | goto out; | |
98 | ||
99 | crypto_cipher_clear_flags(tfm, CRYPTO_TFM_REQ_MASK); | |
100 | crypto_cipher_set_flags(tfm, crypto_aead_get_flags(aead) & | |
101 | CRYPTO_TFM_REQ_MASK); | |
102 | err = crypto_cipher_setkey(tfm, key, keylen); | |
103 | crypto_aead_set_flags(aead, crypto_cipher_get_flags(tfm) & | |
104 | CRYPTO_TFM_RES_MASK); | |
105 | ||
106 | out: | |
107 | return err; | |
108 | } | |
109 | ||
110 | static int crypto_ccm_setauthsize(struct crypto_aead *tfm, | |
111 | unsigned int authsize) | |
112 | { | |
113 | switch (authsize) { | |
114 | case 4: | |
115 | case 6: | |
116 | case 8: | |
117 | case 10: | |
118 | case 12: | |
119 | case 14: | |
120 | case 16: | |
121 | break; | |
122 | default: | |
123 | return -EINVAL; | |
124 | } | |
125 | ||
126 | return 0; | |
127 | } | |
128 | ||
129 | static int format_input(u8 *info, struct aead_request *req, | |
130 | unsigned int cryptlen) | |
131 | { | |
132 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
133 | unsigned int lp = req->iv[0]; | |
134 | unsigned int l = lp + 1; | |
135 | unsigned int m; | |
136 | ||
137 | m = crypto_aead_authsize(aead); | |
138 | ||
139 | memcpy(info, req->iv, 16); | |
140 | ||
141 | /* format control info per RFC 3610 and | |
142 | * NIST Special Publication 800-38C | |
143 | */ | |
144 | *info |= (8 * ((m - 2) / 2)); | |
145 | if (req->assoclen) | |
146 | *info |= 64; | |
147 | ||
148 | return set_msg_len(info + 16 - l, cryptlen, l); | |
149 | } | |
150 | ||
151 | static int format_adata(u8 *adata, unsigned int a) | |
152 | { | |
153 | int len = 0; | |
154 | ||
155 | /* add control info for associated data | |
156 | * RFC 3610 and NIST Special Publication 800-38C | |
157 | */ | |
158 | if (a < 65280) { | |
159 | *(__be16 *)adata = cpu_to_be16(a); | |
160 | len = 2; | |
161 | } else { | |
162 | *(__be16 *)adata = cpu_to_be16(0xfffe); | |
163 | *(__be32 *)&adata[2] = cpu_to_be32(a); | |
164 | len = 6; | |
165 | } | |
166 | ||
167 | return len; | |
168 | } | |
169 | ||
170 | static void compute_mac(struct crypto_cipher *tfm, u8 *data, int n, | |
171 | struct crypto_ccm_req_priv_ctx *pctx) | |
172 | { | |
173 | unsigned int bs = 16; | |
174 | u8 *odata = pctx->odata; | |
175 | u8 *idata = pctx->idata; | |
176 | int datalen, getlen; | |
177 | ||
178 | datalen = n; | |
179 | ||
180 | /* first time in here, block may be partially filled. */ | |
181 | getlen = bs - pctx->ilen; | |
182 | if (datalen >= getlen) { | |
183 | memcpy(idata + pctx->ilen, data, getlen); | |
184 | crypto_xor(odata, idata, bs); | |
185 | crypto_cipher_encrypt_one(tfm, odata, odata); | |
186 | datalen -= getlen; | |
187 | data += getlen; | |
188 | pctx->ilen = 0; | |
189 | } | |
190 | ||
191 | /* now encrypt rest of data */ | |
192 | while (datalen >= bs) { | |
193 | crypto_xor(odata, data, bs); | |
194 | crypto_cipher_encrypt_one(tfm, odata, odata); | |
195 | ||
196 | datalen -= bs; | |
197 | data += bs; | |
198 | } | |
199 | ||
200 | /* check and see if there's leftover data that wasn't | |
201 | * enough to fill a block. | |
202 | */ | |
203 | if (datalen) { | |
204 | memcpy(idata + pctx->ilen, data, datalen); | |
205 | pctx->ilen += datalen; | |
206 | } | |
207 | } | |
208 | ||
209 | static void get_data_to_compute(struct crypto_cipher *tfm, | |
210 | struct crypto_ccm_req_priv_ctx *pctx, | |
211 | struct scatterlist *sg, unsigned int len) | |
212 | { | |
213 | struct scatter_walk walk; | |
214 | u8 *data_src; | |
215 | int n; | |
216 | ||
217 | scatterwalk_start(&walk, sg); | |
218 | ||
219 | while (len) { | |
220 | n = scatterwalk_clamp(&walk, len); | |
221 | if (!n) { | |
222 | scatterwalk_start(&walk, sg_next(walk.sg)); | |
223 | n = scatterwalk_clamp(&walk, len); | |
224 | } | |
f0dfc0b0 | 225 | data_src = scatterwalk_map(&walk); |
4a49b499 JL |
226 | |
227 | compute_mac(tfm, data_src, n, pctx); | |
228 | len -= n; | |
229 | ||
f0dfc0b0 | 230 | scatterwalk_unmap(data_src); |
4a49b499 JL |
231 | scatterwalk_advance(&walk, n); |
232 | scatterwalk_done(&walk, 0, len); | |
233 | if (len) | |
234 | crypto_yield(pctx->flags); | |
235 | } | |
236 | ||
237 | /* any leftover needs padding and then encrypted */ | |
238 | if (pctx->ilen) { | |
239 | int padlen; | |
240 | u8 *odata = pctx->odata; | |
241 | u8 *idata = pctx->idata; | |
242 | ||
243 | padlen = 16 - pctx->ilen; | |
244 | memset(idata + pctx->ilen, 0, padlen); | |
245 | crypto_xor(odata, idata, 16); | |
246 | crypto_cipher_encrypt_one(tfm, odata, odata); | |
247 | pctx->ilen = 0; | |
248 | } | |
249 | } | |
250 | ||
251 | static int crypto_ccm_auth(struct aead_request *req, struct scatterlist *plain, | |
252 | unsigned int cryptlen) | |
253 | { | |
254 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
255 | struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead); | |
256 | struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); | |
257 | struct crypto_cipher *cipher = ctx->cipher; | |
258 | unsigned int assoclen = req->assoclen; | |
259 | u8 *odata = pctx->odata; | |
260 | u8 *idata = pctx->idata; | |
261 | int err; | |
262 | ||
263 | /* format control data for input */ | |
264 | err = format_input(odata, req, cryptlen); | |
265 | if (err) | |
266 | goto out; | |
267 | ||
268 | /* encrypt first block to use as start in computing mac */ | |
269 | crypto_cipher_encrypt_one(cipher, odata, odata); | |
270 | ||
271 | /* format associated data and compute into mac */ | |
272 | if (assoclen) { | |
273 | pctx->ilen = format_adata(idata, assoclen); | |
81c4c35e | 274 | get_data_to_compute(cipher, pctx, req->src, req->assoclen); |
516280e7 JW |
275 | } else { |
276 | pctx->ilen = 0; | |
4a49b499 JL |
277 | } |
278 | ||
279 | /* compute plaintext into mac */ | |
5638cabf HG |
280 | if (cryptlen) |
281 | get_data_to_compute(cipher, pctx, plain, cryptlen); | |
4a49b499 JL |
282 | |
283 | out: | |
284 | return err; | |
285 | } | |
286 | ||
287 | static void crypto_ccm_encrypt_done(struct crypto_async_request *areq, int err) | |
288 | { | |
289 | struct aead_request *req = areq->data; | |
290 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
291 | struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); | |
292 | u8 *odata = pctx->odata; | |
293 | ||
294 | if (!err) | |
81c4c35e HX |
295 | scatterwalk_map_and_copy(odata, req->dst, |
296 | req->assoclen + req->cryptlen, | |
4a49b499 JL |
297 | crypto_aead_authsize(aead), 1); |
298 | aead_request_complete(req, err); | |
299 | } | |
300 | ||
301 | static inline int crypto_ccm_check_iv(const u8 *iv) | |
302 | { | |
303 | /* 2 <= L <= 8, so 1 <= L' <= 7. */ | |
304 | if (1 > iv[0] || iv[0] > 7) | |
305 | return -EINVAL; | |
306 | ||
307 | return 0; | |
308 | } | |
309 | ||
81c4c35e HX |
310 | static int crypto_ccm_init_crypt(struct aead_request *req, u8 *tag) |
311 | { | |
312 | struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); | |
313 | struct scatterlist *sg; | |
314 | u8 *iv = req->iv; | |
315 | int err; | |
316 | ||
317 | err = crypto_ccm_check_iv(iv); | |
318 | if (err) | |
319 | return err; | |
320 | ||
321 | pctx->flags = aead_request_flags(req); | |
322 | ||
323 | /* Note: rfc 3610 and NIST 800-38C require counter of | |
324 | * zero to encrypt auth tag. | |
325 | */ | |
326 | memset(iv + 15 - iv[0], 0, iv[0] + 1); | |
327 | ||
328 | sg_init_table(pctx->src, 3); | |
329 | sg_set_buf(pctx->src, tag, 16); | |
330 | sg = scatterwalk_ffwd(pctx->src + 1, req->src, req->assoclen); | |
331 | if (sg != pctx->src + 1) | |
332 | sg_chain(pctx->src, 2, sg); | |
333 | ||
334 | if (req->src != req->dst) { | |
335 | sg_init_table(pctx->dst, 3); | |
336 | sg_set_buf(pctx->dst, tag, 16); | |
337 | sg = scatterwalk_ffwd(pctx->dst + 1, req->dst, req->assoclen); | |
338 | if (sg != pctx->dst + 1) | |
339 | sg_chain(pctx->dst, 2, sg); | |
340 | } | |
341 | ||
342 | return 0; | |
343 | } | |
344 | ||
4a49b499 JL |
345 | static int crypto_ccm_encrypt(struct aead_request *req) |
346 | { | |
347 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
348 | struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead); | |
349 | struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); | |
350 | struct ablkcipher_request *abreq = &pctx->abreq; | |
351 | struct scatterlist *dst; | |
352 | unsigned int cryptlen = req->cryptlen; | |
353 | u8 *odata = pctx->odata; | |
354 | u8 *iv = req->iv; | |
355 | int err; | |
356 | ||
81c4c35e | 357 | err = crypto_ccm_init_crypt(req, odata); |
4a49b499 JL |
358 | if (err) |
359 | return err; | |
360 | ||
81c4c35e | 361 | err = crypto_ccm_auth(req, sg_next(pctx->src), cryptlen); |
4a49b499 JL |
362 | if (err) |
363 | return err; | |
364 | ||
4a49b499 | 365 | dst = pctx->src; |
81c4c35e | 366 | if (req->src != req->dst) |
4a49b499 | 367 | dst = pctx->dst; |
4a49b499 JL |
368 | |
369 | ablkcipher_request_set_tfm(abreq, ctx->ctr); | |
370 | ablkcipher_request_set_callback(abreq, pctx->flags, | |
371 | crypto_ccm_encrypt_done, req); | |
372 | ablkcipher_request_set_crypt(abreq, pctx->src, dst, cryptlen + 16, iv); | |
373 | err = crypto_ablkcipher_encrypt(abreq); | |
374 | if (err) | |
375 | return err; | |
376 | ||
377 | /* copy authtag to end of dst */ | |
81c4c35e | 378 | scatterwalk_map_and_copy(odata, sg_next(dst), cryptlen, |
4a49b499 JL |
379 | crypto_aead_authsize(aead), 1); |
380 | return err; | |
381 | } | |
382 | ||
383 | static void crypto_ccm_decrypt_done(struct crypto_async_request *areq, | |
384 | int err) | |
385 | { | |
386 | struct aead_request *req = areq->data; | |
387 | struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); | |
388 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
389 | unsigned int authsize = crypto_aead_authsize(aead); | |
390 | unsigned int cryptlen = req->cryptlen - authsize; | |
81c4c35e HX |
391 | struct scatterlist *dst; |
392 | ||
393 | pctx->flags = 0; | |
394 | ||
395 | dst = sg_next(req->src == req->dst ? pctx->src : pctx->dst); | |
4a49b499 JL |
396 | |
397 | if (!err) { | |
81c4c35e | 398 | err = crypto_ccm_auth(req, dst, cryptlen); |
6bf37e5a | 399 | if (!err && crypto_memneq(pctx->auth_tag, pctx->odata, authsize)) |
4a49b499 JL |
400 | err = -EBADMSG; |
401 | } | |
402 | aead_request_complete(req, err); | |
403 | } | |
404 | ||
405 | static int crypto_ccm_decrypt(struct aead_request *req) | |
406 | { | |
407 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
408 | struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead); | |
409 | struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); | |
410 | struct ablkcipher_request *abreq = &pctx->abreq; | |
411 | struct scatterlist *dst; | |
412 | unsigned int authsize = crypto_aead_authsize(aead); | |
413 | unsigned int cryptlen = req->cryptlen; | |
414 | u8 *authtag = pctx->auth_tag; | |
415 | u8 *odata = pctx->odata; | |
416 | u8 *iv = req->iv; | |
417 | int err; | |
418 | ||
4a49b499 JL |
419 | cryptlen -= authsize; |
420 | ||
81c4c35e | 421 | err = crypto_ccm_init_crypt(req, authtag); |
4a49b499 JL |
422 | if (err) |
423 | return err; | |
424 | ||
81c4c35e HX |
425 | scatterwalk_map_and_copy(authtag, sg_next(pctx->src), cryptlen, |
426 | authsize, 0); | |
4a49b499 JL |
427 | |
428 | dst = pctx->src; | |
81c4c35e | 429 | if (req->src != req->dst) |
4a49b499 | 430 | dst = pctx->dst; |
4a49b499 JL |
431 | |
432 | ablkcipher_request_set_tfm(abreq, ctx->ctr); | |
433 | ablkcipher_request_set_callback(abreq, pctx->flags, | |
434 | crypto_ccm_decrypt_done, req); | |
435 | ablkcipher_request_set_crypt(abreq, pctx->src, dst, cryptlen + 16, iv); | |
436 | err = crypto_ablkcipher_decrypt(abreq); | |
437 | if (err) | |
438 | return err; | |
439 | ||
81c4c35e | 440 | err = crypto_ccm_auth(req, sg_next(dst), cryptlen); |
4a49b499 JL |
441 | if (err) |
442 | return err; | |
443 | ||
444 | /* verify */ | |
6bf37e5a | 445 | if (crypto_memneq(authtag, odata, authsize)) |
4a49b499 JL |
446 | return -EBADMSG; |
447 | ||
448 | return err; | |
449 | } | |
450 | ||
81c4c35e | 451 | static int crypto_ccm_init_tfm(struct crypto_aead *tfm) |
4a49b499 | 452 | { |
81c4c35e HX |
453 | struct aead_instance *inst = aead_alg_instance(tfm); |
454 | struct ccm_instance_ctx *ictx = aead_instance_ctx(inst); | |
455 | struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm); | |
4a49b499 JL |
456 | struct crypto_cipher *cipher; |
457 | struct crypto_ablkcipher *ctr; | |
458 | unsigned long align; | |
459 | int err; | |
460 | ||
461 | cipher = crypto_spawn_cipher(&ictx->cipher); | |
462 | if (IS_ERR(cipher)) | |
463 | return PTR_ERR(cipher); | |
464 | ||
465 | ctr = crypto_spawn_skcipher(&ictx->ctr); | |
466 | err = PTR_ERR(ctr); | |
467 | if (IS_ERR(ctr)) | |
468 | goto err_free_cipher; | |
469 | ||
470 | ctx->cipher = cipher; | |
471 | ctx->ctr = ctr; | |
472 | ||
81c4c35e | 473 | align = crypto_aead_alignmask(tfm); |
4a49b499 | 474 | align &= ~(crypto_tfm_ctx_alignment() - 1); |
81c4c35e HX |
475 | crypto_aead_set_reqsize( |
476 | tfm, | |
2c221ad3 HX |
477 | align + sizeof(struct crypto_ccm_req_priv_ctx) + |
478 | crypto_ablkcipher_reqsize(ctr)); | |
4a49b499 JL |
479 | |
480 | return 0; | |
481 | ||
482 | err_free_cipher: | |
483 | crypto_free_cipher(cipher); | |
484 | return err; | |
485 | } | |
486 | ||
81c4c35e | 487 | static void crypto_ccm_exit_tfm(struct crypto_aead *tfm) |
4a49b499 | 488 | { |
81c4c35e | 489 | struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm); |
4a49b499 JL |
490 | |
491 | crypto_free_cipher(ctx->cipher); | |
492 | crypto_free_ablkcipher(ctx->ctr); | |
493 | } | |
494 | ||
81c4c35e HX |
495 | static void crypto_ccm_free(struct aead_instance *inst) |
496 | { | |
497 | struct ccm_instance_ctx *ctx = aead_instance_ctx(inst); | |
498 | ||
499 | crypto_drop_spawn(&ctx->cipher); | |
500 | crypto_drop_skcipher(&ctx->ctr); | |
501 | kfree(inst); | |
502 | } | |
503 | ||
504 | static int crypto_ccm_create_common(struct crypto_template *tmpl, | |
505 | struct rtattr **tb, | |
506 | const char *full_name, | |
507 | const char *ctr_name, | |
508 | const char *cipher_name) | |
4a49b499 JL |
509 | { |
510 | struct crypto_attr_type *algt; | |
81c4c35e | 511 | struct aead_instance *inst; |
4a49b499 JL |
512 | struct crypto_alg *ctr; |
513 | struct crypto_alg *cipher; | |
514 | struct ccm_instance_ctx *ictx; | |
515 | int err; | |
516 | ||
517 | algt = crypto_get_attr_type(tb); | |
4a49b499 | 518 | if (IS_ERR(algt)) |
81c4c35e | 519 | return PTR_ERR(algt); |
4a49b499 | 520 | |
81c4c35e HX |
521 | if ((algt->type ^ (CRYPTO_ALG_TYPE_AEAD | CRYPTO_ALG_AEAD_NEW)) & |
522 | algt->mask) | |
523 | return -EINVAL; | |
4a49b499 JL |
524 | |
525 | cipher = crypto_alg_mod_lookup(cipher_name, CRYPTO_ALG_TYPE_CIPHER, | |
526 | CRYPTO_ALG_TYPE_MASK); | |
4a49b499 | 527 | if (IS_ERR(cipher)) |
81c4c35e | 528 | return PTR_ERR(cipher); |
4a49b499 JL |
529 | |
530 | err = -EINVAL; | |
531 | if (cipher->cra_blocksize != 16) | |
532 | goto out_put_cipher; | |
533 | ||
534 | inst = kzalloc(sizeof(*inst) + sizeof(*ictx), GFP_KERNEL); | |
535 | err = -ENOMEM; | |
536 | if (!inst) | |
537 | goto out_put_cipher; | |
538 | ||
81c4c35e | 539 | ictx = aead_instance_ctx(inst); |
4a49b499 | 540 | |
81c4c35e HX |
541 | err = crypto_init_spawn(&ictx->cipher, cipher, |
542 | aead_crypto_instance(inst), | |
4a49b499 JL |
543 | CRYPTO_ALG_TYPE_MASK); |
544 | if (err) | |
545 | goto err_free_inst; | |
546 | ||
81c4c35e | 547 | crypto_set_skcipher_spawn(&ictx->ctr, aead_crypto_instance(inst)); |
4a49b499 JL |
548 | err = crypto_grab_skcipher(&ictx->ctr, ctr_name, 0, |
549 | crypto_requires_sync(algt->type, | |
550 | algt->mask)); | |
551 | if (err) | |
552 | goto err_drop_cipher; | |
553 | ||
554 | ctr = crypto_skcipher_spawn_alg(&ictx->ctr); | |
555 | ||
556 | /* Not a stream cipher? */ | |
557 | err = -EINVAL; | |
558 | if (ctr->cra_blocksize != 1) | |
559 | goto err_drop_ctr; | |
560 | ||
561 | /* We want the real thing! */ | |
562 | if (ctr->cra_ablkcipher.ivsize != 16) | |
563 | goto err_drop_ctr; | |
564 | ||
565 | err = -ENAMETOOLONG; | |
81c4c35e | 566 | if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, |
4a49b499 JL |
567 | "ccm_base(%s,%s)", ctr->cra_driver_name, |
568 | cipher->cra_driver_name) >= CRYPTO_MAX_ALG_NAME) | |
569 | goto err_drop_ctr; | |
570 | ||
81c4c35e HX |
571 | memcpy(inst->alg.base.cra_name, full_name, CRYPTO_MAX_ALG_NAME); |
572 | ||
573 | inst->alg.base.cra_flags = ctr->cra_flags & CRYPTO_ALG_ASYNC; | |
574 | inst->alg.base.cra_flags |= CRYPTO_ALG_AEAD_NEW; | |
575 | inst->alg.base.cra_priority = (cipher->cra_priority + | |
576 | ctr->cra_priority) / 2; | |
577 | inst->alg.base.cra_blocksize = 1; | |
578 | inst->alg.base.cra_alignmask = cipher->cra_alignmask | | |
579 | ctr->cra_alignmask | | |
580 | (__alignof__(u32) - 1); | |
581 | inst->alg.ivsize = 16; | |
582 | inst->alg.maxauthsize = 16; | |
583 | inst->alg.base.cra_ctxsize = sizeof(struct crypto_ccm_ctx); | |
584 | inst->alg.init = crypto_ccm_init_tfm; | |
585 | inst->alg.exit = crypto_ccm_exit_tfm; | |
586 | inst->alg.setkey = crypto_ccm_setkey; | |
587 | inst->alg.setauthsize = crypto_ccm_setauthsize; | |
588 | inst->alg.encrypt = crypto_ccm_encrypt; | |
589 | inst->alg.decrypt = crypto_ccm_decrypt; | |
590 | ||
591 | inst->free = crypto_ccm_free; | |
592 | ||
593 | err = aead_register_instance(tmpl, inst); | |
594 | if (err) | |
595 | goto err_drop_ctr; | |
4a49b499 | 596 | |
81c4c35e | 597 | out_put_cipher: |
4a49b499 | 598 | crypto_mod_put(cipher); |
81c4c35e | 599 | return err; |
4a49b499 JL |
600 | |
601 | err_drop_ctr: | |
602 | crypto_drop_skcipher(&ictx->ctr); | |
603 | err_drop_cipher: | |
604 | crypto_drop_spawn(&ictx->cipher); | |
605 | err_free_inst: | |
606 | kfree(inst); | |
81c4c35e | 607 | goto out_put_cipher; |
4a49b499 JL |
608 | } |
609 | ||
81c4c35e | 610 | static int crypto_ccm_create(struct crypto_template *tmpl, struct rtattr **tb) |
4a49b499 | 611 | { |
4a49b499 JL |
612 | const char *cipher_name; |
613 | char ctr_name[CRYPTO_MAX_ALG_NAME]; | |
614 | char full_name[CRYPTO_MAX_ALG_NAME]; | |
615 | ||
616 | cipher_name = crypto_attr_alg_name(tb[1]); | |
4a49b499 | 617 | if (IS_ERR(cipher_name)) |
81c4c35e | 618 | return PTR_ERR(cipher_name); |
4a49b499 JL |
619 | |
620 | if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", | |
621 | cipher_name) >= CRYPTO_MAX_ALG_NAME) | |
81c4c35e | 622 | return -ENAMETOOLONG; |
4a49b499 JL |
623 | |
624 | if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "ccm(%s)", cipher_name) >= | |
625 | CRYPTO_MAX_ALG_NAME) | |
81c4c35e | 626 | return -ENAMETOOLONG; |
4a49b499 | 627 | |
81c4c35e HX |
628 | return crypto_ccm_create_common(tmpl, tb, full_name, ctr_name, |
629 | cipher_name); | |
4a49b499 JL |
630 | } |
631 | ||
632 | static struct crypto_template crypto_ccm_tmpl = { | |
633 | .name = "ccm", | |
81c4c35e | 634 | .create = crypto_ccm_create, |
4a49b499 JL |
635 | .module = THIS_MODULE, |
636 | }; | |
637 | ||
81c4c35e HX |
638 | static int crypto_ccm_base_create(struct crypto_template *tmpl, |
639 | struct rtattr **tb) | |
4a49b499 | 640 | { |
4a49b499 JL |
641 | const char *ctr_name; |
642 | const char *cipher_name; | |
643 | char full_name[CRYPTO_MAX_ALG_NAME]; | |
644 | ||
645 | ctr_name = crypto_attr_alg_name(tb[1]); | |
4a49b499 | 646 | if (IS_ERR(ctr_name)) |
81c4c35e | 647 | return PTR_ERR(ctr_name); |
4a49b499 JL |
648 | |
649 | cipher_name = crypto_attr_alg_name(tb[2]); | |
4a49b499 | 650 | if (IS_ERR(cipher_name)) |
81c4c35e | 651 | return PTR_ERR(cipher_name); |
4a49b499 JL |
652 | |
653 | if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "ccm_base(%s,%s)", | |
654 | ctr_name, cipher_name) >= CRYPTO_MAX_ALG_NAME) | |
81c4c35e | 655 | return -ENAMETOOLONG; |
4a49b499 | 656 | |
81c4c35e HX |
657 | return crypto_ccm_create_common(tmpl, tb, full_name, ctr_name, |
658 | cipher_name); | |
4a49b499 JL |
659 | } |
660 | ||
661 | static struct crypto_template crypto_ccm_base_tmpl = { | |
662 | .name = "ccm_base", | |
81c4c35e | 663 | .create = crypto_ccm_base_create, |
4a49b499 JL |
664 | .module = THIS_MODULE, |
665 | }; | |
666 | ||
667 | static int crypto_rfc4309_setkey(struct crypto_aead *parent, const u8 *key, | |
668 | unsigned int keylen) | |
669 | { | |
670 | struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(parent); | |
671 | struct crypto_aead *child = ctx->child; | |
672 | int err; | |
673 | ||
674 | if (keylen < 3) | |
675 | return -EINVAL; | |
676 | ||
677 | keylen -= 3; | |
678 | memcpy(ctx->nonce, key + keylen, 3); | |
679 | ||
680 | crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK); | |
681 | crypto_aead_set_flags(child, crypto_aead_get_flags(parent) & | |
682 | CRYPTO_TFM_REQ_MASK); | |
683 | err = crypto_aead_setkey(child, key, keylen); | |
684 | crypto_aead_set_flags(parent, crypto_aead_get_flags(child) & | |
685 | CRYPTO_TFM_RES_MASK); | |
686 | ||
687 | return err; | |
688 | } | |
689 | ||
690 | static int crypto_rfc4309_setauthsize(struct crypto_aead *parent, | |
691 | unsigned int authsize) | |
692 | { | |
693 | struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(parent); | |
694 | ||
695 | switch (authsize) { | |
696 | case 8: | |
697 | case 12: | |
698 | case 16: | |
699 | break; | |
700 | default: | |
701 | return -EINVAL; | |
702 | } | |
703 | ||
704 | return crypto_aead_setauthsize(ctx->child, authsize); | |
705 | } | |
706 | ||
707 | static struct aead_request *crypto_rfc4309_crypt(struct aead_request *req) | |
708 | { | |
81c4c35e HX |
709 | struct crypto_rfc4309_req_ctx *rctx = aead_request_ctx(req); |
710 | struct aead_request *subreq = &rctx->subreq; | |
4a49b499 JL |
711 | struct crypto_aead *aead = crypto_aead_reqtfm(req); |
712 | struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(aead); | |
713 | struct crypto_aead *child = ctx->child; | |
81c4c35e | 714 | struct scatterlist *sg; |
4a49b499 JL |
715 | u8 *iv = PTR_ALIGN((u8 *)(subreq + 1) + crypto_aead_reqsize(child), |
716 | crypto_aead_alignmask(child) + 1); | |
717 | ||
718 | /* L' */ | |
719 | iv[0] = 3; | |
720 | ||
721 | memcpy(iv + 1, ctx->nonce, 3); | |
722 | memcpy(iv + 4, req->iv, 8); | |
723 | ||
81c4c35e HX |
724 | scatterwalk_map_and_copy(iv + 16, req->src, 0, req->assoclen - 8, 0); |
725 | ||
726 | sg_init_table(rctx->src, 3); | |
727 | sg_set_buf(rctx->src, iv + 16, req->assoclen - 8); | |
728 | sg = scatterwalk_ffwd(rctx->src + 1, req->src, req->assoclen); | |
729 | if (sg != rctx->src + 1) | |
730 | sg_chain(rctx->src, 2, sg); | |
731 | ||
732 | if (req->src != req->dst) { | |
733 | sg_init_table(rctx->dst, 3); | |
734 | sg_set_buf(rctx->dst, iv + 16, req->assoclen - 8); | |
735 | sg = scatterwalk_ffwd(rctx->dst + 1, req->dst, req->assoclen); | |
736 | if (sg != rctx->dst + 1) | |
737 | sg_chain(rctx->dst, 2, sg); | |
738 | } | |
739 | ||
4a49b499 JL |
740 | aead_request_set_tfm(subreq, child); |
741 | aead_request_set_callback(subreq, req->base.flags, req->base.complete, | |
742 | req->base.data); | |
81c4c35e HX |
743 | aead_request_set_crypt(subreq, rctx->src, |
744 | req->src == req->dst ? rctx->src : rctx->dst, | |
745 | req->cryptlen, iv); | |
746 | aead_request_set_ad(subreq, req->assoclen - 8); | |
4a49b499 JL |
747 | |
748 | return subreq; | |
749 | } | |
750 | ||
751 | static int crypto_rfc4309_encrypt(struct aead_request *req) | |
752 | { | |
81c4c35e HX |
753 | if (req->assoclen != 16 && req->assoclen != 20) |
754 | return -EINVAL; | |
755 | ||
4a49b499 JL |
756 | req = crypto_rfc4309_crypt(req); |
757 | ||
758 | return crypto_aead_encrypt(req); | |
759 | } | |
760 | ||
761 | static int crypto_rfc4309_decrypt(struct aead_request *req) | |
762 | { | |
81c4c35e HX |
763 | if (req->assoclen != 16 && req->assoclen != 20) |
764 | return -EINVAL; | |
765 | ||
4a49b499 JL |
766 | req = crypto_rfc4309_crypt(req); |
767 | ||
768 | return crypto_aead_decrypt(req); | |
769 | } | |
770 | ||
81c4c35e | 771 | static int crypto_rfc4309_init_tfm(struct crypto_aead *tfm) |
4a49b499 | 772 | { |
81c4c35e HX |
773 | struct aead_instance *inst = aead_alg_instance(tfm); |
774 | struct crypto_aead_spawn *spawn = aead_instance_ctx(inst); | |
775 | struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(tfm); | |
4a49b499 JL |
776 | struct crypto_aead *aead; |
777 | unsigned long align; | |
778 | ||
779 | aead = crypto_spawn_aead(spawn); | |
780 | if (IS_ERR(aead)) | |
781 | return PTR_ERR(aead); | |
782 | ||
783 | ctx->child = aead; | |
784 | ||
785 | align = crypto_aead_alignmask(aead); | |
786 | align &= ~(crypto_tfm_ctx_alignment() - 1); | |
81c4c35e HX |
787 | crypto_aead_set_reqsize( |
788 | tfm, | |
789 | sizeof(struct crypto_rfc4309_req_ctx) + | |
2c221ad3 | 790 | ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) + |
81c4c35e | 791 | align + 32); |
4a49b499 JL |
792 | |
793 | return 0; | |
794 | } | |
795 | ||
81c4c35e | 796 | static void crypto_rfc4309_exit_tfm(struct crypto_aead *tfm) |
4a49b499 | 797 | { |
81c4c35e | 798 | struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(tfm); |
4a49b499 JL |
799 | |
800 | crypto_free_aead(ctx->child); | |
801 | } | |
802 | ||
81c4c35e HX |
803 | static void crypto_rfc4309_free(struct aead_instance *inst) |
804 | { | |
805 | crypto_drop_aead(aead_instance_ctx(inst)); | |
806 | kfree(inst); | |
807 | } | |
808 | ||
809 | static int crypto_rfc4309_create(struct crypto_template *tmpl, | |
810 | struct rtattr **tb) | |
4a49b499 JL |
811 | { |
812 | struct crypto_attr_type *algt; | |
81c4c35e | 813 | struct aead_instance *inst; |
4a49b499 | 814 | struct crypto_aead_spawn *spawn; |
81c4c35e | 815 | struct aead_alg *alg; |
4a49b499 JL |
816 | const char *ccm_name; |
817 | int err; | |
818 | ||
819 | algt = crypto_get_attr_type(tb); | |
4a49b499 | 820 | if (IS_ERR(algt)) |
81c4c35e | 821 | return PTR_ERR(algt); |
4a49b499 | 822 | |
81c4c35e HX |
823 | if ((algt->type ^ (CRYPTO_ALG_TYPE_AEAD | CRYPTO_ALG_AEAD_NEW)) & |
824 | algt->mask) | |
825 | return -EINVAL; | |
4a49b499 JL |
826 | |
827 | ccm_name = crypto_attr_alg_name(tb[1]); | |
4a49b499 | 828 | if (IS_ERR(ccm_name)) |
81c4c35e | 829 | return PTR_ERR(ccm_name); |
4a49b499 JL |
830 | |
831 | inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL); | |
832 | if (!inst) | |
81c4c35e | 833 | return -ENOMEM; |
4a49b499 | 834 | |
81c4c35e HX |
835 | spawn = aead_instance_ctx(inst); |
836 | crypto_set_aead_spawn(spawn, aead_crypto_instance(inst)); | |
4a49b499 JL |
837 | err = crypto_grab_aead(spawn, ccm_name, 0, |
838 | crypto_requires_sync(algt->type, algt->mask)); | |
839 | if (err) | |
840 | goto out_free_inst; | |
841 | ||
81c4c35e | 842 | alg = crypto_spawn_aead_alg(spawn); |
4a49b499 JL |
843 | |
844 | err = -EINVAL; | |
845 | ||
846 | /* We only support 16-byte blocks. */ | |
81c4c35e | 847 | if (crypto_aead_alg_ivsize(alg) != 16) |
4a49b499 JL |
848 | goto out_drop_alg; |
849 | ||
850 | /* Not a stream cipher? */ | |
81c4c35e | 851 | if (alg->base.cra_blocksize != 1) |
4a49b499 JL |
852 | goto out_drop_alg; |
853 | ||
854 | err = -ENAMETOOLONG; | |
81c4c35e HX |
855 | if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME, |
856 | "rfc4309(%s)", alg->base.cra_name) >= | |
857 | CRYPTO_MAX_ALG_NAME || | |
858 | snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, | |
859 | "rfc4309(%s)", alg->base.cra_driver_name) >= | |
4a49b499 JL |
860 | CRYPTO_MAX_ALG_NAME) |
861 | goto out_drop_alg; | |
862 | ||
81c4c35e HX |
863 | inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC; |
864 | inst->alg.base.cra_flags |= CRYPTO_ALG_AEAD_NEW; | |
865 | inst->alg.base.cra_priority = alg->base.cra_priority; | |
866 | inst->alg.base.cra_blocksize = 1; | |
867 | inst->alg.base.cra_alignmask = alg->base.cra_alignmask; | |
4a49b499 | 868 | |
81c4c35e HX |
869 | inst->alg.ivsize = 8; |
870 | inst->alg.maxauthsize = 16; | |
4a49b499 | 871 | |
81c4c35e | 872 | inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4309_ctx); |
4a49b499 | 873 | |
81c4c35e HX |
874 | inst->alg.init = crypto_rfc4309_init_tfm; |
875 | inst->alg.exit = crypto_rfc4309_exit_tfm; | |
4a49b499 | 876 | |
81c4c35e HX |
877 | inst->alg.setkey = crypto_rfc4309_setkey; |
878 | inst->alg.setauthsize = crypto_rfc4309_setauthsize; | |
879 | inst->alg.encrypt = crypto_rfc4309_encrypt; | |
880 | inst->alg.decrypt = crypto_rfc4309_decrypt; | |
4a49b499 | 881 | |
81c4c35e HX |
882 | inst->free = crypto_rfc4309_free; |
883 | ||
884 | err = aead_register_instance(tmpl, inst); | |
885 | if (err) | |
886 | goto out_drop_alg; | |
4a49b499 JL |
887 | |
888 | out: | |
81c4c35e | 889 | return err; |
4a49b499 JL |
890 | |
891 | out_drop_alg: | |
892 | crypto_drop_aead(spawn); | |
893 | out_free_inst: | |
894 | kfree(inst); | |
4a49b499 JL |
895 | goto out; |
896 | } | |
897 | ||
4a49b499 JL |
898 | static struct crypto_template crypto_rfc4309_tmpl = { |
899 | .name = "rfc4309", | |
81c4c35e | 900 | .create = crypto_rfc4309_create, |
4a49b499 JL |
901 | .module = THIS_MODULE, |
902 | }; | |
903 | ||
904 | static int __init crypto_ccm_module_init(void) | |
905 | { | |
906 | int err; | |
907 | ||
908 | err = crypto_register_template(&crypto_ccm_base_tmpl); | |
909 | if (err) | |
910 | goto out; | |
911 | ||
912 | err = crypto_register_template(&crypto_ccm_tmpl); | |
913 | if (err) | |
914 | goto out_undo_base; | |
915 | ||
916 | err = crypto_register_template(&crypto_rfc4309_tmpl); | |
917 | if (err) | |
918 | goto out_undo_ccm; | |
919 | ||
920 | out: | |
921 | return err; | |
922 | ||
923 | out_undo_ccm: | |
924 | crypto_unregister_template(&crypto_ccm_tmpl); | |
925 | out_undo_base: | |
926 | crypto_unregister_template(&crypto_ccm_base_tmpl); | |
927 | goto out; | |
928 | } | |
929 | ||
930 | static void __exit crypto_ccm_module_exit(void) | |
931 | { | |
932 | crypto_unregister_template(&crypto_rfc4309_tmpl); | |
933 | crypto_unregister_template(&crypto_ccm_tmpl); | |
934 | crypto_unregister_template(&crypto_ccm_base_tmpl); | |
935 | } | |
936 | ||
937 | module_init(crypto_ccm_module_init); | |
938 | module_exit(crypto_ccm_module_exit); | |
939 | ||
940 | MODULE_LICENSE("GPL"); | |
941 | MODULE_DESCRIPTION("Counter with CBC MAC"); | |
5d26a105 KC |
942 | MODULE_ALIAS_CRYPTO("ccm_base"); |
943 | MODULE_ALIAS_CRYPTO("rfc4309"); | |
4943ba16 | 944 | MODULE_ALIAS_CRYPTO("ccm"); |