ccm.c 23 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941
  1. // SPDX-License-Identifier: GPL-2.0-or-later
  2. /*
  3. * CCM: Counter with CBC-MAC
  4. *
  5. * (C) Copyright IBM Corp. 2007 - Joy Latten <latten@us.ibm.com>
  6. */
  7. #include <crypto/internal/aead.h>
  8. #include <crypto/internal/cipher.h>
  9. #include <crypto/internal/hash.h>
  10. #include <crypto/internal/skcipher.h>
  11. #include <crypto/scatterwalk.h>
  12. #include <crypto/utils.h>
  13. #include <linux/err.h>
  14. #include <linux/kernel.h>
  15. #include <linux/module.h>
  16. #include <linux/slab.h>
  17. #include <linux/string.h>
  18. struct ccm_instance_ctx {
  19. struct crypto_skcipher_spawn ctr;
  20. struct crypto_ahash_spawn mac;
  21. };
  22. struct crypto_ccm_ctx {
  23. struct crypto_ahash *mac;
  24. struct crypto_skcipher *ctr;
  25. };
  26. struct crypto_rfc4309_ctx {
  27. struct crypto_aead *child;
  28. u8 nonce[3];
  29. };
  30. struct crypto_rfc4309_req_ctx {
  31. struct scatterlist src[3];
  32. struct scatterlist dst[3];
  33. struct aead_request subreq;
  34. };
  35. struct crypto_ccm_req_priv_ctx {
  36. u8 odata[16];
  37. u8 idata[16];
  38. u8 auth_tag[16];
  39. u32 flags;
  40. struct scatterlist src[3];
  41. struct scatterlist dst[3];
  42. union {
  43. struct ahash_request ahreq;
  44. struct skcipher_request skreq;
  45. };
  46. };
  47. struct cbcmac_tfm_ctx {
  48. struct crypto_cipher *child;
  49. };
  50. static inline struct crypto_ccm_req_priv_ctx *crypto_ccm_reqctx(
  51. struct aead_request *req)
  52. {
  53. unsigned long align = crypto_aead_alignmask(crypto_aead_reqtfm(req));
  54. return (void *)PTR_ALIGN((u8 *)aead_request_ctx(req), align + 1);
  55. }
  56. static int set_msg_len(u8 *block, unsigned int msglen, int csize)
  57. {
  58. __be32 data;
  59. memset(block, 0, csize);
  60. block += csize;
  61. if (csize >= 4)
  62. csize = 4;
  63. else if (msglen > (1 << (8 * csize)))
  64. return -EOVERFLOW;
  65. data = cpu_to_be32(msglen);
  66. memcpy(block - csize, (u8 *)&data + 4 - csize, csize);
  67. return 0;
  68. }
  69. static int crypto_ccm_setkey(struct crypto_aead *aead, const u8 *key,
  70. unsigned int keylen)
  71. {
  72. struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead);
  73. struct crypto_skcipher *ctr = ctx->ctr;
  74. struct crypto_ahash *mac = ctx->mac;
  75. int err;
  76. crypto_skcipher_clear_flags(ctr, CRYPTO_TFM_REQ_MASK);
  77. crypto_skcipher_set_flags(ctr, crypto_aead_get_flags(aead) &
  78. CRYPTO_TFM_REQ_MASK);
  79. err = crypto_skcipher_setkey(ctr, key, keylen);
  80. if (err)
  81. return err;
  82. crypto_ahash_clear_flags(mac, CRYPTO_TFM_REQ_MASK);
  83. crypto_ahash_set_flags(mac, crypto_aead_get_flags(aead) &
  84. CRYPTO_TFM_REQ_MASK);
  85. return crypto_ahash_setkey(mac, key, keylen);
  86. }
  87. static int crypto_ccm_setauthsize(struct crypto_aead *tfm,
  88. unsigned int authsize)
  89. {
  90. switch (authsize) {
  91. case 4:
  92. case 6:
  93. case 8:
  94. case 10:
  95. case 12:
  96. case 14:
  97. case 16:
  98. break;
  99. default:
  100. return -EINVAL;
  101. }
  102. return 0;
  103. }
  104. static int format_input(u8 *info, struct aead_request *req,
  105. unsigned int cryptlen)
  106. {
  107. struct crypto_aead *aead = crypto_aead_reqtfm(req);
  108. unsigned int lp = req->iv[0];
  109. unsigned int l = lp + 1;
  110. unsigned int m;
  111. m = crypto_aead_authsize(aead);
  112. memcpy(info, req->iv, 16);
  113. /* format control info per RFC 3610 and
  114. * NIST Special Publication 800-38C
  115. */
  116. *info |= (8 * ((m - 2) / 2));
  117. if (req->assoclen)
  118. *info |= 64;
  119. return set_msg_len(info + 16 - l, cryptlen, l);
  120. }
  121. static int format_adata(u8 *adata, unsigned int a)
  122. {
  123. int len = 0;
  124. /* add control info for associated data
  125. * RFC 3610 and NIST Special Publication 800-38C
  126. */
  127. if (a < 65280) {
  128. *(__be16 *)adata = cpu_to_be16(a);
  129. len = 2;
  130. } else {
  131. *(__be16 *)adata = cpu_to_be16(0xfffe);
  132. *(__be32 *)&adata[2] = cpu_to_be32(a);
  133. len = 6;
  134. }
  135. return len;
  136. }
  137. static int crypto_ccm_auth(struct aead_request *req, struct scatterlist *plain,
  138. unsigned int cryptlen)
  139. {
  140. struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
  141. struct crypto_aead *aead = crypto_aead_reqtfm(req);
  142. struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead);
  143. struct ahash_request *ahreq = &pctx->ahreq;
  144. unsigned int assoclen = req->assoclen;
  145. struct scatterlist sg[3];
  146. u8 *odata = pctx->odata;
  147. u8 *idata = pctx->idata;
  148. int ilen, err;
  149. /* format control data for input */
  150. err = format_input(odata, req, cryptlen);
  151. if (err)
  152. goto out;
  153. sg_init_table(sg, 3);
  154. sg_set_buf(&sg[0], odata, 16);
  155. /* format associated data and compute into mac */
  156. if (assoclen) {
  157. ilen = format_adata(idata, assoclen);
  158. sg_set_buf(&sg[1], idata, ilen);
  159. sg_chain(sg, 3, req->src);
  160. } else {
  161. ilen = 0;
  162. sg_chain(sg, 2, req->src);
  163. }
  164. ahash_request_set_tfm(ahreq, ctx->mac);
  165. ahash_request_set_callback(ahreq, pctx->flags, NULL, NULL);
  166. ahash_request_set_crypt(ahreq, sg, NULL, assoclen + ilen + 16);
  167. err = crypto_ahash_init(ahreq);
  168. if (err)
  169. goto out;
  170. err = crypto_ahash_update(ahreq);
  171. if (err)
  172. goto out;
  173. /* we need to pad the MAC input to a round multiple of the block size */
  174. ilen = 16 - (assoclen + ilen) % 16;
  175. if (ilen < 16) {
  176. memset(idata, 0, ilen);
  177. sg_init_table(sg, 2);
  178. sg_set_buf(&sg[0], idata, ilen);
  179. if (plain)
  180. sg_chain(sg, 2, plain);
  181. plain = sg;
  182. cryptlen += ilen;
  183. }
  184. ahash_request_set_crypt(ahreq, plain, odata, cryptlen);
  185. err = crypto_ahash_finup(ahreq);
  186. out:
  187. return err;
  188. }
  189. static void crypto_ccm_encrypt_done(void *data, int err)
  190. {
  191. struct aead_request *req = data;
  192. struct crypto_aead *aead = crypto_aead_reqtfm(req);
  193. struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
  194. u8 *odata = pctx->odata;
  195. if (!err)
  196. scatterwalk_map_and_copy(odata, req->dst,
  197. req->assoclen + req->cryptlen,
  198. crypto_aead_authsize(aead), 1);
  199. aead_request_complete(req, err);
  200. }
  201. static inline int crypto_ccm_check_iv(const u8 *iv)
  202. {
  203. /* 2 <= L <= 8, so 1 <= L' <= 7. */
  204. if (1 > iv[0] || iv[0] > 7)
  205. return -EINVAL;
  206. return 0;
  207. }
  208. static int crypto_ccm_init_crypt(struct aead_request *req, u8 *tag)
  209. {
  210. struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
  211. struct scatterlist *sg;
  212. u8 *iv = req->iv;
  213. int err;
  214. err = crypto_ccm_check_iv(iv);
  215. if (err)
  216. return err;
  217. pctx->flags = aead_request_flags(req);
  218. /* Note: rfc 3610 and NIST 800-38C require counter of
  219. * zero to encrypt auth tag.
  220. */
  221. memset(iv + 15 - iv[0], 0, iv[0] + 1);
  222. sg_init_table(pctx->src, 3);
  223. sg_set_buf(pctx->src, tag, 16);
  224. sg = scatterwalk_ffwd(pctx->src + 1, req->src, req->assoclen);
  225. if (sg != pctx->src + 1)
  226. sg_chain(pctx->src, 2, sg);
  227. if (req->src != req->dst) {
  228. sg_init_table(pctx->dst, 3);
  229. sg_set_buf(pctx->dst, tag, 16);
  230. sg = scatterwalk_ffwd(pctx->dst + 1, req->dst, req->assoclen);
  231. if (sg != pctx->dst + 1)
  232. sg_chain(pctx->dst, 2, sg);
  233. }
  234. return 0;
  235. }
  236. static int crypto_ccm_encrypt(struct aead_request *req)
  237. {
  238. struct crypto_aead *aead = crypto_aead_reqtfm(req);
  239. struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead);
  240. struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
  241. struct skcipher_request *skreq = &pctx->skreq;
  242. struct scatterlist *dst;
  243. unsigned int cryptlen = req->cryptlen;
  244. u8 *odata = pctx->odata;
  245. u8 *iv = req->iv;
  246. int err;
  247. err = crypto_ccm_init_crypt(req, odata);
  248. if (err)
  249. return err;
  250. err = crypto_ccm_auth(req, sg_next(pctx->src), cryptlen);
  251. if (err)
  252. return err;
  253. dst = pctx->src;
  254. if (req->src != req->dst)
  255. dst = pctx->dst;
  256. skcipher_request_set_tfm(skreq, ctx->ctr);
  257. skcipher_request_set_callback(skreq, pctx->flags,
  258. crypto_ccm_encrypt_done, req);
  259. skcipher_request_set_crypt(skreq, pctx->src, dst, cryptlen + 16, iv);
  260. err = crypto_skcipher_encrypt(skreq);
  261. if (err)
  262. return err;
  263. /* copy authtag to end of dst */
  264. scatterwalk_map_and_copy(odata, sg_next(dst), cryptlen,
  265. crypto_aead_authsize(aead), 1);
  266. return err;
  267. }
  268. static void crypto_ccm_decrypt_done(void *data, int err)
  269. {
  270. struct aead_request *req = data;
  271. struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
  272. struct crypto_aead *aead = crypto_aead_reqtfm(req);
  273. unsigned int authsize = crypto_aead_authsize(aead);
  274. unsigned int cryptlen = req->cryptlen - authsize;
  275. struct scatterlist *dst;
  276. pctx->flags = 0;
  277. dst = sg_next(req->src == req->dst ? pctx->src : pctx->dst);
  278. if (!err) {
  279. err = crypto_ccm_auth(req, dst, cryptlen);
  280. if (!err && crypto_memneq(pctx->auth_tag, pctx->odata, authsize))
  281. err = -EBADMSG;
  282. }
  283. aead_request_complete(req, err);
  284. }
  285. static int crypto_ccm_decrypt(struct aead_request *req)
  286. {
  287. struct crypto_aead *aead = crypto_aead_reqtfm(req);
  288. struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead);
  289. struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
  290. struct skcipher_request *skreq = &pctx->skreq;
  291. struct scatterlist *dst;
  292. unsigned int authsize = crypto_aead_authsize(aead);
  293. unsigned int cryptlen = req->cryptlen;
  294. u8 *authtag = pctx->auth_tag;
  295. u8 *odata = pctx->odata;
  296. u8 *iv = pctx->idata;
  297. int err;
  298. cryptlen -= authsize;
  299. err = crypto_ccm_init_crypt(req, authtag);
  300. if (err)
  301. return err;
  302. scatterwalk_map_and_copy(authtag, sg_next(pctx->src), cryptlen,
  303. authsize, 0);
  304. dst = pctx->src;
  305. if (req->src != req->dst)
  306. dst = pctx->dst;
  307. memcpy(iv, req->iv, 16);
  308. skcipher_request_set_tfm(skreq, ctx->ctr);
  309. skcipher_request_set_callback(skreq, pctx->flags,
  310. crypto_ccm_decrypt_done, req);
  311. skcipher_request_set_crypt(skreq, pctx->src, dst, cryptlen + 16, iv);
  312. err = crypto_skcipher_decrypt(skreq);
  313. if (err)
  314. return err;
  315. err = crypto_ccm_auth(req, sg_next(dst), cryptlen);
  316. if (err)
  317. return err;
  318. /* verify */
  319. if (crypto_memneq(authtag, odata, authsize))
  320. return -EBADMSG;
  321. return err;
  322. }
  323. static int crypto_ccm_init_tfm(struct crypto_aead *tfm)
  324. {
  325. struct aead_instance *inst = aead_alg_instance(tfm);
  326. struct ccm_instance_ctx *ictx = aead_instance_ctx(inst);
  327. struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm);
  328. struct crypto_ahash *mac;
  329. struct crypto_skcipher *ctr;
  330. unsigned long align;
  331. int err;
  332. mac = crypto_spawn_ahash(&ictx->mac);
  333. if (IS_ERR(mac))
  334. return PTR_ERR(mac);
  335. ctr = crypto_spawn_skcipher(&ictx->ctr);
  336. err = PTR_ERR(ctr);
  337. if (IS_ERR(ctr))
  338. goto err_free_mac;
  339. ctx->mac = mac;
  340. ctx->ctr = ctr;
  341. align = crypto_aead_alignmask(tfm);
  342. align &= ~(crypto_tfm_ctx_alignment() - 1);
  343. crypto_aead_set_reqsize(
  344. tfm,
  345. align + sizeof(struct crypto_ccm_req_priv_ctx) +
  346. max(crypto_ahash_reqsize(mac), crypto_skcipher_reqsize(ctr)));
  347. return 0;
  348. err_free_mac:
  349. crypto_free_ahash(mac);
  350. return err;
  351. }
  352. static void crypto_ccm_exit_tfm(struct crypto_aead *tfm)
  353. {
  354. struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm);
  355. crypto_free_ahash(ctx->mac);
  356. crypto_free_skcipher(ctx->ctr);
  357. }
  358. static void crypto_ccm_free(struct aead_instance *inst)
  359. {
  360. struct ccm_instance_ctx *ctx = aead_instance_ctx(inst);
  361. crypto_drop_ahash(&ctx->mac);
  362. crypto_drop_skcipher(&ctx->ctr);
  363. kfree(inst);
  364. }
  365. static int crypto_ccm_create_common(struct crypto_template *tmpl,
  366. struct rtattr **tb,
  367. const char *ctr_name,
  368. const char *mac_name)
  369. {
  370. struct skcipher_alg_common *ctr;
  371. u32 mask;
  372. struct aead_instance *inst;
  373. struct ccm_instance_ctx *ictx;
  374. struct hash_alg_common *mac;
  375. int err;
  376. err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AEAD, &mask);
  377. if (err)
  378. return err;
  379. inst = kzalloc(sizeof(*inst) + sizeof(*ictx), GFP_KERNEL);
  380. if (!inst)
  381. return -ENOMEM;
  382. ictx = aead_instance_ctx(inst);
  383. err = crypto_grab_ahash(&ictx->mac, aead_crypto_instance(inst),
  384. mac_name, 0, mask | CRYPTO_ALG_ASYNC);
  385. if (err)
  386. goto err_free_inst;
  387. mac = crypto_spawn_ahash_alg(&ictx->mac);
  388. err = -EINVAL;
  389. if (strncmp(mac->base.cra_name, "cbcmac(", 7) != 0 ||
  390. mac->digestsize != 16)
  391. goto err_free_inst;
  392. err = crypto_grab_skcipher(&ictx->ctr, aead_crypto_instance(inst),
  393. ctr_name, 0, mask);
  394. if (err)
  395. goto err_free_inst;
  396. ctr = crypto_spawn_skcipher_alg_common(&ictx->ctr);
  397. /* The skcipher algorithm must be CTR mode, using 16-byte blocks. */
  398. err = -EINVAL;
  399. if (strncmp(ctr->base.cra_name, "ctr(", 4) != 0 ||
  400. ctr->ivsize != 16 || ctr->base.cra_blocksize != 1)
  401. goto err_free_inst;
  402. /* ctr and cbcmac must use the same underlying block cipher. */
  403. if (strcmp(ctr->base.cra_name + 4, mac->base.cra_name + 7) != 0)
  404. goto err_free_inst;
  405. err = -ENAMETOOLONG;
  406. if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
  407. "ccm(%s", ctr->base.cra_name + 4) >= CRYPTO_MAX_ALG_NAME)
  408. goto err_free_inst;
  409. if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
  410. "ccm_base(%s,%s)", ctr->base.cra_driver_name,
  411. mac->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
  412. goto err_free_inst;
  413. inst->alg.base.cra_priority = (mac->base.cra_priority +
  414. ctr->base.cra_priority) / 2;
  415. inst->alg.base.cra_blocksize = 1;
  416. inst->alg.base.cra_alignmask = ctr->base.cra_alignmask;
  417. inst->alg.ivsize = 16;
  418. inst->alg.chunksize = ctr->chunksize;
  419. inst->alg.maxauthsize = 16;
  420. inst->alg.base.cra_ctxsize = sizeof(struct crypto_ccm_ctx);
  421. inst->alg.init = crypto_ccm_init_tfm;
  422. inst->alg.exit = crypto_ccm_exit_tfm;
  423. inst->alg.setkey = crypto_ccm_setkey;
  424. inst->alg.setauthsize = crypto_ccm_setauthsize;
  425. inst->alg.encrypt = crypto_ccm_encrypt;
  426. inst->alg.decrypt = crypto_ccm_decrypt;
  427. inst->free = crypto_ccm_free;
  428. err = aead_register_instance(tmpl, inst);
  429. if (err) {
  430. err_free_inst:
  431. crypto_ccm_free(inst);
  432. }
  433. return err;
  434. }
  435. static int crypto_ccm_create(struct crypto_template *tmpl, struct rtattr **tb)
  436. {
  437. const char *cipher_name;
  438. char ctr_name[CRYPTO_MAX_ALG_NAME];
  439. char mac_name[CRYPTO_MAX_ALG_NAME];
  440. cipher_name = crypto_attr_alg_name(tb[1]);
  441. if (IS_ERR(cipher_name))
  442. return PTR_ERR(cipher_name);
  443. if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)",
  444. cipher_name) >= CRYPTO_MAX_ALG_NAME)
  445. return -ENAMETOOLONG;
  446. if (snprintf(mac_name, CRYPTO_MAX_ALG_NAME, "cbcmac(%s)",
  447. cipher_name) >= CRYPTO_MAX_ALG_NAME)
  448. return -ENAMETOOLONG;
  449. return crypto_ccm_create_common(tmpl, tb, ctr_name, mac_name);
  450. }
  451. static int crypto_ccm_base_create(struct crypto_template *tmpl,
  452. struct rtattr **tb)
  453. {
  454. const char *ctr_name;
  455. const char *mac_name;
  456. ctr_name = crypto_attr_alg_name(tb[1]);
  457. if (IS_ERR(ctr_name))
  458. return PTR_ERR(ctr_name);
  459. mac_name = crypto_attr_alg_name(tb[2]);
  460. if (IS_ERR(mac_name))
  461. return PTR_ERR(mac_name);
  462. return crypto_ccm_create_common(tmpl, tb, ctr_name, mac_name);
  463. }
  464. static int crypto_rfc4309_setkey(struct crypto_aead *parent, const u8 *key,
  465. unsigned int keylen)
  466. {
  467. struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(parent);
  468. struct crypto_aead *child = ctx->child;
  469. if (keylen < 3)
  470. return -EINVAL;
  471. keylen -= 3;
  472. memcpy(ctx->nonce, key + keylen, 3);
  473. crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK);
  474. crypto_aead_set_flags(child, crypto_aead_get_flags(parent) &
  475. CRYPTO_TFM_REQ_MASK);
  476. return crypto_aead_setkey(child, key, keylen);
  477. }
  478. static int crypto_rfc4309_setauthsize(struct crypto_aead *parent,
  479. unsigned int authsize)
  480. {
  481. struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(parent);
  482. switch (authsize) {
  483. case 8:
  484. case 12:
  485. case 16:
  486. break;
  487. default:
  488. return -EINVAL;
  489. }
  490. return crypto_aead_setauthsize(ctx->child, authsize);
  491. }
  492. static struct aead_request *crypto_rfc4309_crypt(struct aead_request *req)
  493. {
  494. struct crypto_rfc4309_req_ctx *rctx = aead_request_ctx(req);
  495. struct aead_request *subreq = &rctx->subreq;
  496. struct crypto_aead *aead = crypto_aead_reqtfm(req);
  497. struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(aead);
  498. struct crypto_aead *child = ctx->child;
  499. struct scatterlist *sg;
  500. u8 *iv = PTR_ALIGN((u8 *)(subreq + 1) + crypto_aead_reqsize(child),
  501. crypto_aead_alignmask(child) + 1);
  502. /* L' */
  503. iv[0] = 3;
  504. memcpy(iv + 1, ctx->nonce, 3);
  505. memcpy(iv + 4, req->iv, 8);
  506. scatterwalk_map_and_copy(iv + 16, req->src, 0, req->assoclen - 8, 0);
  507. sg_init_table(rctx->src, 3);
  508. sg_set_buf(rctx->src, iv + 16, req->assoclen - 8);
  509. sg = scatterwalk_ffwd(rctx->src + 1, req->src, req->assoclen);
  510. if (sg != rctx->src + 1)
  511. sg_chain(rctx->src, 2, sg);
  512. if (req->src != req->dst) {
  513. sg_init_table(rctx->dst, 3);
  514. sg_set_buf(rctx->dst, iv + 16, req->assoclen - 8);
  515. sg = scatterwalk_ffwd(rctx->dst + 1, req->dst, req->assoclen);
  516. if (sg != rctx->dst + 1)
  517. sg_chain(rctx->dst, 2, sg);
  518. }
  519. aead_request_set_tfm(subreq, child);
  520. aead_request_set_callback(subreq, req->base.flags, req->base.complete,
  521. req->base.data);
  522. aead_request_set_crypt(subreq, rctx->src,
  523. req->src == req->dst ? rctx->src : rctx->dst,
  524. req->cryptlen, iv);
  525. aead_request_set_ad(subreq, req->assoclen - 8);
  526. return subreq;
  527. }
  528. static int crypto_rfc4309_encrypt(struct aead_request *req)
  529. {
  530. if (req->assoclen != 16 && req->assoclen != 20)
  531. return -EINVAL;
  532. req = crypto_rfc4309_crypt(req);
  533. return crypto_aead_encrypt(req);
  534. }
  535. static int crypto_rfc4309_decrypt(struct aead_request *req)
  536. {
  537. if (req->assoclen != 16 && req->assoclen != 20)
  538. return -EINVAL;
  539. req = crypto_rfc4309_crypt(req);
  540. return crypto_aead_decrypt(req);
  541. }
  542. static int crypto_rfc4309_init_tfm(struct crypto_aead *tfm)
  543. {
  544. struct aead_instance *inst = aead_alg_instance(tfm);
  545. struct crypto_aead_spawn *spawn = aead_instance_ctx(inst);
  546. struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(tfm);
  547. struct crypto_aead *aead;
  548. unsigned long align;
  549. aead = crypto_spawn_aead(spawn);
  550. if (IS_ERR(aead))
  551. return PTR_ERR(aead);
  552. ctx->child = aead;
  553. align = crypto_aead_alignmask(aead);
  554. align &= ~(crypto_tfm_ctx_alignment() - 1);
  555. crypto_aead_set_reqsize(
  556. tfm,
  557. sizeof(struct crypto_rfc4309_req_ctx) +
  558. ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) +
  559. align + 32);
  560. return 0;
  561. }
  562. static void crypto_rfc4309_exit_tfm(struct crypto_aead *tfm)
  563. {
  564. struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(tfm);
  565. crypto_free_aead(ctx->child);
  566. }
  567. static void crypto_rfc4309_free(struct aead_instance *inst)
  568. {
  569. crypto_drop_aead(aead_instance_ctx(inst));
  570. kfree(inst);
  571. }
  572. static int crypto_rfc4309_create(struct crypto_template *tmpl,
  573. struct rtattr **tb)
  574. {
  575. u32 mask;
  576. struct aead_instance *inst;
  577. struct crypto_aead_spawn *spawn;
  578. struct aead_alg *alg;
  579. int err;
  580. err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AEAD, &mask);
  581. if (err)
  582. return err;
  583. inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
  584. if (!inst)
  585. return -ENOMEM;
  586. spawn = aead_instance_ctx(inst);
  587. err = crypto_grab_aead(spawn, aead_crypto_instance(inst),
  588. crypto_attr_alg_name(tb[1]), 0, mask);
  589. if (err)
  590. goto err_free_inst;
  591. alg = crypto_spawn_aead_alg(spawn);
  592. err = -EINVAL;
  593. /* We only support 16-byte blocks. */
  594. if (crypto_aead_alg_ivsize(alg) != 16)
  595. goto err_free_inst;
  596. /* Not a stream cipher? */
  597. if (alg->base.cra_blocksize != 1)
  598. goto err_free_inst;
  599. err = -ENAMETOOLONG;
  600. if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
  601. "rfc4309(%s)", alg->base.cra_name) >=
  602. CRYPTO_MAX_ALG_NAME ||
  603. snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
  604. "rfc4309(%s)", alg->base.cra_driver_name) >=
  605. CRYPTO_MAX_ALG_NAME)
  606. goto err_free_inst;
  607. inst->alg.base.cra_priority = alg->base.cra_priority;
  608. inst->alg.base.cra_blocksize = 1;
  609. inst->alg.base.cra_alignmask = alg->base.cra_alignmask;
  610. inst->alg.ivsize = 8;
  611. inst->alg.chunksize = crypto_aead_alg_chunksize(alg);
  612. inst->alg.maxauthsize = 16;
  613. inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4309_ctx);
  614. inst->alg.init = crypto_rfc4309_init_tfm;
  615. inst->alg.exit = crypto_rfc4309_exit_tfm;
  616. inst->alg.setkey = crypto_rfc4309_setkey;
  617. inst->alg.setauthsize = crypto_rfc4309_setauthsize;
  618. inst->alg.encrypt = crypto_rfc4309_encrypt;
  619. inst->alg.decrypt = crypto_rfc4309_decrypt;
  620. inst->free = crypto_rfc4309_free;
  621. err = aead_register_instance(tmpl, inst);
  622. if (err) {
  623. err_free_inst:
  624. crypto_rfc4309_free(inst);
  625. }
  626. return err;
  627. }
  628. static int crypto_cbcmac_digest_setkey(struct crypto_shash *parent,
  629. const u8 *inkey, unsigned int keylen)
  630. {
  631. struct cbcmac_tfm_ctx *ctx = crypto_shash_ctx(parent);
  632. return crypto_cipher_setkey(ctx->child, inkey, keylen);
  633. }
  634. static int crypto_cbcmac_digest_init(struct shash_desc *pdesc)
  635. {
  636. int bs = crypto_shash_digestsize(pdesc->tfm);
  637. u8 *dg = shash_desc_ctx(pdesc);
  638. memset(dg, 0, bs);
  639. return 0;
  640. }
  641. static int crypto_cbcmac_digest_update(struct shash_desc *pdesc, const u8 *p,
  642. unsigned int len)
  643. {
  644. struct crypto_shash *parent = pdesc->tfm;
  645. struct cbcmac_tfm_ctx *tctx = crypto_shash_ctx(parent);
  646. struct crypto_cipher *tfm = tctx->child;
  647. int bs = crypto_shash_digestsize(parent);
  648. u8 *dg = shash_desc_ctx(pdesc);
  649. do {
  650. crypto_xor(dg, p, bs);
  651. crypto_cipher_encrypt_one(tfm, dg, dg);
  652. p += bs;
  653. len -= bs;
  654. } while (len >= bs);
  655. return len;
  656. }
  657. static int crypto_cbcmac_digest_finup(struct shash_desc *pdesc, const u8 *src,
  658. unsigned int len, u8 *out)
  659. {
  660. struct crypto_shash *parent = pdesc->tfm;
  661. struct cbcmac_tfm_ctx *tctx = crypto_shash_ctx(parent);
  662. struct crypto_cipher *tfm = tctx->child;
  663. int bs = crypto_shash_digestsize(parent);
  664. u8 *dg = shash_desc_ctx(pdesc);
  665. if (len) {
  666. crypto_xor(dg, src, len);
  667. crypto_cipher_encrypt_one(tfm, out, dg);
  668. return 0;
  669. }
  670. memcpy(out, dg, bs);
  671. return 0;
  672. }
  673. static int cbcmac_init_tfm(struct crypto_tfm *tfm)
  674. {
  675. struct crypto_cipher *cipher;
  676. struct crypto_instance *inst = (void *)tfm->__crt_alg;
  677. struct crypto_cipher_spawn *spawn = crypto_instance_ctx(inst);
  678. struct cbcmac_tfm_ctx *ctx = crypto_tfm_ctx(tfm);
  679. cipher = crypto_spawn_cipher(spawn);
  680. if (IS_ERR(cipher))
  681. return PTR_ERR(cipher);
  682. ctx->child = cipher;
  683. return 0;
  684. };
  685. static void cbcmac_exit_tfm(struct crypto_tfm *tfm)
  686. {
  687. struct cbcmac_tfm_ctx *ctx = crypto_tfm_ctx(tfm);
  688. crypto_free_cipher(ctx->child);
  689. }
  690. static int cbcmac_create(struct crypto_template *tmpl, struct rtattr **tb)
  691. {
  692. struct shash_instance *inst;
  693. struct crypto_cipher_spawn *spawn;
  694. struct crypto_alg *alg;
  695. u32 mask;
  696. int err;
  697. err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_SHASH, &mask);
  698. if (err)
  699. return err;
  700. inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
  701. if (!inst)
  702. return -ENOMEM;
  703. spawn = shash_instance_ctx(inst);
  704. err = crypto_grab_cipher(spawn, shash_crypto_instance(inst),
  705. crypto_attr_alg_name(tb[1]), 0, mask);
  706. if (err)
  707. goto err_free_inst;
  708. alg = crypto_spawn_cipher_alg(spawn);
  709. err = crypto_inst_setname(shash_crypto_instance(inst), tmpl->name, alg);
  710. if (err)
  711. goto err_free_inst;
  712. inst->alg.base.cra_priority = alg->cra_priority;
  713. inst->alg.base.cra_blocksize = alg->cra_blocksize;
  714. inst->alg.digestsize = alg->cra_blocksize;
  715. inst->alg.descsize = alg->cra_blocksize;
  716. inst->alg.base.cra_flags = CRYPTO_AHASH_ALG_BLOCK_ONLY;
  717. inst->alg.base.cra_ctxsize = sizeof(struct cbcmac_tfm_ctx);
  718. inst->alg.base.cra_init = cbcmac_init_tfm;
  719. inst->alg.base.cra_exit = cbcmac_exit_tfm;
  720. inst->alg.init = crypto_cbcmac_digest_init;
  721. inst->alg.update = crypto_cbcmac_digest_update;
  722. inst->alg.finup = crypto_cbcmac_digest_finup;
  723. inst->alg.setkey = crypto_cbcmac_digest_setkey;
  724. inst->free = shash_free_singlespawn_instance;
  725. err = shash_register_instance(tmpl, inst);
  726. if (err) {
  727. err_free_inst:
  728. shash_free_singlespawn_instance(inst);
  729. }
  730. return err;
  731. }
  732. static struct crypto_template crypto_ccm_tmpls[] = {
  733. {
  734. .name = "cbcmac",
  735. .create = cbcmac_create,
  736. .module = THIS_MODULE,
  737. }, {
  738. .name = "ccm_base",
  739. .create = crypto_ccm_base_create,
  740. .module = THIS_MODULE,
  741. }, {
  742. .name = "ccm",
  743. .create = crypto_ccm_create,
  744. .module = THIS_MODULE,
  745. }, {
  746. .name = "rfc4309",
  747. .create = crypto_rfc4309_create,
  748. .module = THIS_MODULE,
  749. },
  750. };
  751. static int __init crypto_ccm_module_init(void)
  752. {
  753. return crypto_register_templates(crypto_ccm_tmpls,
  754. ARRAY_SIZE(crypto_ccm_tmpls));
  755. }
  756. static void __exit crypto_ccm_module_exit(void)
  757. {
  758. crypto_unregister_templates(crypto_ccm_tmpls,
  759. ARRAY_SIZE(crypto_ccm_tmpls));
  760. }
  761. module_init(crypto_ccm_module_init);
  762. module_exit(crypto_ccm_module_exit);
  763. MODULE_LICENSE("GPL");
  764. MODULE_DESCRIPTION("Counter with CBC MAC");
  765. MODULE_ALIAS_CRYPTO("ccm_base");
  766. MODULE_ALIAS_CRYPTO("rfc4309");
  767. MODULE_ALIAS_CRYPTO("ccm");
  768. MODULE_ALIAS_CRYPTO("cbcmac");
  769. MODULE_IMPORT_NS("CRYPTO_INTERNAL");