1 /* 2 * Cryptographic API. 3 * 4 * s390 implementation of the GHASH algorithm for GCM (Galois/Counter Mode). 5 * 6 * Copyright IBM Corp. 2011 7 * Author(s): Gerald Schaefer <gerald.schaefer@de.ibm.com> 8 */ 9 10 #include <crypto/internal/hash.h> 11 #include <linux/module.h> 12 #include <linux/cpufeature.h> 13 14 #include "crypt_s390.h" 15 16 #define GHASH_BLOCK_SIZE 16 17 #define GHASH_DIGEST_SIZE 16 18 19 struct ghash_ctx { 20 u8 key[GHASH_BLOCK_SIZE]; 21 }; 22 23 struct ghash_desc_ctx { 24 u8 icv[GHASH_BLOCK_SIZE]; 25 u8 key[GHASH_BLOCK_SIZE]; 26 u8 buffer[GHASH_BLOCK_SIZE]; 27 u32 bytes; 28 }; 29 30 static int ghash_init(struct shash_desc *desc) 31 { 32 struct ghash_desc_ctx *dctx = shash_desc_ctx(desc); 33 struct ghash_ctx *ctx = crypto_shash_ctx(desc->tfm); 34 35 memset(dctx, 0, sizeof(*dctx)); 36 memcpy(dctx->key, ctx->key, GHASH_BLOCK_SIZE); 37 38 return 0; 39 } 40 41 static int ghash_setkey(struct crypto_shash *tfm, 42 const u8 *key, unsigned int keylen) 43 { 44 struct ghash_ctx *ctx = crypto_shash_ctx(tfm); 45 46 if (keylen != GHASH_BLOCK_SIZE) { 47 crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); 48 return -EINVAL; 49 } 50 51 memcpy(ctx->key, key, GHASH_BLOCK_SIZE); 52 53 return 0; 54 } 55 56 static int ghash_update(struct shash_desc *desc, 57 const u8 *src, unsigned int srclen) 58 { 59 struct ghash_desc_ctx *dctx = shash_desc_ctx(desc); 60 unsigned int n; 61 u8 *buf = dctx->buffer; 62 int ret; 63 64 if (dctx->bytes) { 65 u8 *pos = buf + (GHASH_BLOCK_SIZE - dctx->bytes); 66 67 n = min(srclen, dctx->bytes); 68 dctx->bytes -= n; 69 srclen -= n; 70 71 memcpy(pos, src, n); 72 src += n; 73 74 if (!dctx->bytes) { 75 ret = crypt_s390_kimd(KIMD_GHASH, dctx, buf, 76 GHASH_BLOCK_SIZE); 77 if (ret != GHASH_BLOCK_SIZE) 78 return -EIO; 79 } 80 } 81 82 n = srclen & ~(GHASH_BLOCK_SIZE - 1); 83 if (n) { 84 ret = crypt_s390_kimd(KIMD_GHASH, dctx, src, n); 85 if (ret != n) 86 return -EIO; 87 src += n; 88 srclen -= n; 89 } 90 91 if (srclen) { 92 dctx->bytes = GHASH_BLOCK_SIZE - srclen; 93 memcpy(buf, src, srclen); 94 } 95 96 return 0; 97 } 98 99 static int ghash_flush(struct ghash_desc_ctx *dctx) 100 { 101 u8 *buf = dctx->buffer; 102 int ret; 103 104 if (dctx->bytes) { 105 u8 *pos = buf + (GHASH_BLOCK_SIZE - dctx->bytes); 106 107 memset(pos, 0, dctx->bytes); 108 109 ret = crypt_s390_kimd(KIMD_GHASH, dctx, buf, GHASH_BLOCK_SIZE); 110 if (ret != GHASH_BLOCK_SIZE) 111 return -EIO; 112 113 dctx->bytes = 0; 114 } 115 116 return 0; 117 } 118 119 static int ghash_final(struct shash_desc *desc, u8 *dst) 120 { 121 struct ghash_desc_ctx *dctx = shash_desc_ctx(desc); 122 int ret; 123 124 ret = ghash_flush(dctx); 125 if (!ret) 126 memcpy(dst, dctx->icv, GHASH_BLOCK_SIZE); 127 return ret; 128 } 129 130 static struct shash_alg ghash_alg = { 131 .digestsize = GHASH_DIGEST_SIZE, 132 .init = ghash_init, 133 .update = ghash_update, 134 .final = ghash_final, 135 .setkey = ghash_setkey, 136 .descsize = sizeof(struct ghash_desc_ctx), 137 .base = { 138 .cra_name = "ghash", 139 .cra_driver_name = "ghash-s390", 140 .cra_priority = CRYPT_S390_PRIORITY, 141 .cra_flags = CRYPTO_ALG_TYPE_SHASH, 142 .cra_blocksize = GHASH_BLOCK_SIZE, 143 .cra_ctxsize = sizeof(struct ghash_ctx), 144 .cra_module = THIS_MODULE, 145 }, 146 }; 147 148 static int __init ghash_mod_init(void) 149 { 150 if (!crypt_s390_func_available(KIMD_GHASH, 151 CRYPT_S390_MSA | CRYPT_S390_MSA4)) 152 return -EOPNOTSUPP; 153 154 return crypto_register_shash(&ghash_alg); 155 } 156 157 static void __exit ghash_mod_exit(void) 158 { 159 crypto_unregister_shash(&ghash_alg); 160 } 161 162 module_cpu_feature_match(MSA, ghash_mod_init); 163 module_exit(ghash_mod_exit); 164 165 MODULE_ALIAS_CRYPTO("ghash"); 166 167 MODULE_LICENSE("GPL"); 168 MODULE_DESCRIPTION("GHASH Message Digest Algorithm, s390 implementation"); 169