xref: /openbmc/linux/crypto/ccm.c (revision 2fa5ebe3)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * CCM: Counter with CBC-MAC
4  *
5  * (C) Copyright IBM Corp. 2007 - Joy Latten <latten@us.ibm.com>
6  */
7 
8 #include <crypto/internal/aead.h>
9 #include <crypto/internal/cipher.h>
10 #include <crypto/internal/hash.h>
11 #include <crypto/internal/skcipher.h>
12 #include <crypto/scatterwalk.h>
13 #include <linux/err.h>
14 #include <linux/init.h>
15 #include <linux/kernel.h>
16 #include <linux/module.h>
17 #include <linux/slab.h>
18 
19 struct ccm_instance_ctx {
20 	struct crypto_skcipher_spawn ctr;
21 	struct crypto_ahash_spawn mac;
22 };
23 
24 struct crypto_ccm_ctx {
25 	struct crypto_ahash *mac;
26 	struct crypto_skcipher *ctr;
27 };
28 
29 struct crypto_rfc4309_ctx {
30 	struct crypto_aead *child;
31 	u8 nonce[3];
32 };
33 
34 struct crypto_rfc4309_req_ctx {
35 	struct scatterlist src[3];
36 	struct scatterlist dst[3];
37 	struct aead_request subreq;
38 };
39 
40 struct crypto_ccm_req_priv_ctx {
41 	u8 odata[16];
42 	u8 idata[16];
43 	u8 auth_tag[16];
44 	u32 flags;
45 	struct scatterlist src[3];
46 	struct scatterlist dst[3];
47 	union {
48 		struct ahash_request ahreq;
49 		struct skcipher_request skreq;
50 	};
51 };
52 
53 struct cbcmac_tfm_ctx {
54 	struct crypto_cipher *child;
55 };
56 
57 struct cbcmac_desc_ctx {
58 	unsigned int len;
59 };
60 
61 static inline struct crypto_ccm_req_priv_ctx *crypto_ccm_reqctx(
62 	struct aead_request *req)
63 {
64 	unsigned long align = crypto_aead_alignmask(crypto_aead_reqtfm(req));
65 
66 	return (void *)PTR_ALIGN((u8 *)aead_request_ctx(req), align + 1);
67 }
68 
69 static int set_msg_len(u8 *block, unsigned int msglen, int csize)
70 {
71 	__be32 data;
72 
73 	memset(block, 0, csize);
74 	block += csize;
75 
76 	if (csize >= 4)
77 		csize = 4;
78 	else if (msglen > (1 << (8 * csize)))
79 		return -EOVERFLOW;
80 
81 	data = cpu_to_be32(msglen);
82 	memcpy(block - csize, (u8 *)&data + 4 - csize, csize);
83 
84 	return 0;
85 }
86 
87 static int crypto_ccm_setkey(struct crypto_aead *aead, const u8 *key,
88 			     unsigned int keylen)
89 {
90 	struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead);
91 	struct crypto_skcipher *ctr = ctx->ctr;
92 	struct crypto_ahash *mac = ctx->mac;
93 	int err;
94 
95 	crypto_skcipher_clear_flags(ctr, CRYPTO_TFM_REQ_MASK);
96 	crypto_skcipher_set_flags(ctr, crypto_aead_get_flags(aead) &
97 				       CRYPTO_TFM_REQ_MASK);
98 	err = crypto_skcipher_setkey(ctr, key, keylen);
99 	if (err)
100 		return err;
101 
102 	crypto_ahash_clear_flags(mac, CRYPTO_TFM_REQ_MASK);
103 	crypto_ahash_set_flags(mac, crypto_aead_get_flags(aead) &
104 				    CRYPTO_TFM_REQ_MASK);
105 	return crypto_ahash_setkey(mac, key, keylen);
106 }
107 
108 static int crypto_ccm_setauthsize(struct crypto_aead *tfm,
109 				  unsigned int authsize)
110 {
111 	switch (authsize) {
112 	case 4:
113 	case 6:
114 	case 8:
115 	case 10:
116 	case 12:
117 	case 14:
118 	case 16:
119 		break;
120 	default:
121 		return -EINVAL;
122 	}
123 
124 	return 0;
125 }
126 
127 static int format_input(u8 *info, struct aead_request *req,
128 			unsigned int cryptlen)
129 {
130 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
131 	unsigned int lp = req->iv[0];
132 	unsigned int l = lp + 1;
133 	unsigned int m;
134 
135 	m = crypto_aead_authsize(aead);
136 
137 	memcpy(info, req->iv, 16);
138 
139 	/* format control info per RFC 3610 and
140 	 * NIST Special Publication 800-38C
141 	 */
142 	*info |= (8 * ((m - 2) / 2));
143 	if (req->assoclen)
144 		*info |= 64;
145 
146 	return set_msg_len(info + 16 - l, cryptlen, l);
147 }
148 
149 static int format_adata(u8 *adata, unsigned int a)
150 {
151 	int len = 0;
152 
153 	/* add control info for associated data
154 	 * RFC 3610 and NIST Special Publication 800-38C
155 	 */
156 	if (a < 65280) {
157 		*(__be16 *)adata = cpu_to_be16(a);
158 		len = 2;
159 	} else  {
160 		*(__be16 *)adata = cpu_to_be16(0xfffe);
161 		*(__be32 *)&adata[2] = cpu_to_be32(a);
162 		len = 6;
163 	}
164 
165 	return len;
166 }
167 
168 static int crypto_ccm_auth(struct aead_request *req, struct scatterlist *plain,
169 			   unsigned int cryptlen)
170 {
171 	struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
172 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
173 	struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead);
174 	struct ahash_request *ahreq = &pctx->ahreq;
175 	unsigned int assoclen = req->assoclen;
176 	struct scatterlist sg[3];
177 	u8 *odata = pctx->odata;
178 	u8 *idata = pctx->idata;
179 	int ilen, err;
180 
181 	/* format control data for input */
182 	err = format_input(odata, req, cryptlen);
183 	if (err)
184 		goto out;
185 
186 	sg_init_table(sg, 3);
187 	sg_set_buf(&sg[0], odata, 16);
188 
189 	/* format associated data and compute into mac */
190 	if (assoclen) {
191 		ilen = format_adata(idata, assoclen);
192 		sg_set_buf(&sg[1], idata, ilen);
193 		sg_chain(sg, 3, req->src);
194 	} else {
195 		ilen = 0;
196 		sg_chain(sg, 2, req->src);
197 	}
198 
199 	ahash_request_set_tfm(ahreq, ctx->mac);
200 	ahash_request_set_callback(ahreq, pctx->flags, NULL, NULL);
201 	ahash_request_set_crypt(ahreq, sg, NULL, assoclen + ilen + 16);
202 	err = crypto_ahash_init(ahreq);
203 	if (err)
204 		goto out;
205 	err = crypto_ahash_update(ahreq);
206 	if (err)
207 		goto out;
208 
209 	/* we need to pad the MAC input to a round multiple of the block size */
210 	ilen = 16 - (assoclen + ilen) % 16;
211 	if (ilen < 16) {
212 		memset(idata, 0, ilen);
213 		sg_init_table(sg, 2);
214 		sg_set_buf(&sg[0], idata, ilen);
215 		if (plain)
216 			sg_chain(sg, 2, plain);
217 		plain = sg;
218 		cryptlen += ilen;
219 	}
220 
221 	ahash_request_set_crypt(ahreq, plain, odata, cryptlen);
222 	err = crypto_ahash_finup(ahreq);
223 out:
224 	return err;
225 }
226 
227 static void crypto_ccm_encrypt_done(void *data, int err)
228 {
229 	struct aead_request *req = data;
230 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
231 	struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
232 	u8 *odata = pctx->odata;
233 
234 	if (!err)
235 		scatterwalk_map_and_copy(odata, req->dst,
236 					 req->assoclen + req->cryptlen,
237 					 crypto_aead_authsize(aead), 1);
238 	aead_request_complete(req, err);
239 }
240 
241 static inline int crypto_ccm_check_iv(const u8 *iv)
242 {
243 	/* 2 <= L <= 8, so 1 <= L' <= 7. */
244 	if (1 > iv[0] || iv[0] > 7)
245 		return -EINVAL;
246 
247 	return 0;
248 }
249 
250 static int crypto_ccm_init_crypt(struct aead_request *req, u8 *tag)
251 {
252 	struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
253 	struct scatterlist *sg;
254 	u8 *iv = req->iv;
255 	int err;
256 
257 	err = crypto_ccm_check_iv(iv);
258 	if (err)
259 		return err;
260 
261 	pctx->flags = aead_request_flags(req);
262 
263 	 /* Note: rfc 3610 and NIST 800-38C require counter of
264 	 * zero to encrypt auth tag.
265 	 */
266 	memset(iv + 15 - iv[0], 0, iv[0] + 1);
267 
268 	sg_init_table(pctx->src, 3);
269 	sg_set_buf(pctx->src, tag, 16);
270 	sg = scatterwalk_ffwd(pctx->src + 1, req->src, req->assoclen);
271 	if (sg != pctx->src + 1)
272 		sg_chain(pctx->src, 2, sg);
273 
274 	if (req->src != req->dst) {
275 		sg_init_table(pctx->dst, 3);
276 		sg_set_buf(pctx->dst, tag, 16);
277 		sg = scatterwalk_ffwd(pctx->dst + 1, req->dst, req->assoclen);
278 		if (sg != pctx->dst + 1)
279 			sg_chain(pctx->dst, 2, sg);
280 	}
281 
282 	return 0;
283 }
284 
285 static int crypto_ccm_encrypt(struct aead_request *req)
286 {
287 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
288 	struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead);
289 	struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
290 	struct skcipher_request *skreq = &pctx->skreq;
291 	struct scatterlist *dst;
292 	unsigned int cryptlen = req->cryptlen;
293 	u8 *odata = pctx->odata;
294 	u8 *iv = req->iv;
295 	int err;
296 
297 	err = crypto_ccm_init_crypt(req, odata);
298 	if (err)
299 		return err;
300 
301 	err = crypto_ccm_auth(req, sg_next(pctx->src), cryptlen);
302 	if (err)
303 		return err;
304 
305 	dst = pctx->src;
306 	if (req->src != req->dst)
307 		dst = pctx->dst;
308 
309 	skcipher_request_set_tfm(skreq, ctx->ctr);
310 	skcipher_request_set_callback(skreq, pctx->flags,
311 				      crypto_ccm_encrypt_done, req);
312 	skcipher_request_set_crypt(skreq, pctx->src, dst, cryptlen + 16, iv);
313 	err = crypto_skcipher_encrypt(skreq);
314 	if (err)
315 		return err;
316 
317 	/* copy authtag to end of dst */
318 	scatterwalk_map_and_copy(odata, sg_next(dst), cryptlen,
319 				 crypto_aead_authsize(aead), 1);
320 	return err;
321 }
322 
323 static void crypto_ccm_decrypt_done(void *data, int err)
324 {
325 	struct aead_request *req = data;
326 	struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
327 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
328 	unsigned int authsize = crypto_aead_authsize(aead);
329 	unsigned int cryptlen = req->cryptlen - authsize;
330 	struct scatterlist *dst;
331 
332 	pctx->flags = 0;
333 
334 	dst = sg_next(req->src == req->dst ? pctx->src : pctx->dst);
335 
336 	if (!err) {
337 		err = crypto_ccm_auth(req, dst, cryptlen);
338 		if (!err && crypto_memneq(pctx->auth_tag, pctx->odata, authsize))
339 			err = -EBADMSG;
340 	}
341 	aead_request_complete(req, err);
342 }
343 
344 static int crypto_ccm_decrypt(struct aead_request *req)
345 {
346 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
347 	struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead);
348 	struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
349 	struct skcipher_request *skreq = &pctx->skreq;
350 	struct scatterlist *dst;
351 	unsigned int authsize = crypto_aead_authsize(aead);
352 	unsigned int cryptlen = req->cryptlen;
353 	u8 *authtag = pctx->auth_tag;
354 	u8 *odata = pctx->odata;
355 	u8 *iv = pctx->idata;
356 	int err;
357 
358 	cryptlen -= authsize;
359 
360 	err = crypto_ccm_init_crypt(req, authtag);
361 	if (err)
362 		return err;
363 
364 	scatterwalk_map_and_copy(authtag, sg_next(pctx->src), cryptlen,
365 				 authsize, 0);
366 
367 	dst = pctx->src;
368 	if (req->src != req->dst)
369 		dst = pctx->dst;
370 
371 	memcpy(iv, req->iv, 16);
372 
373 	skcipher_request_set_tfm(skreq, ctx->ctr);
374 	skcipher_request_set_callback(skreq, pctx->flags,
375 				      crypto_ccm_decrypt_done, req);
376 	skcipher_request_set_crypt(skreq, pctx->src, dst, cryptlen + 16, iv);
377 	err = crypto_skcipher_decrypt(skreq);
378 	if (err)
379 		return err;
380 
381 	err = crypto_ccm_auth(req, sg_next(dst), cryptlen);
382 	if (err)
383 		return err;
384 
385 	/* verify */
386 	if (crypto_memneq(authtag, odata, authsize))
387 		return -EBADMSG;
388 
389 	return err;
390 }
391 
392 static int crypto_ccm_init_tfm(struct crypto_aead *tfm)
393 {
394 	struct aead_instance *inst = aead_alg_instance(tfm);
395 	struct ccm_instance_ctx *ictx = aead_instance_ctx(inst);
396 	struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm);
397 	struct crypto_ahash *mac;
398 	struct crypto_skcipher *ctr;
399 	unsigned long align;
400 	int err;
401 
402 	mac = crypto_spawn_ahash(&ictx->mac);
403 	if (IS_ERR(mac))
404 		return PTR_ERR(mac);
405 
406 	ctr = crypto_spawn_skcipher(&ictx->ctr);
407 	err = PTR_ERR(ctr);
408 	if (IS_ERR(ctr))
409 		goto err_free_mac;
410 
411 	ctx->mac = mac;
412 	ctx->ctr = ctr;
413 
414 	align = crypto_aead_alignmask(tfm);
415 	align &= ~(crypto_tfm_ctx_alignment() - 1);
416 	crypto_aead_set_reqsize(
417 		tfm,
418 		align + sizeof(struct crypto_ccm_req_priv_ctx) +
419 		max(crypto_ahash_reqsize(mac), crypto_skcipher_reqsize(ctr)));
420 
421 	return 0;
422 
423 err_free_mac:
424 	crypto_free_ahash(mac);
425 	return err;
426 }
427 
428 static void crypto_ccm_exit_tfm(struct crypto_aead *tfm)
429 {
430 	struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm);
431 
432 	crypto_free_ahash(ctx->mac);
433 	crypto_free_skcipher(ctx->ctr);
434 }
435 
436 static void crypto_ccm_free(struct aead_instance *inst)
437 {
438 	struct ccm_instance_ctx *ctx = aead_instance_ctx(inst);
439 
440 	crypto_drop_ahash(&ctx->mac);
441 	crypto_drop_skcipher(&ctx->ctr);
442 	kfree(inst);
443 }
444 
445 static int crypto_ccm_create_common(struct crypto_template *tmpl,
446 				    struct rtattr **tb,
447 				    const char *ctr_name,
448 				    const char *mac_name)
449 {
450 	u32 mask;
451 	struct aead_instance *inst;
452 	struct ccm_instance_ctx *ictx;
453 	struct skcipher_alg *ctr;
454 	struct hash_alg_common *mac;
455 	int err;
456 
457 	err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AEAD, &mask);
458 	if (err)
459 		return err;
460 
461 	inst = kzalloc(sizeof(*inst) + sizeof(*ictx), GFP_KERNEL);
462 	if (!inst)
463 		return -ENOMEM;
464 	ictx = aead_instance_ctx(inst);
465 
466 	err = crypto_grab_ahash(&ictx->mac, aead_crypto_instance(inst),
467 				mac_name, 0, mask | CRYPTO_ALG_ASYNC);
468 	if (err)
469 		goto err_free_inst;
470 	mac = crypto_spawn_ahash_alg(&ictx->mac);
471 
472 	err = -EINVAL;
473 	if (strncmp(mac->base.cra_name, "cbcmac(", 7) != 0 ||
474 	    mac->digestsize != 16)
475 		goto err_free_inst;
476 
477 	err = crypto_grab_skcipher(&ictx->ctr, aead_crypto_instance(inst),
478 				   ctr_name, 0, mask);
479 	if (err)
480 		goto err_free_inst;
481 	ctr = crypto_spawn_skcipher_alg(&ictx->ctr);
482 
483 	/* The skcipher algorithm must be CTR mode, using 16-byte blocks. */
484 	err = -EINVAL;
485 	if (strncmp(ctr->base.cra_name, "ctr(", 4) != 0 ||
486 	    crypto_skcipher_alg_ivsize(ctr) != 16 ||
487 	    ctr->base.cra_blocksize != 1)
488 		goto err_free_inst;
489 
490 	/* ctr and cbcmac must use the same underlying block cipher. */
491 	if (strcmp(ctr->base.cra_name + 4, mac->base.cra_name + 7) != 0)
492 		goto err_free_inst;
493 
494 	err = -ENAMETOOLONG;
495 	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
496 		     "ccm(%s", ctr->base.cra_name + 4) >= CRYPTO_MAX_ALG_NAME)
497 		goto err_free_inst;
498 
499 	if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
500 		     "ccm_base(%s,%s)", ctr->base.cra_driver_name,
501 		     mac->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
502 		goto err_free_inst;
503 
504 	inst->alg.base.cra_priority = (mac->base.cra_priority +
505 				       ctr->base.cra_priority) / 2;
506 	inst->alg.base.cra_blocksize = 1;
507 	inst->alg.base.cra_alignmask = mac->base.cra_alignmask |
508 				       ctr->base.cra_alignmask;
509 	inst->alg.ivsize = 16;
510 	inst->alg.chunksize = crypto_skcipher_alg_chunksize(ctr);
511 	inst->alg.maxauthsize = 16;
512 	inst->alg.base.cra_ctxsize = sizeof(struct crypto_ccm_ctx);
513 	inst->alg.init = crypto_ccm_init_tfm;
514 	inst->alg.exit = crypto_ccm_exit_tfm;
515 	inst->alg.setkey = crypto_ccm_setkey;
516 	inst->alg.setauthsize = crypto_ccm_setauthsize;
517 	inst->alg.encrypt = crypto_ccm_encrypt;
518 	inst->alg.decrypt = crypto_ccm_decrypt;
519 
520 	inst->free = crypto_ccm_free;
521 
522 	err = aead_register_instance(tmpl, inst);
523 	if (err) {
524 err_free_inst:
525 		crypto_ccm_free(inst);
526 	}
527 	return err;
528 }
529 
530 static int crypto_ccm_create(struct crypto_template *tmpl, struct rtattr **tb)
531 {
532 	const char *cipher_name;
533 	char ctr_name[CRYPTO_MAX_ALG_NAME];
534 	char mac_name[CRYPTO_MAX_ALG_NAME];
535 
536 	cipher_name = crypto_attr_alg_name(tb[1]);
537 	if (IS_ERR(cipher_name))
538 		return PTR_ERR(cipher_name);
539 
540 	if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)",
541 		     cipher_name) >= CRYPTO_MAX_ALG_NAME)
542 		return -ENAMETOOLONG;
543 
544 	if (snprintf(mac_name, CRYPTO_MAX_ALG_NAME, "cbcmac(%s)",
545 		     cipher_name) >= CRYPTO_MAX_ALG_NAME)
546 		return -ENAMETOOLONG;
547 
548 	return crypto_ccm_create_common(tmpl, tb, ctr_name, mac_name);
549 }
550 
551 static int crypto_ccm_base_create(struct crypto_template *tmpl,
552 				  struct rtattr **tb)
553 {
554 	const char *ctr_name;
555 	const char *mac_name;
556 
557 	ctr_name = crypto_attr_alg_name(tb[1]);
558 	if (IS_ERR(ctr_name))
559 		return PTR_ERR(ctr_name);
560 
561 	mac_name = crypto_attr_alg_name(tb[2]);
562 	if (IS_ERR(mac_name))
563 		return PTR_ERR(mac_name);
564 
565 	return crypto_ccm_create_common(tmpl, tb, ctr_name, mac_name);
566 }
567 
568 static int crypto_rfc4309_setkey(struct crypto_aead *parent, const u8 *key,
569 				 unsigned int keylen)
570 {
571 	struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(parent);
572 	struct crypto_aead *child = ctx->child;
573 
574 	if (keylen < 3)
575 		return -EINVAL;
576 
577 	keylen -= 3;
578 	memcpy(ctx->nonce, key + keylen, 3);
579 
580 	crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK);
581 	crypto_aead_set_flags(child, crypto_aead_get_flags(parent) &
582 				     CRYPTO_TFM_REQ_MASK);
583 	return crypto_aead_setkey(child, key, keylen);
584 }
585 
586 static int crypto_rfc4309_setauthsize(struct crypto_aead *parent,
587 				      unsigned int authsize)
588 {
589 	struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(parent);
590 
591 	switch (authsize) {
592 	case 8:
593 	case 12:
594 	case 16:
595 		break;
596 	default:
597 		return -EINVAL;
598 	}
599 
600 	return crypto_aead_setauthsize(ctx->child, authsize);
601 }
602 
603 static struct aead_request *crypto_rfc4309_crypt(struct aead_request *req)
604 {
605 	struct crypto_rfc4309_req_ctx *rctx = aead_request_ctx(req);
606 	struct aead_request *subreq = &rctx->subreq;
607 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
608 	struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(aead);
609 	struct crypto_aead *child = ctx->child;
610 	struct scatterlist *sg;
611 	u8 *iv = PTR_ALIGN((u8 *)(subreq + 1) + crypto_aead_reqsize(child),
612 			   crypto_aead_alignmask(child) + 1);
613 
614 	/* L' */
615 	iv[0] = 3;
616 
617 	memcpy(iv + 1, ctx->nonce, 3);
618 	memcpy(iv + 4, req->iv, 8);
619 
620 	scatterwalk_map_and_copy(iv + 16, req->src, 0, req->assoclen - 8, 0);
621 
622 	sg_init_table(rctx->src, 3);
623 	sg_set_buf(rctx->src, iv + 16, req->assoclen - 8);
624 	sg = scatterwalk_ffwd(rctx->src + 1, req->src, req->assoclen);
625 	if (sg != rctx->src + 1)
626 		sg_chain(rctx->src, 2, sg);
627 
628 	if (req->src != req->dst) {
629 		sg_init_table(rctx->dst, 3);
630 		sg_set_buf(rctx->dst, iv + 16, req->assoclen - 8);
631 		sg = scatterwalk_ffwd(rctx->dst + 1, req->dst, req->assoclen);
632 		if (sg != rctx->dst + 1)
633 			sg_chain(rctx->dst, 2, sg);
634 	}
635 
636 	aead_request_set_tfm(subreq, child);
637 	aead_request_set_callback(subreq, req->base.flags, req->base.complete,
638 				  req->base.data);
639 	aead_request_set_crypt(subreq, rctx->src,
640 			       req->src == req->dst ? rctx->src : rctx->dst,
641 			       req->cryptlen, iv);
642 	aead_request_set_ad(subreq, req->assoclen - 8);
643 
644 	return subreq;
645 }
646 
647 static int crypto_rfc4309_encrypt(struct aead_request *req)
648 {
649 	if (req->assoclen != 16 && req->assoclen != 20)
650 		return -EINVAL;
651 
652 	req = crypto_rfc4309_crypt(req);
653 
654 	return crypto_aead_encrypt(req);
655 }
656 
657 static int crypto_rfc4309_decrypt(struct aead_request *req)
658 {
659 	if (req->assoclen != 16 && req->assoclen != 20)
660 		return -EINVAL;
661 
662 	req = crypto_rfc4309_crypt(req);
663 
664 	return crypto_aead_decrypt(req);
665 }
666 
667 static int crypto_rfc4309_init_tfm(struct crypto_aead *tfm)
668 {
669 	struct aead_instance *inst = aead_alg_instance(tfm);
670 	struct crypto_aead_spawn *spawn = aead_instance_ctx(inst);
671 	struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(tfm);
672 	struct crypto_aead *aead;
673 	unsigned long align;
674 
675 	aead = crypto_spawn_aead(spawn);
676 	if (IS_ERR(aead))
677 		return PTR_ERR(aead);
678 
679 	ctx->child = aead;
680 
681 	align = crypto_aead_alignmask(aead);
682 	align &= ~(crypto_tfm_ctx_alignment() - 1);
683 	crypto_aead_set_reqsize(
684 		tfm,
685 		sizeof(struct crypto_rfc4309_req_ctx) +
686 		ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) +
687 		align + 32);
688 
689 	return 0;
690 }
691 
692 static void crypto_rfc4309_exit_tfm(struct crypto_aead *tfm)
693 {
694 	struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(tfm);
695 
696 	crypto_free_aead(ctx->child);
697 }
698 
699 static void crypto_rfc4309_free(struct aead_instance *inst)
700 {
701 	crypto_drop_aead(aead_instance_ctx(inst));
702 	kfree(inst);
703 }
704 
705 static int crypto_rfc4309_create(struct crypto_template *tmpl,
706 				 struct rtattr **tb)
707 {
708 	u32 mask;
709 	struct aead_instance *inst;
710 	struct crypto_aead_spawn *spawn;
711 	struct aead_alg *alg;
712 	int err;
713 
714 	err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AEAD, &mask);
715 	if (err)
716 		return err;
717 
718 	inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
719 	if (!inst)
720 		return -ENOMEM;
721 
722 	spawn = aead_instance_ctx(inst);
723 	err = crypto_grab_aead(spawn, aead_crypto_instance(inst),
724 			       crypto_attr_alg_name(tb[1]), 0, mask);
725 	if (err)
726 		goto err_free_inst;
727 
728 	alg = crypto_spawn_aead_alg(spawn);
729 
730 	err = -EINVAL;
731 
732 	/* We only support 16-byte blocks. */
733 	if (crypto_aead_alg_ivsize(alg) != 16)
734 		goto err_free_inst;
735 
736 	/* Not a stream cipher? */
737 	if (alg->base.cra_blocksize != 1)
738 		goto err_free_inst;
739 
740 	err = -ENAMETOOLONG;
741 	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
742 		     "rfc4309(%s)", alg->base.cra_name) >=
743 	    CRYPTO_MAX_ALG_NAME ||
744 	    snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
745 		     "rfc4309(%s)", alg->base.cra_driver_name) >=
746 	    CRYPTO_MAX_ALG_NAME)
747 		goto err_free_inst;
748 
749 	inst->alg.base.cra_priority = alg->base.cra_priority;
750 	inst->alg.base.cra_blocksize = 1;
751 	inst->alg.base.cra_alignmask = alg->base.cra_alignmask;
752 
753 	inst->alg.ivsize = 8;
754 	inst->alg.chunksize = crypto_aead_alg_chunksize(alg);
755 	inst->alg.maxauthsize = 16;
756 
757 	inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4309_ctx);
758 
759 	inst->alg.init = crypto_rfc4309_init_tfm;
760 	inst->alg.exit = crypto_rfc4309_exit_tfm;
761 
762 	inst->alg.setkey = crypto_rfc4309_setkey;
763 	inst->alg.setauthsize = crypto_rfc4309_setauthsize;
764 	inst->alg.encrypt = crypto_rfc4309_encrypt;
765 	inst->alg.decrypt = crypto_rfc4309_decrypt;
766 
767 	inst->free = crypto_rfc4309_free;
768 
769 	err = aead_register_instance(tmpl, inst);
770 	if (err) {
771 err_free_inst:
772 		crypto_rfc4309_free(inst);
773 	}
774 	return err;
775 }
776 
777 static int crypto_cbcmac_digest_setkey(struct crypto_shash *parent,
778 				     const u8 *inkey, unsigned int keylen)
779 {
780 	struct cbcmac_tfm_ctx *ctx = crypto_shash_ctx(parent);
781 
782 	return crypto_cipher_setkey(ctx->child, inkey, keylen);
783 }
784 
785 static int crypto_cbcmac_digest_init(struct shash_desc *pdesc)
786 {
787 	struct cbcmac_desc_ctx *ctx = shash_desc_ctx(pdesc);
788 	int bs = crypto_shash_digestsize(pdesc->tfm);
789 	u8 *dg = (u8 *)ctx + crypto_shash_descsize(pdesc->tfm) - bs;
790 
791 	ctx->len = 0;
792 	memset(dg, 0, bs);
793 
794 	return 0;
795 }
796 
797 static int crypto_cbcmac_digest_update(struct shash_desc *pdesc, const u8 *p,
798 				       unsigned int len)
799 {
800 	struct crypto_shash *parent = pdesc->tfm;
801 	struct cbcmac_tfm_ctx *tctx = crypto_shash_ctx(parent);
802 	struct cbcmac_desc_ctx *ctx = shash_desc_ctx(pdesc);
803 	struct crypto_cipher *tfm = tctx->child;
804 	int bs = crypto_shash_digestsize(parent);
805 	u8 *dg = (u8 *)ctx + crypto_shash_descsize(parent) - bs;
806 
807 	while (len > 0) {
808 		unsigned int l = min(len, bs - ctx->len);
809 
810 		crypto_xor(dg + ctx->len, p, l);
811 		ctx->len +=l;
812 		len -= l;
813 		p += l;
814 
815 		if (ctx->len == bs) {
816 			crypto_cipher_encrypt_one(tfm, dg, dg);
817 			ctx->len = 0;
818 		}
819 	}
820 
821 	return 0;
822 }
823 
824 static int crypto_cbcmac_digest_final(struct shash_desc *pdesc, u8 *out)
825 {
826 	struct crypto_shash *parent = pdesc->tfm;
827 	struct cbcmac_tfm_ctx *tctx = crypto_shash_ctx(parent);
828 	struct cbcmac_desc_ctx *ctx = shash_desc_ctx(pdesc);
829 	struct crypto_cipher *tfm = tctx->child;
830 	int bs = crypto_shash_digestsize(parent);
831 	u8 *dg = (u8 *)ctx + crypto_shash_descsize(parent) - bs;
832 
833 	if (ctx->len)
834 		crypto_cipher_encrypt_one(tfm, dg, dg);
835 
836 	memcpy(out, dg, bs);
837 	return 0;
838 }
839 
840 static int cbcmac_init_tfm(struct crypto_tfm *tfm)
841 {
842 	struct crypto_cipher *cipher;
843 	struct crypto_instance *inst = (void *)tfm->__crt_alg;
844 	struct crypto_cipher_spawn *spawn = crypto_instance_ctx(inst);
845 	struct cbcmac_tfm_ctx *ctx = crypto_tfm_ctx(tfm);
846 
847 	cipher = crypto_spawn_cipher(spawn);
848 	if (IS_ERR(cipher))
849 		return PTR_ERR(cipher);
850 
851 	ctx->child = cipher;
852 
853 	return 0;
854 };
855 
856 static void cbcmac_exit_tfm(struct crypto_tfm *tfm)
857 {
858 	struct cbcmac_tfm_ctx *ctx = crypto_tfm_ctx(tfm);
859 	crypto_free_cipher(ctx->child);
860 }
861 
862 static int cbcmac_create(struct crypto_template *tmpl, struct rtattr **tb)
863 {
864 	struct shash_instance *inst;
865 	struct crypto_cipher_spawn *spawn;
866 	struct crypto_alg *alg;
867 	u32 mask;
868 	int err;
869 
870 	err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_SHASH, &mask);
871 	if (err)
872 		return err;
873 
874 	inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
875 	if (!inst)
876 		return -ENOMEM;
877 	spawn = shash_instance_ctx(inst);
878 
879 	err = crypto_grab_cipher(spawn, shash_crypto_instance(inst),
880 				 crypto_attr_alg_name(tb[1]), 0, mask);
881 	if (err)
882 		goto err_free_inst;
883 	alg = crypto_spawn_cipher_alg(spawn);
884 
885 	err = crypto_inst_setname(shash_crypto_instance(inst), tmpl->name, alg);
886 	if (err)
887 		goto err_free_inst;
888 
889 	inst->alg.base.cra_priority = alg->cra_priority;
890 	inst->alg.base.cra_blocksize = 1;
891 
892 	inst->alg.digestsize = alg->cra_blocksize;
893 	inst->alg.descsize = ALIGN(sizeof(struct cbcmac_desc_ctx),
894 				   alg->cra_alignmask + 1) +
895 			     alg->cra_blocksize;
896 
897 	inst->alg.base.cra_ctxsize = sizeof(struct cbcmac_tfm_ctx);
898 	inst->alg.base.cra_init = cbcmac_init_tfm;
899 	inst->alg.base.cra_exit = cbcmac_exit_tfm;
900 
901 	inst->alg.init = crypto_cbcmac_digest_init;
902 	inst->alg.update = crypto_cbcmac_digest_update;
903 	inst->alg.final = crypto_cbcmac_digest_final;
904 	inst->alg.setkey = crypto_cbcmac_digest_setkey;
905 
906 	inst->free = shash_free_singlespawn_instance;
907 
908 	err = shash_register_instance(tmpl, inst);
909 	if (err) {
910 err_free_inst:
911 		shash_free_singlespawn_instance(inst);
912 	}
913 	return err;
914 }
915 
916 static struct crypto_template crypto_ccm_tmpls[] = {
917 	{
918 		.name = "cbcmac",
919 		.create = cbcmac_create,
920 		.module = THIS_MODULE,
921 	}, {
922 		.name = "ccm_base",
923 		.create = crypto_ccm_base_create,
924 		.module = THIS_MODULE,
925 	}, {
926 		.name = "ccm",
927 		.create = crypto_ccm_create,
928 		.module = THIS_MODULE,
929 	}, {
930 		.name = "rfc4309",
931 		.create = crypto_rfc4309_create,
932 		.module = THIS_MODULE,
933 	},
934 };
935 
936 static int __init crypto_ccm_module_init(void)
937 {
938 	return crypto_register_templates(crypto_ccm_tmpls,
939 					 ARRAY_SIZE(crypto_ccm_tmpls));
940 }
941 
942 static void __exit crypto_ccm_module_exit(void)
943 {
944 	crypto_unregister_templates(crypto_ccm_tmpls,
945 				    ARRAY_SIZE(crypto_ccm_tmpls));
946 }
947 
948 subsys_initcall(crypto_ccm_module_init);
949 module_exit(crypto_ccm_module_exit);
950 
951 MODULE_LICENSE("GPL");
952 MODULE_DESCRIPTION("Counter with CBC MAC");
953 MODULE_ALIAS_CRYPTO("ccm_base");
954 MODULE_ALIAS_CRYPTO("rfc4309");
955 MODULE_ALIAS_CRYPTO("ccm");
956 MODULE_ALIAS_CRYPTO("cbcmac");
957 MODULE_IMPORT_NS(CRYPTO_INTERNAL);
958