1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * CCM: Counter with CBC-MAC 4 * 5 * (C) Copyright IBM Corp. 2007 - Joy Latten <latten@us.ibm.com> 6 */ 7 8 #include <crypto/internal/aead.h> 9 #include <crypto/internal/hash.h> 10 #include <crypto/internal/skcipher.h> 11 #include <crypto/scatterwalk.h> 12 #include <linux/err.h> 13 #include <linux/init.h> 14 #include <linux/kernel.h> 15 #include <linux/module.h> 16 #include <linux/slab.h> 17 18 struct ccm_instance_ctx { 19 struct crypto_skcipher_spawn ctr; 20 struct crypto_ahash_spawn mac; 21 }; 22 23 struct crypto_ccm_ctx { 24 struct crypto_ahash *mac; 25 struct crypto_skcipher *ctr; 26 }; 27 28 struct crypto_rfc4309_ctx { 29 struct crypto_aead *child; 30 u8 nonce[3]; 31 }; 32 33 struct crypto_rfc4309_req_ctx { 34 struct scatterlist src[3]; 35 struct scatterlist dst[3]; 36 struct aead_request subreq; 37 }; 38 39 struct crypto_ccm_req_priv_ctx { 40 u8 odata[16]; 41 u8 idata[16]; 42 u8 auth_tag[16]; 43 u32 flags; 44 struct scatterlist src[3]; 45 struct scatterlist dst[3]; 46 union { 47 struct ahash_request ahreq; 48 struct skcipher_request skreq; 49 }; 50 }; 51 52 struct cbcmac_tfm_ctx { 53 struct crypto_cipher *child; 54 }; 55 56 struct cbcmac_desc_ctx { 57 unsigned int len; 58 }; 59 60 static inline struct crypto_ccm_req_priv_ctx *crypto_ccm_reqctx( 61 struct aead_request *req) 62 { 63 unsigned long align = crypto_aead_alignmask(crypto_aead_reqtfm(req)); 64 65 return (void *)PTR_ALIGN((u8 *)aead_request_ctx(req), align + 1); 66 } 67 68 static int set_msg_len(u8 *block, unsigned int msglen, int csize) 69 { 70 __be32 data; 71 72 memset(block, 0, csize); 73 block += csize; 74 75 if (csize >= 4) 76 csize = 4; 77 else if (msglen > (1 << (8 * csize))) 78 return -EOVERFLOW; 79 80 data = cpu_to_be32(msglen); 81 memcpy(block - csize, (u8 *)&data + 4 - csize, csize); 82 83 return 0; 84 } 85 86 static int crypto_ccm_setkey(struct crypto_aead *aead, const u8 *key, 87 unsigned int keylen) 88 { 89 struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead); 90 struct crypto_skcipher *ctr = ctx->ctr; 91 struct crypto_ahash *mac = ctx->mac; 92 int err; 93 94 crypto_skcipher_clear_flags(ctr, CRYPTO_TFM_REQ_MASK); 95 crypto_skcipher_set_flags(ctr, crypto_aead_get_flags(aead) & 96 CRYPTO_TFM_REQ_MASK); 97 err = crypto_skcipher_setkey(ctr, key, keylen); 98 if (err) 99 return err; 100 101 crypto_ahash_clear_flags(mac, CRYPTO_TFM_REQ_MASK); 102 crypto_ahash_set_flags(mac, crypto_aead_get_flags(aead) & 103 CRYPTO_TFM_REQ_MASK); 104 return crypto_ahash_setkey(mac, key, keylen); 105 } 106 107 static int crypto_ccm_setauthsize(struct crypto_aead *tfm, 108 unsigned int authsize) 109 { 110 switch (authsize) { 111 case 4: 112 case 6: 113 case 8: 114 case 10: 115 case 12: 116 case 14: 117 case 16: 118 break; 119 default: 120 return -EINVAL; 121 } 122 123 return 0; 124 } 125 126 static int format_input(u8 *info, struct aead_request *req, 127 unsigned int cryptlen) 128 { 129 struct crypto_aead *aead = crypto_aead_reqtfm(req); 130 unsigned int lp = req->iv[0]; 131 unsigned int l = lp + 1; 132 unsigned int m; 133 134 m = crypto_aead_authsize(aead); 135 136 memcpy(info, req->iv, 16); 137 138 /* format control info per RFC 3610 and 139 * NIST Special Publication 800-38C 140 */ 141 *info |= (8 * ((m - 2) / 2)); 142 if (req->assoclen) 143 *info |= 64; 144 145 return set_msg_len(info + 16 - l, cryptlen, l); 146 } 147 148 static int format_adata(u8 *adata, unsigned int a) 149 { 150 int len = 0; 151 152 /* add control info for associated data 153 * RFC 3610 and NIST Special Publication 800-38C 154 */ 155 if (a < 65280) { 156 *(__be16 *)adata = cpu_to_be16(a); 157 len = 2; 158 } else { 159 *(__be16 *)adata = cpu_to_be16(0xfffe); 160 *(__be32 *)&adata[2] = cpu_to_be32(a); 161 len = 6; 162 } 163 164 return len; 165 } 166 167 static int crypto_ccm_auth(struct aead_request *req, struct scatterlist *plain, 168 unsigned int cryptlen) 169 { 170 struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); 171 struct crypto_aead *aead = crypto_aead_reqtfm(req); 172 struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead); 173 struct ahash_request *ahreq = &pctx->ahreq; 174 unsigned int assoclen = req->assoclen; 175 struct scatterlist sg[3]; 176 u8 *odata = pctx->odata; 177 u8 *idata = pctx->idata; 178 int ilen, err; 179 180 /* format control data for input */ 181 err = format_input(odata, req, cryptlen); 182 if (err) 183 goto out; 184 185 sg_init_table(sg, 3); 186 sg_set_buf(&sg[0], odata, 16); 187 188 /* format associated data and compute into mac */ 189 if (assoclen) { 190 ilen = format_adata(idata, assoclen); 191 sg_set_buf(&sg[1], idata, ilen); 192 sg_chain(sg, 3, req->src); 193 } else { 194 ilen = 0; 195 sg_chain(sg, 2, req->src); 196 } 197 198 ahash_request_set_tfm(ahreq, ctx->mac); 199 ahash_request_set_callback(ahreq, pctx->flags, NULL, NULL); 200 ahash_request_set_crypt(ahreq, sg, NULL, assoclen + ilen + 16); 201 err = crypto_ahash_init(ahreq); 202 if (err) 203 goto out; 204 err = crypto_ahash_update(ahreq); 205 if (err) 206 goto out; 207 208 /* we need to pad the MAC input to a round multiple of the block size */ 209 ilen = 16 - (assoclen + ilen) % 16; 210 if (ilen < 16) { 211 memset(idata, 0, ilen); 212 sg_init_table(sg, 2); 213 sg_set_buf(&sg[0], idata, ilen); 214 if (plain) 215 sg_chain(sg, 2, plain); 216 plain = sg; 217 cryptlen += ilen; 218 } 219 220 ahash_request_set_crypt(ahreq, plain, pctx->odata, cryptlen); 221 err = crypto_ahash_finup(ahreq); 222 out: 223 return err; 224 } 225 226 static void crypto_ccm_encrypt_done(struct crypto_async_request *areq, int err) 227 { 228 struct aead_request *req = areq->data; 229 struct crypto_aead *aead = crypto_aead_reqtfm(req); 230 struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); 231 u8 *odata = pctx->odata; 232 233 if (!err) 234 scatterwalk_map_and_copy(odata, req->dst, 235 req->assoclen + req->cryptlen, 236 crypto_aead_authsize(aead), 1); 237 aead_request_complete(req, err); 238 } 239 240 static inline int crypto_ccm_check_iv(const u8 *iv) 241 { 242 /* 2 <= L <= 8, so 1 <= L' <= 7. */ 243 if (1 > iv[0] || iv[0] > 7) 244 return -EINVAL; 245 246 return 0; 247 } 248 249 static int crypto_ccm_init_crypt(struct aead_request *req, u8 *tag) 250 { 251 struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); 252 struct scatterlist *sg; 253 u8 *iv = req->iv; 254 int err; 255 256 err = crypto_ccm_check_iv(iv); 257 if (err) 258 return err; 259 260 pctx->flags = aead_request_flags(req); 261 262 /* Note: rfc 3610 and NIST 800-38C require counter of 263 * zero to encrypt auth tag. 264 */ 265 memset(iv + 15 - iv[0], 0, iv[0] + 1); 266 267 sg_init_table(pctx->src, 3); 268 sg_set_buf(pctx->src, tag, 16); 269 sg = scatterwalk_ffwd(pctx->src + 1, req->src, req->assoclen); 270 if (sg != pctx->src + 1) 271 sg_chain(pctx->src, 2, sg); 272 273 if (req->src != req->dst) { 274 sg_init_table(pctx->dst, 3); 275 sg_set_buf(pctx->dst, tag, 16); 276 sg = scatterwalk_ffwd(pctx->dst + 1, req->dst, req->assoclen); 277 if (sg != pctx->dst + 1) 278 sg_chain(pctx->dst, 2, sg); 279 } 280 281 return 0; 282 } 283 284 static int crypto_ccm_encrypt(struct aead_request *req) 285 { 286 struct crypto_aead *aead = crypto_aead_reqtfm(req); 287 struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead); 288 struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); 289 struct skcipher_request *skreq = &pctx->skreq; 290 struct scatterlist *dst; 291 unsigned int cryptlen = req->cryptlen; 292 u8 *odata = pctx->odata; 293 u8 *iv = req->iv; 294 int err; 295 296 err = crypto_ccm_init_crypt(req, odata); 297 if (err) 298 return err; 299 300 err = crypto_ccm_auth(req, sg_next(pctx->src), cryptlen); 301 if (err) 302 return err; 303 304 dst = pctx->src; 305 if (req->src != req->dst) 306 dst = pctx->dst; 307 308 skcipher_request_set_tfm(skreq, ctx->ctr); 309 skcipher_request_set_callback(skreq, pctx->flags, 310 crypto_ccm_encrypt_done, req); 311 skcipher_request_set_crypt(skreq, pctx->src, dst, cryptlen + 16, iv); 312 err = crypto_skcipher_encrypt(skreq); 313 if (err) 314 return err; 315 316 /* copy authtag to end of dst */ 317 scatterwalk_map_and_copy(odata, sg_next(dst), cryptlen, 318 crypto_aead_authsize(aead), 1); 319 return err; 320 } 321 322 static void crypto_ccm_decrypt_done(struct crypto_async_request *areq, 323 int err) 324 { 325 struct aead_request *req = areq->data; 326 struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); 327 struct crypto_aead *aead = crypto_aead_reqtfm(req); 328 unsigned int authsize = crypto_aead_authsize(aead); 329 unsigned int cryptlen = req->cryptlen - authsize; 330 struct scatterlist *dst; 331 332 pctx->flags = 0; 333 334 dst = sg_next(req->src == req->dst ? pctx->src : pctx->dst); 335 336 if (!err) { 337 err = crypto_ccm_auth(req, dst, cryptlen); 338 if (!err && crypto_memneq(pctx->auth_tag, pctx->odata, authsize)) 339 err = -EBADMSG; 340 } 341 aead_request_complete(req, err); 342 } 343 344 static int crypto_ccm_decrypt(struct aead_request *req) 345 { 346 struct crypto_aead *aead = crypto_aead_reqtfm(req); 347 struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead); 348 struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); 349 struct skcipher_request *skreq = &pctx->skreq; 350 struct scatterlist *dst; 351 unsigned int authsize = crypto_aead_authsize(aead); 352 unsigned int cryptlen = req->cryptlen; 353 u8 *authtag = pctx->auth_tag; 354 u8 *odata = pctx->odata; 355 u8 *iv = pctx->idata; 356 int err; 357 358 cryptlen -= authsize; 359 360 err = crypto_ccm_init_crypt(req, authtag); 361 if (err) 362 return err; 363 364 scatterwalk_map_and_copy(authtag, sg_next(pctx->src), cryptlen, 365 authsize, 0); 366 367 dst = pctx->src; 368 if (req->src != req->dst) 369 dst = pctx->dst; 370 371 memcpy(iv, req->iv, 16); 372 373 skcipher_request_set_tfm(skreq, ctx->ctr); 374 skcipher_request_set_callback(skreq, pctx->flags, 375 crypto_ccm_decrypt_done, req); 376 skcipher_request_set_crypt(skreq, pctx->src, dst, cryptlen + 16, iv); 377 err = crypto_skcipher_decrypt(skreq); 378 if (err) 379 return err; 380 381 err = crypto_ccm_auth(req, sg_next(dst), cryptlen); 382 if (err) 383 return err; 384 385 /* verify */ 386 if (crypto_memneq(authtag, odata, authsize)) 387 return -EBADMSG; 388 389 return err; 390 } 391 392 static int crypto_ccm_init_tfm(struct crypto_aead *tfm) 393 { 394 struct aead_instance *inst = aead_alg_instance(tfm); 395 struct ccm_instance_ctx *ictx = aead_instance_ctx(inst); 396 struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm); 397 struct crypto_ahash *mac; 398 struct crypto_skcipher *ctr; 399 unsigned long align; 400 int err; 401 402 mac = crypto_spawn_ahash(&ictx->mac); 403 if (IS_ERR(mac)) 404 return PTR_ERR(mac); 405 406 ctr = crypto_spawn_skcipher(&ictx->ctr); 407 err = PTR_ERR(ctr); 408 if (IS_ERR(ctr)) 409 goto err_free_mac; 410 411 ctx->mac = mac; 412 ctx->ctr = ctr; 413 414 align = crypto_aead_alignmask(tfm); 415 align &= ~(crypto_tfm_ctx_alignment() - 1); 416 crypto_aead_set_reqsize( 417 tfm, 418 align + sizeof(struct crypto_ccm_req_priv_ctx) + 419 max(crypto_ahash_reqsize(mac), crypto_skcipher_reqsize(ctr))); 420 421 return 0; 422 423 err_free_mac: 424 crypto_free_ahash(mac); 425 return err; 426 } 427 428 static void crypto_ccm_exit_tfm(struct crypto_aead *tfm) 429 { 430 struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm); 431 432 crypto_free_ahash(ctx->mac); 433 crypto_free_skcipher(ctx->ctr); 434 } 435 436 static void crypto_ccm_free(struct aead_instance *inst) 437 { 438 struct ccm_instance_ctx *ctx = aead_instance_ctx(inst); 439 440 crypto_drop_ahash(&ctx->mac); 441 crypto_drop_skcipher(&ctx->ctr); 442 kfree(inst); 443 } 444 445 static int crypto_ccm_create_common(struct crypto_template *tmpl, 446 struct rtattr **tb, 447 const char *ctr_name, 448 const char *mac_name) 449 { 450 struct crypto_attr_type *algt; 451 u32 mask; 452 struct aead_instance *inst; 453 struct ccm_instance_ctx *ictx; 454 struct skcipher_alg *ctr; 455 struct hash_alg_common *mac; 456 int err; 457 458 algt = crypto_get_attr_type(tb); 459 if (IS_ERR(algt)) 460 return PTR_ERR(algt); 461 462 if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask) 463 return -EINVAL; 464 465 mask = crypto_requires_sync(algt->type, algt->mask); 466 467 inst = kzalloc(sizeof(*inst) + sizeof(*ictx), GFP_KERNEL); 468 if (!inst) 469 return -ENOMEM; 470 ictx = aead_instance_ctx(inst); 471 472 err = crypto_grab_ahash(&ictx->mac, aead_crypto_instance(inst), 473 mac_name, 0, CRYPTO_ALG_ASYNC); 474 if (err) 475 goto err_free_inst; 476 mac = crypto_spawn_ahash_alg(&ictx->mac); 477 478 err = -EINVAL; 479 if (strncmp(mac->base.cra_name, "cbcmac(", 7) != 0 || 480 mac->digestsize != 16) 481 goto err_free_inst; 482 483 err = crypto_grab_skcipher(&ictx->ctr, aead_crypto_instance(inst), 484 ctr_name, 0, mask); 485 if (err) 486 goto err_free_inst; 487 ctr = crypto_spawn_skcipher_alg(&ictx->ctr); 488 489 /* The skcipher algorithm must be CTR mode, using 16-byte blocks. */ 490 err = -EINVAL; 491 if (strncmp(ctr->base.cra_name, "ctr(", 4) != 0 || 492 crypto_skcipher_alg_ivsize(ctr) != 16 || 493 ctr->base.cra_blocksize != 1) 494 goto err_free_inst; 495 496 /* ctr and cbcmac must use the same underlying block cipher. */ 497 if (strcmp(ctr->base.cra_name + 4, mac->base.cra_name + 7) != 0) 498 goto err_free_inst; 499 500 err = -ENAMETOOLONG; 501 if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME, 502 "ccm(%s", ctr->base.cra_name + 4) >= CRYPTO_MAX_ALG_NAME) 503 goto err_free_inst; 504 505 if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, 506 "ccm_base(%s,%s)", ctr->base.cra_driver_name, 507 mac->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME) 508 goto err_free_inst; 509 510 inst->alg.base.cra_flags = ctr->base.cra_flags & CRYPTO_ALG_ASYNC; 511 inst->alg.base.cra_priority = (mac->base.cra_priority + 512 ctr->base.cra_priority) / 2; 513 inst->alg.base.cra_blocksize = 1; 514 inst->alg.base.cra_alignmask = mac->base.cra_alignmask | 515 ctr->base.cra_alignmask; 516 inst->alg.ivsize = 16; 517 inst->alg.chunksize = crypto_skcipher_alg_chunksize(ctr); 518 inst->alg.maxauthsize = 16; 519 inst->alg.base.cra_ctxsize = sizeof(struct crypto_ccm_ctx); 520 inst->alg.init = crypto_ccm_init_tfm; 521 inst->alg.exit = crypto_ccm_exit_tfm; 522 inst->alg.setkey = crypto_ccm_setkey; 523 inst->alg.setauthsize = crypto_ccm_setauthsize; 524 inst->alg.encrypt = crypto_ccm_encrypt; 525 inst->alg.decrypt = crypto_ccm_decrypt; 526 527 inst->free = crypto_ccm_free; 528 529 err = aead_register_instance(tmpl, inst); 530 if (err) { 531 err_free_inst: 532 crypto_ccm_free(inst); 533 } 534 return err; 535 } 536 537 static int crypto_ccm_create(struct crypto_template *tmpl, struct rtattr **tb) 538 { 539 const char *cipher_name; 540 char ctr_name[CRYPTO_MAX_ALG_NAME]; 541 char mac_name[CRYPTO_MAX_ALG_NAME]; 542 543 cipher_name = crypto_attr_alg_name(tb[1]); 544 if (IS_ERR(cipher_name)) 545 return PTR_ERR(cipher_name); 546 547 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", 548 cipher_name) >= CRYPTO_MAX_ALG_NAME) 549 return -ENAMETOOLONG; 550 551 if (snprintf(mac_name, CRYPTO_MAX_ALG_NAME, "cbcmac(%s)", 552 cipher_name) >= CRYPTO_MAX_ALG_NAME) 553 return -ENAMETOOLONG; 554 555 return crypto_ccm_create_common(tmpl, tb, ctr_name, mac_name); 556 } 557 558 static int crypto_ccm_base_create(struct crypto_template *tmpl, 559 struct rtattr **tb) 560 { 561 const char *ctr_name; 562 const char *mac_name; 563 564 ctr_name = crypto_attr_alg_name(tb[1]); 565 if (IS_ERR(ctr_name)) 566 return PTR_ERR(ctr_name); 567 568 mac_name = crypto_attr_alg_name(tb[2]); 569 if (IS_ERR(mac_name)) 570 return PTR_ERR(mac_name); 571 572 return crypto_ccm_create_common(tmpl, tb, ctr_name, mac_name); 573 } 574 575 static int crypto_rfc4309_setkey(struct crypto_aead *parent, const u8 *key, 576 unsigned int keylen) 577 { 578 struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(parent); 579 struct crypto_aead *child = ctx->child; 580 581 if (keylen < 3) 582 return -EINVAL; 583 584 keylen -= 3; 585 memcpy(ctx->nonce, key + keylen, 3); 586 587 crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK); 588 crypto_aead_set_flags(child, crypto_aead_get_flags(parent) & 589 CRYPTO_TFM_REQ_MASK); 590 return crypto_aead_setkey(child, key, keylen); 591 } 592 593 static int crypto_rfc4309_setauthsize(struct crypto_aead *parent, 594 unsigned int authsize) 595 { 596 struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(parent); 597 598 switch (authsize) { 599 case 8: 600 case 12: 601 case 16: 602 break; 603 default: 604 return -EINVAL; 605 } 606 607 return crypto_aead_setauthsize(ctx->child, authsize); 608 } 609 610 static struct aead_request *crypto_rfc4309_crypt(struct aead_request *req) 611 { 612 struct crypto_rfc4309_req_ctx *rctx = aead_request_ctx(req); 613 struct aead_request *subreq = &rctx->subreq; 614 struct crypto_aead *aead = crypto_aead_reqtfm(req); 615 struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(aead); 616 struct crypto_aead *child = ctx->child; 617 struct scatterlist *sg; 618 u8 *iv = PTR_ALIGN((u8 *)(subreq + 1) + crypto_aead_reqsize(child), 619 crypto_aead_alignmask(child) + 1); 620 621 /* L' */ 622 iv[0] = 3; 623 624 memcpy(iv + 1, ctx->nonce, 3); 625 memcpy(iv + 4, req->iv, 8); 626 627 scatterwalk_map_and_copy(iv + 16, req->src, 0, req->assoclen - 8, 0); 628 629 sg_init_table(rctx->src, 3); 630 sg_set_buf(rctx->src, iv + 16, req->assoclen - 8); 631 sg = scatterwalk_ffwd(rctx->src + 1, req->src, req->assoclen); 632 if (sg != rctx->src + 1) 633 sg_chain(rctx->src, 2, sg); 634 635 if (req->src != req->dst) { 636 sg_init_table(rctx->dst, 3); 637 sg_set_buf(rctx->dst, iv + 16, req->assoclen - 8); 638 sg = scatterwalk_ffwd(rctx->dst + 1, req->dst, req->assoclen); 639 if (sg != rctx->dst + 1) 640 sg_chain(rctx->dst, 2, sg); 641 } 642 643 aead_request_set_tfm(subreq, child); 644 aead_request_set_callback(subreq, req->base.flags, req->base.complete, 645 req->base.data); 646 aead_request_set_crypt(subreq, rctx->src, 647 req->src == req->dst ? rctx->src : rctx->dst, 648 req->cryptlen, iv); 649 aead_request_set_ad(subreq, req->assoclen - 8); 650 651 return subreq; 652 } 653 654 static int crypto_rfc4309_encrypt(struct aead_request *req) 655 { 656 if (req->assoclen != 16 && req->assoclen != 20) 657 return -EINVAL; 658 659 req = crypto_rfc4309_crypt(req); 660 661 return crypto_aead_encrypt(req); 662 } 663 664 static int crypto_rfc4309_decrypt(struct aead_request *req) 665 { 666 if (req->assoclen != 16 && req->assoclen != 20) 667 return -EINVAL; 668 669 req = crypto_rfc4309_crypt(req); 670 671 return crypto_aead_decrypt(req); 672 } 673 674 static int crypto_rfc4309_init_tfm(struct crypto_aead *tfm) 675 { 676 struct aead_instance *inst = aead_alg_instance(tfm); 677 struct crypto_aead_spawn *spawn = aead_instance_ctx(inst); 678 struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(tfm); 679 struct crypto_aead *aead; 680 unsigned long align; 681 682 aead = crypto_spawn_aead(spawn); 683 if (IS_ERR(aead)) 684 return PTR_ERR(aead); 685 686 ctx->child = aead; 687 688 align = crypto_aead_alignmask(aead); 689 align &= ~(crypto_tfm_ctx_alignment() - 1); 690 crypto_aead_set_reqsize( 691 tfm, 692 sizeof(struct crypto_rfc4309_req_ctx) + 693 ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) + 694 align + 32); 695 696 return 0; 697 } 698 699 static void crypto_rfc4309_exit_tfm(struct crypto_aead *tfm) 700 { 701 struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(tfm); 702 703 crypto_free_aead(ctx->child); 704 } 705 706 static void crypto_rfc4309_free(struct aead_instance *inst) 707 { 708 crypto_drop_aead(aead_instance_ctx(inst)); 709 kfree(inst); 710 } 711 712 static int crypto_rfc4309_create(struct crypto_template *tmpl, 713 struct rtattr **tb) 714 { 715 struct crypto_attr_type *algt; 716 u32 mask; 717 struct aead_instance *inst; 718 struct crypto_aead_spawn *spawn; 719 struct aead_alg *alg; 720 const char *ccm_name; 721 int err; 722 723 algt = crypto_get_attr_type(tb); 724 if (IS_ERR(algt)) 725 return PTR_ERR(algt); 726 727 if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask) 728 return -EINVAL; 729 730 mask = crypto_requires_sync(algt->type, algt->mask); 731 732 ccm_name = crypto_attr_alg_name(tb[1]); 733 if (IS_ERR(ccm_name)) 734 return PTR_ERR(ccm_name); 735 736 inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL); 737 if (!inst) 738 return -ENOMEM; 739 740 spawn = aead_instance_ctx(inst); 741 err = crypto_grab_aead(spawn, aead_crypto_instance(inst), 742 ccm_name, 0, mask); 743 if (err) 744 goto out_free_inst; 745 746 alg = crypto_spawn_aead_alg(spawn); 747 748 err = -EINVAL; 749 750 /* We only support 16-byte blocks. */ 751 if (crypto_aead_alg_ivsize(alg) != 16) 752 goto out_drop_alg; 753 754 /* Not a stream cipher? */ 755 if (alg->base.cra_blocksize != 1) 756 goto out_drop_alg; 757 758 err = -ENAMETOOLONG; 759 if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME, 760 "rfc4309(%s)", alg->base.cra_name) >= 761 CRYPTO_MAX_ALG_NAME || 762 snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, 763 "rfc4309(%s)", alg->base.cra_driver_name) >= 764 CRYPTO_MAX_ALG_NAME) 765 goto out_drop_alg; 766 767 inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC; 768 inst->alg.base.cra_priority = alg->base.cra_priority; 769 inst->alg.base.cra_blocksize = 1; 770 inst->alg.base.cra_alignmask = alg->base.cra_alignmask; 771 772 inst->alg.ivsize = 8; 773 inst->alg.chunksize = crypto_aead_alg_chunksize(alg); 774 inst->alg.maxauthsize = 16; 775 776 inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4309_ctx); 777 778 inst->alg.init = crypto_rfc4309_init_tfm; 779 inst->alg.exit = crypto_rfc4309_exit_tfm; 780 781 inst->alg.setkey = crypto_rfc4309_setkey; 782 inst->alg.setauthsize = crypto_rfc4309_setauthsize; 783 inst->alg.encrypt = crypto_rfc4309_encrypt; 784 inst->alg.decrypt = crypto_rfc4309_decrypt; 785 786 inst->free = crypto_rfc4309_free; 787 788 err = aead_register_instance(tmpl, inst); 789 if (err) 790 goto out_drop_alg; 791 792 out: 793 return err; 794 795 out_drop_alg: 796 crypto_drop_aead(spawn); 797 out_free_inst: 798 kfree(inst); 799 goto out; 800 } 801 802 static int crypto_cbcmac_digest_setkey(struct crypto_shash *parent, 803 const u8 *inkey, unsigned int keylen) 804 { 805 struct cbcmac_tfm_ctx *ctx = crypto_shash_ctx(parent); 806 807 return crypto_cipher_setkey(ctx->child, inkey, keylen); 808 } 809 810 static int crypto_cbcmac_digest_init(struct shash_desc *pdesc) 811 { 812 struct cbcmac_desc_ctx *ctx = shash_desc_ctx(pdesc); 813 int bs = crypto_shash_digestsize(pdesc->tfm); 814 u8 *dg = (u8 *)ctx + crypto_shash_descsize(pdesc->tfm) - bs; 815 816 ctx->len = 0; 817 memset(dg, 0, bs); 818 819 return 0; 820 } 821 822 static int crypto_cbcmac_digest_update(struct shash_desc *pdesc, const u8 *p, 823 unsigned int len) 824 { 825 struct crypto_shash *parent = pdesc->tfm; 826 struct cbcmac_tfm_ctx *tctx = crypto_shash_ctx(parent); 827 struct cbcmac_desc_ctx *ctx = shash_desc_ctx(pdesc); 828 struct crypto_cipher *tfm = tctx->child; 829 int bs = crypto_shash_digestsize(parent); 830 u8 *dg = (u8 *)ctx + crypto_shash_descsize(parent) - bs; 831 832 while (len > 0) { 833 unsigned int l = min(len, bs - ctx->len); 834 835 crypto_xor(dg + ctx->len, p, l); 836 ctx->len +=l; 837 len -= l; 838 p += l; 839 840 if (ctx->len == bs) { 841 crypto_cipher_encrypt_one(tfm, dg, dg); 842 ctx->len = 0; 843 } 844 } 845 846 return 0; 847 } 848 849 static int crypto_cbcmac_digest_final(struct shash_desc *pdesc, u8 *out) 850 { 851 struct crypto_shash *parent = pdesc->tfm; 852 struct cbcmac_tfm_ctx *tctx = crypto_shash_ctx(parent); 853 struct cbcmac_desc_ctx *ctx = shash_desc_ctx(pdesc); 854 struct crypto_cipher *tfm = tctx->child; 855 int bs = crypto_shash_digestsize(parent); 856 u8 *dg = (u8 *)ctx + crypto_shash_descsize(parent) - bs; 857 858 if (ctx->len) 859 crypto_cipher_encrypt_one(tfm, dg, dg); 860 861 memcpy(out, dg, bs); 862 return 0; 863 } 864 865 static int cbcmac_init_tfm(struct crypto_tfm *tfm) 866 { 867 struct crypto_cipher *cipher; 868 struct crypto_instance *inst = (void *)tfm->__crt_alg; 869 struct crypto_cipher_spawn *spawn = crypto_instance_ctx(inst); 870 struct cbcmac_tfm_ctx *ctx = crypto_tfm_ctx(tfm); 871 872 cipher = crypto_spawn_cipher(spawn); 873 if (IS_ERR(cipher)) 874 return PTR_ERR(cipher); 875 876 ctx->child = cipher; 877 878 return 0; 879 }; 880 881 static void cbcmac_exit_tfm(struct crypto_tfm *tfm) 882 { 883 struct cbcmac_tfm_ctx *ctx = crypto_tfm_ctx(tfm); 884 crypto_free_cipher(ctx->child); 885 } 886 887 static int cbcmac_create(struct crypto_template *tmpl, struct rtattr **tb) 888 { 889 struct shash_instance *inst; 890 struct crypto_cipher_spawn *spawn; 891 struct crypto_alg *alg; 892 int err; 893 894 err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_SHASH); 895 if (err) 896 return err; 897 898 inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL); 899 if (!inst) 900 return -ENOMEM; 901 spawn = shash_instance_ctx(inst); 902 903 err = crypto_grab_cipher(spawn, shash_crypto_instance(inst), 904 crypto_attr_alg_name(tb[1]), 0, 0); 905 if (err) 906 goto err_free_inst; 907 alg = crypto_spawn_cipher_alg(spawn); 908 909 err = crypto_inst_setname(shash_crypto_instance(inst), tmpl->name, alg); 910 if (err) 911 goto err_free_inst; 912 913 inst->alg.base.cra_priority = alg->cra_priority; 914 inst->alg.base.cra_blocksize = 1; 915 916 inst->alg.digestsize = alg->cra_blocksize; 917 inst->alg.descsize = ALIGN(sizeof(struct cbcmac_desc_ctx), 918 alg->cra_alignmask + 1) + 919 alg->cra_blocksize; 920 921 inst->alg.base.cra_ctxsize = sizeof(struct cbcmac_tfm_ctx); 922 inst->alg.base.cra_init = cbcmac_init_tfm; 923 inst->alg.base.cra_exit = cbcmac_exit_tfm; 924 925 inst->alg.init = crypto_cbcmac_digest_init; 926 inst->alg.update = crypto_cbcmac_digest_update; 927 inst->alg.final = crypto_cbcmac_digest_final; 928 inst->alg.setkey = crypto_cbcmac_digest_setkey; 929 930 inst->free = shash_free_singlespawn_instance; 931 932 err = shash_register_instance(tmpl, inst); 933 if (err) { 934 err_free_inst: 935 shash_free_singlespawn_instance(inst); 936 } 937 return err; 938 } 939 940 static struct crypto_template crypto_ccm_tmpls[] = { 941 { 942 .name = "cbcmac", 943 .create = cbcmac_create, 944 .module = THIS_MODULE, 945 }, { 946 .name = "ccm_base", 947 .create = crypto_ccm_base_create, 948 .module = THIS_MODULE, 949 }, { 950 .name = "ccm", 951 .create = crypto_ccm_create, 952 .module = THIS_MODULE, 953 }, { 954 .name = "rfc4309", 955 .create = crypto_rfc4309_create, 956 .module = THIS_MODULE, 957 }, 958 }; 959 960 static int __init crypto_ccm_module_init(void) 961 { 962 return crypto_register_templates(crypto_ccm_tmpls, 963 ARRAY_SIZE(crypto_ccm_tmpls)); 964 } 965 966 static void __exit crypto_ccm_module_exit(void) 967 { 968 crypto_unregister_templates(crypto_ccm_tmpls, 969 ARRAY_SIZE(crypto_ccm_tmpls)); 970 } 971 972 subsys_initcall(crypto_ccm_module_init); 973 module_exit(crypto_ccm_module_exit); 974 975 MODULE_LICENSE("GPL"); 976 MODULE_DESCRIPTION("Counter with CBC MAC"); 977 MODULE_ALIAS_CRYPTO("ccm_base"); 978 MODULE_ALIAS_CRYPTO("rfc4309"); 979 MODULE_ALIAS_CRYPTO("ccm"); 980 MODULE_ALIAS_CRYPTO("cbcmac"); 981