xref: /openbmc/linux/crypto/ccm.c (revision 791d3ef2)
1  /*
2   * CCM: Counter with CBC-MAC
3   *
4   * (C) Copyright IBM Corp. 2007 - Joy Latten <latten@us.ibm.com>
5   *
6   * This program is free software; you can redistribute it and/or modify it
7   * under the terms of the GNU General Public License as published by the Free
8   * Software Foundation; either version 2 of the License, or (at your option)
9   * any later version.
10   *
11   */
12  
13  #include <crypto/internal/aead.h>
14  #include <crypto/internal/hash.h>
15  #include <crypto/internal/skcipher.h>
16  #include <crypto/scatterwalk.h>
17  #include <linux/err.h>
18  #include <linux/init.h>
19  #include <linux/kernel.h>
20  #include <linux/module.h>
21  #include <linux/slab.h>
22  
23  #include "internal.h"
24  
25  struct ccm_instance_ctx {
26  	struct crypto_skcipher_spawn ctr;
27  	struct crypto_ahash_spawn mac;
28  };
29  
30  struct crypto_ccm_ctx {
31  	struct crypto_ahash *mac;
32  	struct crypto_skcipher *ctr;
33  };
34  
35  struct crypto_rfc4309_ctx {
36  	struct crypto_aead *child;
37  	u8 nonce[3];
38  };
39  
40  struct crypto_rfc4309_req_ctx {
41  	struct scatterlist src[3];
42  	struct scatterlist dst[3];
43  	struct aead_request subreq;
44  };
45  
46  struct crypto_ccm_req_priv_ctx {
47  	u8 odata[16];
48  	u8 idata[16];
49  	u8 auth_tag[16];
50  	u32 flags;
51  	struct scatterlist src[3];
52  	struct scatterlist dst[3];
53  	struct skcipher_request skreq;
54  };
55  
56  struct cbcmac_tfm_ctx {
57  	struct crypto_cipher *child;
58  };
59  
60  struct cbcmac_desc_ctx {
61  	unsigned int len;
62  };
63  
64  static inline struct crypto_ccm_req_priv_ctx *crypto_ccm_reqctx(
65  	struct aead_request *req)
66  {
67  	unsigned long align = crypto_aead_alignmask(crypto_aead_reqtfm(req));
68  
69  	return (void *)PTR_ALIGN((u8 *)aead_request_ctx(req), align + 1);
70  }
71  
72  static int set_msg_len(u8 *block, unsigned int msglen, int csize)
73  {
74  	__be32 data;
75  
76  	memset(block, 0, csize);
77  	block += csize;
78  
79  	if (csize >= 4)
80  		csize = 4;
81  	else if (msglen > (1 << (8 * csize)))
82  		return -EOVERFLOW;
83  
84  	data = cpu_to_be32(msglen);
85  	memcpy(block - csize, (u8 *)&data + 4 - csize, csize);
86  
87  	return 0;
88  }
89  
90  static int crypto_ccm_setkey(struct crypto_aead *aead, const u8 *key,
91  			     unsigned int keylen)
92  {
93  	struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead);
94  	struct crypto_skcipher *ctr = ctx->ctr;
95  	struct crypto_ahash *mac = ctx->mac;
96  	int err = 0;
97  
98  	crypto_skcipher_clear_flags(ctr, CRYPTO_TFM_REQ_MASK);
99  	crypto_skcipher_set_flags(ctr, crypto_aead_get_flags(aead) &
100  				       CRYPTO_TFM_REQ_MASK);
101  	err = crypto_skcipher_setkey(ctr, key, keylen);
102  	crypto_aead_set_flags(aead, crypto_skcipher_get_flags(ctr) &
103  			      CRYPTO_TFM_RES_MASK);
104  	if (err)
105  		goto out;
106  
107  	crypto_ahash_clear_flags(mac, CRYPTO_TFM_REQ_MASK);
108  	crypto_ahash_set_flags(mac, crypto_aead_get_flags(aead) &
109  				    CRYPTO_TFM_REQ_MASK);
110  	err = crypto_ahash_setkey(mac, key, keylen);
111  	crypto_aead_set_flags(aead, crypto_ahash_get_flags(mac) &
112  			      CRYPTO_TFM_RES_MASK);
113  
114  out:
115  	return err;
116  }
117  
118  static int crypto_ccm_setauthsize(struct crypto_aead *tfm,
119  				  unsigned int authsize)
120  {
121  	switch (authsize) {
122  	case 4:
123  	case 6:
124  	case 8:
125  	case 10:
126  	case 12:
127  	case 14:
128  	case 16:
129  		break;
130  	default:
131  		return -EINVAL;
132  	}
133  
134  	return 0;
135  }
136  
137  static int format_input(u8 *info, struct aead_request *req,
138  			unsigned int cryptlen)
139  {
140  	struct crypto_aead *aead = crypto_aead_reqtfm(req);
141  	unsigned int lp = req->iv[0];
142  	unsigned int l = lp + 1;
143  	unsigned int m;
144  
145  	m = crypto_aead_authsize(aead);
146  
147  	memcpy(info, req->iv, 16);
148  
149  	/* format control info per RFC 3610 and
150  	 * NIST Special Publication 800-38C
151  	 */
152  	*info |= (8 * ((m - 2) / 2));
153  	if (req->assoclen)
154  		*info |= 64;
155  
156  	return set_msg_len(info + 16 - l, cryptlen, l);
157  }
158  
159  static int format_adata(u8 *adata, unsigned int a)
160  {
161  	int len = 0;
162  
163  	/* add control info for associated data
164  	 * RFC 3610 and NIST Special Publication 800-38C
165  	 */
166  	if (a < 65280) {
167  		*(__be16 *)adata = cpu_to_be16(a);
168  		len = 2;
169  	} else  {
170  		*(__be16 *)adata = cpu_to_be16(0xfffe);
171  		*(__be32 *)&adata[2] = cpu_to_be32(a);
172  		len = 6;
173  	}
174  
175  	return len;
176  }
177  
178  static int crypto_ccm_auth(struct aead_request *req, struct scatterlist *plain,
179  			   unsigned int cryptlen)
180  {
181  	struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
182  	struct crypto_aead *aead = crypto_aead_reqtfm(req);
183  	struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead);
184  	AHASH_REQUEST_ON_STACK(ahreq, ctx->mac);
185  	unsigned int assoclen = req->assoclen;
186  	struct scatterlist sg[3];
187  	u8 *odata = pctx->odata;
188  	u8 *idata = pctx->idata;
189  	int ilen, err;
190  
191  	/* format control data for input */
192  	err = format_input(odata, req, cryptlen);
193  	if (err)
194  		goto out;
195  
196  	sg_init_table(sg, 3);
197  	sg_set_buf(&sg[0], odata, 16);
198  
199  	/* format associated data and compute into mac */
200  	if (assoclen) {
201  		ilen = format_adata(idata, assoclen);
202  		sg_set_buf(&sg[1], idata, ilen);
203  		sg_chain(sg, 3, req->src);
204  	} else {
205  		ilen = 0;
206  		sg_chain(sg, 2, req->src);
207  	}
208  
209  	ahash_request_set_tfm(ahreq, ctx->mac);
210  	ahash_request_set_callback(ahreq, pctx->flags, NULL, NULL);
211  	ahash_request_set_crypt(ahreq, sg, NULL, assoclen + ilen + 16);
212  	err = crypto_ahash_init(ahreq);
213  	if (err)
214  		goto out;
215  	err = crypto_ahash_update(ahreq);
216  	if (err)
217  		goto out;
218  
219  	/* we need to pad the MAC input to a round multiple of the block size */
220  	ilen = 16 - (assoclen + ilen) % 16;
221  	if (ilen < 16) {
222  		memset(idata, 0, ilen);
223  		sg_init_table(sg, 2);
224  		sg_set_buf(&sg[0], idata, ilen);
225  		if (plain)
226  			sg_chain(sg, 2, plain);
227  		plain = sg;
228  		cryptlen += ilen;
229  	}
230  
231  	ahash_request_set_crypt(ahreq, plain, pctx->odata, cryptlen);
232  	err = crypto_ahash_finup(ahreq);
233  out:
234  	return err;
235  }
236  
237  static void crypto_ccm_encrypt_done(struct crypto_async_request *areq, int err)
238  {
239  	struct aead_request *req = areq->data;
240  	struct crypto_aead *aead = crypto_aead_reqtfm(req);
241  	struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
242  	u8 *odata = pctx->odata;
243  
244  	if (!err)
245  		scatterwalk_map_and_copy(odata, req->dst,
246  					 req->assoclen + req->cryptlen,
247  					 crypto_aead_authsize(aead), 1);
248  	aead_request_complete(req, err);
249  }
250  
251  static inline int crypto_ccm_check_iv(const u8 *iv)
252  {
253  	/* 2 <= L <= 8, so 1 <= L' <= 7. */
254  	if (1 > iv[0] || iv[0] > 7)
255  		return -EINVAL;
256  
257  	return 0;
258  }
259  
260  static int crypto_ccm_init_crypt(struct aead_request *req, u8 *tag)
261  {
262  	struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
263  	struct scatterlist *sg;
264  	u8 *iv = req->iv;
265  	int err;
266  
267  	err = crypto_ccm_check_iv(iv);
268  	if (err)
269  		return err;
270  
271  	pctx->flags = aead_request_flags(req);
272  
273  	 /* Note: rfc 3610 and NIST 800-38C require counter of
274  	 * zero to encrypt auth tag.
275  	 */
276  	memset(iv + 15 - iv[0], 0, iv[0] + 1);
277  
278  	sg_init_table(pctx->src, 3);
279  	sg_set_buf(pctx->src, tag, 16);
280  	sg = scatterwalk_ffwd(pctx->src + 1, req->src, req->assoclen);
281  	if (sg != pctx->src + 1)
282  		sg_chain(pctx->src, 2, sg);
283  
284  	if (req->src != req->dst) {
285  		sg_init_table(pctx->dst, 3);
286  		sg_set_buf(pctx->dst, tag, 16);
287  		sg = scatterwalk_ffwd(pctx->dst + 1, req->dst, req->assoclen);
288  		if (sg != pctx->dst + 1)
289  			sg_chain(pctx->dst, 2, sg);
290  	}
291  
292  	return 0;
293  }
294  
295  static int crypto_ccm_encrypt(struct aead_request *req)
296  {
297  	struct crypto_aead *aead = crypto_aead_reqtfm(req);
298  	struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead);
299  	struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
300  	struct skcipher_request *skreq = &pctx->skreq;
301  	struct scatterlist *dst;
302  	unsigned int cryptlen = req->cryptlen;
303  	u8 *odata = pctx->odata;
304  	u8 *iv = req->iv;
305  	int err;
306  
307  	err = crypto_ccm_init_crypt(req, odata);
308  	if (err)
309  		return err;
310  
311  	err = crypto_ccm_auth(req, sg_next(pctx->src), cryptlen);
312  	if (err)
313  		return err;
314  
315  	dst = pctx->src;
316  	if (req->src != req->dst)
317  		dst = pctx->dst;
318  
319  	skcipher_request_set_tfm(skreq, ctx->ctr);
320  	skcipher_request_set_callback(skreq, pctx->flags,
321  				      crypto_ccm_encrypt_done, req);
322  	skcipher_request_set_crypt(skreq, pctx->src, dst, cryptlen + 16, iv);
323  	err = crypto_skcipher_encrypt(skreq);
324  	if (err)
325  		return err;
326  
327  	/* copy authtag to end of dst */
328  	scatterwalk_map_and_copy(odata, sg_next(dst), cryptlen,
329  				 crypto_aead_authsize(aead), 1);
330  	return err;
331  }
332  
333  static void crypto_ccm_decrypt_done(struct crypto_async_request *areq,
334  				   int err)
335  {
336  	struct aead_request *req = areq->data;
337  	struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
338  	struct crypto_aead *aead = crypto_aead_reqtfm(req);
339  	unsigned int authsize = crypto_aead_authsize(aead);
340  	unsigned int cryptlen = req->cryptlen - authsize;
341  	struct scatterlist *dst;
342  
343  	pctx->flags = 0;
344  
345  	dst = sg_next(req->src == req->dst ? pctx->src : pctx->dst);
346  
347  	if (!err) {
348  		err = crypto_ccm_auth(req, dst, cryptlen);
349  		if (!err && crypto_memneq(pctx->auth_tag, pctx->odata, authsize))
350  			err = -EBADMSG;
351  	}
352  	aead_request_complete(req, err);
353  }
354  
355  static int crypto_ccm_decrypt(struct aead_request *req)
356  {
357  	struct crypto_aead *aead = crypto_aead_reqtfm(req);
358  	struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead);
359  	struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
360  	struct skcipher_request *skreq = &pctx->skreq;
361  	struct scatterlist *dst;
362  	unsigned int authsize = crypto_aead_authsize(aead);
363  	unsigned int cryptlen = req->cryptlen;
364  	u8 *authtag = pctx->auth_tag;
365  	u8 *odata = pctx->odata;
366  	u8 *iv = pctx->idata;
367  	int err;
368  
369  	cryptlen -= authsize;
370  
371  	err = crypto_ccm_init_crypt(req, authtag);
372  	if (err)
373  		return err;
374  
375  	scatterwalk_map_and_copy(authtag, sg_next(pctx->src), cryptlen,
376  				 authsize, 0);
377  
378  	dst = pctx->src;
379  	if (req->src != req->dst)
380  		dst = pctx->dst;
381  
382  	memcpy(iv, req->iv, 16);
383  
384  	skcipher_request_set_tfm(skreq, ctx->ctr);
385  	skcipher_request_set_callback(skreq, pctx->flags,
386  				      crypto_ccm_decrypt_done, req);
387  	skcipher_request_set_crypt(skreq, pctx->src, dst, cryptlen + 16, iv);
388  	err = crypto_skcipher_decrypt(skreq);
389  	if (err)
390  		return err;
391  
392  	err = crypto_ccm_auth(req, sg_next(dst), cryptlen);
393  	if (err)
394  		return err;
395  
396  	/* verify */
397  	if (crypto_memneq(authtag, odata, authsize))
398  		return -EBADMSG;
399  
400  	return err;
401  }
402  
403  static int crypto_ccm_init_tfm(struct crypto_aead *tfm)
404  {
405  	struct aead_instance *inst = aead_alg_instance(tfm);
406  	struct ccm_instance_ctx *ictx = aead_instance_ctx(inst);
407  	struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm);
408  	struct crypto_ahash *mac;
409  	struct crypto_skcipher *ctr;
410  	unsigned long align;
411  	int err;
412  
413  	mac = crypto_spawn_ahash(&ictx->mac);
414  	if (IS_ERR(mac))
415  		return PTR_ERR(mac);
416  
417  	ctr = crypto_spawn_skcipher(&ictx->ctr);
418  	err = PTR_ERR(ctr);
419  	if (IS_ERR(ctr))
420  		goto err_free_mac;
421  
422  	ctx->mac = mac;
423  	ctx->ctr = ctr;
424  
425  	align = crypto_aead_alignmask(tfm);
426  	align &= ~(crypto_tfm_ctx_alignment() - 1);
427  	crypto_aead_set_reqsize(
428  		tfm,
429  		align + sizeof(struct crypto_ccm_req_priv_ctx) +
430  		crypto_skcipher_reqsize(ctr));
431  
432  	return 0;
433  
434  err_free_mac:
435  	crypto_free_ahash(mac);
436  	return err;
437  }
438  
439  static void crypto_ccm_exit_tfm(struct crypto_aead *tfm)
440  {
441  	struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm);
442  
443  	crypto_free_ahash(ctx->mac);
444  	crypto_free_skcipher(ctx->ctr);
445  }
446  
447  static void crypto_ccm_free(struct aead_instance *inst)
448  {
449  	struct ccm_instance_ctx *ctx = aead_instance_ctx(inst);
450  
451  	crypto_drop_ahash(&ctx->mac);
452  	crypto_drop_skcipher(&ctx->ctr);
453  	kfree(inst);
454  }
455  
456  static int crypto_ccm_create_common(struct crypto_template *tmpl,
457  				    struct rtattr **tb,
458  				    const char *full_name,
459  				    const char *ctr_name,
460  				    const char *mac_name)
461  {
462  	struct crypto_attr_type *algt;
463  	struct aead_instance *inst;
464  	struct skcipher_alg *ctr;
465  	struct crypto_alg *mac_alg;
466  	struct hash_alg_common *mac;
467  	struct ccm_instance_ctx *ictx;
468  	int err;
469  
470  	algt = crypto_get_attr_type(tb);
471  	if (IS_ERR(algt))
472  		return PTR_ERR(algt);
473  
474  	if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
475  		return -EINVAL;
476  
477  	mac_alg = crypto_find_alg(mac_name, &crypto_ahash_type,
478  				  CRYPTO_ALG_TYPE_HASH,
479  				  CRYPTO_ALG_TYPE_AHASH_MASK |
480  				  CRYPTO_ALG_ASYNC);
481  	if (IS_ERR(mac_alg))
482  		return PTR_ERR(mac_alg);
483  
484  	mac = __crypto_hash_alg_common(mac_alg);
485  	err = -EINVAL;
486  	if (mac->digestsize != 16)
487  		goto out_put_mac;
488  
489  	inst = kzalloc(sizeof(*inst) + sizeof(*ictx), GFP_KERNEL);
490  	err = -ENOMEM;
491  	if (!inst)
492  		goto out_put_mac;
493  
494  	ictx = aead_instance_ctx(inst);
495  	err = crypto_init_ahash_spawn(&ictx->mac, mac,
496  				      aead_crypto_instance(inst));
497  	if (err)
498  		goto err_free_inst;
499  
500  	crypto_set_skcipher_spawn(&ictx->ctr, aead_crypto_instance(inst));
501  	err = crypto_grab_skcipher(&ictx->ctr, ctr_name, 0,
502  				   crypto_requires_sync(algt->type,
503  							algt->mask));
504  	if (err)
505  		goto err_drop_mac;
506  
507  	ctr = crypto_spawn_skcipher_alg(&ictx->ctr);
508  
509  	/* Not a stream cipher? */
510  	err = -EINVAL;
511  	if (ctr->base.cra_blocksize != 1)
512  		goto err_drop_ctr;
513  
514  	/* We want the real thing! */
515  	if (crypto_skcipher_alg_ivsize(ctr) != 16)
516  		goto err_drop_ctr;
517  
518  	err = -ENAMETOOLONG;
519  	if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
520  		     "ccm_base(%s,%s)", ctr->base.cra_driver_name,
521  		     mac->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
522  		goto err_drop_ctr;
523  
524  	memcpy(inst->alg.base.cra_name, full_name, CRYPTO_MAX_ALG_NAME);
525  
526  	inst->alg.base.cra_flags = ctr->base.cra_flags & CRYPTO_ALG_ASYNC;
527  	inst->alg.base.cra_priority = (mac->base.cra_priority +
528  				       ctr->base.cra_priority) / 2;
529  	inst->alg.base.cra_blocksize = 1;
530  	inst->alg.base.cra_alignmask = mac->base.cra_alignmask |
531  				       ctr->base.cra_alignmask;
532  	inst->alg.ivsize = 16;
533  	inst->alg.chunksize = crypto_skcipher_alg_chunksize(ctr);
534  	inst->alg.maxauthsize = 16;
535  	inst->alg.base.cra_ctxsize = sizeof(struct crypto_ccm_ctx);
536  	inst->alg.init = crypto_ccm_init_tfm;
537  	inst->alg.exit = crypto_ccm_exit_tfm;
538  	inst->alg.setkey = crypto_ccm_setkey;
539  	inst->alg.setauthsize = crypto_ccm_setauthsize;
540  	inst->alg.encrypt = crypto_ccm_encrypt;
541  	inst->alg.decrypt = crypto_ccm_decrypt;
542  
543  	inst->free = crypto_ccm_free;
544  
545  	err = aead_register_instance(tmpl, inst);
546  	if (err)
547  		goto err_drop_ctr;
548  
549  out_put_mac:
550  	crypto_mod_put(mac_alg);
551  	return err;
552  
553  err_drop_ctr:
554  	crypto_drop_skcipher(&ictx->ctr);
555  err_drop_mac:
556  	crypto_drop_ahash(&ictx->mac);
557  err_free_inst:
558  	kfree(inst);
559  	goto out_put_mac;
560  }
561  
562  static int crypto_ccm_create(struct crypto_template *tmpl, struct rtattr **tb)
563  {
564  	const char *cipher_name;
565  	char ctr_name[CRYPTO_MAX_ALG_NAME];
566  	char mac_name[CRYPTO_MAX_ALG_NAME];
567  	char full_name[CRYPTO_MAX_ALG_NAME];
568  
569  	cipher_name = crypto_attr_alg_name(tb[1]);
570  	if (IS_ERR(cipher_name))
571  		return PTR_ERR(cipher_name);
572  
573  	if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)",
574  		     cipher_name) >= CRYPTO_MAX_ALG_NAME)
575  		return -ENAMETOOLONG;
576  
577  	if (snprintf(mac_name, CRYPTO_MAX_ALG_NAME, "cbcmac(%s)",
578  		     cipher_name) >= CRYPTO_MAX_ALG_NAME)
579  		return -ENAMETOOLONG;
580  
581  	if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "ccm(%s)", cipher_name) >=
582  	    CRYPTO_MAX_ALG_NAME)
583  		return -ENAMETOOLONG;
584  
585  	return crypto_ccm_create_common(tmpl, tb, full_name, ctr_name,
586  					mac_name);
587  }
588  
589  static struct crypto_template crypto_ccm_tmpl = {
590  	.name = "ccm",
591  	.create = crypto_ccm_create,
592  	.module = THIS_MODULE,
593  };
594  
595  static int crypto_ccm_base_create(struct crypto_template *tmpl,
596  				  struct rtattr **tb)
597  {
598  	const char *ctr_name;
599  	const char *cipher_name;
600  	char full_name[CRYPTO_MAX_ALG_NAME];
601  
602  	ctr_name = crypto_attr_alg_name(tb[1]);
603  	if (IS_ERR(ctr_name))
604  		return PTR_ERR(ctr_name);
605  
606  	cipher_name = crypto_attr_alg_name(tb[2]);
607  	if (IS_ERR(cipher_name))
608  		return PTR_ERR(cipher_name);
609  
610  	if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "ccm_base(%s,%s)",
611  		     ctr_name, cipher_name) >= CRYPTO_MAX_ALG_NAME)
612  		return -ENAMETOOLONG;
613  
614  	return crypto_ccm_create_common(tmpl, tb, full_name, ctr_name,
615  					cipher_name);
616  }
617  
618  static struct crypto_template crypto_ccm_base_tmpl = {
619  	.name = "ccm_base",
620  	.create = crypto_ccm_base_create,
621  	.module = THIS_MODULE,
622  };
623  
624  static int crypto_rfc4309_setkey(struct crypto_aead *parent, const u8 *key,
625  				 unsigned int keylen)
626  {
627  	struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(parent);
628  	struct crypto_aead *child = ctx->child;
629  	int err;
630  
631  	if (keylen < 3)
632  		return -EINVAL;
633  
634  	keylen -= 3;
635  	memcpy(ctx->nonce, key + keylen, 3);
636  
637  	crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK);
638  	crypto_aead_set_flags(child, crypto_aead_get_flags(parent) &
639  				     CRYPTO_TFM_REQ_MASK);
640  	err = crypto_aead_setkey(child, key, keylen);
641  	crypto_aead_set_flags(parent, crypto_aead_get_flags(child) &
642  				      CRYPTO_TFM_RES_MASK);
643  
644  	return err;
645  }
646  
647  static int crypto_rfc4309_setauthsize(struct crypto_aead *parent,
648  				      unsigned int authsize)
649  {
650  	struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(parent);
651  
652  	switch (authsize) {
653  	case 8:
654  	case 12:
655  	case 16:
656  		break;
657  	default:
658  		return -EINVAL;
659  	}
660  
661  	return crypto_aead_setauthsize(ctx->child, authsize);
662  }
663  
664  static struct aead_request *crypto_rfc4309_crypt(struct aead_request *req)
665  {
666  	struct crypto_rfc4309_req_ctx *rctx = aead_request_ctx(req);
667  	struct aead_request *subreq = &rctx->subreq;
668  	struct crypto_aead *aead = crypto_aead_reqtfm(req);
669  	struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(aead);
670  	struct crypto_aead *child = ctx->child;
671  	struct scatterlist *sg;
672  	u8 *iv = PTR_ALIGN((u8 *)(subreq + 1) + crypto_aead_reqsize(child),
673  			   crypto_aead_alignmask(child) + 1);
674  
675  	/* L' */
676  	iv[0] = 3;
677  
678  	memcpy(iv + 1, ctx->nonce, 3);
679  	memcpy(iv + 4, req->iv, 8);
680  
681  	scatterwalk_map_and_copy(iv + 16, req->src, 0, req->assoclen - 8, 0);
682  
683  	sg_init_table(rctx->src, 3);
684  	sg_set_buf(rctx->src, iv + 16, req->assoclen - 8);
685  	sg = scatterwalk_ffwd(rctx->src + 1, req->src, req->assoclen);
686  	if (sg != rctx->src + 1)
687  		sg_chain(rctx->src, 2, sg);
688  
689  	if (req->src != req->dst) {
690  		sg_init_table(rctx->dst, 3);
691  		sg_set_buf(rctx->dst, iv + 16, req->assoclen - 8);
692  		sg = scatterwalk_ffwd(rctx->dst + 1, req->dst, req->assoclen);
693  		if (sg != rctx->dst + 1)
694  			sg_chain(rctx->dst, 2, sg);
695  	}
696  
697  	aead_request_set_tfm(subreq, child);
698  	aead_request_set_callback(subreq, req->base.flags, req->base.complete,
699  				  req->base.data);
700  	aead_request_set_crypt(subreq, rctx->src,
701  			       req->src == req->dst ? rctx->src : rctx->dst,
702  			       req->cryptlen, iv);
703  	aead_request_set_ad(subreq, req->assoclen - 8);
704  
705  	return subreq;
706  }
707  
708  static int crypto_rfc4309_encrypt(struct aead_request *req)
709  {
710  	if (req->assoclen != 16 && req->assoclen != 20)
711  		return -EINVAL;
712  
713  	req = crypto_rfc4309_crypt(req);
714  
715  	return crypto_aead_encrypt(req);
716  }
717  
718  static int crypto_rfc4309_decrypt(struct aead_request *req)
719  {
720  	if (req->assoclen != 16 && req->assoclen != 20)
721  		return -EINVAL;
722  
723  	req = crypto_rfc4309_crypt(req);
724  
725  	return crypto_aead_decrypt(req);
726  }
727  
728  static int crypto_rfc4309_init_tfm(struct crypto_aead *tfm)
729  {
730  	struct aead_instance *inst = aead_alg_instance(tfm);
731  	struct crypto_aead_spawn *spawn = aead_instance_ctx(inst);
732  	struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(tfm);
733  	struct crypto_aead *aead;
734  	unsigned long align;
735  
736  	aead = crypto_spawn_aead(spawn);
737  	if (IS_ERR(aead))
738  		return PTR_ERR(aead);
739  
740  	ctx->child = aead;
741  
742  	align = crypto_aead_alignmask(aead);
743  	align &= ~(crypto_tfm_ctx_alignment() - 1);
744  	crypto_aead_set_reqsize(
745  		tfm,
746  		sizeof(struct crypto_rfc4309_req_ctx) +
747  		ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) +
748  		align + 32);
749  
750  	return 0;
751  }
752  
753  static void crypto_rfc4309_exit_tfm(struct crypto_aead *tfm)
754  {
755  	struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(tfm);
756  
757  	crypto_free_aead(ctx->child);
758  }
759  
760  static void crypto_rfc4309_free(struct aead_instance *inst)
761  {
762  	crypto_drop_aead(aead_instance_ctx(inst));
763  	kfree(inst);
764  }
765  
766  static int crypto_rfc4309_create(struct crypto_template *tmpl,
767  				 struct rtattr **tb)
768  {
769  	struct crypto_attr_type *algt;
770  	struct aead_instance *inst;
771  	struct crypto_aead_spawn *spawn;
772  	struct aead_alg *alg;
773  	const char *ccm_name;
774  	int err;
775  
776  	algt = crypto_get_attr_type(tb);
777  	if (IS_ERR(algt))
778  		return PTR_ERR(algt);
779  
780  	if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
781  		return -EINVAL;
782  
783  	ccm_name = crypto_attr_alg_name(tb[1]);
784  	if (IS_ERR(ccm_name))
785  		return PTR_ERR(ccm_name);
786  
787  	inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
788  	if (!inst)
789  		return -ENOMEM;
790  
791  	spawn = aead_instance_ctx(inst);
792  	crypto_set_aead_spawn(spawn, aead_crypto_instance(inst));
793  	err = crypto_grab_aead(spawn, ccm_name, 0,
794  			       crypto_requires_sync(algt->type, algt->mask));
795  	if (err)
796  		goto out_free_inst;
797  
798  	alg = crypto_spawn_aead_alg(spawn);
799  
800  	err = -EINVAL;
801  
802  	/* We only support 16-byte blocks. */
803  	if (crypto_aead_alg_ivsize(alg) != 16)
804  		goto out_drop_alg;
805  
806  	/* Not a stream cipher? */
807  	if (alg->base.cra_blocksize != 1)
808  		goto out_drop_alg;
809  
810  	err = -ENAMETOOLONG;
811  	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
812  		     "rfc4309(%s)", alg->base.cra_name) >=
813  	    CRYPTO_MAX_ALG_NAME ||
814  	    snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
815  		     "rfc4309(%s)", alg->base.cra_driver_name) >=
816  	    CRYPTO_MAX_ALG_NAME)
817  		goto out_drop_alg;
818  
819  	inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC;
820  	inst->alg.base.cra_priority = alg->base.cra_priority;
821  	inst->alg.base.cra_blocksize = 1;
822  	inst->alg.base.cra_alignmask = alg->base.cra_alignmask;
823  
824  	inst->alg.ivsize = 8;
825  	inst->alg.chunksize = crypto_aead_alg_chunksize(alg);
826  	inst->alg.maxauthsize = 16;
827  
828  	inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4309_ctx);
829  
830  	inst->alg.init = crypto_rfc4309_init_tfm;
831  	inst->alg.exit = crypto_rfc4309_exit_tfm;
832  
833  	inst->alg.setkey = crypto_rfc4309_setkey;
834  	inst->alg.setauthsize = crypto_rfc4309_setauthsize;
835  	inst->alg.encrypt = crypto_rfc4309_encrypt;
836  	inst->alg.decrypt = crypto_rfc4309_decrypt;
837  
838  	inst->free = crypto_rfc4309_free;
839  
840  	err = aead_register_instance(tmpl, inst);
841  	if (err)
842  		goto out_drop_alg;
843  
844  out:
845  	return err;
846  
847  out_drop_alg:
848  	crypto_drop_aead(spawn);
849  out_free_inst:
850  	kfree(inst);
851  	goto out;
852  }
853  
854  static struct crypto_template crypto_rfc4309_tmpl = {
855  	.name = "rfc4309",
856  	.create = crypto_rfc4309_create,
857  	.module = THIS_MODULE,
858  };
859  
860  static int crypto_cbcmac_digest_setkey(struct crypto_shash *parent,
861  				     const u8 *inkey, unsigned int keylen)
862  {
863  	struct cbcmac_tfm_ctx *ctx = crypto_shash_ctx(parent);
864  
865  	return crypto_cipher_setkey(ctx->child, inkey, keylen);
866  }
867  
868  static int crypto_cbcmac_digest_init(struct shash_desc *pdesc)
869  {
870  	struct cbcmac_desc_ctx *ctx = shash_desc_ctx(pdesc);
871  	int bs = crypto_shash_digestsize(pdesc->tfm);
872  	u8 *dg = (u8 *)ctx + crypto_shash_descsize(pdesc->tfm) - bs;
873  
874  	ctx->len = 0;
875  	memset(dg, 0, bs);
876  
877  	return 0;
878  }
879  
880  static int crypto_cbcmac_digest_update(struct shash_desc *pdesc, const u8 *p,
881  				       unsigned int len)
882  {
883  	struct crypto_shash *parent = pdesc->tfm;
884  	struct cbcmac_tfm_ctx *tctx = crypto_shash_ctx(parent);
885  	struct cbcmac_desc_ctx *ctx = shash_desc_ctx(pdesc);
886  	struct crypto_cipher *tfm = tctx->child;
887  	int bs = crypto_shash_digestsize(parent);
888  	u8 *dg = (u8 *)ctx + crypto_shash_descsize(parent) - bs;
889  
890  	while (len > 0) {
891  		unsigned int l = min(len, bs - ctx->len);
892  
893  		crypto_xor(dg + ctx->len, p, l);
894  		ctx->len +=l;
895  		len -= l;
896  		p += l;
897  
898  		if (ctx->len == bs) {
899  			crypto_cipher_encrypt_one(tfm, dg, dg);
900  			ctx->len = 0;
901  		}
902  	}
903  
904  	return 0;
905  }
906  
907  static int crypto_cbcmac_digest_final(struct shash_desc *pdesc, u8 *out)
908  {
909  	struct crypto_shash *parent = pdesc->tfm;
910  	struct cbcmac_tfm_ctx *tctx = crypto_shash_ctx(parent);
911  	struct cbcmac_desc_ctx *ctx = shash_desc_ctx(pdesc);
912  	struct crypto_cipher *tfm = tctx->child;
913  	int bs = crypto_shash_digestsize(parent);
914  	u8 *dg = (u8 *)ctx + crypto_shash_descsize(parent) - bs;
915  
916  	if (ctx->len)
917  		crypto_cipher_encrypt_one(tfm, dg, dg);
918  
919  	memcpy(out, dg, bs);
920  	return 0;
921  }
922  
923  static int cbcmac_init_tfm(struct crypto_tfm *tfm)
924  {
925  	struct crypto_cipher *cipher;
926  	struct crypto_instance *inst = (void *)tfm->__crt_alg;
927  	struct crypto_spawn *spawn = crypto_instance_ctx(inst);
928  	struct cbcmac_tfm_ctx *ctx = crypto_tfm_ctx(tfm);
929  
930  	cipher = crypto_spawn_cipher(spawn);
931  	if (IS_ERR(cipher))
932  		return PTR_ERR(cipher);
933  
934  	ctx->child = cipher;
935  
936  	return 0;
937  };
938  
939  static void cbcmac_exit_tfm(struct crypto_tfm *tfm)
940  {
941  	struct cbcmac_tfm_ctx *ctx = crypto_tfm_ctx(tfm);
942  	crypto_free_cipher(ctx->child);
943  }
944  
945  static int cbcmac_create(struct crypto_template *tmpl, struct rtattr **tb)
946  {
947  	struct shash_instance *inst;
948  	struct crypto_alg *alg;
949  	int err;
950  
951  	err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_SHASH);
952  	if (err)
953  		return err;
954  
955  	alg = crypto_get_attr_alg(tb, CRYPTO_ALG_TYPE_CIPHER,
956  				  CRYPTO_ALG_TYPE_MASK);
957  	if (IS_ERR(alg))
958  		return PTR_ERR(alg);
959  
960  	inst = shash_alloc_instance("cbcmac", alg);
961  	err = PTR_ERR(inst);
962  	if (IS_ERR(inst))
963  		goto out_put_alg;
964  
965  	err = crypto_init_spawn(shash_instance_ctx(inst), alg,
966  				shash_crypto_instance(inst),
967  				CRYPTO_ALG_TYPE_MASK);
968  	if (err)
969  		goto out_free_inst;
970  
971  	inst->alg.base.cra_priority = alg->cra_priority;
972  	inst->alg.base.cra_blocksize = 1;
973  
974  	inst->alg.digestsize = alg->cra_blocksize;
975  	inst->alg.descsize = ALIGN(sizeof(struct cbcmac_desc_ctx),
976  				   alg->cra_alignmask + 1) +
977  			     alg->cra_blocksize;
978  
979  	inst->alg.base.cra_ctxsize = sizeof(struct cbcmac_tfm_ctx);
980  	inst->alg.base.cra_init = cbcmac_init_tfm;
981  	inst->alg.base.cra_exit = cbcmac_exit_tfm;
982  
983  	inst->alg.init = crypto_cbcmac_digest_init;
984  	inst->alg.update = crypto_cbcmac_digest_update;
985  	inst->alg.final = crypto_cbcmac_digest_final;
986  	inst->alg.setkey = crypto_cbcmac_digest_setkey;
987  
988  	err = shash_register_instance(tmpl, inst);
989  
990  out_free_inst:
991  	if (err)
992  		shash_free_instance(shash_crypto_instance(inst));
993  
994  out_put_alg:
995  	crypto_mod_put(alg);
996  	return err;
997  }
998  
999  static struct crypto_template crypto_cbcmac_tmpl = {
1000  	.name = "cbcmac",
1001  	.create = cbcmac_create,
1002  	.free = shash_free_instance,
1003  	.module = THIS_MODULE,
1004  };
1005  
1006  static int __init crypto_ccm_module_init(void)
1007  {
1008  	int err;
1009  
1010  	err = crypto_register_template(&crypto_cbcmac_tmpl);
1011  	if (err)
1012  		goto out;
1013  
1014  	err = crypto_register_template(&crypto_ccm_base_tmpl);
1015  	if (err)
1016  		goto out_undo_cbcmac;
1017  
1018  	err = crypto_register_template(&crypto_ccm_tmpl);
1019  	if (err)
1020  		goto out_undo_base;
1021  
1022  	err = crypto_register_template(&crypto_rfc4309_tmpl);
1023  	if (err)
1024  		goto out_undo_ccm;
1025  
1026  out:
1027  	return err;
1028  
1029  out_undo_ccm:
1030  	crypto_unregister_template(&crypto_ccm_tmpl);
1031  out_undo_base:
1032  	crypto_unregister_template(&crypto_ccm_base_tmpl);
1033  out_undo_cbcmac:
1034  	crypto_register_template(&crypto_cbcmac_tmpl);
1035  	goto out;
1036  }
1037  
1038  static void __exit crypto_ccm_module_exit(void)
1039  {
1040  	crypto_unregister_template(&crypto_rfc4309_tmpl);
1041  	crypto_unregister_template(&crypto_ccm_tmpl);
1042  	crypto_unregister_template(&crypto_ccm_base_tmpl);
1043  	crypto_unregister_template(&crypto_cbcmac_tmpl);
1044  }
1045  
1046  module_init(crypto_ccm_module_init);
1047  module_exit(crypto_ccm_module_exit);
1048  
1049  MODULE_LICENSE("GPL");
1050  MODULE_DESCRIPTION("Counter with CBC MAC");
1051  MODULE_ALIAS_CRYPTO("ccm_base");
1052  MODULE_ALIAS_CRYPTO("rfc4309");
1053  MODULE_ALIAS_CRYPTO("ccm");
1054