1 /* 2 * CCM: Counter with CBC-MAC 3 * 4 * (C) Copyright IBM Corp. 2007 - Joy Latten <latten@us.ibm.com> 5 * 6 * This program is free software; you can redistribute it and/or modify it 7 * under the terms of the GNU General Public License as published by the Free 8 * Software Foundation; either version 2 of the License, or (at your option) 9 * any later version. 10 * 11 */ 12 13 #include <crypto/internal/aead.h> 14 #include <crypto/internal/skcipher.h> 15 #include <crypto/scatterwalk.h> 16 #include <linux/err.h> 17 #include <linux/init.h> 18 #include <linux/kernel.h> 19 #include <linux/module.h> 20 #include <linux/slab.h> 21 22 #include "internal.h" 23 24 struct ccm_instance_ctx { 25 struct crypto_skcipher_spawn ctr; 26 struct crypto_spawn cipher; 27 }; 28 29 struct crypto_ccm_ctx { 30 struct crypto_cipher *cipher; 31 struct crypto_ablkcipher *ctr; 32 }; 33 34 struct crypto_rfc4309_ctx { 35 struct crypto_aead *child; 36 u8 nonce[3]; 37 }; 38 39 struct crypto_rfc4309_req_ctx { 40 struct scatterlist src[3]; 41 struct scatterlist dst[3]; 42 struct aead_request subreq; 43 }; 44 45 struct crypto_ccm_req_priv_ctx { 46 u8 odata[16]; 47 u8 idata[16]; 48 u8 auth_tag[16]; 49 u32 ilen; 50 u32 flags; 51 struct scatterlist src[3]; 52 struct scatterlist dst[3]; 53 struct ablkcipher_request abreq; 54 }; 55 56 static inline struct crypto_ccm_req_priv_ctx *crypto_ccm_reqctx( 57 struct aead_request *req) 58 { 59 unsigned long align = crypto_aead_alignmask(crypto_aead_reqtfm(req)); 60 61 return (void *)PTR_ALIGN((u8 *)aead_request_ctx(req), align + 1); 62 } 63 64 static int set_msg_len(u8 *block, unsigned int msglen, int csize) 65 { 66 __be32 data; 67 68 memset(block, 0, csize); 69 block += csize; 70 71 if (csize >= 4) 72 csize = 4; 73 else if (msglen > (1 << (8 * csize))) 74 return -EOVERFLOW; 75 76 data = cpu_to_be32(msglen); 77 memcpy(block - csize, (u8 *)&data + 4 - csize, csize); 78 79 return 0; 80 } 81 82 static int crypto_ccm_setkey(struct crypto_aead *aead, const u8 *key, 83 unsigned int keylen) 84 { 85 struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead); 86 struct crypto_ablkcipher *ctr = ctx->ctr; 87 struct crypto_cipher *tfm = ctx->cipher; 88 int err = 0; 89 90 crypto_ablkcipher_clear_flags(ctr, CRYPTO_TFM_REQ_MASK); 91 crypto_ablkcipher_set_flags(ctr, crypto_aead_get_flags(aead) & 92 CRYPTO_TFM_REQ_MASK); 93 err = crypto_ablkcipher_setkey(ctr, key, keylen); 94 crypto_aead_set_flags(aead, crypto_ablkcipher_get_flags(ctr) & 95 CRYPTO_TFM_RES_MASK); 96 if (err) 97 goto out; 98 99 crypto_cipher_clear_flags(tfm, CRYPTO_TFM_REQ_MASK); 100 crypto_cipher_set_flags(tfm, crypto_aead_get_flags(aead) & 101 CRYPTO_TFM_REQ_MASK); 102 err = crypto_cipher_setkey(tfm, key, keylen); 103 crypto_aead_set_flags(aead, crypto_cipher_get_flags(tfm) & 104 CRYPTO_TFM_RES_MASK); 105 106 out: 107 return err; 108 } 109 110 static int crypto_ccm_setauthsize(struct crypto_aead *tfm, 111 unsigned int authsize) 112 { 113 switch (authsize) { 114 case 4: 115 case 6: 116 case 8: 117 case 10: 118 case 12: 119 case 14: 120 case 16: 121 break; 122 default: 123 return -EINVAL; 124 } 125 126 return 0; 127 } 128 129 static int format_input(u8 *info, struct aead_request *req, 130 unsigned int cryptlen) 131 { 132 struct crypto_aead *aead = crypto_aead_reqtfm(req); 133 unsigned int lp = req->iv[0]; 134 unsigned int l = lp + 1; 135 unsigned int m; 136 137 m = crypto_aead_authsize(aead); 138 139 memcpy(info, req->iv, 16); 140 141 /* format control info per RFC 3610 and 142 * NIST Special Publication 800-38C 143 */ 144 *info |= (8 * ((m - 2) / 2)); 145 if (req->assoclen) 146 *info |= 64; 147 148 return set_msg_len(info + 16 - l, cryptlen, l); 149 } 150 151 static int format_adata(u8 *adata, unsigned int a) 152 { 153 int len = 0; 154 155 /* add control info for associated data 156 * RFC 3610 and NIST Special Publication 800-38C 157 */ 158 if (a < 65280) { 159 *(__be16 *)adata = cpu_to_be16(a); 160 len = 2; 161 } else { 162 *(__be16 *)adata = cpu_to_be16(0xfffe); 163 *(__be32 *)&adata[2] = cpu_to_be32(a); 164 len = 6; 165 } 166 167 return len; 168 } 169 170 static void compute_mac(struct crypto_cipher *tfm, u8 *data, int n, 171 struct crypto_ccm_req_priv_ctx *pctx) 172 { 173 unsigned int bs = 16; 174 u8 *odata = pctx->odata; 175 u8 *idata = pctx->idata; 176 int datalen, getlen; 177 178 datalen = n; 179 180 /* first time in here, block may be partially filled. */ 181 getlen = bs - pctx->ilen; 182 if (datalen >= getlen) { 183 memcpy(idata + pctx->ilen, data, getlen); 184 crypto_xor(odata, idata, bs); 185 crypto_cipher_encrypt_one(tfm, odata, odata); 186 datalen -= getlen; 187 data += getlen; 188 pctx->ilen = 0; 189 } 190 191 /* now encrypt rest of data */ 192 while (datalen >= bs) { 193 crypto_xor(odata, data, bs); 194 crypto_cipher_encrypt_one(tfm, odata, odata); 195 196 datalen -= bs; 197 data += bs; 198 } 199 200 /* check and see if there's leftover data that wasn't 201 * enough to fill a block. 202 */ 203 if (datalen) { 204 memcpy(idata + pctx->ilen, data, datalen); 205 pctx->ilen += datalen; 206 } 207 } 208 209 static void get_data_to_compute(struct crypto_cipher *tfm, 210 struct crypto_ccm_req_priv_ctx *pctx, 211 struct scatterlist *sg, unsigned int len) 212 { 213 struct scatter_walk walk; 214 u8 *data_src; 215 int n; 216 217 scatterwalk_start(&walk, sg); 218 219 while (len) { 220 n = scatterwalk_clamp(&walk, len); 221 if (!n) { 222 scatterwalk_start(&walk, sg_next(walk.sg)); 223 n = scatterwalk_clamp(&walk, len); 224 } 225 data_src = scatterwalk_map(&walk); 226 227 compute_mac(tfm, data_src, n, pctx); 228 len -= n; 229 230 scatterwalk_unmap(data_src); 231 scatterwalk_advance(&walk, n); 232 scatterwalk_done(&walk, 0, len); 233 if (len) 234 crypto_yield(pctx->flags); 235 } 236 237 /* any leftover needs padding and then encrypted */ 238 if (pctx->ilen) { 239 int padlen; 240 u8 *odata = pctx->odata; 241 u8 *idata = pctx->idata; 242 243 padlen = 16 - pctx->ilen; 244 memset(idata + pctx->ilen, 0, padlen); 245 crypto_xor(odata, idata, 16); 246 crypto_cipher_encrypt_one(tfm, odata, odata); 247 pctx->ilen = 0; 248 } 249 } 250 251 static int crypto_ccm_auth(struct aead_request *req, struct scatterlist *plain, 252 unsigned int cryptlen) 253 { 254 struct crypto_aead *aead = crypto_aead_reqtfm(req); 255 struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead); 256 struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); 257 struct crypto_cipher *cipher = ctx->cipher; 258 unsigned int assoclen = req->assoclen; 259 u8 *odata = pctx->odata; 260 u8 *idata = pctx->idata; 261 int err; 262 263 /* format control data for input */ 264 err = format_input(odata, req, cryptlen); 265 if (err) 266 goto out; 267 268 /* encrypt first block to use as start in computing mac */ 269 crypto_cipher_encrypt_one(cipher, odata, odata); 270 271 /* format associated data and compute into mac */ 272 if (assoclen) { 273 pctx->ilen = format_adata(idata, assoclen); 274 get_data_to_compute(cipher, pctx, req->src, req->assoclen); 275 } else { 276 pctx->ilen = 0; 277 } 278 279 /* compute plaintext into mac */ 280 if (cryptlen) 281 get_data_to_compute(cipher, pctx, plain, cryptlen); 282 283 out: 284 return err; 285 } 286 287 static void crypto_ccm_encrypt_done(struct crypto_async_request *areq, int err) 288 { 289 struct aead_request *req = areq->data; 290 struct crypto_aead *aead = crypto_aead_reqtfm(req); 291 struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); 292 u8 *odata = pctx->odata; 293 294 if (!err) 295 scatterwalk_map_and_copy(odata, req->dst, 296 req->assoclen + req->cryptlen, 297 crypto_aead_authsize(aead), 1); 298 aead_request_complete(req, err); 299 } 300 301 static inline int crypto_ccm_check_iv(const u8 *iv) 302 { 303 /* 2 <= L <= 8, so 1 <= L' <= 7. */ 304 if (1 > iv[0] || iv[0] > 7) 305 return -EINVAL; 306 307 return 0; 308 } 309 310 static int crypto_ccm_init_crypt(struct aead_request *req, u8 *tag) 311 { 312 struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); 313 struct scatterlist *sg; 314 u8 *iv = req->iv; 315 int err; 316 317 err = crypto_ccm_check_iv(iv); 318 if (err) 319 return err; 320 321 pctx->flags = aead_request_flags(req); 322 323 /* Note: rfc 3610 and NIST 800-38C require counter of 324 * zero to encrypt auth tag. 325 */ 326 memset(iv + 15 - iv[0], 0, iv[0] + 1); 327 328 sg_init_table(pctx->src, 3); 329 sg_set_buf(pctx->src, tag, 16); 330 sg = scatterwalk_ffwd(pctx->src + 1, req->src, req->assoclen); 331 if (sg != pctx->src + 1) 332 sg_chain(pctx->src, 2, sg); 333 334 if (req->src != req->dst) { 335 sg_init_table(pctx->dst, 3); 336 sg_set_buf(pctx->dst, tag, 16); 337 sg = scatterwalk_ffwd(pctx->dst + 1, req->dst, req->assoclen); 338 if (sg != pctx->dst + 1) 339 sg_chain(pctx->dst, 2, sg); 340 } 341 342 return 0; 343 } 344 345 static int crypto_ccm_encrypt(struct aead_request *req) 346 { 347 struct crypto_aead *aead = crypto_aead_reqtfm(req); 348 struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead); 349 struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); 350 struct ablkcipher_request *abreq = &pctx->abreq; 351 struct scatterlist *dst; 352 unsigned int cryptlen = req->cryptlen; 353 u8 *odata = pctx->odata; 354 u8 *iv = req->iv; 355 int err; 356 357 err = crypto_ccm_init_crypt(req, odata); 358 if (err) 359 return err; 360 361 err = crypto_ccm_auth(req, sg_next(pctx->src), cryptlen); 362 if (err) 363 return err; 364 365 dst = pctx->src; 366 if (req->src != req->dst) 367 dst = pctx->dst; 368 369 ablkcipher_request_set_tfm(abreq, ctx->ctr); 370 ablkcipher_request_set_callback(abreq, pctx->flags, 371 crypto_ccm_encrypt_done, req); 372 ablkcipher_request_set_crypt(abreq, pctx->src, dst, cryptlen + 16, iv); 373 err = crypto_ablkcipher_encrypt(abreq); 374 if (err) 375 return err; 376 377 /* copy authtag to end of dst */ 378 scatterwalk_map_and_copy(odata, sg_next(dst), cryptlen, 379 crypto_aead_authsize(aead), 1); 380 return err; 381 } 382 383 static void crypto_ccm_decrypt_done(struct crypto_async_request *areq, 384 int err) 385 { 386 struct aead_request *req = areq->data; 387 struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); 388 struct crypto_aead *aead = crypto_aead_reqtfm(req); 389 unsigned int authsize = crypto_aead_authsize(aead); 390 unsigned int cryptlen = req->cryptlen - authsize; 391 struct scatterlist *dst; 392 393 pctx->flags = 0; 394 395 dst = sg_next(req->src == req->dst ? pctx->src : pctx->dst); 396 397 if (!err) { 398 err = crypto_ccm_auth(req, dst, cryptlen); 399 if (!err && crypto_memneq(pctx->auth_tag, pctx->odata, authsize)) 400 err = -EBADMSG; 401 } 402 aead_request_complete(req, err); 403 } 404 405 static int crypto_ccm_decrypt(struct aead_request *req) 406 { 407 struct crypto_aead *aead = crypto_aead_reqtfm(req); 408 struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead); 409 struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); 410 struct ablkcipher_request *abreq = &pctx->abreq; 411 struct scatterlist *dst; 412 unsigned int authsize = crypto_aead_authsize(aead); 413 unsigned int cryptlen = req->cryptlen; 414 u8 *authtag = pctx->auth_tag; 415 u8 *odata = pctx->odata; 416 u8 *iv = req->iv; 417 int err; 418 419 cryptlen -= authsize; 420 421 err = crypto_ccm_init_crypt(req, authtag); 422 if (err) 423 return err; 424 425 scatterwalk_map_and_copy(authtag, sg_next(pctx->src), cryptlen, 426 authsize, 0); 427 428 dst = pctx->src; 429 if (req->src != req->dst) 430 dst = pctx->dst; 431 432 ablkcipher_request_set_tfm(abreq, ctx->ctr); 433 ablkcipher_request_set_callback(abreq, pctx->flags, 434 crypto_ccm_decrypt_done, req); 435 ablkcipher_request_set_crypt(abreq, pctx->src, dst, cryptlen + 16, iv); 436 err = crypto_ablkcipher_decrypt(abreq); 437 if (err) 438 return err; 439 440 err = crypto_ccm_auth(req, sg_next(dst), cryptlen); 441 if (err) 442 return err; 443 444 /* verify */ 445 if (crypto_memneq(authtag, odata, authsize)) 446 return -EBADMSG; 447 448 return err; 449 } 450 451 static int crypto_ccm_init_tfm(struct crypto_aead *tfm) 452 { 453 struct aead_instance *inst = aead_alg_instance(tfm); 454 struct ccm_instance_ctx *ictx = aead_instance_ctx(inst); 455 struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm); 456 struct crypto_cipher *cipher; 457 struct crypto_ablkcipher *ctr; 458 unsigned long align; 459 int err; 460 461 cipher = crypto_spawn_cipher(&ictx->cipher); 462 if (IS_ERR(cipher)) 463 return PTR_ERR(cipher); 464 465 ctr = crypto_spawn_skcipher(&ictx->ctr); 466 err = PTR_ERR(ctr); 467 if (IS_ERR(ctr)) 468 goto err_free_cipher; 469 470 ctx->cipher = cipher; 471 ctx->ctr = ctr; 472 473 align = crypto_aead_alignmask(tfm); 474 align &= ~(crypto_tfm_ctx_alignment() - 1); 475 crypto_aead_set_reqsize( 476 tfm, 477 align + sizeof(struct crypto_ccm_req_priv_ctx) + 478 crypto_ablkcipher_reqsize(ctr)); 479 480 return 0; 481 482 err_free_cipher: 483 crypto_free_cipher(cipher); 484 return err; 485 } 486 487 static void crypto_ccm_exit_tfm(struct crypto_aead *tfm) 488 { 489 struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm); 490 491 crypto_free_cipher(ctx->cipher); 492 crypto_free_ablkcipher(ctx->ctr); 493 } 494 495 static void crypto_ccm_free(struct aead_instance *inst) 496 { 497 struct ccm_instance_ctx *ctx = aead_instance_ctx(inst); 498 499 crypto_drop_spawn(&ctx->cipher); 500 crypto_drop_skcipher(&ctx->ctr); 501 kfree(inst); 502 } 503 504 static int crypto_ccm_create_common(struct crypto_template *tmpl, 505 struct rtattr **tb, 506 const char *full_name, 507 const char *ctr_name, 508 const char *cipher_name) 509 { 510 struct crypto_attr_type *algt; 511 struct aead_instance *inst; 512 struct crypto_alg *ctr; 513 struct crypto_alg *cipher; 514 struct ccm_instance_ctx *ictx; 515 int err; 516 517 algt = crypto_get_attr_type(tb); 518 if (IS_ERR(algt)) 519 return PTR_ERR(algt); 520 521 if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask) 522 return -EINVAL; 523 524 cipher = crypto_alg_mod_lookup(cipher_name, CRYPTO_ALG_TYPE_CIPHER, 525 CRYPTO_ALG_TYPE_MASK); 526 if (IS_ERR(cipher)) 527 return PTR_ERR(cipher); 528 529 err = -EINVAL; 530 if (cipher->cra_blocksize != 16) 531 goto out_put_cipher; 532 533 inst = kzalloc(sizeof(*inst) + sizeof(*ictx), GFP_KERNEL); 534 err = -ENOMEM; 535 if (!inst) 536 goto out_put_cipher; 537 538 ictx = aead_instance_ctx(inst); 539 540 err = crypto_init_spawn(&ictx->cipher, cipher, 541 aead_crypto_instance(inst), 542 CRYPTO_ALG_TYPE_MASK); 543 if (err) 544 goto err_free_inst; 545 546 crypto_set_skcipher_spawn(&ictx->ctr, aead_crypto_instance(inst)); 547 err = crypto_grab_skcipher(&ictx->ctr, ctr_name, 0, 548 crypto_requires_sync(algt->type, 549 algt->mask)); 550 if (err) 551 goto err_drop_cipher; 552 553 ctr = crypto_skcipher_spawn_alg(&ictx->ctr); 554 555 /* Not a stream cipher? */ 556 err = -EINVAL; 557 if (ctr->cra_blocksize != 1) 558 goto err_drop_ctr; 559 560 /* We want the real thing! */ 561 if (ctr->cra_ablkcipher.ivsize != 16) 562 goto err_drop_ctr; 563 564 err = -ENAMETOOLONG; 565 if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, 566 "ccm_base(%s,%s)", ctr->cra_driver_name, 567 cipher->cra_driver_name) >= CRYPTO_MAX_ALG_NAME) 568 goto err_drop_ctr; 569 570 memcpy(inst->alg.base.cra_name, full_name, CRYPTO_MAX_ALG_NAME); 571 572 inst->alg.base.cra_flags = ctr->cra_flags & CRYPTO_ALG_ASYNC; 573 inst->alg.base.cra_priority = (cipher->cra_priority + 574 ctr->cra_priority) / 2; 575 inst->alg.base.cra_blocksize = 1; 576 inst->alg.base.cra_alignmask = cipher->cra_alignmask | 577 ctr->cra_alignmask | 578 (__alignof__(u32) - 1); 579 inst->alg.ivsize = 16; 580 inst->alg.maxauthsize = 16; 581 inst->alg.base.cra_ctxsize = sizeof(struct crypto_ccm_ctx); 582 inst->alg.init = crypto_ccm_init_tfm; 583 inst->alg.exit = crypto_ccm_exit_tfm; 584 inst->alg.setkey = crypto_ccm_setkey; 585 inst->alg.setauthsize = crypto_ccm_setauthsize; 586 inst->alg.encrypt = crypto_ccm_encrypt; 587 inst->alg.decrypt = crypto_ccm_decrypt; 588 589 inst->free = crypto_ccm_free; 590 591 err = aead_register_instance(tmpl, inst); 592 if (err) 593 goto err_drop_ctr; 594 595 out_put_cipher: 596 crypto_mod_put(cipher); 597 return err; 598 599 err_drop_ctr: 600 crypto_drop_skcipher(&ictx->ctr); 601 err_drop_cipher: 602 crypto_drop_spawn(&ictx->cipher); 603 err_free_inst: 604 kfree(inst); 605 goto out_put_cipher; 606 } 607 608 static int crypto_ccm_create(struct crypto_template *tmpl, struct rtattr **tb) 609 { 610 const char *cipher_name; 611 char ctr_name[CRYPTO_MAX_ALG_NAME]; 612 char full_name[CRYPTO_MAX_ALG_NAME]; 613 614 cipher_name = crypto_attr_alg_name(tb[1]); 615 if (IS_ERR(cipher_name)) 616 return PTR_ERR(cipher_name); 617 618 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", 619 cipher_name) >= CRYPTO_MAX_ALG_NAME) 620 return -ENAMETOOLONG; 621 622 if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "ccm(%s)", cipher_name) >= 623 CRYPTO_MAX_ALG_NAME) 624 return -ENAMETOOLONG; 625 626 return crypto_ccm_create_common(tmpl, tb, full_name, ctr_name, 627 cipher_name); 628 } 629 630 static struct crypto_template crypto_ccm_tmpl = { 631 .name = "ccm", 632 .create = crypto_ccm_create, 633 .module = THIS_MODULE, 634 }; 635 636 static int crypto_ccm_base_create(struct crypto_template *tmpl, 637 struct rtattr **tb) 638 { 639 const char *ctr_name; 640 const char *cipher_name; 641 char full_name[CRYPTO_MAX_ALG_NAME]; 642 643 ctr_name = crypto_attr_alg_name(tb[1]); 644 if (IS_ERR(ctr_name)) 645 return PTR_ERR(ctr_name); 646 647 cipher_name = crypto_attr_alg_name(tb[2]); 648 if (IS_ERR(cipher_name)) 649 return PTR_ERR(cipher_name); 650 651 if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "ccm_base(%s,%s)", 652 ctr_name, cipher_name) >= CRYPTO_MAX_ALG_NAME) 653 return -ENAMETOOLONG; 654 655 return crypto_ccm_create_common(tmpl, tb, full_name, ctr_name, 656 cipher_name); 657 } 658 659 static struct crypto_template crypto_ccm_base_tmpl = { 660 .name = "ccm_base", 661 .create = crypto_ccm_base_create, 662 .module = THIS_MODULE, 663 }; 664 665 static int crypto_rfc4309_setkey(struct crypto_aead *parent, const u8 *key, 666 unsigned int keylen) 667 { 668 struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(parent); 669 struct crypto_aead *child = ctx->child; 670 int err; 671 672 if (keylen < 3) 673 return -EINVAL; 674 675 keylen -= 3; 676 memcpy(ctx->nonce, key + keylen, 3); 677 678 crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK); 679 crypto_aead_set_flags(child, crypto_aead_get_flags(parent) & 680 CRYPTO_TFM_REQ_MASK); 681 err = crypto_aead_setkey(child, key, keylen); 682 crypto_aead_set_flags(parent, crypto_aead_get_flags(child) & 683 CRYPTO_TFM_RES_MASK); 684 685 return err; 686 } 687 688 static int crypto_rfc4309_setauthsize(struct crypto_aead *parent, 689 unsigned int authsize) 690 { 691 struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(parent); 692 693 switch (authsize) { 694 case 8: 695 case 12: 696 case 16: 697 break; 698 default: 699 return -EINVAL; 700 } 701 702 return crypto_aead_setauthsize(ctx->child, authsize); 703 } 704 705 static struct aead_request *crypto_rfc4309_crypt(struct aead_request *req) 706 { 707 struct crypto_rfc4309_req_ctx *rctx = aead_request_ctx(req); 708 struct aead_request *subreq = &rctx->subreq; 709 struct crypto_aead *aead = crypto_aead_reqtfm(req); 710 struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(aead); 711 struct crypto_aead *child = ctx->child; 712 struct scatterlist *sg; 713 u8 *iv = PTR_ALIGN((u8 *)(subreq + 1) + crypto_aead_reqsize(child), 714 crypto_aead_alignmask(child) + 1); 715 716 /* L' */ 717 iv[0] = 3; 718 719 memcpy(iv + 1, ctx->nonce, 3); 720 memcpy(iv + 4, req->iv, 8); 721 722 scatterwalk_map_and_copy(iv + 16, req->src, 0, req->assoclen - 8, 0); 723 724 sg_init_table(rctx->src, 3); 725 sg_set_buf(rctx->src, iv + 16, req->assoclen - 8); 726 sg = scatterwalk_ffwd(rctx->src + 1, req->src, req->assoclen); 727 if (sg != rctx->src + 1) 728 sg_chain(rctx->src, 2, sg); 729 730 if (req->src != req->dst) { 731 sg_init_table(rctx->dst, 3); 732 sg_set_buf(rctx->dst, iv + 16, req->assoclen - 8); 733 sg = scatterwalk_ffwd(rctx->dst + 1, req->dst, req->assoclen); 734 if (sg != rctx->dst + 1) 735 sg_chain(rctx->dst, 2, sg); 736 } 737 738 aead_request_set_tfm(subreq, child); 739 aead_request_set_callback(subreq, req->base.flags, req->base.complete, 740 req->base.data); 741 aead_request_set_crypt(subreq, rctx->src, 742 req->src == req->dst ? rctx->src : rctx->dst, 743 req->cryptlen, iv); 744 aead_request_set_ad(subreq, req->assoclen - 8); 745 746 return subreq; 747 } 748 749 static int crypto_rfc4309_encrypt(struct aead_request *req) 750 { 751 if (req->assoclen != 16 && req->assoclen != 20) 752 return -EINVAL; 753 754 req = crypto_rfc4309_crypt(req); 755 756 return crypto_aead_encrypt(req); 757 } 758 759 static int crypto_rfc4309_decrypt(struct aead_request *req) 760 { 761 if (req->assoclen != 16 && req->assoclen != 20) 762 return -EINVAL; 763 764 req = crypto_rfc4309_crypt(req); 765 766 return crypto_aead_decrypt(req); 767 } 768 769 static int crypto_rfc4309_init_tfm(struct crypto_aead *tfm) 770 { 771 struct aead_instance *inst = aead_alg_instance(tfm); 772 struct crypto_aead_spawn *spawn = aead_instance_ctx(inst); 773 struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(tfm); 774 struct crypto_aead *aead; 775 unsigned long align; 776 777 aead = crypto_spawn_aead(spawn); 778 if (IS_ERR(aead)) 779 return PTR_ERR(aead); 780 781 ctx->child = aead; 782 783 align = crypto_aead_alignmask(aead); 784 align &= ~(crypto_tfm_ctx_alignment() - 1); 785 crypto_aead_set_reqsize( 786 tfm, 787 sizeof(struct crypto_rfc4309_req_ctx) + 788 ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) + 789 align + 32); 790 791 return 0; 792 } 793 794 static void crypto_rfc4309_exit_tfm(struct crypto_aead *tfm) 795 { 796 struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(tfm); 797 798 crypto_free_aead(ctx->child); 799 } 800 801 static void crypto_rfc4309_free(struct aead_instance *inst) 802 { 803 crypto_drop_aead(aead_instance_ctx(inst)); 804 kfree(inst); 805 } 806 807 static int crypto_rfc4309_create(struct crypto_template *tmpl, 808 struct rtattr **tb) 809 { 810 struct crypto_attr_type *algt; 811 struct aead_instance *inst; 812 struct crypto_aead_spawn *spawn; 813 struct aead_alg *alg; 814 const char *ccm_name; 815 int err; 816 817 algt = crypto_get_attr_type(tb); 818 if (IS_ERR(algt)) 819 return PTR_ERR(algt); 820 821 if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask) 822 return -EINVAL; 823 824 ccm_name = crypto_attr_alg_name(tb[1]); 825 if (IS_ERR(ccm_name)) 826 return PTR_ERR(ccm_name); 827 828 inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL); 829 if (!inst) 830 return -ENOMEM; 831 832 spawn = aead_instance_ctx(inst); 833 crypto_set_aead_spawn(spawn, aead_crypto_instance(inst)); 834 err = crypto_grab_aead(spawn, ccm_name, 0, 835 crypto_requires_sync(algt->type, algt->mask)); 836 if (err) 837 goto out_free_inst; 838 839 alg = crypto_spawn_aead_alg(spawn); 840 841 err = -EINVAL; 842 843 /* We only support 16-byte blocks. */ 844 if (crypto_aead_alg_ivsize(alg) != 16) 845 goto out_drop_alg; 846 847 /* Not a stream cipher? */ 848 if (alg->base.cra_blocksize != 1) 849 goto out_drop_alg; 850 851 err = -ENAMETOOLONG; 852 if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME, 853 "rfc4309(%s)", alg->base.cra_name) >= 854 CRYPTO_MAX_ALG_NAME || 855 snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, 856 "rfc4309(%s)", alg->base.cra_driver_name) >= 857 CRYPTO_MAX_ALG_NAME) 858 goto out_drop_alg; 859 860 inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC; 861 inst->alg.base.cra_priority = alg->base.cra_priority; 862 inst->alg.base.cra_blocksize = 1; 863 inst->alg.base.cra_alignmask = alg->base.cra_alignmask; 864 865 inst->alg.ivsize = 8; 866 inst->alg.maxauthsize = 16; 867 868 inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4309_ctx); 869 870 inst->alg.init = crypto_rfc4309_init_tfm; 871 inst->alg.exit = crypto_rfc4309_exit_tfm; 872 873 inst->alg.setkey = crypto_rfc4309_setkey; 874 inst->alg.setauthsize = crypto_rfc4309_setauthsize; 875 inst->alg.encrypt = crypto_rfc4309_encrypt; 876 inst->alg.decrypt = crypto_rfc4309_decrypt; 877 878 inst->free = crypto_rfc4309_free; 879 880 err = aead_register_instance(tmpl, inst); 881 if (err) 882 goto out_drop_alg; 883 884 out: 885 return err; 886 887 out_drop_alg: 888 crypto_drop_aead(spawn); 889 out_free_inst: 890 kfree(inst); 891 goto out; 892 } 893 894 static struct crypto_template crypto_rfc4309_tmpl = { 895 .name = "rfc4309", 896 .create = crypto_rfc4309_create, 897 .module = THIS_MODULE, 898 }; 899 900 static int __init crypto_ccm_module_init(void) 901 { 902 int err; 903 904 err = crypto_register_template(&crypto_ccm_base_tmpl); 905 if (err) 906 goto out; 907 908 err = crypto_register_template(&crypto_ccm_tmpl); 909 if (err) 910 goto out_undo_base; 911 912 err = crypto_register_template(&crypto_rfc4309_tmpl); 913 if (err) 914 goto out_undo_ccm; 915 916 out: 917 return err; 918 919 out_undo_ccm: 920 crypto_unregister_template(&crypto_ccm_tmpl); 921 out_undo_base: 922 crypto_unregister_template(&crypto_ccm_base_tmpl); 923 goto out; 924 } 925 926 static void __exit crypto_ccm_module_exit(void) 927 { 928 crypto_unregister_template(&crypto_rfc4309_tmpl); 929 crypto_unregister_template(&crypto_ccm_tmpl); 930 crypto_unregister_template(&crypto_ccm_base_tmpl); 931 } 932 933 module_init(crypto_ccm_module_init); 934 module_exit(crypto_ccm_module_exit); 935 936 MODULE_LICENSE("GPL"); 937 MODULE_DESCRIPTION("Counter with CBC MAC"); 938 MODULE_ALIAS_CRYPTO("ccm_base"); 939 MODULE_ALIAS_CRYPTO("rfc4309"); 940 MODULE_ALIAS_CRYPTO("ccm"); 941