1 /* 2 * CCM: Counter with CBC-MAC 3 * 4 * (C) Copyright IBM Corp. 2007 - Joy Latten <latten@us.ibm.com> 5 * 6 * This program is free software; you can redistribute it and/or modify it 7 * under the terms of the GNU General Public License as published by the Free 8 * Software Foundation; either version 2 of the License, or (at your option) 9 * any later version. 10 * 11 */ 12 13 #include <crypto/internal/aead.h> 14 #include <crypto/internal/skcipher.h> 15 #include <crypto/scatterwalk.h> 16 #include <linux/err.h> 17 #include <linux/init.h> 18 #include <linux/kernel.h> 19 #include <linux/module.h> 20 #include <linux/slab.h> 21 22 #include "internal.h" 23 24 struct ccm_instance_ctx { 25 struct crypto_skcipher_spawn ctr; 26 struct crypto_spawn cipher; 27 }; 28 29 struct crypto_ccm_ctx { 30 struct crypto_cipher *cipher; 31 struct crypto_skcipher *ctr; 32 }; 33 34 struct crypto_rfc4309_ctx { 35 struct crypto_aead *child; 36 u8 nonce[3]; 37 }; 38 39 struct crypto_rfc4309_req_ctx { 40 struct scatterlist src[3]; 41 struct scatterlist dst[3]; 42 struct aead_request subreq; 43 }; 44 45 struct crypto_ccm_req_priv_ctx { 46 u8 odata[16]; 47 u8 idata[16]; 48 u8 auth_tag[16]; 49 u32 ilen; 50 u32 flags; 51 struct scatterlist src[3]; 52 struct scatterlist dst[3]; 53 struct skcipher_request skreq; 54 }; 55 56 static inline struct crypto_ccm_req_priv_ctx *crypto_ccm_reqctx( 57 struct aead_request *req) 58 { 59 unsigned long align = crypto_aead_alignmask(crypto_aead_reqtfm(req)); 60 61 return (void *)PTR_ALIGN((u8 *)aead_request_ctx(req), align + 1); 62 } 63 64 static int set_msg_len(u8 *block, unsigned int msglen, int csize) 65 { 66 __be32 data; 67 68 memset(block, 0, csize); 69 block += csize; 70 71 if (csize >= 4) 72 csize = 4; 73 else if (msglen > (1 << (8 * csize))) 74 return -EOVERFLOW; 75 76 data = cpu_to_be32(msglen); 77 memcpy(block - csize, (u8 *)&data + 4 - csize, csize); 78 79 return 0; 80 } 81 82 static int crypto_ccm_setkey(struct crypto_aead *aead, const u8 *key, 83 unsigned int keylen) 84 { 85 struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead); 86 struct crypto_skcipher *ctr = ctx->ctr; 87 struct crypto_cipher *tfm = ctx->cipher; 88 int err = 0; 89 90 crypto_skcipher_clear_flags(ctr, CRYPTO_TFM_REQ_MASK); 91 crypto_skcipher_set_flags(ctr, crypto_aead_get_flags(aead) & 92 CRYPTO_TFM_REQ_MASK); 93 err = crypto_skcipher_setkey(ctr, key, keylen); 94 crypto_aead_set_flags(aead, crypto_skcipher_get_flags(ctr) & 95 CRYPTO_TFM_RES_MASK); 96 if (err) 97 goto out; 98 99 crypto_cipher_clear_flags(tfm, CRYPTO_TFM_REQ_MASK); 100 crypto_cipher_set_flags(tfm, crypto_aead_get_flags(aead) & 101 CRYPTO_TFM_REQ_MASK); 102 err = crypto_cipher_setkey(tfm, key, keylen); 103 crypto_aead_set_flags(aead, crypto_cipher_get_flags(tfm) & 104 CRYPTO_TFM_RES_MASK); 105 106 out: 107 return err; 108 } 109 110 static int crypto_ccm_setauthsize(struct crypto_aead *tfm, 111 unsigned int authsize) 112 { 113 switch (authsize) { 114 case 4: 115 case 6: 116 case 8: 117 case 10: 118 case 12: 119 case 14: 120 case 16: 121 break; 122 default: 123 return -EINVAL; 124 } 125 126 return 0; 127 } 128 129 static int format_input(u8 *info, struct aead_request *req, 130 unsigned int cryptlen) 131 { 132 struct crypto_aead *aead = crypto_aead_reqtfm(req); 133 unsigned int lp = req->iv[0]; 134 unsigned int l = lp + 1; 135 unsigned int m; 136 137 m = crypto_aead_authsize(aead); 138 139 memcpy(info, req->iv, 16); 140 141 /* format control info per RFC 3610 and 142 * NIST Special Publication 800-38C 143 */ 144 *info |= (8 * ((m - 2) / 2)); 145 if (req->assoclen) 146 *info |= 64; 147 148 return set_msg_len(info + 16 - l, cryptlen, l); 149 } 150 151 static int format_adata(u8 *adata, unsigned int a) 152 { 153 int len = 0; 154 155 /* add control info for associated data 156 * RFC 3610 and NIST Special Publication 800-38C 157 */ 158 if (a < 65280) { 159 *(__be16 *)adata = cpu_to_be16(a); 160 len = 2; 161 } else { 162 *(__be16 *)adata = cpu_to_be16(0xfffe); 163 *(__be32 *)&adata[2] = cpu_to_be32(a); 164 len = 6; 165 } 166 167 return len; 168 } 169 170 static void compute_mac(struct crypto_cipher *tfm, u8 *data, int n, 171 struct crypto_ccm_req_priv_ctx *pctx) 172 { 173 unsigned int bs = 16; 174 u8 *odata = pctx->odata; 175 u8 *idata = pctx->idata; 176 int datalen, getlen; 177 178 datalen = n; 179 180 /* first time in here, block may be partially filled. */ 181 getlen = bs - pctx->ilen; 182 if (datalen >= getlen) { 183 memcpy(idata + pctx->ilen, data, getlen); 184 crypto_xor(odata, idata, bs); 185 crypto_cipher_encrypt_one(tfm, odata, odata); 186 datalen -= getlen; 187 data += getlen; 188 pctx->ilen = 0; 189 } 190 191 /* now encrypt rest of data */ 192 while (datalen >= bs) { 193 crypto_xor(odata, data, bs); 194 crypto_cipher_encrypt_one(tfm, odata, odata); 195 196 datalen -= bs; 197 data += bs; 198 } 199 200 /* check and see if there's leftover data that wasn't 201 * enough to fill a block. 202 */ 203 if (datalen) { 204 memcpy(idata + pctx->ilen, data, datalen); 205 pctx->ilen += datalen; 206 } 207 } 208 209 static void get_data_to_compute(struct crypto_cipher *tfm, 210 struct crypto_ccm_req_priv_ctx *pctx, 211 struct scatterlist *sg, unsigned int len) 212 { 213 struct scatter_walk walk; 214 u8 *data_src; 215 int n; 216 217 scatterwalk_start(&walk, sg); 218 219 while (len) { 220 n = scatterwalk_clamp(&walk, len); 221 if (!n) { 222 scatterwalk_start(&walk, sg_next(walk.sg)); 223 n = scatterwalk_clamp(&walk, len); 224 } 225 data_src = scatterwalk_map(&walk); 226 227 compute_mac(tfm, data_src, n, pctx); 228 len -= n; 229 230 scatterwalk_unmap(data_src); 231 scatterwalk_advance(&walk, n); 232 scatterwalk_done(&walk, 0, len); 233 if (len) 234 crypto_yield(pctx->flags); 235 } 236 237 /* any leftover needs padding and then encrypted */ 238 if (pctx->ilen) { 239 int padlen; 240 u8 *odata = pctx->odata; 241 u8 *idata = pctx->idata; 242 243 padlen = 16 - pctx->ilen; 244 memset(idata + pctx->ilen, 0, padlen); 245 crypto_xor(odata, idata, 16); 246 crypto_cipher_encrypt_one(tfm, odata, odata); 247 pctx->ilen = 0; 248 } 249 } 250 251 static int crypto_ccm_auth(struct aead_request *req, struct scatterlist *plain, 252 unsigned int cryptlen) 253 { 254 struct crypto_aead *aead = crypto_aead_reqtfm(req); 255 struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead); 256 struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); 257 struct crypto_cipher *cipher = ctx->cipher; 258 unsigned int assoclen = req->assoclen; 259 u8 *odata = pctx->odata; 260 u8 *idata = pctx->idata; 261 int err; 262 263 /* format control data for input */ 264 err = format_input(odata, req, cryptlen); 265 if (err) 266 goto out; 267 268 /* encrypt first block to use as start in computing mac */ 269 crypto_cipher_encrypt_one(cipher, odata, odata); 270 271 /* format associated data and compute into mac */ 272 if (assoclen) { 273 pctx->ilen = format_adata(idata, assoclen); 274 get_data_to_compute(cipher, pctx, req->src, req->assoclen); 275 } else { 276 pctx->ilen = 0; 277 } 278 279 /* compute plaintext into mac */ 280 if (cryptlen) 281 get_data_to_compute(cipher, pctx, plain, cryptlen); 282 283 out: 284 return err; 285 } 286 287 static void crypto_ccm_encrypt_done(struct crypto_async_request *areq, int err) 288 { 289 struct aead_request *req = areq->data; 290 struct crypto_aead *aead = crypto_aead_reqtfm(req); 291 struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); 292 u8 *odata = pctx->odata; 293 294 if (!err) 295 scatterwalk_map_and_copy(odata, req->dst, 296 req->assoclen + req->cryptlen, 297 crypto_aead_authsize(aead), 1); 298 aead_request_complete(req, err); 299 } 300 301 static inline int crypto_ccm_check_iv(const u8 *iv) 302 { 303 /* 2 <= L <= 8, so 1 <= L' <= 7. */ 304 if (1 > iv[0] || iv[0] > 7) 305 return -EINVAL; 306 307 return 0; 308 } 309 310 static int crypto_ccm_init_crypt(struct aead_request *req, u8 *tag) 311 { 312 struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); 313 struct scatterlist *sg; 314 u8 *iv = req->iv; 315 int err; 316 317 err = crypto_ccm_check_iv(iv); 318 if (err) 319 return err; 320 321 pctx->flags = aead_request_flags(req); 322 323 /* Note: rfc 3610 and NIST 800-38C require counter of 324 * zero to encrypt auth tag. 325 */ 326 memset(iv + 15 - iv[0], 0, iv[0] + 1); 327 328 sg_init_table(pctx->src, 3); 329 sg_set_buf(pctx->src, tag, 16); 330 sg = scatterwalk_ffwd(pctx->src + 1, req->src, req->assoclen); 331 if (sg != pctx->src + 1) 332 sg_chain(pctx->src, 2, sg); 333 334 if (req->src != req->dst) { 335 sg_init_table(pctx->dst, 3); 336 sg_set_buf(pctx->dst, tag, 16); 337 sg = scatterwalk_ffwd(pctx->dst + 1, req->dst, req->assoclen); 338 if (sg != pctx->dst + 1) 339 sg_chain(pctx->dst, 2, sg); 340 } 341 342 return 0; 343 } 344 345 static int crypto_ccm_encrypt(struct aead_request *req) 346 { 347 struct crypto_aead *aead = crypto_aead_reqtfm(req); 348 struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead); 349 struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); 350 struct skcipher_request *skreq = &pctx->skreq; 351 struct scatterlist *dst; 352 unsigned int cryptlen = req->cryptlen; 353 u8 *odata = pctx->odata; 354 u8 *iv = req->iv; 355 int err; 356 357 err = crypto_ccm_init_crypt(req, odata); 358 if (err) 359 return err; 360 361 err = crypto_ccm_auth(req, sg_next(pctx->src), cryptlen); 362 if (err) 363 return err; 364 365 dst = pctx->src; 366 if (req->src != req->dst) 367 dst = pctx->dst; 368 369 skcipher_request_set_tfm(skreq, ctx->ctr); 370 skcipher_request_set_callback(skreq, pctx->flags, 371 crypto_ccm_encrypt_done, req); 372 skcipher_request_set_crypt(skreq, pctx->src, dst, cryptlen + 16, iv); 373 err = crypto_skcipher_encrypt(skreq); 374 if (err) 375 return err; 376 377 /* copy authtag to end of dst */ 378 scatterwalk_map_and_copy(odata, sg_next(dst), cryptlen, 379 crypto_aead_authsize(aead), 1); 380 return err; 381 } 382 383 static void crypto_ccm_decrypt_done(struct crypto_async_request *areq, 384 int err) 385 { 386 struct aead_request *req = areq->data; 387 struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); 388 struct crypto_aead *aead = crypto_aead_reqtfm(req); 389 unsigned int authsize = crypto_aead_authsize(aead); 390 unsigned int cryptlen = req->cryptlen - authsize; 391 struct scatterlist *dst; 392 393 pctx->flags = 0; 394 395 dst = sg_next(req->src == req->dst ? pctx->src : pctx->dst); 396 397 if (!err) { 398 err = crypto_ccm_auth(req, dst, cryptlen); 399 if (!err && crypto_memneq(pctx->auth_tag, pctx->odata, authsize)) 400 err = -EBADMSG; 401 } 402 aead_request_complete(req, err); 403 } 404 405 static int crypto_ccm_decrypt(struct aead_request *req) 406 { 407 struct crypto_aead *aead = crypto_aead_reqtfm(req); 408 struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead); 409 struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); 410 struct skcipher_request *skreq = &pctx->skreq; 411 struct scatterlist *dst; 412 unsigned int authsize = crypto_aead_authsize(aead); 413 unsigned int cryptlen = req->cryptlen; 414 u8 *authtag = pctx->auth_tag; 415 u8 *odata = pctx->odata; 416 u8 *iv = req->iv; 417 int err; 418 419 cryptlen -= authsize; 420 421 err = crypto_ccm_init_crypt(req, authtag); 422 if (err) 423 return err; 424 425 scatterwalk_map_and_copy(authtag, sg_next(pctx->src), cryptlen, 426 authsize, 0); 427 428 dst = pctx->src; 429 if (req->src != req->dst) 430 dst = pctx->dst; 431 432 skcipher_request_set_tfm(skreq, ctx->ctr); 433 skcipher_request_set_callback(skreq, pctx->flags, 434 crypto_ccm_decrypt_done, req); 435 skcipher_request_set_crypt(skreq, pctx->src, dst, cryptlen + 16, iv); 436 err = crypto_skcipher_decrypt(skreq); 437 if (err) 438 return err; 439 440 err = crypto_ccm_auth(req, sg_next(dst), cryptlen); 441 if (err) 442 return err; 443 444 /* verify */ 445 if (crypto_memneq(authtag, odata, authsize)) 446 return -EBADMSG; 447 448 return err; 449 } 450 451 static int crypto_ccm_init_tfm(struct crypto_aead *tfm) 452 { 453 struct aead_instance *inst = aead_alg_instance(tfm); 454 struct ccm_instance_ctx *ictx = aead_instance_ctx(inst); 455 struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm); 456 struct crypto_cipher *cipher; 457 struct crypto_skcipher *ctr; 458 unsigned long align; 459 int err; 460 461 cipher = crypto_spawn_cipher(&ictx->cipher); 462 if (IS_ERR(cipher)) 463 return PTR_ERR(cipher); 464 465 ctr = crypto_spawn_skcipher2(&ictx->ctr); 466 err = PTR_ERR(ctr); 467 if (IS_ERR(ctr)) 468 goto err_free_cipher; 469 470 ctx->cipher = cipher; 471 ctx->ctr = ctr; 472 473 align = crypto_aead_alignmask(tfm); 474 align &= ~(crypto_tfm_ctx_alignment() - 1); 475 crypto_aead_set_reqsize( 476 tfm, 477 align + sizeof(struct crypto_ccm_req_priv_ctx) + 478 crypto_skcipher_reqsize(ctr)); 479 480 return 0; 481 482 err_free_cipher: 483 crypto_free_cipher(cipher); 484 return err; 485 } 486 487 static void crypto_ccm_exit_tfm(struct crypto_aead *tfm) 488 { 489 struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm); 490 491 crypto_free_cipher(ctx->cipher); 492 crypto_free_skcipher(ctx->ctr); 493 } 494 495 static void crypto_ccm_free(struct aead_instance *inst) 496 { 497 struct ccm_instance_ctx *ctx = aead_instance_ctx(inst); 498 499 crypto_drop_spawn(&ctx->cipher); 500 crypto_drop_skcipher(&ctx->ctr); 501 kfree(inst); 502 } 503 504 static int crypto_ccm_create_common(struct crypto_template *tmpl, 505 struct rtattr **tb, 506 const char *full_name, 507 const char *ctr_name, 508 const char *cipher_name) 509 { 510 struct crypto_attr_type *algt; 511 struct aead_instance *inst; 512 struct skcipher_alg *ctr; 513 struct crypto_alg *cipher; 514 struct ccm_instance_ctx *ictx; 515 int err; 516 517 algt = crypto_get_attr_type(tb); 518 if (IS_ERR(algt)) 519 return PTR_ERR(algt); 520 521 if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask) 522 return -EINVAL; 523 524 cipher = crypto_alg_mod_lookup(cipher_name, CRYPTO_ALG_TYPE_CIPHER, 525 CRYPTO_ALG_TYPE_MASK); 526 if (IS_ERR(cipher)) 527 return PTR_ERR(cipher); 528 529 err = -EINVAL; 530 if (cipher->cra_blocksize != 16) 531 goto out_put_cipher; 532 533 inst = kzalloc(sizeof(*inst) + sizeof(*ictx), GFP_KERNEL); 534 err = -ENOMEM; 535 if (!inst) 536 goto out_put_cipher; 537 538 ictx = aead_instance_ctx(inst); 539 540 err = crypto_init_spawn(&ictx->cipher, cipher, 541 aead_crypto_instance(inst), 542 CRYPTO_ALG_TYPE_MASK); 543 if (err) 544 goto err_free_inst; 545 546 crypto_set_skcipher_spawn(&ictx->ctr, aead_crypto_instance(inst)); 547 err = crypto_grab_skcipher2(&ictx->ctr, ctr_name, 0, 548 crypto_requires_sync(algt->type, 549 algt->mask)); 550 if (err) 551 goto err_drop_cipher; 552 553 ctr = crypto_spawn_skcipher_alg(&ictx->ctr); 554 555 /* Not a stream cipher? */ 556 err = -EINVAL; 557 if (ctr->base.cra_blocksize != 1) 558 goto err_drop_ctr; 559 560 /* We want the real thing! */ 561 if (crypto_skcipher_alg_ivsize(ctr) != 16) 562 goto err_drop_ctr; 563 564 err = -ENAMETOOLONG; 565 if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, 566 "ccm_base(%s,%s)", ctr->base.cra_driver_name, 567 cipher->cra_driver_name) >= CRYPTO_MAX_ALG_NAME) 568 goto err_drop_ctr; 569 570 memcpy(inst->alg.base.cra_name, full_name, CRYPTO_MAX_ALG_NAME); 571 572 inst->alg.base.cra_flags = ctr->base.cra_flags & CRYPTO_ALG_ASYNC; 573 inst->alg.base.cra_priority = (cipher->cra_priority + 574 ctr->base.cra_priority) / 2; 575 inst->alg.base.cra_blocksize = 1; 576 inst->alg.base.cra_alignmask = cipher->cra_alignmask | 577 ctr->base.cra_alignmask | 578 (__alignof__(u32) - 1); 579 inst->alg.ivsize = 16; 580 inst->alg.chunksize = crypto_skcipher_alg_chunksize(ctr); 581 inst->alg.maxauthsize = 16; 582 inst->alg.base.cra_ctxsize = sizeof(struct crypto_ccm_ctx); 583 inst->alg.init = crypto_ccm_init_tfm; 584 inst->alg.exit = crypto_ccm_exit_tfm; 585 inst->alg.setkey = crypto_ccm_setkey; 586 inst->alg.setauthsize = crypto_ccm_setauthsize; 587 inst->alg.encrypt = crypto_ccm_encrypt; 588 inst->alg.decrypt = crypto_ccm_decrypt; 589 590 inst->free = crypto_ccm_free; 591 592 err = aead_register_instance(tmpl, inst); 593 if (err) 594 goto err_drop_ctr; 595 596 out_put_cipher: 597 crypto_mod_put(cipher); 598 return err; 599 600 err_drop_ctr: 601 crypto_drop_skcipher(&ictx->ctr); 602 err_drop_cipher: 603 crypto_drop_spawn(&ictx->cipher); 604 err_free_inst: 605 kfree(inst); 606 goto out_put_cipher; 607 } 608 609 static int crypto_ccm_create(struct crypto_template *tmpl, struct rtattr **tb) 610 { 611 const char *cipher_name; 612 char ctr_name[CRYPTO_MAX_ALG_NAME]; 613 char full_name[CRYPTO_MAX_ALG_NAME]; 614 615 cipher_name = crypto_attr_alg_name(tb[1]); 616 if (IS_ERR(cipher_name)) 617 return PTR_ERR(cipher_name); 618 619 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", 620 cipher_name) >= CRYPTO_MAX_ALG_NAME) 621 return -ENAMETOOLONG; 622 623 if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "ccm(%s)", cipher_name) >= 624 CRYPTO_MAX_ALG_NAME) 625 return -ENAMETOOLONG; 626 627 return crypto_ccm_create_common(tmpl, tb, full_name, ctr_name, 628 cipher_name); 629 } 630 631 static struct crypto_template crypto_ccm_tmpl = { 632 .name = "ccm", 633 .create = crypto_ccm_create, 634 .module = THIS_MODULE, 635 }; 636 637 static int crypto_ccm_base_create(struct crypto_template *tmpl, 638 struct rtattr **tb) 639 { 640 const char *ctr_name; 641 const char *cipher_name; 642 char full_name[CRYPTO_MAX_ALG_NAME]; 643 644 ctr_name = crypto_attr_alg_name(tb[1]); 645 if (IS_ERR(ctr_name)) 646 return PTR_ERR(ctr_name); 647 648 cipher_name = crypto_attr_alg_name(tb[2]); 649 if (IS_ERR(cipher_name)) 650 return PTR_ERR(cipher_name); 651 652 if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "ccm_base(%s,%s)", 653 ctr_name, cipher_name) >= CRYPTO_MAX_ALG_NAME) 654 return -ENAMETOOLONG; 655 656 return crypto_ccm_create_common(tmpl, tb, full_name, ctr_name, 657 cipher_name); 658 } 659 660 static struct crypto_template crypto_ccm_base_tmpl = { 661 .name = "ccm_base", 662 .create = crypto_ccm_base_create, 663 .module = THIS_MODULE, 664 }; 665 666 static int crypto_rfc4309_setkey(struct crypto_aead *parent, const u8 *key, 667 unsigned int keylen) 668 { 669 struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(parent); 670 struct crypto_aead *child = ctx->child; 671 int err; 672 673 if (keylen < 3) 674 return -EINVAL; 675 676 keylen -= 3; 677 memcpy(ctx->nonce, key + keylen, 3); 678 679 crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK); 680 crypto_aead_set_flags(child, crypto_aead_get_flags(parent) & 681 CRYPTO_TFM_REQ_MASK); 682 err = crypto_aead_setkey(child, key, keylen); 683 crypto_aead_set_flags(parent, crypto_aead_get_flags(child) & 684 CRYPTO_TFM_RES_MASK); 685 686 return err; 687 } 688 689 static int crypto_rfc4309_setauthsize(struct crypto_aead *parent, 690 unsigned int authsize) 691 { 692 struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(parent); 693 694 switch (authsize) { 695 case 8: 696 case 12: 697 case 16: 698 break; 699 default: 700 return -EINVAL; 701 } 702 703 return crypto_aead_setauthsize(ctx->child, authsize); 704 } 705 706 static struct aead_request *crypto_rfc4309_crypt(struct aead_request *req) 707 { 708 struct crypto_rfc4309_req_ctx *rctx = aead_request_ctx(req); 709 struct aead_request *subreq = &rctx->subreq; 710 struct crypto_aead *aead = crypto_aead_reqtfm(req); 711 struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(aead); 712 struct crypto_aead *child = ctx->child; 713 struct scatterlist *sg; 714 u8 *iv = PTR_ALIGN((u8 *)(subreq + 1) + crypto_aead_reqsize(child), 715 crypto_aead_alignmask(child) + 1); 716 717 /* L' */ 718 iv[0] = 3; 719 720 memcpy(iv + 1, ctx->nonce, 3); 721 memcpy(iv + 4, req->iv, 8); 722 723 scatterwalk_map_and_copy(iv + 16, req->src, 0, req->assoclen - 8, 0); 724 725 sg_init_table(rctx->src, 3); 726 sg_set_buf(rctx->src, iv + 16, req->assoclen - 8); 727 sg = scatterwalk_ffwd(rctx->src + 1, req->src, req->assoclen); 728 if (sg != rctx->src + 1) 729 sg_chain(rctx->src, 2, sg); 730 731 if (req->src != req->dst) { 732 sg_init_table(rctx->dst, 3); 733 sg_set_buf(rctx->dst, iv + 16, req->assoclen - 8); 734 sg = scatterwalk_ffwd(rctx->dst + 1, req->dst, req->assoclen); 735 if (sg != rctx->dst + 1) 736 sg_chain(rctx->dst, 2, sg); 737 } 738 739 aead_request_set_tfm(subreq, child); 740 aead_request_set_callback(subreq, req->base.flags, req->base.complete, 741 req->base.data); 742 aead_request_set_crypt(subreq, rctx->src, 743 req->src == req->dst ? rctx->src : rctx->dst, 744 req->cryptlen, iv); 745 aead_request_set_ad(subreq, req->assoclen - 8); 746 747 return subreq; 748 } 749 750 static int crypto_rfc4309_encrypt(struct aead_request *req) 751 { 752 if (req->assoclen != 16 && req->assoclen != 20) 753 return -EINVAL; 754 755 req = crypto_rfc4309_crypt(req); 756 757 return crypto_aead_encrypt(req); 758 } 759 760 static int crypto_rfc4309_decrypt(struct aead_request *req) 761 { 762 if (req->assoclen != 16 && req->assoclen != 20) 763 return -EINVAL; 764 765 req = crypto_rfc4309_crypt(req); 766 767 return crypto_aead_decrypt(req); 768 } 769 770 static int crypto_rfc4309_init_tfm(struct crypto_aead *tfm) 771 { 772 struct aead_instance *inst = aead_alg_instance(tfm); 773 struct crypto_aead_spawn *spawn = aead_instance_ctx(inst); 774 struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(tfm); 775 struct crypto_aead *aead; 776 unsigned long align; 777 778 aead = crypto_spawn_aead(spawn); 779 if (IS_ERR(aead)) 780 return PTR_ERR(aead); 781 782 ctx->child = aead; 783 784 align = crypto_aead_alignmask(aead); 785 align &= ~(crypto_tfm_ctx_alignment() - 1); 786 crypto_aead_set_reqsize( 787 tfm, 788 sizeof(struct crypto_rfc4309_req_ctx) + 789 ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) + 790 align + 32); 791 792 return 0; 793 } 794 795 static void crypto_rfc4309_exit_tfm(struct crypto_aead *tfm) 796 { 797 struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(tfm); 798 799 crypto_free_aead(ctx->child); 800 } 801 802 static void crypto_rfc4309_free(struct aead_instance *inst) 803 { 804 crypto_drop_aead(aead_instance_ctx(inst)); 805 kfree(inst); 806 } 807 808 static int crypto_rfc4309_create(struct crypto_template *tmpl, 809 struct rtattr **tb) 810 { 811 struct crypto_attr_type *algt; 812 struct aead_instance *inst; 813 struct crypto_aead_spawn *spawn; 814 struct aead_alg *alg; 815 const char *ccm_name; 816 int err; 817 818 algt = crypto_get_attr_type(tb); 819 if (IS_ERR(algt)) 820 return PTR_ERR(algt); 821 822 if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask) 823 return -EINVAL; 824 825 ccm_name = crypto_attr_alg_name(tb[1]); 826 if (IS_ERR(ccm_name)) 827 return PTR_ERR(ccm_name); 828 829 inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL); 830 if (!inst) 831 return -ENOMEM; 832 833 spawn = aead_instance_ctx(inst); 834 crypto_set_aead_spawn(spawn, aead_crypto_instance(inst)); 835 err = crypto_grab_aead(spawn, ccm_name, 0, 836 crypto_requires_sync(algt->type, algt->mask)); 837 if (err) 838 goto out_free_inst; 839 840 alg = crypto_spawn_aead_alg(spawn); 841 842 err = -EINVAL; 843 844 /* We only support 16-byte blocks. */ 845 if (crypto_aead_alg_ivsize(alg) != 16) 846 goto out_drop_alg; 847 848 /* Not a stream cipher? */ 849 if (alg->base.cra_blocksize != 1) 850 goto out_drop_alg; 851 852 err = -ENAMETOOLONG; 853 if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME, 854 "rfc4309(%s)", alg->base.cra_name) >= 855 CRYPTO_MAX_ALG_NAME || 856 snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, 857 "rfc4309(%s)", alg->base.cra_driver_name) >= 858 CRYPTO_MAX_ALG_NAME) 859 goto out_drop_alg; 860 861 inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC; 862 inst->alg.base.cra_priority = alg->base.cra_priority; 863 inst->alg.base.cra_blocksize = 1; 864 inst->alg.base.cra_alignmask = alg->base.cra_alignmask; 865 866 inst->alg.ivsize = 8; 867 inst->alg.chunksize = crypto_aead_alg_chunksize(alg); 868 inst->alg.maxauthsize = 16; 869 870 inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4309_ctx); 871 872 inst->alg.init = crypto_rfc4309_init_tfm; 873 inst->alg.exit = crypto_rfc4309_exit_tfm; 874 875 inst->alg.setkey = crypto_rfc4309_setkey; 876 inst->alg.setauthsize = crypto_rfc4309_setauthsize; 877 inst->alg.encrypt = crypto_rfc4309_encrypt; 878 inst->alg.decrypt = crypto_rfc4309_decrypt; 879 880 inst->free = crypto_rfc4309_free; 881 882 err = aead_register_instance(tmpl, inst); 883 if (err) 884 goto out_drop_alg; 885 886 out: 887 return err; 888 889 out_drop_alg: 890 crypto_drop_aead(spawn); 891 out_free_inst: 892 kfree(inst); 893 goto out; 894 } 895 896 static struct crypto_template crypto_rfc4309_tmpl = { 897 .name = "rfc4309", 898 .create = crypto_rfc4309_create, 899 .module = THIS_MODULE, 900 }; 901 902 static int __init crypto_ccm_module_init(void) 903 { 904 int err; 905 906 err = crypto_register_template(&crypto_ccm_base_tmpl); 907 if (err) 908 goto out; 909 910 err = crypto_register_template(&crypto_ccm_tmpl); 911 if (err) 912 goto out_undo_base; 913 914 err = crypto_register_template(&crypto_rfc4309_tmpl); 915 if (err) 916 goto out_undo_ccm; 917 918 out: 919 return err; 920 921 out_undo_ccm: 922 crypto_unregister_template(&crypto_ccm_tmpl); 923 out_undo_base: 924 crypto_unregister_template(&crypto_ccm_base_tmpl); 925 goto out; 926 } 927 928 static void __exit crypto_ccm_module_exit(void) 929 { 930 crypto_unregister_template(&crypto_rfc4309_tmpl); 931 crypto_unregister_template(&crypto_ccm_tmpl); 932 crypto_unregister_template(&crypto_ccm_base_tmpl); 933 } 934 935 module_init(crypto_ccm_module_init); 936 module_exit(crypto_ccm_module_exit); 937 938 MODULE_LICENSE("GPL"); 939 MODULE_DESCRIPTION("Counter with CBC MAC"); 940 MODULE_ALIAS_CRYPTO("ccm_base"); 941 MODULE_ALIAS_CRYPTO("rfc4309"); 942 MODULE_ALIAS_CRYPTO("ccm"); 943