1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * ChaCha20-Poly1305 AEAD, RFC7539 4 * 5 * Copyright (C) 2015 Martin Willi 6 */ 7 8 #include <crypto/internal/aead.h> 9 #include <crypto/internal/hash.h> 10 #include <crypto/internal/skcipher.h> 11 #include <crypto/scatterwalk.h> 12 #include <crypto/chacha.h> 13 #include <crypto/poly1305.h> 14 #include <linux/err.h> 15 #include <linux/init.h> 16 #include <linux/kernel.h> 17 #include <linux/module.h> 18 19 #include "internal.h" 20 21 struct chachapoly_instance_ctx { 22 struct crypto_skcipher_spawn chacha; 23 struct crypto_ahash_spawn poly; 24 unsigned int saltlen; 25 }; 26 27 struct chachapoly_ctx { 28 struct crypto_skcipher *chacha; 29 struct crypto_ahash *poly; 30 /* key bytes we use for the ChaCha20 IV */ 31 unsigned int saltlen; 32 u8 salt[]; 33 }; 34 35 struct poly_req { 36 /* zero byte padding for AD/ciphertext, as needed */ 37 u8 pad[POLY1305_BLOCK_SIZE]; 38 /* tail data with AD/ciphertext lengths */ 39 struct { 40 __le64 assoclen; 41 __le64 cryptlen; 42 } tail; 43 struct scatterlist src[1]; 44 struct ahash_request req; /* must be last member */ 45 }; 46 47 struct chacha_req { 48 u8 iv[CHACHA_IV_SIZE]; 49 struct scatterlist src[1]; 50 struct skcipher_request req; /* must be last member */ 51 }; 52 53 struct chachapoly_req_ctx { 54 struct scatterlist src[2]; 55 struct scatterlist dst[2]; 56 /* the key we generate for Poly1305 using Chacha20 */ 57 u8 key[POLY1305_KEY_SIZE]; 58 /* calculated Poly1305 tag */ 59 u8 tag[POLY1305_DIGEST_SIZE]; 60 /* length of data to en/decrypt, without ICV */ 61 unsigned int cryptlen; 62 /* Actual AD, excluding IV */ 63 unsigned int assoclen; 64 /* request flags, with MAY_SLEEP cleared if needed */ 65 u32 flags; 66 union { 67 struct poly_req poly; 68 struct chacha_req chacha; 69 } u; 70 }; 71 72 static inline void async_done_continue(struct aead_request *req, int err, 73 int (*cont)(struct aead_request *)) 74 { 75 if (!err) { 76 struct chachapoly_req_ctx *rctx = aead_request_ctx(req); 77 78 rctx->flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP; 79 err = cont(req); 80 } 81 82 if (err != -EINPROGRESS && err != -EBUSY) 83 aead_request_complete(req, err); 84 } 85 86 static void chacha_iv(u8 *iv, struct aead_request *req, u32 icb) 87 { 88 struct chachapoly_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req)); 89 __le32 leicb = cpu_to_le32(icb); 90 91 memcpy(iv, &leicb, sizeof(leicb)); 92 memcpy(iv + sizeof(leicb), ctx->salt, ctx->saltlen); 93 memcpy(iv + sizeof(leicb) + ctx->saltlen, req->iv, 94 CHACHA_IV_SIZE - sizeof(leicb) - ctx->saltlen); 95 } 96 97 static int poly_verify_tag(struct aead_request *req) 98 { 99 struct chachapoly_req_ctx *rctx = aead_request_ctx(req); 100 u8 tag[sizeof(rctx->tag)]; 101 102 scatterwalk_map_and_copy(tag, req->src, 103 req->assoclen + rctx->cryptlen, 104 sizeof(tag), 0); 105 if (crypto_memneq(tag, rctx->tag, sizeof(tag))) 106 return -EBADMSG; 107 return 0; 108 } 109 110 static int poly_copy_tag(struct aead_request *req) 111 { 112 struct chachapoly_req_ctx *rctx = aead_request_ctx(req); 113 114 scatterwalk_map_and_copy(rctx->tag, req->dst, 115 req->assoclen + rctx->cryptlen, 116 sizeof(rctx->tag), 1); 117 return 0; 118 } 119 120 static void chacha_decrypt_done(struct crypto_async_request *areq, int err) 121 { 122 async_done_continue(areq->data, err, poly_verify_tag); 123 } 124 125 static int chacha_decrypt(struct aead_request *req) 126 { 127 struct chachapoly_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req)); 128 struct chachapoly_req_ctx *rctx = aead_request_ctx(req); 129 struct chacha_req *creq = &rctx->u.chacha; 130 struct scatterlist *src, *dst; 131 int err; 132 133 if (rctx->cryptlen == 0) 134 goto skip; 135 136 chacha_iv(creq->iv, req, 1); 137 138 src = scatterwalk_ffwd(rctx->src, req->src, req->assoclen); 139 dst = src; 140 if (req->src != req->dst) 141 dst = scatterwalk_ffwd(rctx->dst, req->dst, req->assoclen); 142 143 skcipher_request_set_callback(&creq->req, rctx->flags, 144 chacha_decrypt_done, req); 145 skcipher_request_set_tfm(&creq->req, ctx->chacha); 146 skcipher_request_set_crypt(&creq->req, src, dst, 147 rctx->cryptlen, creq->iv); 148 err = crypto_skcipher_decrypt(&creq->req); 149 if (err) 150 return err; 151 152 skip: 153 return poly_verify_tag(req); 154 } 155 156 static int poly_tail_continue(struct aead_request *req) 157 { 158 struct chachapoly_req_ctx *rctx = aead_request_ctx(req); 159 160 if (rctx->cryptlen == req->cryptlen) /* encrypting */ 161 return poly_copy_tag(req); 162 163 return chacha_decrypt(req); 164 } 165 166 static void poly_tail_done(struct crypto_async_request *areq, int err) 167 { 168 async_done_continue(areq->data, err, poly_tail_continue); 169 } 170 171 static int poly_tail(struct aead_request *req) 172 { 173 struct crypto_aead *tfm = crypto_aead_reqtfm(req); 174 struct chachapoly_ctx *ctx = crypto_aead_ctx(tfm); 175 struct chachapoly_req_ctx *rctx = aead_request_ctx(req); 176 struct poly_req *preq = &rctx->u.poly; 177 int err; 178 179 preq->tail.assoclen = cpu_to_le64(rctx->assoclen); 180 preq->tail.cryptlen = cpu_to_le64(rctx->cryptlen); 181 sg_init_one(preq->src, &preq->tail, sizeof(preq->tail)); 182 183 ahash_request_set_callback(&preq->req, rctx->flags, 184 poly_tail_done, req); 185 ahash_request_set_tfm(&preq->req, ctx->poly); 186 ahash_request_set_crypt(&preq->req, preq->src, 187 rctx->tag, sizeof(preq->tail)); 188 189 err = crypto_ahash_finup(&preq->req); 190 if (err) 191 return err; 192 193 return poly_tail_continue(req); 194 } 195 196 static void poly_cipherpad_done(struct crypto_async_request *areq, int err) 197 { 198 async_done_continue(areq->data, err, poly_tail); 199 } 200 201 static int poly_cipherpad(struct aead_request *req) 202 { 203 struct chachapoly_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req)); 204 struct chachapoly_req_ctx *rctx = aead_request_ctx(req); 205 struct poly_req *preq = &rctx->u.poly; 206 unsigned int padlen; 207 int err; 208 209 padlen = -rctx->cryptlen % POLY1305_BLOCK_SIZE; 210 memset(preq->pad, 0, sizeof(preq->pad)); 211 sg_init_one(preq->src, preq->pad, padlen); 212 213 ahash_request_set_callback(&preq->req, rctx->flags, 214 poly_cipherpad_done, req); 215 ahash_request_set_tfm(&preq->req, ctx->poly); 216 ahash_request_set_crypt(&preq->req, preq->src, NULL, padlen); 217 218 err = crypto_ahash_update(&preq->req); 219 if (err) 220 return err; 221 222 return poly_tail(req); 223 } 224 225 static void poly_cipher_done(struct crypto_async_request *areq, int err) 226 { 227 async_done_continue(areq->data, err, poly_cipherpad); 228 } 229 230 static int poly_cipher(struct aead_request *req) 231 { 232 struct chachapoly_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req)); 233 struct chachapoly_req_ctx *rctx = aead_request_ctx(req); 234 struct poly_req *preq = &rctx->u.poly; 235 struct scatterlist *crypt = req->src; 236 int err; 237 238 if (rctx->cryptlen == req->cryptlen) /* encrypting */ 239 crypt = req->dst; 240 241 crypt = scatterwalk_ffwd(rctx->src, crypt, req->assoclen); 242 243 ahash_request_set_callback(&preq->req, rctx->flags, 244 poly_cipher_done, req); 245 ahash_request_set_tfm(&preq->req, ctx->poly); 246 ahash_request_set_crypt(&preq->req, crypt, NULL, rctx->cryptlen); 247 248 err = crypto_ahash_update(&preq->req); 249 if (err) 250 return err; 251 252 return poly_cipherpad(req); 253 } 254 255 static void poly_adpad_done(struct crypto_async_request *areq, int err) 256 { 257 async_done_continue(areq->data, err, poly_cipher); 258 } 259 260 static int poly_adpad(struct aead_request *req) 261 { 262 struct chachapoly_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req)); 263 struct chachapoly_req_ctx *rctx = aead_request_ctx(req); 264 struct poly_req *preq = &rctx->u.poly; 265 unsigned int padlen; 266 int err; 267 268 padlen = -rctx->assoclen % POLY1305_BLOCK_SIZE; 269 memset(preq->pad, 0, sizeof(preq->pad)); 270 sg_init_one(preq->src, preq->pad, padlen); 271 272 ahash_request_set_callback(&preq->req, rctx->flags, 273 poly_adpad_done, req); 274 ahash_request_set_tfm(&preq->req, ctx->poly); 275 ahash_request_set_crypt(&preq->req, preq->src, NULL, padlen); 276 277 err = crypto_ahash_update(&preq->req); 278 if (err) 279 return err; 280 281 return poly_cipher(req); 282 } 283 284 static void poly_ad_done(struct crypto_async_request *areq, int err) 285 { 286 async_done_continue(areq->data, err, poly_adpad); 287 } 288 289 static int poly_ad(struct aead_request *req) 290 { 291 struct chachapoly_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req)); 292 struct chachapoly_req_ctx *rctx = aead_request_ctx(req); 293 struct poly_req *preq = &rctx->u.poly; 294 int err; 295 296 ahash_request_set_callback(&preq->req, rctx->flags, 297 poly_ad_done, req); 298 ahash_request_set_tfm(&preq->req, ctx->poly); 299 ahash_request_set_crypt(&preq->req, req->src, NULL, rctx->assoclen); 300 301 err = crypto_ahash_update(&preq->req); 302 if (err) 303 return err; 304 305 return poly_adpad(req); 306 } 307 308 static void poly_setkey_done(struct crypto_async_request *areq, int err) 309 { 310 async_done_continue(areq->data, err, poly_ad); 311 } 312 313 static int poly_setkey(struct aead_request *req) 314 { 315 struct chachapoly_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req)); 316 struct chachapoly_req_ctx *rctx = aead_request_ctx(req); 317 struct poly_req *preq = &rctx->u.poly; 318 int err; 319 320 sg_init_one(preq->src, rctx->key, sizeof(rctx->key)); 321 322 ahash_request_set_callback(&preq->req, rctx->flags, 323 poly_setkey_done, req); 324 ahash_request_set_tfm(&preq->req, ctx->poly); 325 ahash_request_set_crypt(&preq->req, preq->src, NULL, sizeof(rctx->key)); 326 327 err = crypto_ahash_update(&preq->req); 328 if (err) 329 return err; 330 331 return poly_ad(req); 332 } 333 334 static void poly_init_done(struct crypto_async_request *areq, int err) 335 { 336 async_done_continue(areq->data, err, poly_setkey); 337 } 338 339 static int poly_init(struct aead_request *req) 340 { 341 struct chachapoly_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req)); 342 struct chachapoly_req_ctx *rctx = aead_request_ctx(req); 343 struct poly_req *preq = &rctx->u.poly; 344 int err; 345 346 ahash_request_set_callback(&preq->req, rctx->flags, 347 poly_init_done, req); 348 ahash_request_set_tfm(&preq->req, ctx->poly); 349 350 err = crypto_ahash_init(&preq->req); 351 if (err) 352 return err; 353 354 return poly_setkey(req); 355 } 356 357 static void poly_genkey_done(struct crypto_async_request *areq, int err) 358 { 359 async_done_continue(areq->data, err, poly_init); 360 } 361 362 static int poly_genkey(struct aead_request *req) 363 { 364 struct crypto_aead *tfm = crypto_aead_reqtfm(req); 365 struct chachapoly_ctx *ctx = crypto_aead_ctx(tfm); 366 struct chachapoly_req_ctx *rctx = aead_request_ctx(req); 367 struct chacha_req *creq = &rctx->u.chacha; 368 int err; 369 370 rctx->assoclen = req->assoclen; 371 372 if (crypto_aead_ivsize(tfm) == 8) { 373 if (rctx->assoclen < 8) 374 return -EINVAL; 375 rctx->assoclen -= 8; 376 } 377 378 memset(rctx->key, 0, sizeof(rctx->key)); 379 sg_init_one(creq->src, rctx->key, sizeof(rctx->key)); 380 381 chacha_iv(creq->iv, req, 0); 382 383 skcipher_request_set_callback(&creq->req, rctx->flags, 384 poly_genkey_done, req); 385 skcipher_request_set_tfm(&creq->req, ctx->chacha); 386 skcipher_request_set_crypt(&creq->req, creq->src, creq->src, 387 POLY1305_KEY_SIZE, creq->iv); 388 389 err = crypto_skcipher_decrypt(&creq->req); 390 if (err) 391 return err; 392 393 return poly_init(req); 394 } 395 396 static void chacha_encrypt_done(struct crypto_async_request *areq, int err) 397 { 398 async_done_continue(areq->data, err, poly_genkey); 399 } 400 401 static int chacha_encrypt(struct aead_request *req) 402 { 403 struct chachapoly_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req)); 404 struct chachapoly_req_ctx *rctx = aead_request_ctx(req); 405 struct chacha_req *creq = &rctx->u.chacha; 406 struct scatterlist *src, *dst; 407 int err; 408 409 if (req->cryptlen == 0) 410 goto skip; 411 412 chacha_iv(creq->iv, req, 1); 413 414 src = scatterwalk_ffwd(rctx->src, req->src, req->assoclen); 415 dst = src; 416 if (req->src != req->dst) 417 dst = scatterwalk_ffwd(rctx->dst, req->dst, req->assoclen); 418 419 skcipher_request_set_callback(&creq->req, rctx->flags, 420 chacha_encrypt_done, req); 421 skcipher_request_set_tfm(&creq->req, ctx->chacha); 422 skcipher_request_set_crypt(&creq->req, src, dst, 423 req->cryptlen, creq->iv); 424 err = crypto_skcipher_encrypt(&creq->req); 425 if (err) 426 return err; 427 428 skip: 429 return poly_genkey(req); 430 } 431 432 static int chachapoly_encrypt(struct aead_request *req) 433 { 434 struct chachapoly_req_ctx *rctx = aead_request_ctx(req); 435 436 rctx->cryptlen = req->cryptlen; 437 rctx->flags = aead_request_flags(req); 438 439 /* encrypt call chain: 440 * - chacha_encrypt/done() 441 * - poly_genkey/done() 442 * - poly_init/done() 443 * - poly_setkey/done() 444 * - poly_ad/done() 445 * - poly_adpad/done() 446 * - poly_cipher/done() 447 * - poly_cipherpad/done() 448 * - poly_tail/done/continue() 449 * - poly_copy_tag() 450 */ 451 return chacha_encrypt(req); 452 } 453 454 static int chachapoly_decrypt(struct aead_request *req) 455 { 456 struct chachapoly_req_ctx *rctx = aead_request_ctx(req); 457 458 rctx->cryptlen = req->cryptlen - POLY1305_DIGEST_SIZE; 459 rctx->flags = aead_request_flags(req); 460 461 /* decrypt call chain: 462 * - poly_genkey/done() 463 * - poly_init/done() 464 * - poly_setkey/done() 465 * - poly_ad/done() 466 * - poly_adpad/done() 467 * - poly_cipher/done() 468 * - poly_cipherpad/done() 469 * - poly_tail/done/continue() 470 * - chacha_decrypt/done() 471 * - poly_verify_tag() 472 */ 473 return poly_genkey(req); 474 } 475 476 static int chachapoly_setkey(struct crypto_aead *aead, const u8 *key, 477 unsigned int keylen) 478 { 479 struct chachapoly_ctx *ctx = crypto_aead_ctx(aead); 480 int err; 481 482 if (keylen != ctx->saltlen + CHACHA_KEY_SIZE) 483 return -EINVAL; 484 485 keylen -= ctx->saltlen; 486 memcpy(ctx->salt, key + keylen, ctx->saltlen); 487 488 crypto_skcipher_clear_flags(ctx->chacha, CRYPTO_TFM_REQ_MASK); 489 crypto_skcipher_set_flags(ctx->chacha, crypto_aead_get_flags(aead) & 490 CRYPTO_TFM_REQ_MASK); 491 492 err = crypto_skcipher_setkey(ctx->chacha, key, keylen); 493 crypto_aead_set_flags(aead, crypto_skcipher_get_flags(ctx->chacha) & 494 CRYPTO_TFM_RES_MASK); 495 return err; 496 } 497 498 static int chachapoly_setauthsize(struct crypto_aead *tfm, 499 unsigned int authsize) 500 { 501 if (authsize != POLY1305_DIGEST_SIZE) 502 return -EINVAL; 503 504 return 0; 505 } 506 507 static int chachapoly_init(struct crypto_aead *tfm) 508 { 509 struct aead_instance *inst = aead_alg_instance(tfm); 510 struct chachapoly_instance_ctx *ictx = aead_instance_ctx(inst); 511 struct chachapoly_ctx *ctx = crypto_aead_ctx(tfm); 512 struct crypto_skcipher *chacha; 513 struct crypto_ahash *poly; 514 unsigned long align; 515 516 poly = crypto_spawn_ahash(&ictx->poly); 517 if (IS_ERR(poly)) 518 return PTR_ERR(poly); 519 520 chacha = crypto_spawn_skcipher(&ictx->chacha); 521 if (IS_ERR(chacha)) { 522 crypto_free_ahash(poly); 523 return PTR_ERR(chacha); 524 } 525 526 ctx->chacha = chacha; 527 ctx->poly = poly; 528 ctx->saltlen = ictx->saltlen; 529 530 align = crypto_aead_alignmask(tfm); 531 align &= ~(crypto_tfm_ctx_alignment() - 1); 532 crypto_aead_set_reqsize( 533 tfm, 534 align + offsetof(struct chachapoly_req_ctx, u) + 535 max(offsetof(struct chacha_req, req) + 536 sizeof(struct skcipher_request) + 537 crypto_skcipher_reqsize(chacha), 538 offsetof(struct poly_req, req) + 539 sizeof(struct ahash_request) + 540 crypto_ahash_reqsize(poly))); 541 542 return 0; 543 } 544 545 static void chachapoly_exit(struct crypto_aead *tfm) 546 { 547 struct chachapoly_ctx *ctx = crypto_aead_ctx(tfm); 548 549 crypto_free_ahash(ctx->poly); 550 crypto_free_skcipher(ctx->chacha); 551 } 552 553 static void chachapoly_free(struct aead_instance *inst) 554 { 555 struct chachapoly_instance_ctx *ctx = aead_instance_ctx(inst); 556 557 crypto_drop_skcipher(&ctx->chacha); 558 crypto_drop_ahash(&ctx->poly); 559 kfree(inst); 560 } 561 562 static int chachapoly_create(struct crypto_template *tmpl, struct rtattr **tb, 563 const char *name, unsigned int ivsize) 564 { 565 struct crypto_attr_type *algt; 566 struct aead_instance *inst; 567 struct skcipher_alg *chacha; 568 struct crypto_alg *poly; 569 struct hash_alg_common *poly_hash; 570 struct chachapoly_instance_ctx *ctx; 571 const char *chacha_name, *poly_name; 572 int err; 573 574 if (ivsize > CHACHAPOLY_IV_SIZE) 575 return -EINVAL; 576 577 algt = crypto_get_attr_type(tb); 578 if (IS_ERR(algt)) 579 return PTR_ERR(algt); 580 581 if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask) 582 return -EINVAL; 583 584 chacha_name = crypto_attr_alg_name(tb[1]); 585 if (IS_ERR(chacha_name)) 586 return PTR_ERR(chacha_name); 587 poly_name = crypto_attr_alg_name(tb[2]); 588 if (IS_ERR(poly_name)) 589 return PTR_ERR(poly_name); 590 591 poly = crypto_find_alg(poly_name, &crypto_ahash_type, 592 CRYPTO_ALG_TYPE_HASH, 593 CRYPTO_ALG_TYPE_AHASH_MASK | 594 crypto_requires_sync(algt->type, 595 algt->mask)); 596 if (IS_ERR(poly)) 597 return PTR_ERR(poly); 598 poly_hash = __crypto_hash_alg_common(poly); 599 600 err = -EINVAL; 601 if (poly_hash->digestsize != POLY1305_DIGEST_SIZE) 602 goto out_put_poly; 603 604 err = -ENOMEM; 605 inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL); 606 if (!inst) 607 goto out_put_poly; 608 609 ctx = aead_instance_ctx(inst); 610 ctx->saltlen = CHACHAPOLY_IV_SIZE - ivsize; 611 err = crypto_init_ahash_spawn(&ctx->poly, poly_hash, 612 aead_crypto_instance(inst)); 613 if (err) 614 goto err_free_inst; 615 616 crypto_set_skcipher_spawn(&ctx->chacha, aead_crypto_instance(inst)); 617 err = crypto_grab_skcipher(&ctx->chacha, chacha_name, 0, 618 crypto_requires_sync(algt->type, 619 algt->mask)); 620 if (err) 621 goto err_drop_poly; 622 623 chacha = crypto_spawn_skcipher_alg(&ctx->chacha); 624 625 err = -EINVAL; 626 /* Need 16-byte IV size, including Initial Block Counter value */ 627 if (crypto_skcipher_alg_ivsize(chacha) != CHACHA_IV_SIZE) 628 goto out_drop_chacha; 629 /* Not a stream cipher? */ 630 if (chacha->base.cra_blocksize != 1) 631 goto out_drop_chacha; 632 633 err = -ENAMETOOLONG; 634 if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME, 635 "%s(%s,%s)", name, chacha->base.cra_name, 636 poly->cra_name) >= CRYPTO_MAX_ALG_NAME) 637 goto out_drop_chacha; 638 if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, 639 "%s(%s,%s)", name, chacha->base.cra_driver_name, 640 poly->cra_driver_name) >= CRYPTO_MAX_ALG_NAME) 641 goto out_drop_chacha; 642 643 inst->alg.base.cra_flags = (chacha->base.cra_flags | poly->cra_flags) & 644 CRYPTO_ALG_ASYNC; 645 inst->alg.base.cra_priority = (chacha->base.cra_priority + 646 poly->cra_priority) / 2; 647 inst->alg.base.cra_blocksize = 1; 648 inst->alg.base.cra_alignmask = chacha->base.cra_alignmask | 649 poly->cra_alignmask; 650 inst->alg.base.cra_ctxsize = sizeof(struct chachapoly_ctx) + 651 ctx->saltlen; 652 inst->alg.ivsize = ivsize; 653 inst->alg.chunksize = crypto_skcipher_alg_chunksize(chacha); 654 inst->alg.maxauthsize = POLY1305_DIGEST_SIZE; 655 inst->alg.init = chachapoly_init; 656 inst->alg.exit = chachapoly_exit; 657 inst->alg.encrypt = chachapoly_encrypt; 658 inst->alg.decrypt = chachapoly_decrypt; 659 inst->alg.setkey = chachapoly_setkey; 660 inst->alg.setauthsize = chachapoly_setauthsize; 661 662 inst->free = chachapoly_free; 663 664 err = aead_register_instance(tmpl, inst); 665 if (err) 666 goto out_drop_chacha; 667 668 out_put_poly: 669 crypto_mod_put(poly); 670 return err; 671 672 out_drop_chacha: 673 crypto_drop_skcipher(&ctx->chacha); 674 err_drop_poly: 675 crypto_drop_ahash(&ctx->poly); 676 err_free_inst: 677 kfree(inst); 678 goto out_put_poly; 679 } 680 681 static int rfc7539_create(struct crypto_template *tmpl, struct rtattr **tb) 682 { 683 return chachapoly_create(tmpl, tb, "rfc7539", 12); 684 } 685 686 static int rfc7539esp_create(struct crypto_template *tmpl, struct rtattr **tb) 687 { 688 return chachapoly_create(tmpl, tb, "rfc7539esp", 8); 689 } 690 691 static struct crypto_template rfc7539_tmpls[] = { 692 { 693 .name = "rfc7539", 694 .create = rfc7539_create, 695 .module = THIS_MODULE, 696 }, { 697 .name = "rfc7539esp", 698 .create = rfc7539esp_create, 699 .module = THIS_MODULE, 700 }, 701 }; 702 703 static int __init chacha20poly1305_module_init(void) 704 { 705 return crypto_register_templates(rfc7539_tmpls, 706 ARRAY_SIZE(rfc7539_tmpls)); 707 } 708 709 static void __exit chacha20poly1305_module_exit(void) 710 { 711 crypto_unregister_templates(rfc7539_tmpls, 712 ARRAY_SIZE(rfc7539_tmpls)); 713 } 714 715 subsys_initcall(chacha20poly1305_module_init); 716 module_exit(chacha20poly1305_module_exit); 717 718 MODULE_LICENSE("GPL"); 719 MODULE_AUTHOR("Martin Willi <martin@strongswan.org>"); 720 MODULE_DESCRIPTION("ChaCha20-Poly1305 AEAD"); 721 MODULE_ALIAS_CRYPTO("rfc7539"); 722 MODULE_ALIAS_CRYPTO("rfc7539esp"); 723