1 | // SPDX-License-Identifier: GPL-2.0-or-later |
2 | /* |
3 | * CCM: Counter with CBC-MAC |
4 | * |
5 | * (C) Copyright IBM Corp. 2007 - Joy Latten <latten@us.ibm.com> |
6 | */ |
7 | |
8 | #include <crypto/internal/aead.h> |
9 | #include <crypto/internal/cipher.h> |
10 | #include <crypto/internal/hash.h> |
11 | #include <crypto/internal/skcipher.h> |
12 | #include <crypto/scatterwalk.h> |
13 | #include <linux/err.h> |
14 | #include <linux/init.h> |
15 | #include <linux/kernel.h> |
16 | #include <linux/module.h> |
17 | #include <linux/slab.h> |
18 | |
19 | struct ccm_instance_ctx { |
20 | struct crypto_skcipher_spawn ctr; |
21 | struct crypto_ahash_spawn mac; |
22 | }; |
23 | |
24 | struct crypto_ccm_ctx { |
25 | struct crypto_ahash *mac; |
26 | struct crypto_skcipher *ctr; |
27 | }; |
28 | |
29 | struct crypto_rfc4309_ctx { |
30 | struct crypto_aead *child; |
31 | u8 nonce[3]; |
32 | }; |
33 | |
34 | struct crypto_rfc4309_req_ctx { |
35 | struct scatterlist src[3]; |
36 | struct scatterlist dst[3]; |
37 | struct aead_request subreq; |
38 | }; |
39 | |
40 | struct crypto_ccm_req_priv_ctx { |
41 | u8 odata[16]; |
42 | u8 idata[16]; |
43 | u8 auth_tag[16]; |
44 | u32 flags; |
45 | struct scatterlist src[3]; |
46 | struct scatterlist dst[3]; |
47 | union { |
48 | struct ahash_request ahreq; |
49 | struct skcipher_request skreq; |
50 | }; |
51 | }; |
52 | |
53 | struct cbcmac_tfm_ctx { |
54 | struct crypto_cipher *child; |
55 | }; |
56 | |
57 | struct cbcmac_desc_ctx { |
58 | unsigned int len; |
59 | u8 dg[]; |
60 | }; |
61 | |
62 | static inline struct crypto_ccm_req_priv_ctx *crypto_ccm_reqctx( |
63 | struct aead_request *req) |
64 | { |
65 | unsigned long align = crypto_aead_alignmask(tfm: crypto_aead_reqtfm(req)); |
66 | |
67 | return (void *)PTR_ALIGN((u8 *)aead_request_ctx(req), align + 1); |
68 | } |
69 | |
70 | static int set_msg_len(u8 *block, unsigned int msglen, int csize) |
71 | { |
72 | __be32 data; |
73 | |
74 | memset(block, 0, csize); |
75 | block += csize; |
76 | |
77 | if (csize >= 4) |
78 | csize = 4; |
79 | else if (msglen > (1 << (8 * csize))) |
80 | return -EOVERFLOW; |
81 | |
82 | data = cpu_to_be32(msglen); |
83 | memcpy(block - csize, (u8 *)&data + 4 - csize, csize); |
84 | |
85 | return 0; |
86 | } |
87 | |
88 | static int crypto_ccm_setkey(struct crypto_aead *aead, const u8 *key, |
89 | unsigned int keylen) |
90 | { |
91 | struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm: aead); |
92 | struct crypto_skcipher *ctr = ctx->ctr; |
93 | struct crypto_ahash *mac = ctx->mac; |
94 | int err; |
95 | |
96 | crypto_skcipher_clear_flags(tfm: ctr, CRYPTO_TFM_REQ_MASK); |
97 | crypto_skcipher_set_flags(tfm: ctr, flags: crypto_aead_get_flags(tfm: aead) & |
98 | CRYPTO_TFM_REQ_MASK); |
99 | err = crypto_skcipher_setkey(tfm: ctr, key, keylen); |
100 | if (err) |
101 | return err; |
102 | |
103 | crypto_ahash_clear_flags(tfm: mac, CRYPTO_TFM_REQ_MASK); |
104 | crypto_ahash_set_flags(tfm: mac, flags: crypto_aead_get_flags(tfm: aead) & |
105 | CRYPTO_TFM_REQ_MASK); |
106 | return crypto_ahash_setkey(tfm: mac, key, keylen); |
107 | } |
108 | |
109 | static int crypto_ccm_setauthsize(struct crypto_aead *tfm, |
110 | unsigned int authsize) |
111 | { |
112 | switch (authsize) { |
113 | case 4: |
114 | case 6: |
115 | case 8: |
116 | case 10: |
117 | case 12: |
118 | case 14: |
119 | case 16: |
120 | break; |
121 | default: |
122 | return -EINVAL; |
123 | } |
124 | |
125 | return 0; |
126 | } |
127 | |
128 | static int format_input(u8 *info, struct aead_request *req, |
129 | unsigned int cryptlen) |
130 | { |
131 | struct crypto_aead *aead = crypto_aead_reqtfm(req); |
132 | unsigned int lp = req->iv[0]; |
133 | unsigned int l = lp + 1; |
134 | unsigned int m; |
135 | |
136 | m = crypto_aead_authsize(tfm: aead); |
137 | |
138 | memcpy(info, req->iv, 16); |
139 | |
140 | /* format control info per RFC 3610 and |
141 | * NIST Special Publication 800-38C |
142 | */ |
143 | *info |= (8 * ((m - 2) / 2)); |
144 | if (req->assoclen) |
145 | *info |= 64; |
146 | |
147 | return set_msg_len(block: info + 16 - l, msglen: cryptlen, csize: l); |
148 | } |
149 | |
150 | static int format_adata(u8 *adata, unsigned int a) |
151 | { |
152 | int len = 0; |
153 | |
154 | /* add control info for associated data |
155 | * RFC 3610 and NIST Special Publication 800-38C |
156 | */ |
157 | if (a < 65280) { |
158 | *(__be16 *)adata = cpu_to_be16(a); |
159 | len = 2; |
160 | } else { |
161 | *(__be16 *)adata = cpu_to_be16(0xfffe); |
162 | *(__be32 *)&adata[2] = cpu_to_be32(a); |
163 | len = 6; |
164 | } |
165 | |
166 | return len; |
167 | } |
168 | |
169 | static int crypto_ccm_auth(struct aead_request *req, struct scatterlist *plain, |
170 | unsigned int cryptlen) |
171 | { |
172 | struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); |
173 | struct crypto_aead *aead = crypto_aead_reqtfm(req); |
174 | struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm: aead); |
175 | struct ahash_request *ahreq = &pctx->ahreq; |
176 | unsigned int assoclen = req->assoclen; |
177 | struct scatterlist sg[3]; |
178 | u8 *odata = pctx->odata; |
179 | u8 *idata = pctx->idata; |
180 | int ilen, err; |
181 | |
182 | /* format control data for input */ |
183 | err = format_input(info: odata, req, cryptlen); |
184 | if (err) |
185 | goto out; |
186 | |
187 | sg_init_table(sg, 3); |
188 | sg_set_buf(sg: &sg[0], buf: odata, buflen: 16); |
189 | |
190 | /* format associated data and compute into mac */ |
191 | if (assoclen) { |
192 | ilen = format_adata(adata: idata, a: assoclen); |
193 | sg_set_buf(sg: &sg[1], buf: idata, buflen: ilen); |
194 | sg_chain(prv: sg, prv_nents: 3, sgl: req->src); |
195 | } else { |
196 | ilen = 0; |
197 | sg_chain(prv: sg, prv_nents: 2, sgl: req->src); |
198 | } |
199 | |
200 | ahash_request_set_tfm(req: ahreq, tfm: ctx->mac); |
201 | ahash_request_set_callback(req: ahreq, flags: pctx->flags, NULL, NULL); |
202 | ahash_request_set_crypt(req: ahreq, src: sg, NULL, nbytes: assoclen + ilen + 16); |
203 | err = crypto_ahash_init(req: ahreq); |
204 | if (err) |
205 | goto out; |
206 | err = crypto_ahash_update(req: ahreq); |
207 | if (err) |
208 | goto out; |
209 | |
210 | /* we need to pad the MAC input to a round multiple of the block size */ |
211 | ilen = 16 - (assoclen + ilen) % 16; |
212 | if (ilen < 16) { |
213 | memset(idata, 0, ilen); |
214 | sg_init_table(sg, 2); |
215 | sg_set_buf(sg: &sg[0], buf: idata, buflen: ilen); |
216 | if (plain) |
217 | sg_chain(prv: sg, prv_nents: 2, sgl: plain); |
218 | plain = sg; |
219 | cryptlen += ilen; |
220 | } |
221 | |
222 | ahash_request_set_crypt(req: ahreq, src: plain, result: odata, nbytes: cryptlen); |
223 | err = crypto_ahash_finup(req: ahreq); |
224 | out: |
225 | return err; |
226 | } |
227 | |
228 | static void crypto_ccm_encrypt_done(void *data, int err) |
229 | { |
230 | struct aead_request *req = data; |
231 | struct crypto_aead *aead = crypto_aead_reqtfm(req); |
232 | struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); |
233 | u8 *odata = pctx->odata; |
234 | |
235 | if (!err) |
236 | scatterwalk_map_and_copy(buf: odata, sg: req->dst, |
237 | start: req->assoclen + req->cryptlen, |
238 | nbytes: crypto_aead_authsize(tfm: aead), out: 1); |
239 | aead_request_complete(req, err); |
240 | } |
241 | |
242 | static inline int crypto_ccm_check_iv(const u8 *iv) |
243 | { |
244 | /* 2 <= L <= 8, so 1 <= L' <= 7. */ |
245 | if (1 > iv[0] || iv[0] > 7) |
246 | return -EINVAL; |
247 | |
248 | return 0; |
249 | } |
250 | |
251 | static int crypto_ccm_init_crypt(struct aead_request *req, u8 *tag) |
252 | { |
253 | struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); |
254 | struct scatterlist *sg; |
255 | u8 *iv = req->iv; |
256 | int err; |
257 | |
258 | err = crypto_ccm_check_iv(iv); |
259 | if (err) |
260 | return err; |
261 | |
262 | pctx->flags = aead_request_flags(req); |
263 | |
264 | /* Note: rfc 3610 and NIST 800-38C require counter of |
265 | * zero to encrypt auth tag. |
266 | */ |
267 | memset(iv + 15 - iv[0], 0, iv[0] + 1); |
268 | |
269 | sg_init_table(pctx->src, 3); |
270 | sg_set_buf(sg: pctx->src, buf: tag, buflen: 16); |
271 | sg = scatterwalk_ffwd(dst: pctx->src + 1, src: req->src, len: req->assoclen); |
272 | if (sg != pctx->src + 1) |
273 | sg_chain(prv: pctx->src, prv_nents: 2, sgl: sg); |
274 | |
275 | if (req->src != req->dst) { |
276 | sg_init_table(pctx->dst, 3); |
277 | sg_set_buf(sg: pctx->dst, buf: tag, buflen: 16); |
278 | sg = scatterwalk_ffwd(dst: pctx->dst + 1, src: req->dst, len: req->assoclen); |
279 | if (sg != pctx->dst + 1) |
280 | sg_chain(prv: pctx->dst, prv_nents: 2, sgl: sg); |
281 | } |
282 | |
283 | return 0; |
284 | } |
285 | |
286 | static int crypto_ccm_encrypt(struct aead_request *req) |
287 | { |
288 | struct crypto_aead *aead = crypto_aead_reqtfm(req); |
289 | struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm: aead); |
290 | struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); |
291 | struct skcipher_request *skreq = &pctx->skreq; |
292 | struct scatterlist *dst; |
293 | unsigned int cryptlen = req->cryptlen; |
294 | u8 *odata = pctx->odata; |
295 | u8 *iv = req->iv; |
296 | int err; |
297 | |
298 | err = crypto_ccm_init_crypt(req, tag: odata); |
299 | if (err) |
300 | return err; |
301 | |
302 | err = crypto_ccm_auth(req, plain: sg_next(pctx->src), cryptlen); |
303 | if (err) |
304 | return err; |
305 | |
306 | dst = pctx->src; |
307 | if (req->src != req->dst) |
308 | dst = pctx->dst; |
309 | |
310 | skcipher_request_set_tfm(req: skreq, tfm: ctx->ctr); |
311 | skcipher_request_set_callback(req: skreq, flags: pctx->flags, |
312 | compl: crypto_ccm_encrypt_done, data: req); |
313 | skcipher_request_set_crypt(req: skreq, src: pctx->src, dst, cryptlen: cryptlen + 16, iv); |
314 | err = crypto_skcipher_encrypt(req: skreq); |
315 | if (err) |
316 | return err; |
317 | |
318 | /* copy authtag to end of dst */ |
319 | scatterwalk_map_and_copy(buf: odata, sg: sg_next(dst), start: cryptlen, |
320 | nbytes: crypto_aead_authsize(tfm: aead), out: 1); |
321 | return err; |
322 | } |
323 | |
324 | static void crypto_ccm_decrypt_done(void *data, int err) |
325 | { |
326 | struct aead_request *req = data; |
327 | struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); |
328 | struct crypto_aead *aead = crypto_aead_reqtfm(req); |
329 | unsigned int authsize = crypto_aead_authsize(tfm: aead); |
330 | unsigned int cryptlen = req->cryptlen - authsize; |
331 | struct scatterlist *dst; |
332 | |
333 | pctx->flags = 0; |
334 | |
335 | dst = sg_next(req->src == req->dst ? pctx->src : pctx->dst); |
336 | |
337 | if (!err) { |
338 | err = crypto_ccm_auth(req, plain: dst, cryptlen); |
339 | if (!err && crypto_memneq(a: pctx->auth_tag, b: pctx->odata, size: authsize)) |
340 | err = -EBADMSG; |
341 | } |
342 | aead_request_complete(req, err); |
343 | } |
344 | |
345 | static int crypto_ccm_decrypt(struct aead_request *req) |
346 | { |
347 | struct crypto_aead *aead = crypto_aead_reqtfm(req); |
348 | struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm: aead); |
349 | struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); |
350 | struct skcipher_request *skreq = &pctx->skreq; |
351 | struct scatterlist *dst; |
352 | unsigned int authsize = crypto_aead_authsize(tfm: aead); |
353 | unsigned int cryptlen = req->cryptlen; |
354 | u8 *authtag = pctx->auth_tag; |
355 | u8 *odata = pctx->odata; |
356 | u8 *iv = pctx->idata; |
357 | int err; |
358 | |
359 | cryptlen -= authsize; |
360 | |
361 | err = crypto_ccm_init_crypt(req, tag: authtag); |
362 | if (err) |
363 | return err; |
364 | |
365 | scatterwalk_map_and_copy(buf: authtag, sg: sg_next(pctx->src), start: cryptlen, |
366 | nbytes: authsize, out: 0); |
367 | |
368 | dst = pctx->src; |
369 | if (req->src != req->dst) |
370 | dst = pctx->dst; |
371 | |
372 | memcpy(iv, req->iv, 16); |
373 | |
374 | skcipher_request_set_tfm(req: skreq, tfm: ctx->ctr); |
375 | skcipher_request_set_callback(req: skreq, flags: pctx->flags, |
376 | compl: crypto_ccm_decrypt_done, data: req); |
377 | skcipher_request_set_crypt(req: skreq, src: pctx->src, dst, cryptlen: cryptlen + 16, iv); |
378 | err = crypto_skcipher_decrypt(req: skreq); |
379 | if (err) |
380 | return err; |
381 | |
382 | err = crypto_ccm_auth(req, plain: sg_next(dst), cryptlen); |
383 | if (err) |
384 | return err; |
385 | |
386 | /* verify */ |
387 | if (crypto_memneq(a: authtag, b: odata, size: authsize)) |
388 | return -EBADMSG; |
389 | |
390 | return err; |
391 | } |
392 | |
393 | static int crypto_ccm_init_tfm(struct crypto_aead *tfm) |
394 | { |
395 | struct aead_instance *inst = aead_alg_instance(aead: tfm); |
396 | struct ccm_instance_ctx *ictx = aead_instance_ctx(inst); |
397 | struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm); |
398 | struct crypto_ahash *mac; |
399 | struct crypto_skcipher *ctr; |
400 | unsigned long align; |
401 | int err; |
402 | |
403 | mac = crypto_spawn_ahash(spawn: &ictx->mac); |
404 | if (IS_ERR(ptr: mac)) |
405 | return PTR_ERR(ptr: mac); |
406 | |
407 | ctr = crypto_spawn_skcipher(spawn: &ictx->ctr); |
408 | err = PTR_ERR(ptr: ctr); |
409 | if (IS_ERR(ptr: ctr)) |
410 | goto err_free_mac; |
411 | |
412 | ctx->mac = mac; |
413 | ctx->ctr = ctr; |
414 | |
415 | align = crypto_aead_alignmask(tfm); |
416 | align &= ~(crypto_tfm_ctx_alignment() - 1); |
417 | crypto_aead_set_reqsize( |
418 | aead: tfm, |
419 | reqsize: align + sizeof(struct crypto_ccm_req_priv_ctx) + |
420 | max(crypto_ahash_reqsize(mac), crypto_skcipher_reqsize(ctr))); |
421 | |
422 | return 0; |
423 | |
424 | err_free_mac: |
425 | crypto_free_ahash(tfm: mac); |
426 | return err; |
427 | } |
428 | |
429 | static void crypto_ccm_exit_tfm(struct crypto_aead *tfm) |
430 | { |
431 | struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm); |
432 | |
433 | crypto_free_ahash(tfm: ctx->mac); |
434 | crypto_free_skcipher(tfm: ctx->ctr); |
435 | } |
436 | |
437 | static void crypto_ccm_free(struct aead_instance *inst) |
438 | { |
439 | struct ccm_instance_ctx *ctx = aead_instance_ctx(inst); |
440 | |
441 | crypto_drop_ahash(spawn: &ctx->mac); |
442 | crypto_drop_skcipher(spawn: &ctx->ctr); |
443 | kfree(objp: inst); |
444 | } |
445 | |
446 | static int crypto_ccm_create_common(struct crypto_template *tmpl, |
447 | struct rtattr **tb, |
448 | const char *ctr_name, |
449 | const char *mac_name) |
450 | { |
451 | struct skcipher_alg_common *ctr; |
452 | u32 mask; |
453 | struct aead_instance *inst; |
454 | struct ccm_instance_ctx *ictx; |
455 | struct hash_alg_common *mac; |
456 | int err; |
457 | |
458 | err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AEAD, mask_ret: &mask); |
459 | if (err) |
460 | return err; |
461 | |
462 | inst = kzalloc(size: sizeof(*inst) + sizeof(*ictx), GFP_KERNEL); |
463 | if (!inst) |
464 | return -ENOMEM; |
465 | ictx = aead_instance_ctx(inst); |
466 | |
467 | err = crypto_grab_ahash(spawn: &ictx->mac, inst: aead_crypto_instance(inst), |
468 | name: mac_name, type: 0, mask: mask | CRYPTO_ALG_ASYNC); |
469 | if (err) |
470 | goto err_free_inst; |
471 | mac = crypto_spawn_ahash_alg(spawn: &ictx->mac); |
472 | |
473 | err = -EINVAL; |
474 | if (strncmp(mac->base.cra_name, "cbcmac(" , 7) != 0 || |
475 | mac->digestsize != 16) |
476 | goto err_free_inst; |
477 | |
478 | err = crypto_grab_skcipher(spawn: &ictx->ctr, inst: aead_crypto_instance(inst), |
479 | name: ctr_name, type: 0, mask); |
480 | if (err) |
481 | goto err_free_inst; |
482 | ctr = crypto_spawn_skcipher_alg_common(spawn: &ictx->ctr); |
483 | |
484 | /* The skcipher algorithm must be CTR mode, using 16-byte blocks. */ |
485 | err = -EINVAL; |
486 | if (strncmp(ctr->base.cra_name, "ctr(" , 4) != 0 || |
487 | ctr->ivsize != 16 || ctr->base.cra_blocksize != 1) |
488 | goto err_free_inst; |
489 | |
490 | /* ctr and cbcmac must use the same underlying block cipher. */ |
491 | if (strcmp(ctr->base.cra_name + 4, mac->base.cra_name + 7) != 0) |
492 | goto err_free_inst; |
493 | |
494 | err = -ENAMETOOLONG; |
495 | if (snprintf(buf: inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME, |
496 | fmt: "ccm(%s" , ctr->base.cra_name + 4) >= CRYPTO_MAX_ALG_NAME) |
497 | goto err_free_inst; |
498 | |
499 | if (snprintf(buf: inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, |
500 | fmt: "ccm_base(%s,%s)" , ctr->base.cra_driver_name, |
501 | mac->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME) |
502 | goto err_free_inst; |
503 | |
504 | inst->alg.base.cra_priority = (mac->base.cra_priority + |
505 | ctr->base.cra_priority) / 2; |
506 | inst->alg.base.cra_blocksize = 1; |
507 | inst->alg.base.cra_alignmask = ctr->base.cra_alignmask; |
508 | inst->alg.ivsize = 16; |
509 | inst->alg.chunksize = ctr->chunksize; |
510 | inst->alg.maxauthsize = 16; |
511 | inst->alg.base.cra_ctxsize = sizeof(struct crypto_ccm_ctx); |
512 | inst->alg.init = crypto_ccm_init_tfm; |
513 | inst->alg.exit = crypto_ccm_exit_tfm; |
514 | inst->alg.setkey = crypto_ccm_setkey; |
515 | inst->alg.setauthsize = crypto_ccm_setauthsize; |
516 | inst->alg.encrypt = crypto_ccm_encrypt; |
517 | inst->alg.decrypt = crypto_ccm_decrypt; |
518 | |
519 | inst->free = crypto_ccm_free; |
520 | |
521 | err = aead_register_instance(tmpl, inst); |
522 | if (err) { |
523 | err_free_inst: |
524 | crypto_ccm_free(inst); |
525 | } |
526 | return err; |
527 | } |
528 | |
529 | static int crypto_ccm_create(struct crypto_template *tmpl, struct rtattr **tb) |
530 | { |
531 | const char *cipher_name; |
532 | char ctr_name[CRYPTO_MAX_ALG_NAME]; |
533 | char mac_name[CRYPTO_MAX_ALG_NAME]; |
534 | |
535 | cipher_name = crypto_attr_alg_name(rta: tb[1]); |
536 | if (IS_ERR(ptr: cipher_name)) |
537 | return PTR_ERR(ptr: cipher_name); |
538 | |
539 | if (snprintf(buf: ctr_name, CRYPTO_MAX_ALG_NAME, fmt: "ctr(%s)" , |
540 | cipher_name) >= CRYPTO_MAX_ALG_NAME) |
541 | return -ENAMETOOLONG; |
542 | |
543 | if (snprintf(buf: mac_name, CRYPTO_MAX_ALG_NAME, fmt: "cbcmac(%s)" , |
544 | cipher_name) >= CRYPTO_MAX_ALG_NAME) |
545 | return -ENAMETOOLONG; |
546 | |
547 | return crypto_ccm_create_common(tmpl, tb, ctr_name, mac_name); |
548 | } |
549 | |
550 | static int crypto_ccm_base_create(struct crypto_template *tmpl, |
551 | struct rtattr **tb) |
552 | { |
553 | const char *ctr_name; |
554 | const char *mac_name; |
555 | |
556 | ctr_name = crypto_attr_alg_name(rta: tb[1]); |
557 | if (IS_ERR(ptr: ctr_name)) |
558 | return PTR_ERR(ptr: ctr_name); |
559 | |
560 | mac_name = crypto_attr_alg_name(rta: tb[2]); |
561 | if (IS_ERR(ptr: mac_name)) |
562 | return PTR_ERR(ptr: mac_name); |
563 | |
564 | return crypto_ccm_create_common(tmpl, tb, ctr_name, mac_name); |
565 | } |
566 | |
567 | static int crypto_rfc4309_setkey(struct crypto_aead *parent, const u8 *key, |
568 | unsigned int keylen) |
569 | { |
570 | struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(tfm: parent); |
571 | struct crypto_aead *child = ctx->child; |
572 | |
573 | if (keylen < 3) |
574 | return -EINVAL; |
575 | |
576 | keylen -= 3; |
577 | memcpy(ctx->nonce, key + keylen, 3); |
578 | |
579 | crypto_aead_clear_flags(tfm: child, CRYPTO_TFM_REQ_MASK); |
580 | crypto_aead_set_flags(tfm: child, flags: crypto_aead_get_flags(tfm: parent) & |
581 | CRYPTO_TFM_REQ_MASK); |
582 | return crypto_aead_setkey(tfm: child, key, keylen); |
583 | } |
584 | |
585 | static int crypto_rfc4309_setauthsize(struct crypto_aead *parent, |
586 | unsigned int authsize) |
587 | { |
588 | struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(tfm: parent); |
589 | |
590 | switch (authsize) { |
591 | case 8: |
592 | case 12: |
593 | case 16: |
594 | break; |
595 | default: |
596 | return -EINVAL; |
597 | } |
598 | |
599 | return crypto_aead_setauthsize(tfm: ctx->child, authsize); |
600 | } |
601 | |
602 | static struct aead_request *crypto_rfc4309_crypt(struct aead_request *req) |
603 | { |
604 | struct crypto_rfc4309_req_ctx *rctx = aead_request_ctx(req); |
605 | struct aead_request *subreq = &rctx->subreq; |
606 | struct crypto_aead *aead = crypto_aead_reqtfm(req); |
607 | struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(tfm: aead); |
608 | struct crypto_aead *child = ctx->child; |
609 | struct scatterlist *sg; |
610 | u8 *iv = PTR_ALIGN((u8 *)(subreq + 1) + crypto_aead_reqsize(child), |
611 | crypto_aead_alignmask(child) + 1); |
612 | |
613 | /* L' */ |
614 | iv[0] = 3; |
615 | |
616 | memcpy(iv + 1, ctx->nonce, 3); |
617 | memcpy(iv + 4, req->iv, 8); |
618 | |
619 | scatterwalk_map_and_copy(buf: iv + 16, sg: req->src, start: 0, nbytes: req->assoclen - 8, out: 0); |
620 | |
621 | sg_init_table(rctx->src, 3); |
622 | sg_set_buf(sg: rctx->src, buf: iv + 16, buflen: req->assoclen - 8); |
623 | sg = scatterwalk_ffwd(dst: rctx->src + 1, src: req->src, len: req->assoclen); |
624 | if (sg != rctx->src + 1) |
625 | sg_chain(prv: rctx->src, prv_nents: 2, sgl: sg); |
626 | |
627 | if (req->src != req->dst) { |
628 | sg_init_table(rctx->dst, 3); |
629 | sg_set_buf(sg: rctx->dst, buf: iv + 16, buflen: req->assoclen - 8); |
630 | sg = scatterwalk_ffwd(dst: rctx->dst + 1, src: req->dst, len: req->assoclen); |
631 | if (sg != rctx->dst + 1) |
632 | sg_chain(prv: rctx->dst, prv_nents: 2, sgl: sg); |
633 | } |
634 | |
635 | aead_request_set_tfm(req: subreq, tfm: child); |
636 | aead_request_set_callback(req: subreq, flags: req->base.flags, compl: req->base.complete, |
637 | data: req->base.data); |
638 | aead_request_set_crypt(req: subreq, src: rctx->src, |
639 | dst: req->src == req->dst ? rctx->src : rctx->dst, |
640 | cryptlen: req->cryptlen, iv); |
641 | aead_request_set_ad(req: subreq, assoclen: req->assoclen - 8); |
642 | |
643 | return subreq; |
644 | } |
645 | |
646 | static int crypto_rfc4309_encrypt(struct aead_request *req) |
647 | { |
648 | if (req->assoclen != 16 && req->assoclen != 20) |
649 | return -EINVAL; |
650 | |
651 | req = crypto_rfc4309_crypt(req); |
652 | |
653 | return crypto_aead_encrypt(req); |
654 | } |
655 | |
656 | static int crypto_rfc4309_decrypt(struct aead_request *req) |
657 | { |
658 | if (req->assoclen != 16 && req->assoclen != 20) |
659 | return -EINVAL; |
660 | |
661 | req = crypto_rfc4309_crypt(req); |
662 | |
663 | return crypto_aead_decrypt(req); |
664 | } |
665 | |
666 | static int crypto_rfc4309_init_tfm(struct crypto_aead *tfm) |
667 | { |
668 | struct aead_instance *inst = aead_alg_instance(aead: tfm); |
669 | struct crypto_aead_spawn *spawn = aead_instance_ctx(inst); |
670 | struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(tfm); |
671 | struct crypto_aead *aead; |
672 | unsigned long align; |
673 | |
674 | aead = crypto_spawn_aead(spawn); |
675 | if (IS_ERR(ptr: aead)) |
676 | return PTR_ERR(ptr: aead); |
677 | |
678 | ctx->child = aead; |
679 | |
680 | align = crypto_aead_alignmask(tfm: aead); |
681 | align &= ~(crypto_tfm_ctx_alignment() - 1); |
682 | crypto_aead_set_reqsize( |
683 | aead: tfm, |
684 | reqsize: sizeof(struct crypto_rfc4309_req_ctx) + |
685 | ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) + |
686 | align + 32); |
687 | |
688 | return 0; |
689 | } |
690 | |
691 | static void crypto_rfc4309_exit_tfm(struct crypto_aead *tfm) |
692 | { |
693 | struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(tfm); |
694 | |
695 | crypto_free_aead(tfm: ctx->child); |
696 | } |
697 | |
698 | static void crypto_rfc4309_free(struct aead_instance *inst) |
699 | { |
700 | crypto_drop_aead(spawn: aead_instance_ctx(inst)); |
701 | kfree(objp: inst); |
702 | } |
703 | |
704 | static int crypto_rfc4309_create(struct crypto_template *tmpl, |
705 | struct rtattr **tb) |
706 | { |
707 | u32 mask; |
708 | struct aead_instance *inst; |
709 | struct crypto_aead_spawn *spawn; |
710 | struct aead_alg *alg; |
711 | int err; |
712 | |
713 | err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AEAD, mask_ret: &mask); |
714 | if (err) |
715 | return err; |
716 | |
717 | inst = kzalloc(size: sizeof(*inst) + sizeof(*spawn), GFP_KERNEL); |
718 | if (!inst) |
719 | return -ENOMEM; |
720 | |
721 | spawn = aead_instance_ctx(inst); |
722 | err = crypto_grab_aead(spawn, inst: aead_crypto_instance(inst), |
723 | name: crypto_attr_alg_name(rta: tb[1]), type: 0, mask); |
724 | if (err) |
725 | goto err_free_inst; |
726 | |
727 | alg = crypto_spawn_aead_alg(spawn); |
728 | |
729 | err = -EINVAL; |
730 | |
731 | /* We only support 16-byte blocks. */ |
732 | if (crypto_aead_alg_ivsize(alg) != 16) |
733 | goto err_free_inst; |
734 | |
735 | /* Not a stream cipher? */ |
736 | if (alg->base.cra_blocksize != 1) |
737 | goto err_free_inst; |
738 | |
739 | err = -ENAMETOOLONG; |
740 | if (snprintf(buf: inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME, |
741 | fmt: "rfc4309(%s)" , alg->base.cra_name) >= |
742 | CRYPTO_MAX_ALG_NAME || |
743 | snprintf(buf: inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, |
744 | fmt: "rfc4309(%s)" , alg->base.cra_driver_name) >= |
745 | CRYPTO_MAX_ALG_NAME) |
746 | goto err_free_inst; |
747 | |
748 | inst->alg.base.cra_priority = alg->base.cra_priority; |
749 | inst->alg.base.cra_blocksize = 1; |
750 | inst->alg.base.cra_alignmask = alg->base.cra_alignmask; |
751 | |
752 | inst->alg.ivsize = 8; |
753 | inst->alg.chunksize = crypto_aead_alg_chunksize(alg); |
754 | inst->alg.maxauthsize = 16; |
755 | |
756 | inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4309_ctx); |
757 | |
758 | inst->alg.init = crypto_rfc4309_init_tfm; |
759 | inst->alg.exit = crypto_rfc4309_exit_tfm; |
760 | |
761 | inst->alg.setkey = crypto_rfc4309_setkey; |
762 | inst->alg.setauthsize = crypto_rfc4309_setauthsize; |
763 | inst->alg.encrypt = crypto_rfc4309_encrypt; |
764 | inst->alg.decrypt = crypto_rfc4309_decrypt; |
765 | |
766 | inst->free = crypto_rfc4309_free; |
767 | |
768 | err = aead_register_instance(tmpl, inst); |
769 | if (err) { |
770 | err_free_inst: |
771 | crypto_rfc4309_free(inst); |
772 | } |
773 | return err; |
774 | } |
775 | |
776 | static int crypto_cbcmac_digest_setkey(struct crypto_shash *parent, |
777 | const u8 *inkey, unsigned int keylen) |
778 | { |
779 | struct cbcmac_tfm_ctx *ctx = crypto_shash_ctx(tfm: parent); |
780 | |
781 | return crypto_cipher_setkey(tfm: ctx->child, key: inkey, keylen); |
782 | } |
783 | |
784 | static int crypto_cbcmac_digest_init(struct shash_desc *pdesc) |
785 | { |
786 | struct cbcmac_desc_ctx *ctx = shash_desc_ctx(desc: pdesc); |
787 | int bs = crypto_shash_digestsize(tfm: pdesc->tfm); |
788 | |
789 | ctx->len = 0; |
790 | memset(ctx->dg, 0, bs); |
791 | |
792 | return 0; |
793 | } |
794 | |
795 | static int crypto_cbcmac_digest_update(struct shash_desc *pdesc, const u8 *p, |
796 | unsigned int len) |
797 | { |
798 | struct crypto_shash *parent = pdesc->tfm; |
799 | struct cbcmac_tfm_ctx *tctx = crypto_shash_ctx(tfm: parent); |
800 | struct cbcmac_desc_ctx *ctx = shash_desc_ctx(desc: pdesc); |
801 | struct crypto_cipher *tfm = tctx->child; |
802 | int bs = crypto_shash_digestsize(tfm: parent); |
803 | |
804 | while (len > 0) { |
805 | unsigned int l = min(len, bs - ctx->len); |
806 | |
807 | crypto_xor(dst: &ctx->dg[ctx->len], src: p, size: l); |
808 | ctx->len +=l; |
809 | len -= l; |
810 | p += l; |
811 | |
812 | if (ctx->len == bs) { |
813 | crypto_cipher_encrypt_one(tfm, dst: ctx->dg, src: ctx->dg); |
814 | ctx->len = 0; |
815 | } |
816 | } |
817 | |
818 | return 0; |
819 | } |
820 | |
821 | static int crypto_cbcmac_digest_final(struct shash_desc *pdesc, u8 *out) |
822 | { |
823 | struct crypto_shash *parent = pdesc->tfm; |
824 | struct cbcmac_tfm_ctx *tctx = crypto_shash_ctx(tfm: parent); |
825 | struct cbcmac_desc_ctx *ctx = shash_desc_ctx(desc: pdesc); |
826 | struct crypto_cipher *tfm = tctx->child; |
827 | int bs = crypto_shash_digestsize(tfm: parent); |
828 | |
829 | if (ctx->len) |
830 | crypto_cipher_encrypt_one(tfm, dst: ctx->dg, src: ctx->dg); |
831 | |
832 | memcpy(out, ctx->dg, bs); |
833 | return 0; |
834 | } |
835 | |
836 | static int cbcmac_init_tfm(struct crypto_tfm *tfm) |
837 | { |
838 | struct crypto_cipher *cipher; |
839 | struct crypto_instance *inst = (void *)tfm->__crt_alg; |
840 | struct crypto_cipher_spawn *spawn = crypto_instance_ctx(inst); |
841 | struct cbcmac_tfm_ctx *ctx = crypto_tfm_ctx(tfm); |
842 | |
843 | cipher = crypto_spawn_cipher(spawn); |
844 | if (IS_ERR(ptr: cipher)) |
845 | return PTR_ERR(ptr: cipher); |
846 | |
847 | ctx->child = cipher; |
848 | |
849 | return 0; |
850 | }; |
851 | |
852 | static void cbcmac_exit_tfm(struct crypto_tfm *tfm) |
853 | { |
854 | struct cbcmac_tfm_ctx *ctx = crypto_tfm_ctx(tfm); |
855 | crypto_free_cipher(tfm: ctx->child); |
856 | } |
857 | |
858 | static int cbcmac_create(struct crypto_template *tmpl, struct rtattr **tb) |
859 | { |
860 | struct shash_instance *inst; |
861 | struct crypto_cipher_spawn *spawn; |
862 | struct crypto_alg *alg; |
863 | u32 mask; |
864 | int err; |
865 | |
866 | err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_SHASH, mask_ret: &mask); |
867 | if (err) |
868 | return err; |
869 | |
870 | inst = kzalloc(size: sizeof(*inst) + sizeof(*spawn), GFP_KERNEL); |
871 | if (!inst) |
872 | return -ENOMEM; |
873 | spawn = shash_instance_ctx(inst); |
874 | |
875 | err = crypto_grab_cipher(spawn, inst: shash_crypto_instance(inst), |
876 | name: crypto_attr_alg_name(rta: tb[1]), type: 0, mask); |
877 | if (err) |
878 | goto err_free_inst; |
879 | alg = crypto_spawn_cipher_alg(spawn); |
880 | |
881 | err = crypto_inst_setname(inst: shash_crypto_instance(inst), name: tmpl->name, alg); |
882 | if (err) |
883 | goto err_free_inst; |
884 | |
885 | inst->alg.base.cra_priority = alg->cra_priority; |
886 | inst->alg.base.cra_blocksize = 1; |
887 | |
888 | inst->alg.digestsize = alg->cra_blocksize; |
889 | inst->alg.descsize = sizeof(struct cbcmac_desc_ctx) + |
890 | alg->cra_blocksize; |
891 | |
892 | inst->alg.base.cra_ctxsize = sizeof(struct cbcmac_tfm_ctx); |
893 | inst->alg.base.cra_init = cbcmac_init_tfm; |
894 | inst->alg.base.cra_exit = cbcmac_exit_tfm; |
895 | |
896 | inst->alg.init = crypto_cbcmac_digest_init; |
897 | inst->alg.update = crypto_cbcmac_digest_update; |
898 | inst->alg.final = crypto_cbcmac_digest_final; |
899 | inst->alg.setkey = crypto_cbcmac_digest_setkey; |
900 | |
901 | inst->free = shash_free_singlespawn_instance; |
902 | |
903 | err = shash_register_instance(tmpl, inst); |
904 | if (err) { |
905 | err_free_inst: |
906 | shash_free_singlespawn_instance(inst); |
907 | } |
908 | return err; |
909 | } |
910 | |
911 | static struct crypto_template crypto_ccm_tmpls[] = { |
912 | { |
913 | .name = "cbcmac" , |
914 | .create = cbcmac_create, |
915 | .module = THIS_MODULE, |
916 | }, { |
917 | .name = "ccm_base" , |
918 | .create = crypto_ccm_base_create, |
919 | .module = THIS_MODULE, |
920 | }, { |
921 | .name = "ccm" , |
922 | .create = crypto_ccm_create, |
923 | .module = THIS_MODULE, |
924 | }, { |
925 | .name = "rfc4309" , |
926 | .create = crypto_rfc4309_create, |
927 | .module = THIS_MODULE, |
928 | }, |
929 | }; |
930 | |
931 | static int __init crypto_ccm_module_init(void) |
932 | { |
933 | return crypto_register_templates(tmpls: crypto_ccm_tmpls, |
934 | ARRAY_SIZE(crypto_ccm_tmpls)); |
935 | } |
936 | |
937 | static void __exit crypto_ccm_module_exit(void) |
938 | { |
939 | crypto_unregister_templates(tmpls: crypto_ccm_tmpls, |
940 | ARRAY_SIZE(crypto_ccm_tmpls)); |
941 | } |
942 | |
943 | subsys_initcall(crypto_ccm_module_init); |
944 | module_exit(crypto_ccm_module_exit); |
945 | |
946 | MODULE_LICENSE("GPL" ); |
947 | MODULE_DESCRIPTION("Counter with CBC MAC" ); |
948 | MODULE_ALIAS_CRYPTO("ccm_base" ); |
949 | MODULE_ALIAS_CRYPTO("rfc4309" ); |
950 | MODULE_ALIAS_CRYPTO("ccm" ); |
951 | MODULE_ALIAS_CRYPTO("cbcmac" ); |
952 | MODULE_IMPORT_NS(CRYPTO_INTERNAL); |
953 | |