]>
Commit | Line | Data |
---|---|---|
a3fd8210 AB |
1 | /* |
2 | * aes-ccm-glue.c - AES-CCM transform for ARMv8 with Crypto Extensions | |
3 | * | |
4 | * Copyright (C) 2013 - 2014 Linaro Ltd <ard.biesheuvel@linaro.org> | |
5 | * | |
6 | * This program is free software; you can redistribute it and/or modify | |
7 | * it under the terms of the GNU General Public License version 2 as | |
8 | * published by the Free Software Foundation. | |
9 | */ | |
10 | ||
11 | #include <asm/neon.h> | |
12 | #include <asm/unaligned.h> | |
13 | #include <crypto/aes.h> | |
a3fd8210 | 14 | #include <crypto/scatterwalk.h> |
34ed9a35 | 15 | #include <crypto/internal/aead.h> |
cf2c0fe7 | 16 | #include <crypto/internal/skcipher.h> |
a3fd8210 AB |
17 | #include <linux/module.h> |
18 | ||
12ac3efe AB |
19 | #include "aes-ce-setkey.h" |
20 | ||
a3fd8210 AB |
21 | static int num_rounds(struct crypto_aes_ctx *ctx) |
22 | { | |
23 | /* | |
24 | * # of rounds specified by AES: | |
25 | * 128 bit key 10 rounds | |
26 | * 192 bit key 12 rounds | |
27 | * 256 bit key 14 rounds | |
28 | * => n byte key => 6 + (n/4) rounds | |
29 | */ | |
30 | return 6 + ctx->key_length / 4; | |
31 | } | |
32 | ||
33 | asmlinkage void ce_aes_ccm_auth_data(u8 mac[], u8 const in[], u32 abytes, | |
34 | u32 *macp, u32 const rk[], u32 rounds); | |
35 | ||
36 | asmlinkage void ce_aes_ccm_encrypt(u8 out[], u8 const in[], u32 cbytes, | |
37 | u32 const rk[], u32 rounds, u8 mac[], | |
38 | u8 ctr[]); | |
39 | ||
40 | asmlinkage void ce_aes_ccm_decrypt(u8 out[], u8 const in[], u32 cbytes, | |
41 | u32 const rk[], u32 rounds, u8 mac[], | |
42 | u8 ctr[]); | |
43 | ||
44 | asmlinkage void ce_aes_ccm_final(u8 mac[], u8 const ctr[], u32 const rk[], | |
45 | u32 rounds); | |
46 | ||
47 | static int ccm_setkey(struct crypto_aead *tfm, const u8 *in_key, | |
48 | unsigned int key_len) | |
49 | { | |
50 | struct crypto_aes_ctx *ctx = crypto_aead_ctx(tfm); | |
51 | int ret; | |
52 | ||
12ac3efe | 53 | ret = ce_aes_expandkey(ctx, in_key, key_len); |
a3fd8210 AB |
54 | if (!ret) |
55 | return 0; | |
56 | ||
57 | tfm->base.crt_flags |= CRYPTO_TFM_RES_BAD_KEY_LEN; | |
58 | return -EINVAL; | |
59 | } | |
60 | ||
61 | static int ccm_setauthsize(struct crypto_aead *tfm, unsigned int authsize) | |
62 | { | |
63 | if ((authsize & 1) || authsize < 4) | |
64 | return -EINVAL; | |
65 | return 0; | |
66 | } | |
67 | ||
68 | static int ccm_init_mac(struct aead_request *req, u8 maciv[], u32 msglen) | |
69 | { | |
70 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
71 | __be32 *n = (__be32 *)&maciv[AES_BLOCK_SIZE - 8]; | |
72 | u32 l = req->iv[0] + 1; | |
73 | ||
74 | /* verify that CCM dimension 'L' is set correctly in the IV */ | |
75 | if (l < 2 || l > 8) | |
76 | return -EINVAL; | |
77 | ||
78 | /* verify that msglen can in fact be represented in L bytes */ | |
79 | if (l < 4 && msglen >> (8 * l)) | |
80 | return -EOVERFLOW; | |
81 | ||
82 | /* | |
83 | * Even if the CCM spec allows L values of up to 8, the Linux cryptoapi | |
84 | * uses a u32 type to represent msglen so the top 4 bytes are always 0. | |
85 | */ | |
86 | n[0] = 0; | |
87 | n[1] = cpu_to_be32(msglen); | |
88 | ||
89 | memcpy(maciv, req->iv, AES_BLOCK_SIZE - l); | |
90 | ||
91 | /* | |
92 | * Meaning of byte 0 according to CCM spec (RFC 3610/NIST 800-38C) | |
93 | * - bits 0..2 : max # of bytes required to represent msglen, minus 1 | |
94 | * (already set by caller) | |
95 | * - bits 3..5 : size of auth tag (1 => 4 bytes, 2 => 6 bytes, etc) | |
96 | * - bit 6 : indicates presence of authenticate-only data | |
97 | */ | |
98 | maciv[0] |= (crypto_aead_authsize(aead) - 2) << 2; | |
99 | if (req->assoclen) | |
100 | maciv[0] |= 0x40; | |
101 | ||
102 | memset(&req->iv[AES_BLOCK_SIZE - l], 0, l); | |
103 | return 0; | |
104 | } | |
105 | ||
106 | static void ccm_calculate_auth_mac(struct aead_request *req, u8 mac[]) | |
107 | { | |
108 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
109 | struct crypto_aes_ctx *ctx = crypto_aead_ctx(aead); | |
110 | struct __packed { __be16 l; __be32 h; u16 len; } ltag; | |
111 | struct scatter_walk walk; | |
112 | u32 len = req->assoclen; | |
113 | u32 macp = 0; | |
114 | ||
115 | /* prepend the AAD with a length tag */ | |
116 | if (len < 0xff00) { | |
117 | ltag.l = cpu_to_be16(len); | |
118 | ltag.len = 2; | |
119 | } else { | |
120 | ltag.l = cpu_to_be16(0xfffe); | |
121 | put_unaligned_be32(len, <ag.h); | |
122 | ltag.len = 6; | |
123 | } | |
124 | ||
125 | ce_aes_ccm_auth_data(mac, (u8 *)<ag, ltag.len, &macp, ctx->key_enc, | |
126 | num_rounds(ctx)); | |
2642d6ab | 127 | scatterwalk_start(&walk, req->src); |
a3fd8210 AB |
128 | |
129 | do { | |
130 | u32 n = scatterwalk_clamp(&walk, len); | |
131 | u8 *p; | |
132 | ||
133 | if (!n) { | |
134 | scatterwalk_start(&walk, sg_next(walk.sg)); | |
135 | n = scatterwalk_clamp(&walk, len); | |
136 | } | |
137 | p = scatterwalk_map(&walk); | |
138 | ce_aes_ccm_auth_data(mac, p, n, &macp, ctx->key_enc, | |
139 | num_rounds(ctx)); | |
140 | len -= n; | |
141 | ||
142 | scatterwalk_unmap(p); | |
143 | scatterwalk_advance(&walk, n); | |
144 | scatterwalk_done(&walk, 0, len); | |
145 | } while (len); | |
146 | } | |
147 | ||
148 | static int ccm_encrypt(struct aead_request *req) | |
149 | { | |
150 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
151 | struct crypto_aes_ctx *ctx = crypto_aead_ctx(aead); | |
cf2c0fe7 | 152 | struct skcipher_walk walk; |
a3fd8210 AB |
153 | u8 __aligned(8) mac[AES_BLOCK_SIZE]; |
154 | u8 buf[AES_BLOCK_SIZE]; | |
155 | u32 len = req->cryptlen; | |
156 | int err; | |
157 | ||
158 | err = ccm_init_mac(req, mac, len); | |
159 | if (err) | |
160 | return err; | |
161 | ||
162 | kernel_neon_begin_partial(6); | |
163 | ||
164 | if (req->assoclen) | |
165 | ccm_calculate_auth_mac(req, mac); | |
166 | ||
167 | /* preserve the original iv for the final round */ | |
168 | memcpy(buf, req->iv, AES_BLOCK_SIZE); | |
169 | ||
cf2c0fe7 | 170 | err = skcipher_walk_aead(&walk, req, true); |
a3fd8210 AB |
171 | |
172 | while (walk.nbytes) { | |
173 | u32 tail = walk.nbytes % AES_BLOCK_SIZE; | |
174 | ||
cf2c0fe7 | 175 | if (walk.nbytes == walk.total) |
a3fd8210 AB |
176 | tail = 0; |
177 | ||
178 | ce_aes_ccm_encrypt(walk.dst.virt.addr, walk.src.virt.addr, | |
179 | walk.nbytes - tail, ctx->key_enc, | |
180 | num_rounds(ctx), mac, walk.iv); | |
181 | ||
cf2c0fe7 | 182 | err = skcipher_walk_done(&walk, tail); |
a3fd8210 AB |
183 | } |
184 | if (!err) | |
185 | ce_aes_ccm_final(mac, buf, ctx->key_enc, num_rounds(ctx)); | |
186 | ||
187 | kernel_neon_end(); | |
188 | ||
189 | if (err) | |
190 | return err; | |
191 | ||
192 | /* copy authtag to end of dst */ | |
cf2c0fe7 | 193 | scatterwalk_map_and_copy(mac, req->dst, req->assoclen + req->cryptlen, |
a3fd8210 AB |
194 | crypto_aead_authsize(aead), 1); |
195 | ||
196 | return 0; | |
197 | } | |
198 | ||
199 | static int ccm_decrypt(struct aead_request *req) | |
200 | { | |
201 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
202 | struct crypto_aes_ctx *ctx = crypto_aead_ctx(aead); | |
203 | unsigned int authsize = crypto_aead_authsize(aead); | |
cf2c0fe7 | 204 | struct skcipher_walk walk; |
a3fd8210 AB |
205 | u8 __aligned(8) mac[AES_BLOCK_SIZE]; |
206 | u8 buf[AES_BLOCK_SIZE]; | |
207 | u32 len = req->cryptlen - authsize; | |
208 | int err; | |
209 | ||
210 | err = ccm_init_mac(req, mac, len); | |
211 | if (err) | |
212 | return err; | |
213 | ||
214 | kernel_neon_begin_partial(6); | |
215 | ||
216 | if (req->assoclen) | |
217 | ccm_calculate_auth_mac(req, mac); | |
218 | ||
219 | /* preserve the original iv for the final round */ | |
220 | memcpy(buf, req->iv, AES_BLOCK_SIZE); | |
221 | ||
cf2c0fe7 | 222 | err = skcipher_walk_aead(&walk, req, true); |
a3fd8210 AB |
223 | |
224 | while (walk.nbytes) { | |
225 | u32 tail = walk.nbytes % AES_BLOCK_SIZE; | |
226 | ||
cf2c0fe7 | 227 | if (walk.nbytes == walk.total) |
a3fd8210 AB |
228 | tail = 0; |
229 | ||
230 | ce_aes_ccm_decrypt(walk.dst.virt.addr, walk.src.virt.addr, | |
231 | walk.nbytes - tail, ctx->key_enc, | |
232 | num_rounds(ctx), mac, walk.iv); | |
233 | ||
cf2c0fe7 | 234 | err = skcipher_walk_done(&walk, tail); |
a3fd8210 AB |
235 | } |
236 | if (!err) | |
237 | ce_aes_ccm_final(mac, buf, ctx->key_enc, num_rounds(ctx)); | |
238 | ||
239 | kernel_neon_end(); | |
240 | ||
241 | if (err) | |
242 | return err; | |
243 | ||
244 | /* compare calculated auth tag with the stored one */ | |
cf2c0fe7 HX |
245 | scatterwalk_map_and_copy(buf, req->src, |
246 | req->assoclen + req->cryptlen - authsize, | |
a3fd8210 AB |
247 | authsize, 0); |
248 | ||
2642d6ab | 249 | if (crypto_memneq(mac, buf, authsize)) |
a3fd8210 AB |
250 | return -EBADMSG; |
251 | return 0; | |
252 | } | |
253 | ||
2642d6ab HX |
254 | static struct aead_alg ccm_aes_alg = { |
255 | .base = { | |
256 | .cra_name = "ccm(aes)", | |
257 | .cra_driver_name = "ccm-aes-ce", | |
2642d6ab HX |
258 | .cra_priority = 300, |
259 | .cra_blocksize = 1, | |
260 | .cra_ctxsize = sizeof(struct crypto_aes_ctx), | |
261 | .cra_alignmask = 7, | |
262 | .cra_module = THIS_MODULE, | |
263 | }, | |
264 | .ivsize = AES_BLOCK_SIZE, | |
cf2c0fe7 | 265 | .chunksize = AES_BLOCK_SIZE, |
2642d6ab HX |
266 | .maxauthsize = AES_BLOCK_SIZE, |
267 | .setkey = ccm_setkey, | |
268 | .setauthsize = ccm_setauthsize, | |
269 | .encrypt = ccm_encrypt, | |
270 | .decrypt = ccm_decrypt, | |
a3fd8210 AB |
271 | }; |
272 | ||
273 | static int __init aes_mod_init(void) | |
274 | { | |
275 | if (!(elf_hwcap & HWCAP_AES)) | |
276 | return -ENODEV; | |
2642d6ab | 277 | return crypto_register_aead(&ccm_aes_alg); |
a3fd8210 AB |
278 | } |
279 | ||
280 | static void __exit aes_mod_exit(void) | |
281 | { | |
2642d6ab | 282 | crypto_unregister_aead(&ccm_aes_alg); |
a3fd8210 AB |
283 | } |
284 | ||
285 | module_init(aes_mod_init); | |
286 | module_exit(aes_mod_exit); | |
287 | ||
288 | MODULE_DESCRIPTION("Synchronous AES in CCM mode using ARMv8 Crypto Extensions"); | |
289 | MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>"); | |
290 | MODULE_LICENSE("GPL v2"); | |
5d26a105 | 291 | MODULE_ALIAS_CRYPTO("ccm(aes)"); |