[mirror_ubuntu-bionic-kernel.git] / arch / arm64 / crypto / aes-ce-ccm-glue.c

/*
 * aes-ccm-glue.c - AES-CCM transform for ARMv8 with Crypto Extensions
 *
 * Copyright (C) 2013 - 2014 Linaro Ltd <ard.biesheuvel@linaro.org>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

#include <asm/neon.h>
#include <asm/unaligned.h>
#include <crypto/aes.h>
#include <crypto/scatterwalk.h>
#include <crypto/internal/aead.h>
#include <crypto/internal/skcipher.h>
#include <linux/module.h>

#include "aes-ce-setkey.h"

static int num_rounds(struct crypto_aes_ctx *ctx)
{
	/*
	 * # of rounds specified by AES:
	 * 128 bit key		10 rounds
	 * 192 bit key		12 rounds
	 * 256 bit key		14 rounds
	 * => n byte key	=> 6 + (n/4) rounds
	 */
	return 6 + ctx->key_length / 4;
}

asmlinkage void ce_aes_ccm_auth_data(u8 mac[], u8 const in[], u32 abytes,
				     u32 *macp, u32 const rk[], u32 rounds);

asmlinkage void ce_aes_ccm_encrypt(u8 out[], u8 const in[], u32 cbytes,
				   u32 const rk[], u32 rounds, u8 mac[],
				   u8 ctr[]);

asmlinkage void ce_aes_ccm_decrypt(u8 out[], u8 const in[], u32 cbytes,
				   u32 const rk[], u32 rounds, u8 mac[],
				   u8 ctr[]);

asmlinkage void ce_aes_ccm_final(u8 mac[], u8 const ctr[], u32 const rk[],
				 u32 rounds);

static int ccm_setkey(struct crypto_aead *tfm, const u8 *in_key,
		      unsigned int key_len)
{
	struct crypto_aes_ctx *ctx = crypto_aead_ctx(tfm);
	int ret;

	ret = ce_aes_expandkey(ctx, in_key, key_len);
	if (!ret)
		return 0;

	tfm->base.crt_flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
	return -EINVAL;
}

static int ccm_setauthsize(struct crypto_aead *tfm, unsigned int authsize)
{
	if ((authsize & 1) || authsize < 4)
		return -EINVAL;
	return 0;
}

static int ccm_init_mac(struct aead_request *req, u8 maciv[], u32 msglen)
{
	struct crypto_aead *aead = crypto_aead_reqtfm(req);
	__be32 *n = (__be32 *)&maciv[AES_BLOCK_SIZE - 8];
	u32 l = req->iv[0] + 1;

	/* verify that CCM dimension 'L' is set correctly in the IV */
	if (l < 2 || l > 8)
		return -EINVAL;

	/* verify that msglen can in fact be represented in L bytes */
	if (l < 4 && msglen >> (8 * l))
		return -EOVERFLOW;

	/*
	 * Even if the CCM spec allows L values of up to 8, the Linux cryptoapi
	 * uses a u32 type to represent msglen so the top 4 bytes are always 0.
	 */
	n[0] = 0;
	n[1] = cpu_to_be32(msglen);

	memcpy(maciv, req->iv, AES_BLOCK_SIZE - l);

	/*
	 * Meaning of byte 0 according to CCM spec (RFC 3610/NIST 800-38C)
	 * - bits 0..2	: max # of bytes required to represent msglen, minus 1
	 *                (already set by caller)
	 * - bits 3..5	: size of auth tag (1 => 4 bytes, 2 => 6 bytes, etc)
	 * - bit 6	: indicates presence of authenticate-only data
	 */
	maciv[0] |= (crypto_aead_authsize(aead) - 2) << 2;
	if (req->assoclen)
		maciv[0] |= 0x40;

	memset(&req->iv[AES_BLOCK_SIZE - l], 0, l);
	return 0;
}

static void ccm_calculate_auth_mac(struct aead_request *req, u8 mac[])
{
	struct crypto_aead *aead = crypto_aead_reqtfm(req);
	struct crypto_aes_ctx *ctx = crypto_aead_ctx(aead);
	struct __packed { __be16 l; __be32 h; u16 len; } ltag;
	struct scatter_walk walk;
	u32 len = req->assoclen;
	u32 macp = 0;

	/* prepend the AAD with a length tag */
	if (len < 0xff00) {
		ltag.l = cpu_to_be16(len);
		ltag.len = 2;
	} else  {
		ltag.l = cpu_to_be16(0xfffe);
		put_unaligned_be32(len, &ltag.h);
		ltag.len = 6;
	}

	ce_aes_ccm_auth_data(mac, (u8 *)&ltag, ltag.len, &macp, ctx->key_enc,
			     num_rounds(ctx));
	scatterwalk_start(&walk, req->src);

	do {
		u32 n = scatterwalk_clamp(&walk, len);
		u8 *p;

		if (!n) {
			scatterwalk_start(&walk, sg_next(walk.sg));
			n = scatterwalk_clamp(&walk, len);
		}
		p = scatterwalk_map(&walk);
		ce_aes_ccm_auth_data(mac, p, n, &macp, ctx->key_enc,
				     num_rounds(ctx));
		len -= n;

		scatterwalk_unmap(p);
		scatterwalk_advance(&walk, n);
		scatterwalk_done(&walk, 0, len);
	} while (len);
}

static int ccm_encrypt(struct aead_request *req)
{
	struct crypto_aead *aead = crypto_aead_reqtfm(req);
	struct crypto_aes_ctx *ctx = crypto_aead_ctx(aead);
	struct skcipher_walk walk;
	u8 __aligned(8) mac[AES_BLOCK_SIZE];
	u8 buf[AES_BLOCK_SIZE];
	u32 len = req->cryptlen;
	int err;

	err = ccm_init_mac(req, mac, len);
	if (err)
		return err;

	kernel_neon_begin_partial(6);

	if (req->assoclen)
		ccm_calculate_auth_mac(req, mac);

	/* preserve the original iv for the final round */
	memcpy(buf, req->iv, AES_BLOCK_SIZE);

	err = skcipher_walk_aead(&walk, req, true);

	while (walk.nbytes) {
		u32 tail = walk.nbytes % AES_BLOCK_SIZE;

		if (walk.nbytes == walk.total)
			tail = 0;

		ce_aes_ccm_encrypt(walk.dst.virt.addr, walk.src.virt.addr,
				   walk.nbytes - tail, ctx->key_enc,
				   num_rounds(ctx), mac, walk.iv);

		err = skcipher_walk_done(&walk, tail);
	}
	if (!err)
		ce_aes_ccm_final(mac, buf, ctx->key_enc, num_rounds(ctx));

	kernel_neon_end();

	if (err)
		return err;

	/* copy authtag to end of dst */
	scatterwalk_map_and_copy(mac, req->dst, req->assoclen + req->cryptlen,
				 crypto_aead_authsize(aead), 1);

	return 0;
}

static int ccm_decrypt(struct aead_request *req)
{
	struct crypto_aead *aead = crypto_aead_reqtfm(req);
	struct crypto_aes_ctx *ctx = crypto_aead_ctx(aead);
	unsigned int authsize = crypto_aead_authsize(aead);
	struct skcipher_walk walk;
	u8 __aligned(8) mac[AES_BLOCK_SIZE];
	u8 buf[AES_BLOCK_SIZE];
	u32 len = req->cryptlen - authsize;
	int err;

	err = ccm_init_mac(req, mac, len);
	if (err)
		return err;

	kernel_neon_begin_partial(6);

	if (req->assoclen)
		ccm_calculate_auth_mac(req, mac);

	/* preserve the original iv for the final round */
	memcpy(buf, req->iv, AES_BLOCK_SIZE);

	err = skcipher_walk_aead(&walk, req, true);

	while (walk.nbytes) {
		u32 tail = walk.nbytes % AES_BLOCK_SIZE;

		if (walk.nbytes == walk.total)
			tail = 0;

		ce_aes_ccm_decrypt(walk.dst.virt.addr, walk.src.virt.addr,
				   walk.nbytes - tail, ctx->key_enc,
				   num_rounds(ctx), mac, walk.iv);

		err = skcipher_walk_done(&walk, tail);
	}
	if (!err)
		ce_aes_ccm_final(mac, buf, ctx->key_enc, num_rounds(ctx));

	kernel_neon_end();

	if (err)
		return err;

	/* compare calculated auth tag with the stored one */
	scatterwalk_map_and_copy(buf, req->src,
				 req->assoclen + req->cryptlen - authsize,
				 authsize, 0);

	if (crypto_memneq(mac, buf, authsize))
		return -EBADMSG;
	return 0;
}

static struct aead_alg ccm_aes_alg = {
	.base = {
		.cra_name		= "ccm(aes)",
		.cra_driver_name	= "ccm-aes-ce",
		.cra_priority		= 300,
		.cra_blocksize		= 1,
		.cra_ctxsize		= sizeof(struct crypto_aes_ctx),
		.cra_alignmask		= 7,
		.cra_module		= THIS_MODULE,
	},
	.ivsize		= AES_BLOCK_SIZE,
	.chunksize	= AES_BLOCK_SIZE,
	.maxauthsize	= AES_BLOCK_SIZE,
	.setkey		= ccm_setkey,
	.setauthsize	= ccm_setauthsize,
	.encrypt	= ccm_encrypt,
	.decrypt	= ccm_decrypt,
};

static int __init aes_mod_init(void)
{
	if (!(elf_hwcap & HWCAP_AES))
		return -ENODEV;
	return crypto_register_aead(&ccm_aes_alg);
}

static void __exit aes_mod_exit(void)
{
	crypto_unregister_aead(&ccm_aes_alg);
}

module_init(aes_mod_init);
module_exit(aes_mod_exit);

MODULE_DESCRIPTION("Synchronous AES in CCM mode using ARMv8 Crypto Extensions");
MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>");
MODULE_LICENSE("GPL v2");
MODULE_ALIAS_CRYPTO("ccm(aes)");
Commit	Line	Data
a3fd8210 AB	1	/*
	2	* aes-ccm-glue.c - AES-CCM transform for ARMv8 with Crypto Extensions
	3	*
	4	* Copyright (C) 2013 - 2014 Linaro Ltd <ard.biesheuvel@linaro.org>
	5	*
	6	* This program is free software; you can redistribute it and/or modify
	7	* it under the terms of the GNU General Public License version 2 as
	8	* published by the Free Software Foundation.
	9	*/
	10
	11	#include <asm/neon.h>
	12	#include <asm/unaligned.h>
	13	#include <crypto/aes.h>
a3fd8210	14	#include <crypto/scatterwalk.h>
34ed9a35	15	#include <crypto/internal/aead.h>
cf2c0fe7	16	#include <crypto/internal/skcipher.h>
a3fd8210 AB	17	#include <linux/module.h>
a3fd8210 AB	18
12ac3efe AB	19	#include "aes-ce-setkey.h"
12ac3efe AB	20
a3fd8210 AB	21	static int num_rounds(struct crypto_aes_ctx *ctx)
	22	{
	23	/*
	24	* # of rounds specified by AES:
	25	* 128 bit key 10 rounds
	26	* 192 bit key 12 rounds
	27	* 256 bit key 14 rounds
	28	* => n byte key => 6 + (n/4) rounds
	29	*/
	30	return 6 + ctx->key_length / 4;
	31	}
	32
	33	asmlinkage void ce_aes_ccm_auth_data(u8 mac[], u8 const in[], u32 abytes,
	34	u32 *macp, u32 const rk[], u32 rounds);
	35
	36	asmlinkage void ce_aes_ccm_encrypt(u8 out[], u8 const in[], u32 cbytes,
	37	u32 const rk[], u32 rounds, u8 mac[],
	38	u8 ctr[]);
	39
	40	asmlinkage void ce_aes_ccm_decrypt(u8 out[], u8 const in[], u32 cbytes,
	41	u32 const rk[], u32 rounds, u8 mac[],
	42	u8 ctr[]);
	43
	44	asmlinkage void ce_aes_ccm_final(u8 mac[], u8 const ctr[], u32 const rk[],
	45	u32 rounds);
	46
	47	static int ccm_setkey(struct crypto_aead tfm, const u8 in_key,
	48	unsigned int key_len)
	49	{
	50	struct crypto_aes_ctx *ctx = crypto_aead_ctx(tfm);
	51	int ret;
	52
12ac3efe	53	ret = ce_aes_expandkey(ctx, in_key, key_len);
a3fd8210 AB	54	if (!ret)
	55	return 0;
	56
	57	tfm->base.crt_flags \|= CRYPTO_TFM_RES_BAD_KEY_LEN;
	58	return -EINVAL;
	59	}
	60
	61	static int ccm_setauthsize(struct crypto_aead *tfm, unsigned int authsize)
	62	{
	63	if ((authsize & 1) \|\| authsize < 4)
	64	return -EINVAL;
	65	return 0;
	66	}
	67
	68	static int ccm_init_mac(struct aead_request *req, u8 maciv[], u32 msglen)
	69	{
	70	struct crypto_aead *aead = crypto_aead_reqtfm(req);
	71	__be32 n = (__be32 )&maciv[AES_BLOCK_SIZE - 8];
	72	u32 l = req->iv[0] + 1;
	73
	74	/* verify that CCM dimension 'L' is set correctly in the IV */
	75	if (l < 2 \|\| l > 8)
	76	return -EINVAL;
	77
	78	/* verify that msglen can in fact be represented in L bytes */
	79	if (l < 4 && msglen >> (8 * l))
	80	return -EOVERFLOW;
	81
	82	/*
	83	* Even if the CCM spec allows L values of up to 8, the Linux cryptoapi
	84	* uses a u32 type to represent msglen so the top 4 bytes are always 0.
	85	*/
	86	n[0] = 0;
	87	n[1] = cpu_to_be32(msglen);
	88
	89	memcpy(maciv, req->iv, AES_BLOCK_SIZE - l);
	90
	91	/*
	92	* Meaning of byte 0 according to CCM spec (RFC 3610/NIST 800-38C)
	93	* - bits 0..2 : max # of bytes required to represent msglen, minus 1
	94	* (already set by caller)
	95	* - bits 3..5 : size of auth tag (1 => 4 bytes, 2 => 6 bytes, etc)
	96	* - bit 6 : indicates presence of authenticate-only data
	97	*/
	98	maciv[0] \|= (crypto_aead_authsize(aead) - 2) << 2;
	99	if (req->assoclen)
	100	maciv[0] \|= 0x40;
	101
	102	memset(&req->iv[AES_BLOCK_SIZE - l], 0, l);
	103	return 0;
	104	}
	105
	106	static void ccm_calculate_auth_mac(struct aead_request *req, u8 mac[])
	107	{
	108	struct crypto_aead *aead = crypto_aead_reqtfm(req);
	109	struct crypto_aes_ctx *ctx = crypto_aead_ctx(aead);
	110	struct __packed { __be16 l; __be32 h; u16 len; } ltag;
	111	struct scatter_walk walk;
	112	u32 len = req->assoclen;
	113	u32 macp = 0;
	114
	115	/* prepend the AAD with a length tag */
	116	if (len < 0xff00) {
	117	ltag.l = cpu_to_be16(len);
118	ltag.len = 2;
119	} else {
120	ltag.l = cpu_to_be16(0xfffe);
121	put_unaligned_be32(len, &ltag.h);
122	ltag.len = 6;
123	}
124
125	ce_aes_ccm_auth_data(mac, (u8 *)&ltag, ltag.len, &macp, ctx->key_enc,
126	num_rounds(ctx));
2642d6ab	127	scatterwalk_start(&walk, req->src);
a3fd8210 AB	128
	129	do {
	130	u32 n = scatterwalk_clamp(&walk, len);
	131	u8 *p;
	132
	133	if (!n) {
	134	scatterwalk_start(&walk, sg_next(walk.sg));
	135	n = scatterwalk_clamp(&walk, len);
	136	}
	137	p = scatterwalk_map(&walk);
	138	ce_aes_ccm_auth_data(mac, p, n, &macp, ctx->key_enc,
	139	num_rounds(ctx));
	140	len -= n;
	141
	142	scatterwalk_unmap(p);
	143	scatterwalk_advance(&walk, n);
	144	scatterwalk_done(&walk, 0, len);
	145	} while (len);
	146	}
	147
	148	static int ccm_encrypt(struct aead_request *req)
	149	{
	150	struct crypto_aead *aead = crypto_aead_reqtfm(req);
	151	struct crypto_aes_ctx *ctx = crypto_aead_ctx(aead);
cf2c0fe7	152	struct skcipher_walk walk;
a3fd8210 AB	153	u8 __aligned(8) mac[AES_BLOCK_SIZE];
	154	u8 buf[AES_BLOCK_SIZE];
	155	u32 len = req->cryptlen;
	156	int err;
	157
	158	err = ccm_init_mac(req, mac, len);
	159	if (err)
	160	return err;
	161
	162	kernel_neon_begin_partial(6);
	163
	164	if (req->assoclen)
	165	ccm_calculate_auth_mac(req, mac);
	166
	167	/* preserve the original iv for the final round */
	168	memcpy(buf, req->iv, AES_BLOCK_SIZE);
	169
cf2c0fe7	170	err = skcipher_walk_aead(&walk, req, true);
a3fd8210 AB	171
	172	while (walk.nbytes) {
	173	u32 tail = walk.nbytes % AES_BLOCK_SIZE;
	174
cf2c0fe7	175	if (walk.nbytes == walk.total)
a3fd8210 AB	176	tail = 0;
	177
	178	ce_aes_ccm_encrypt(walk.dst.virt.addr, walk.src.virt.addr,
	179	walk.nbytes - tail, ctx->key_enc,
	180	num_rounds(ctx), mac, walk.iv);
	181
cf2c0fe7	182	err = skcipher_walk_done(&walk, tail);
a3fd8210 AB	183	}
	184	if (!err)
	185	ce_aes_ccm_final(mac, buf, ctx->key_enc, num_rounds(ctx));
	186
	187	kernel_neon_end();
	188
	189	if (err)
	190	return err;
	191
	192	/* copy authtag to end of dst */
cf2c0fe7	193	scatterwalk_map_and_copy(mac, req->dst, req->assoclen + req->cryptlen,
a3fd8210 AB	194	crypto_aead_authsize(aead), 1);
	195
	196	return 0;
	197	}
	198
	199	static int ccm_decrypt(struct aead_request *req)
	200	{
	201	struct crypto_aead *aead = crypto_aead_reqtfm(req);
	202	struct crypto_aes_ctx *ctx = crypto_aead_ctx(aead);
	203	unsigned int authsize = crypto_aead_authsize(aead);
cf2c0fe7	204	struct skcipher_walk walk;
a3fd8210 AB	205	u8 __aligned(8) mac[AES_BLOCK_SIZE];
	206	u8 buf[AES_BLOCK_SIZE];
	207	u32 len = req->cryptlen - authsize;
	208	int err;
	209
	210	err = ccm_init_mac(req, mac, len);
	211	if (err)
	212	return err;
	213
	214	kernel_neon_begin_partial(6);
	215
	216	if (req->assoclen)
	217	ccm_calculate_auth_mac(req, mac);
	218
	219	/* preserve the original iv for the final round */
	220	memcpy(buf, req->iv, AES_BLOCK_SIZE);
	221
cf2c0fe7	222	err = skcipher_walk_aead(&walk, req, true);
a3fd8210 AB	223
	224	while (walk.nbytes) {
	225	u32 tail = walk.nbytes % AES_BLOCK_SIZE;
	226
cf2c0fe7	227	if (walk.nbytes == walk.total)
a3fd8210 AB	228	tail = 0;
	229
	230	ce_aes_ccm_decrypt(walk.dst.virt.addr, walk.src.virt.addr,
	231	walk.nbytes - tail, ctx->key_enc,
	232	num_rounds(ctx), mac, walk.iv);
	233
cf2c0fe7	234	err = skcipher_walk_done(&walk, tail);
a3fd8210 AB	235	}
	236	if (!err)
	237	ce_aes_ccm_final(mac, buf, ctx->key_enc, num_rounds(ctx));
	238
	239	kernel_neon_end();
	240
	241	if (err)
	242	return err;
	243
	244	/* compare calculated auth tag with the stored one */
cf2c0fe7 HX	245	scatterwalk_map_and_copy(buf, req->src,
cf2c0fe7 HX	246	req->assoclen + req->cryptlen - authsize,
a3fd8210 AB	247	authsize, 0);
a3fd8210 AB	248
2642d6ab	249	if (crypto_memneq(mac, buf, authsize))
a3fd8210 AB	250	return -EBADMSG;
	251	return 0;
	252	}
	253
2642d6ab HX	254	static struct aead_alg ccm_aes_alg = {
	255	.base = {
	256	.cra_name = "ccm(aes)",
	257	.cra_driver_name = "ccm-aes-ce",
2642d6ab HX	258	.cra_priority = 300,
	259	.cra_blocksize = 1,
	260	.cra_ctxsize = sizeof(struct crypto_aes_ctx),
	261	.cra_alignmask = 7,
	262	.cra_module = THIS_MODULE,
	263	},
	264	.ivsize = AES_BLOCK_SIZE,
cf2c0fe7	265	.chunksize = AES_BLOCK_SIZE,
2642d6ab HX	266	.maxauthsize = AES_BLOCK_SIZE,
	267	.setkey = ccm_setkey,
	268	.setauthsize = ccm_setauthsize,
	269	.encrypt = ccm_encrypt,
	270	.decrypt = ccm_decrypt,
a3fd8210 AB	271	};
	272
	273	static int __init aes_mod_init(void)
	274	{
	275	if (!(elf_hwcap & HWCAP_AES))
	276	return -ENODEV;
2642d6ab	277	return crypto_register_aead(&ccm_aes_alg);
a3fd8210 AB	278	}
	279
	280	static void __exit aes_mod_exit(void)
	281	{
2642d6ab	282	crypto_unregister_aead(&ccm_aes_alg);
a3fd8210 AB	283	}
	284
	285	module_init(aes_mod_init);
	286	module_exit(aes_mod_exit);
	287
	288	MODULE_DESCRIPTION("Synchronous AES in CCM mode using ARMv8 Crypto Extensions");
	289	MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>");
	290	MODULE_LICENSE("GPL v2");
5d26a105	291	MODULE_ALIAS_CRYPTO("ccm(aes)");