]>
Commit | Line | Data |
---|---|---|
1 | /* | |
2 | * GCM: Galois/Counter Mode. | |
3 | * | |
4 | * Copyright (c) 2007 Nokia Siemens Networks - Mikko Herranen <mh1@iki.fi> | |
5 | * | |
6 | * This program is free software; you can redistribute it and/or modify it | |
7 | * under the terms of the GNU General Public License version 2 as published | |
8 | * by the Free Software Foundation. | |
9 | */ | |
10 | ||
11 | #include <crypto/gf128mul.h> | |
12 | #include <crypto/internal/aead.h> | |
13 | #include <crypto/internal/skcipher.h> | |
14 | #include <crypto/internal/hash.h> | |
15 | #include <crypto/null.h> | |
16 | #include <crypto/scatterwalk.h> | |
17 | #include <crypto/gcm.h> | |
18 | #include <crypto/hash.h> | |
19 | #include "internal.h" | |
20 | #include <linux/err.h> | |
21 | #include <linux/init.h> | |
22 | #include <linux/kernel.h> | |
23 | #include <linux/module.h> | |
24 | #include <linux/slab.h> | |
25 | ||
26 | struct gcm_instance_ctx { | |
27 | struct crypto_skcipher_spawn ctr; | |
28 | struct crypto_ahash_spawn ghash; | |
29 | }; | |
30 | ||
31 | struct crypto_gcm_ctx { | |
32 | struct crypto_skcipher *ctr; | |
33 | struct crypto_ahash *ghash; | |
34 | }; | |
35 | ||
36 | struct crypto_rfc4106_ctx { | |
37 | struct crypto_aead *child; | |
38 | u8 nonce[4]; | |
39 | }; | |
40 | ||
41 | struct crypto_rfc4106_req_ctx { | |
42 | struct scatterlist src[3]; | |
43 | struct scatterlist dst[3]; | |
44 | struct aead_request subreq; | |
45 | }; | |
46 | ||
47 | struct crypto_rfc4543_instance_ctx { | |
48 | struct crypto_aead_spawn aead; | |
49 | }; | |
50 | ||
51 | struct crypto_rfc4543_ctx { | |
52 | struct crypto_aead *child; | |
53 | struct crypto_skcipher *null; | |
54 | u8 nonce[4]; | |
55 | }; | |
56 | ||
57 | struct crypto_rfc4543_req_ctx { | |
58 | struct aead_request subreq; | |
59 | }; | |
60 | ||
61 | struct crypto_gcm_ghash_ctx { | |
62 | unsigned int cryptlen; | |
63 | struct scatterlist *src; | |
64 | int (*complete)(struct aead_request *req, u32 flags); | |
65 | }; | |
66 | ||
67 | struct crypto_gcm_req_priv_ctx { | |
68 | u8 iv[16]; | |
69 | u8 auth_tag[16]; | |
70 | u8 iauth_tag[16]; | |
71 | struct scatterlist src[3]; | |
72 | struct scatterlist dst[3]; | |
73 | struct scatterlist sg; | |
74 | struct crypto_gcm_ghash_ctx ghash_ctx; | |
75 | union { | |
76 | struct ahash_request ahreq; | |
77 | struct skcipher_request skreq; | |
78 | } u; | |
79 | }; | |
80 | ||
81 | static struct { | |
82 | u8 buf[16]; | |
83 | struct scatterlist sg; | |
84 | } *gcm_zeroes; | |
85 | ||
86 | static int crypto_rfc4543_copy_src_to_dst(struct aead_request *req, bool enc); | |
87 | ||
88 | static inline struct crypto_gcm_req_priv_ctx *crypto_gcm_reqctx( | |
89 | struct aead_request *req) | |
90 | { | |
91 | unsigned long align = crypto_aead_alignmask(crypto_aead_reqtfm(req)); | |
92 | ||
93 | return (void *)PTR_ALIGN((u8 *)aead_request_ctx(req), align + 1); | |
94 | } | |
95 | ||
96 | static int crypto_gcm_setkey(struct crypto_aead *aead, const u8 *key, | |
97 | unsigned int keylen) | |
98 | { | |
99 | struct crypto_gcm_ctx *ctx = crypto_aead_ctx(aead); | |
100 | struct crypto_ahash *ghash = ctx->ghash; | |
101 | struct crypto_skcipher *ctr = ctx->ctr; | |
102 | struct { | |
103 | be128 hash; | |
104 | u8 iv[16]; | |
105 | ||
106 | struct crypto_wait wait; | |
107 | ||
108 | struct scatterlist sg[1]; | |
109 | struct skcipher_request req; | |
110 | } *data; | |
111 | int err; | |
112 | ||
113 | crypto_skcipher_clear_flags(ctr, CRYPTO_TFM_REQ_MASK); | |
114 | crypto_skcipher_set_flags(ctr, crypto_aead_get_flags(aead) & | |
115 | CRYPTO_TFM_REQ_MASK); | |
116 | err = crypto_skcipher_setkey(ctr, key, keylen); | |
117 | crypto_aead_set_flags(aead, crypto_skcipher_get_flags(ctr) & | |
118 | CRYPTO_TFM_RES_MASK); | |
119 | if (err) | |
120 | return err; | |
121 | ||
122 | data = kzalloc(sizeof(*data) + crypto_skcipher_reqsize(ctr), | |
123 | GFP_KERNEL); | |
124 | if (!data) | |
125 | return -ENOMEM; | |
126 | ||
127 | crypto_init_wait(&data->wait); | |
128 | sg_init_one(data->sg, &data->hash, sizeof(data->hash)); | |
129 | skcipher_request_set_tfm(&data->req, ctr); | |
130 | skcipher_request_set_callback(&data->req, CRYPTO_TFM_REQ_MAY_SLEEP | | |
131 | CRYPTO_TFM_REQ_MAY_BACKLOG, | |
132 | crypto_req_done, | |
133 | &data->wait); | |
134 | skcipher_request_set_crypt(&data->req, data->sg, data->sg, | |
135 | sizeof(data->hash), data->iv); | |
136 | ||
137 | err = crypto_wait_req(crypto_skcipher_encrypt(&data->req), | |
138 | &data->wait); | |
139 | ||
140 | if (err) | |
141 | goto out; | |
142 | ||
143 | crypto_ahash_clear_flags(ghash, CRYPTO_TFM_REQ_MASK); | |
144 | crypto_ahash_set_flags(ghash, crypto_aead_get_flags(aead) & | |
145 | CRYPTO_TFM_REQ_MASK); | |
146 | err = crypto_ahash_setkey(ghash, (u8 *)&data->hash, sizeof(be128)); | |
147 | crypto_aead_set_flags(aead, crypto_ahash_get_flags(ghash) & | |
148 | CRYPTO_TFM_RES_MASK); | |
149 | ||
150 | out: | |
151 | kzfree(data); | |
152 | return err; | |
153 | } | |
154 | ||
155 | static int crypto_gcm_setauthsize(struct crypto_aead *tfm, | |
156 | unsigned int authsize) | |
157 | { | |
158 | switch (authsize) { | |
159 | case 4: | |
160 | case 8: | |
161 | case 12: | |
162 | case 13: | |
163 | case 14: | |
164 | case 15: | |
165 | case 16: | |
166 | break; | |
167 | default: | |
168 | return -EINVAL; | |
169 | } | |
170 | ||
171 | return 0; | |
172 | } | |
173 | ||
174 | static void crypto_gcm_init_common(struct aead_request *req) | |
175 | { | |
176 | struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); | |
177 | __be32 counter = cpu_to_be32(1); | |
178 | struct scatterlist *sg; | |
179 | ||
180 | memset(pctx->auth_tag, 0, sizeof(pctx->auth_tag)); | |
181 | memcpy(pctx->iv, req->iv, GCM_AES_IV_SIZE); | |
182 | memcpy(pctx->iv + GCM_AES_IV_SIZE, &counter, 4); | |
183 | ||
184 | sg_init_table(pctx->src, 3); | |
185 | sg_set_buf(pctx->src, pctx->auth_tag, sizeof(pctx->auth_tag)); | |
186 | sg = scatterwalk_ffwd(pctx->src + 1, req->src, req->assoclen); | |
187 | if (sg != pctx->src + 1) | |
188 | sg_chain(pctx->src, 2, sg); | |
189 | ||
190 | if (req->src != req->dst) { | |
191 | sg_init_table(pctx->dst, 3); | |
192 | sg_set_buf(pctx->dst, pctx->auth_tag, sizeof(pctx->auth_tag)); | |
193 | sg = scatterwalk_ffwd(pctx->dst + 1, req->dst, req->assoclen); | |
194 | if (sg != pctx->dst + 1) | |
195 | sg_chain(pctx->dst, 2, sg); | |
196 | } | |
197 | } | |
198 | ||
199 | static void crypto_gcm_init_crypt(struct aead_request *req, | |
200 | unsigned int cryptlen) | |
201 | { | |
202 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
203 | struct crypto_gcm_ctx *ctx = crypto_aead_ctx(aead); | |
204 | struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); | |
205 | struct skcipher_request *skreq = &pctx->u.skreq; | |
206 | struct scatterlist *dst; | |
207 | ||
208 | dst = req->src == req->dst ? pctx->src : pctx->dst; | |
209 | ||
210 | skcipher_request_set_tfm(skreq, ctx->ctr); | |
211 | skcipher_request_set_crypt(skreq, pctx->src, dst, | |
212 | cryptlen + sizeof(pctx->auth_tag), | |
213 | pctx->iv); | |
214 | } | |
215 | ||
216 | static inline unsigned int gcm_remain(unsigned int len) | |
217 | { | |
218 | len &= 0xfU; | |
219 | return len ? 16 - len : 0; | |
220 | } | |
221 | ||
222 | static void gcm_hash_len_done(struct crypto_async_request *areq, int err); | |
223 | ||
224 | static int gcm_hash_update(struct aead_request *req, | |
225 | crypto_completion_t compl, | |
226 | struct scatterlist *src, | |
227 | unsigned int len, u32 flags) | |
228 | { | |
229 | struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); | |
230 | struct ahash_request *ahreq = &pctx->u.ahreq; | |
231 | ||
232 | ahash_request_set_callback(ahreq, flags, compl, req); | |
233 | ahash_request_set_crypt(ahreq, src, NULL, len); | |
234 | ||
235 | return crypto_ahash_update(ahreq); | |
236 | } | |
237 | ||
238 | static int gcm_hash_remain(struct aead_request *req, | |
239 | unsigned int remain, | |
240 | crypto_completion_t compl, u32 flags) | |
241 | { | |
242 | return gcm_hash_update(req, compl, &gcm_zeroes->sg, remain, flags); | |
243 | } | |
244 | ||
245 | static int gcm_hash_len(struct aead_request *req, u32 flags) | |
246 | { | |
247 | struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); | |
248 | struct ahash_request *ahreq = &pctx->u.ahreq; | |
249 | struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx; | |
250 | u128 lengths; | |
251 | ||
252 | lengths.a = cpu_to_be64(req->assoclen * 8); | |
253 | lengths.b = cpu_to_be64(gctx->cryptlen * 8); | |
254 | memcpy(pctx->iauth_tag, &lengths, 16); | |
255 | sg_init_one(&pctx->sg, pctx->iauth_tag, 16); | |
256 | ahash_request_set_callback(ahreq, flags, gcm_hash_len_done, req); | |
257 | ahash_request_set_crypt(ahreq, &pctx->sg, | |
258 | pctx->iauth_tag, sizeof(lengths)); | |
259 | ||
260 | return crypto_ahash_finup(ahreq); | |
261 | } | |
262 | ||
263 | static int gcm_hash_len_continue(struct aead_request *req, u32 flags) | |
264 | { | |
265 | struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); | |
266 | struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx; | |
267 | ||
268 | return gctx->complete(req, flags); | |
269 | } | |
270 | ||
271 | static void gcm_hash_len_done(struct crypto_async_request *areq, int err) | |
272 | { | |
273 | struct aead_request *req = areq->data; | |
274 | ||
275 | if (err) | |
276 | goto out; | |
277 | ||
278 | err = gcm_hash_len_continue(req, 0); | |
279 | if (err == -EINPROGRESS) | |
280 | return; | |
281 | ||
282 | out: | |
283 | aead_request_complete(req, err); | |
284 | } | |
285 | ||
286 | static int gcm_hash_crypt_remain_continue(struct aead_request *req, u32 flags) | |
287 | { | |
288 | return gcm_hash_len(req, flags) ?: | |
289 | gcm_hash_len_continue(req, flags); | |
290 | } | |
291 | ||
292 | static void gcm_hash_crypt_remain_done(struct crypto_async_request *areq, | |
293 | int err) | |
294 | { | |
295 | struct aead_request *req = areq->data; | |
296 | ||
297 | if (err) | |
298 | goto out; | |
299 | ||
300 | err = gcm_hash_crypt_remain_continue(req, 0); | |
301 | if (err == -EINPROGRESS) | |
302 | return; | |
303 | ||
304 | out: | |
305 | aead_request_complete(req, err); | |
306 | } | |
307 | ||
308 | static int gcm_hash_crypt_continue(struct aead_request *req, u32 flags) | |
309 | { | |
310 | struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); | |
311 | struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx; | |
312 | unsigned int remain; | |
313 | ||
314 | remain = gcm_remain(gctx->cryptlen); | |
315 | if (remain) | |
316 | return gcm_hash_remain(req, remain, | |
317 | gcm_hash_crypt_remain_done, flags) ?: | |
318 | gcm_hash_crypt_remain_continue(req, flags); | |
319 | ||
320 | return gcm_hash_crypt_remain_continue(req, flags); | |
321 | } | |
322 | ||
323 | static void gcm_hash_crypt_done(struct crypto_async_request *areq, int err) | |
324 | { | |
325 | struct aead_request *req = areq->data; | |
326 | ||
327 | if (err) | |
328 | goto out; | |
329 | ||
330 | err = gcm_hash_crypt_continue(req, 0); | |
331 | if (err == -EINPROGRESS) | |
332 | return; | |
333 | ||
334 | out: | |
335 | aead_request_complete(req, err); | |
336 | } | |
337 | ||
338 | static int gcm_hash_assoc_remain_continue(struct aead_request *req, u32 flags) | |
339 | { | |
340 | struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); | |
341 | struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx; | |
342 | ||
343 | if (gctx->cryptlen) | |
344 | return gcm_hash_update(req, gcm_hash_crypt_done, | |
345 | gctx->src, gctx->cryptlen, flags) ?: | |
346 | gcm_hash_crypt_continue(req, flags); | |
347 | ||
348 | return gcm_hash_crypt_remain_continue(req, flags); | |
349 | } | |
350 | ||
351 | static void gcm_hash_assoc_remain_done(struct crypto_async_request *areq, | |
352 | int err) | |
353 | { | |
354 | struct aead_request *req = areq->data; | |
355 | ||
356 | if (err) | |
357 | goto out; | |
358 | ||
359 | err = gcm_hash_assoc_remain_continue(req, 0); | |
360 | if (err == -EINPROGRESS) | |
361 | return; | |
362 | ||
363 | out: | |
364 | aead_request_complete(req, err); | |
365 | } | |
366 | ||
367 | static int gcm_hash_assoc_continue(struct aead_request *req, u32 flags) | |
368 | { | |
369 | unsigned int remain; | |
370 | ||
371 | remain = gcm_remain(req->assoclen); | |
372 | if (remain) | |
373 | return gcm_hash_remain(req, remain, | |
374 | gcm_hash_assoc_remain_done, flags) ?: | |
375 | gcm_hash_assoc_remain_continue(req, flags); | |
376 | ||
377 | return gcm_hash_assoc_remain_continue(req, flags); | |
378 | } | |
379 | ||
380 | static void gcm_hash_assoc_done(struct crypto_async_request *areq, int err) | |
381 | { | |
382 | struct aead_request *req = areq->data; | |
383 | ||
384 | if (err) | |
385 | goto out; | |
386 | ||
387 | err = gcm_hash_assoc_continue(req, 0); | |
388 | if (err == -EINPROGRESS) | |
389 | return; | |
390 | ||
391 | out: | |
392 | aead_request_complete(req, err); | |
393 | } | |
394 | ||
395 | static int gcm_hash_init_continue(struct aead_request *req, u32 flags) | |
396 | { | |
397 | if (req->assoclen) | |
398 | return gcm_hash_update(req, gcm_hash_assoc_done, | |
399 | req->src, req->assoclen, flags) ?: | |
400 | gcm_hash_assoc_continue(req, flags); | |
401 | ||
402 | return gcm_hash_assoc_remain_continue(req, flags); | |
403 | } | |
404 | ||
405 | static void gcm_hash_init_done(struct crypto_async_request *areq, int err) | |
406 | { | |
407 | struct aead_request *req = areq->data; | |
408 | ||
409 | if (err) | |
410 | goto out; | |
411 | ||
412 | err = gcm_hash_init_continue(req, 0); | |
413 | if (err == -EINPROGRESS) | |
414 | return; | |
415 | ||
416 | out: | |
417 | aead_request_complete(req, err); | |
418 | } | |
419 | ||
420 | static int gcm_hash(struct aead_request *req, u32 flags) | |
421 | { | |
422 | struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); | |
423 | struct ahash_request *ahreq = &pctx->u.ahreq; | |
424 | struct crypto_gcm_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req)); | |
425 | ||
426 | ahash_request_set_tfm(ahreq, ctx->ghash); | |
427 | ||
428 | ahash_request_set_callback(ahreq, flags, gcm_hash_init_done, req); | |
429 | return crypto_ahash_init(ahreq) ?: | |
430 | gcm_hash_init_continue(req, flags); | |
431 | } | |
432 | ||
433 | static int gcm_enc_copy_hash(struct aead_request *req, u32 flags) | |
434 | { | |
435 | struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); | |
436 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
437 | u8 *auth_tag = pctx->auth_tag; | |
438 | ||
439 | crypto_xor(auth_tag, pctx->iauth_tag, 16); | |
440 | scatterwalk_map_and_copy(auth_tag, req->dst, | |
441 | req->assoclen + req->cryptlen, | |
442 | crypto_aead_authsize(aead), 1); | |
443 | return 0; | |
444 | } | |
445 | ||
446 | static int gcm_encrypt_continue(struct aead_request *req, u32 flags) | |
447 | { | |
448 | struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); | |
449 | struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx; | |
450 | ||
451 | gctx->src = sg_next(req->src == req->dst ? pctx->src : pctx->dst); | |
452 | gctx->cryptlen = req->cryptlen; | |
453 | gctx->complete = gcm_enc_copy_hash; | |
454 | ||
455 | return gcm_hash(req, flags); | |
456 | } | |
457 | ||
458 | static void gcm_encrypt_done(struct crypto_async_request *areq, int err) | |
459 | { | |
460 | struct aead_request *req = areq->data; | |
461 | ||
462 | if (err) | |
463 | goto out; | |
464 | ||
465 | err = gcm_encrypt_continue(req, 0); | |
466 | if (err == -EINPROGRESS) | |
467 | return; | |
468 | ||
469 | out: | |
470 | aead_request_complete(req, err); | |
471 | } | |
472 | ||
473 | static int crypto_gcm_encrypt(struct aead_request *req) | |
474 | { | |
475 | struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); | |
476 | struct skcipher_request *skreq = &pctx->u.skreq; | |
477 | u32 flags = aead_request_flags(req); | |
478 | ||
479 | crypto_gcm_init_common(req); | |
480 | crypto_gcm_init_crypt(req, req->cryptlen); | |
481 | skcipher_request_set_callback(skreq, flags, gcm_encrypt_done, req); | |
482 | ||
483 | return crypto_skcipher_encrypt(skreq) ?: | |
484 | gcm_encrypt_continue(req, flags); | |
485 | } | |
486 | ||
487 | static int crypto_gcm_verify(struct aead_request *req) | |
488 | { | |
489 | struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); | |
490 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
491 | u8 *auth_tag = pctx->auth_tag; | |
492 | u8 *iauth_tag = pctx->iauth_tag; | |
493 | unsigned int authsize = crypto_aead_authsize(aead); | |
494 | unsigned int cryptlen = req->cryptlen - authsize; | |
495 | ||
496 | crypto_xor(auth_tag, iauth_tag, 16); | |
497 | scatterwalk_map_and_copy(iauth_tag, req->src, | |
498 | req->assoclen + cryptlen, authsize, 0); | |
499 | return crypto_memneq(iauth_tag, auth_tag, authsize) ? -EBADMSG : 0; | |
500 | } | |
501 | ||
502 | static void gcm_decrypt_done(struct crypto_async_request *areq, int err) | |
503 | { | |
504 | struct aead_request *req = areq->data; | |
505 | ||
506 | if (!err) | |
507 | err = crypto_gcm_verify(req); | |
508 | ||
509 | aead_request_complete(req, err); | |
510 | } | |
511 | ||
512 | static int gcm_dec_hash_continue(struct aead_request *req, u32 flags) | |
513 | { | |
514 | struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); | |
515 | struct skcipher_request *skreq = &pctx->u.skreq; | |
516 | struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx; | |
517 | ||
518 | crypto_gcm_init_crypt(req, gctx->cryptlen); | |
519 | skcipher_request_set_callback(skreq, flags, gcm_decrypt_done, req); | |
520 | return crypto_skcipher_decrypt(skreq) ?: crypto_gcm_verify(req); | |
521 | } | |
522 | ||
523 | static int crypto_gcm_decrypt(struct aead_request *req) | |
524 | { | |
525 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
526 | struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); | |
527 | struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx; | |
528 | unsigned int authsize = crypto_aead_authsize(aead); | |
529 | unsigned int cryptlen = req->cryptlen; | |
530 | u32 flags = aead_request_flags(req); | |
531 | ||
532 | cryptlen -= authsize; | |
533 | ||
534 | crypto_gcm_init_common(req); | |
535 | ||
536 | gctx->src = sg_next(pctx->src); | |
537 | gctx->cryptlen = cryptlen; | |
538 | gctx->complete = gcm_dec_hash_continue; | |
539 | ||
540 | return gcm_hash(req, flags); | |
541 | } | |
542 | ||
543 | static int crypto_gcm_init_tfm(struct crypto_aead *tfm) | |
544 | { | |
545 | struct aead_instance *inst = aead_alg_instance(tfm); | |
546 | struct gcm_instance_ctx *ictx = aead_instance_ctx(inst); | |
547 | struct crypto_gcm_ctx *ctx = crypto_aead_ctx(tfm); | |
548 | struct crypto_skcipher *ctr; | |
549 | struct crypto_ahash *ghash; | |
550 | unsigned long align; | |
551 | int err; | |
552 | ||
553 | ghash = crypto_spawn_ahash(&ictx->ghash); | |
554 | if (IS_ERR(ghash)) | |
555 | return PTR_ERR(ghash); | |
556 | ||
557 | ctr = crypto_spawn_skcipher(&ictx->ctr); | |
558 | err = PTR_ERR(ctr); | |
559 | if (IS_ERR(ctr)) | |
560 | goto err_free_hash; | |
561 | ||
562 | ctx->ctr = ctr; | |
563 | ctx->ghash = ghash; | |
564 | ||
565 | align = crypto_aead_alignmask(tfm); | |
566 | align &= ~(crypto_tfm_ctx_alignment() - 1); | |
567 | crypto_aead_set_reqsize(tfm, | |
568 | align + offsetof(struct crypto_gcm_req_priv_ctx, u) + | |
569 | max(sizeof(struct skcipher_request) + | |
570 | crypto_skcipher_reqsize(ctr), | |
571 | sizeof(struct ahash_request) + | |
572 | crypto_ahash_reqsize(ghash))); | |
573 | ||
574 | return 0; | |
575 | ||
576 | err_free_hash: | |
577 | crypto_free_ahash(ghash); | |
578 | return err; | |
579 | } | |
580 | ||
581 | static void crypto_gcm_exit_tfm(struct crypto_aead *tfm) | |
582 | { | |
583 | struct crypto_gcm_ctx *ctx = crypto_aead_ctx(tfm); | |
584 | ||
585 | crypto_free_ahash(ctx->ghash); | |
586 | crypto_free_skcipher(ctx->ctr); | |
587 | } | |
588 | ||
589 | static void crypto_gcm_free(struct aead_instance *inst) | |
590 | { | |
591 | struct gcm_instance_ctx *ctx = aead_instance_ctx(inst); | |
592 | ||
593 | crypto_drop_skcipher(&ctx->ctr); | |
594 | crypto_drop_ahash(&ctx->ghash); | |
595 | kfree(inst); | |
596 | } | |
597 | ||
598 | static int crypto_gcm_create_common(struct crypto_template *tmpl, | |
599 | struct rtattr **tb, | |
600 | const char *full_name, | |
601 | const char *ctr_name, | |
602 | const char *ghash_name) | |
603 | { | |
604 | struct crypto_attr_type *algt; | |
605 | struct aead_instance *inst; | |
606 | struct skcipher_alg *ctr; | |
607 | struct crypto_alg *ghash_alg; | |
608 | struct hash_alg_common *ghash; | |
609 | struct gcm_instance_ctx *ctx; | |
610 | int err; | |
611 | ||
612 | algt = crypto_get_attr_type(tb); | |
613 | if (IS_ERR(algt)) | |
614 | return PTR_ERR(algt); | |
615 | ||
616 | if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask) | |
617 | return -EINVAL; | |
618 | ||
619 | ghash_alg = crypto_find_alg(ghash_name, &crypto_ahash_type, | |
620 | CRYPTO_ALG_TYPE_HASH, | |
621 | CRYPTO_ALG_TYPE_AHASH_MASK | | |
622 | crypto_requires_sync(algt->type, | |
623 | algt->mask)); | |
624 | if (IS_ERR(ghash_alg)) | |
625 | return PTR_ERR(ghash_alg); | |
626 | ||
627 | ghash = __crypto_hash_alg_common(ghash_alg); | |
628 | ||
629 | err = -ENOMEM; | |
630 | inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL); | |
631 | if (!inst) | |
632 | goto out_put_ghash; | |
633 | ||
634 | ctx = aead_instance_ctx(inst); | |
635 | err = crypto_init_ahash_spawn(&ctx->ghash, ghash, | |
636 | aead_crypto_instance(inst)); | |
637 | if (err) | |
638 | goto err_free_inst; | |
639 | ||
640 | err = -EINVAL; | |
641 | if (ghash->digestsize != 16) | |
642 | goto err_drop_ghash; | |
643 | ||
644 | crypto_set_skcipher_spawn(&ctx->ctr, aead_crypto_instance(inst)); | |
645 | err = crypto_grab_skcipher(&ctx->ctr, ctr_name, 0, | |
646 | crypto_requires_sync(algt->type, | |
647 | algt->mask)); | |
648 | if (err) | |
649 | goto err_drop_ghash; | |
650 | ||
651 | ctr = crypto_spawn_skcipher_alg(&ctx->ctr); | |
652 | ||
653 | /* We only support 16-byte blocks. */ | |
654 | err = -EINVAL; | |
655 | if (crypto_skcipher_alg_ivsize(ctr) != 16) | |
656 | goto out_put_ctr; | |
657 | ||
658 | /* Not a stream cipher? */ | |
659 | if (ctr->base.cra_blocksize != 1) | |
660 | goto out_put_ctr; | |
661 | ||
662 | err = -ENAMETOOLONG; | |
663 | if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, | |
664 | "gcm_base(%s,%s)", ctr->base.cra_driver_name, | |
665 | ghash_alg->cra_driver_name) >= | |
666 | CRYPTO_MAX_ALG_NAME) | |
667 | goto out_put_ctr; | |
668 | ||
669 | memcpy(inst->alg.base.cra_name, full_name, CRYPTO_MAX_ALG_NAME); | |
670 | ||
671 | inst->alg.base.cra_flags = (ghash->base.cra_flags | | |
672 | ctr->base.cra_flags) & CRYPTO_ALG_ASYNC; | |
673 | inst->alg.base.cra_priority = (ghash->base.cra_priority + | |
674 | ctr->base.cra_priority) / 2; | |
675 | inst->alg.base.cra_blocksize = 1; | |
676 | inst->alg.base.cra_alignmask = ghash->base.cra_alignmask | | |
677 | ctr->base.cra_alignmask; | |
678 | inst->alg.base.cra_ctxsize = sizeof(struct crypto_gcm_ctx); | |
679 | inst->alg.ivsize = GCM_AES_IV_SIZE; | |
680 | inst->alg.chunksize = crypto_skcipher_alg_chunksize(ctr); | |
681 | inst->alg.maxauthsize = 16; | |
682 | inst->alg.init = crypto_gcm_init_tfm; | |
683 | inst->alg.exit = crypto_gcm_exit_tfm; | |
684 | inst->alg.setkey = crypto_gcm_setkey; | |
685 | inst->alg.setauthsize = crypto_gcm_setauthsize; | |
686 | inst->alg.encrypt = crypto_gcm_encrypt; | |
687 | inst->alg.decrypt = crypto_gcm_decrypt; | |
688 | ||
689 | inst->free = crypto_gcm_free; | |
690 | ||
691 | err = aead_register_instance(tmpl, inst); | |
692 | if (err) | |
693 | goto out_put_ctr; | |
694 | ||
695 | out_put_ghash: | |
696 | crypto_mod_put(ghash_alg); | |
697 | return err; | |
698 | ||
699 | out_put_ctr: | |
700 | crypto_drop_skcipher(&ctx->ctr); | |
701 | err_drop_ghash: | |
702 | crypto_drop_ahash(&ctx->ghash); | |
703 | err_free_inst: | |
704 | kfree(inst); | |
705 | goto out_put_ghash; | |
706 | } | |
707 | ||
708 | static int crypto_gcm_create(struct crypto_template *tmpl, struct rtattr **tb) | |
709 | { | |
710 | const char *cipher_name; | |
711 | char ctr_name[CRYPTO_MAX_ALG_NAME]; | |
712 | char full_name[CRYPTO_MAX_ALG_NAME]; | |
713 | ||
714 | cipher_name = crypto_attr_alg_name(tb[1]); | |
715 | if (IS_ERR(cipher_name)) | |
716 | return PTR_ERR(cipher_name); | |
717 | ||
718 | if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", cipher_name) >= | |
719 | CRYPTO_MAX_ALG_NAME) | |
720 | return -ENAMETOOLONG; | |
721 | ||
722 | if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm(%s)", cipher_name) >= | |
723 | CRYPTO_MAX_ALG_NAME) | |
724 | return -ENAMETOOLONG; | |
725 | ||
726 | return crypto_gcm_create_common(tmpl, tb, full_name, | |
727 | ctr_name, "ghash"); | |
728 | } | |
729 | ||
730 | static struct crypto_template crypto_gcm_tmpl = { | |
731 | .name = "gcm", | |
732 | .create = crypto_gcm_create, | |
733 | .module = THIS_MODULE, | |
734 | }; | |
735 | ||
736 | static int crypto_gcm_base_create(struct crypto_template *tmpl, | |
737 | struct rtattr **tb) | |
738 | { | |
739 | const char *ctr_name; | |
740 | const char *ghash_name; | |
741 | char full_name[CRYPTO_MAX_ALG_NAME]; | |
742 | ||
743 | ctr_name = crypto_attr_alg_name(tb[1]); | |
744 | if (IS_ERR(ctr_name)) | |
745 | return PTR_ERR(ctr_name); | |
746 | ||
747 | ghash_name = crypto_attr_alg_name(tb[2]); | |
748 | if (IS_ERR(ghash_name)) | |
749 | return PTR_ERR(ghash_name); | |
750 | ||
751 | if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm_base(%s,%s)", | |
752 | ctr_name, ghash_name) >= CRYPTO_MAX_ALG_NAME) | |
753 | return -ENAMETOOLONG; | |
754 | ||
755 | return crypto_gcm_create_common(tmpl, tb, full_name, | |
756 | ctr_name, ghash_name); | |
757 | } | |
758 | ||
759 | static struct crypto_template crypto_gcm_base_tmpl = { | |
760 | .name = "gcm_base", | |
761 | .create = crypto_gcm_base_create, | |
762 | .module = THIS_MODULE, | |
763 | }; | |
764 | ||
765 | static int crypto_rfc4106_setkey(struct crypto_aead *parent, const u8 *key, | |
766 | unsigned int keylen) | |
767 | { | |
768 | struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(parent); | |
769 | struct crypto_aead *child = ctx->child; | |
770 | int err; | |
771 | ||
772 | if (keylen < 4) | |
773 | return -EINVAL; | |
774 | ||
775 | keylen -= 4; | |
776 | memcpy(ctx->nonce, key + keylen, 4); | |
777 | ||
778 | crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK); | |
779 | crypto_aead_set_flags(child, crypto_aead_get_flags(parent) & | |
780 | CRYPTO_TFM_REQ_MASK); | |
781 | err = crypto_aead_setkey(child, key, keylen); | |
782 | crypto_aead_set_flags(parent, crypto_aead_get_flags(child) & | |
783 | CRYPTO_TFM_RES_MASK); | |
784 | ||
785 | return err; | |
786 | } | |
787 | ||
788 | static int crypto_rfc4106_setauthsize(struct crypto_aead *parent, | |
789 | unsigned int authsize) | |
790 | { | |
791 | struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(parent); | |
792 | ||
793 | switch (authsize) { | |
794 | case 8: | |
795 | case 12: | |
796 | case 16: | |
797 | break; | |
798 | default: | |
799 | return -EINVAL; | |
800 | } | |
801 | ||
802 | return crypto_aead_setauthsize(ctx->child, authsize); | |
803 | } | |
804 | ||
805 | static struct aead_request *crypto_rfc4106_crypt(struct aead_request *req) | |
806 | { | |
807 | struct crypto_rfc4106_req_ctx *rctx = aead_request_ctx(req); | |
808 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
809 | struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(aead); | |
810 | struct aead_request *subreq = &rctx->subreq; | |
811 | struct crypto_aead *child = ctx->child; | |
812 | struct scatterlist *sg; | |
813 | u8 *iv = PTR_ALIGN((u8 *)(subreq + 1) + crypto_aead_reqsize(child), | |
814 | crypto_aead_alignmask(child) + 1); | |
815 | ||
816 | scatterwalk_map_and_copy(iv + GCM_AES_IV_SIZE, req->src, 0, req->assoclen - 8, 0); | |
817 | ||
818 | memcpy(iv, ctx->nonce, 4); | |
819 | memcpy(iv + 4, req->iv, 8); | |
820 | ||
821 | sg_init_table(rctx->src, 3); | |
822 | sg_set_buf(rctx->src, iv + GCM_AES_IV_SIZE, req->assoclen - 8); | |
823 | sg = scatterwalk_ffwd(rctx->src + 1, req->src, req->assoclen); | |
824 | if (sg != rctx->src + 1) | |
825 | sg_chain(rctx->src, 2, sg); | |
826 | ||
827 | if (req->src != req->dst) { | |
828 | sg_init_table(rctx->dst, 3); | |
829 | sg_set_buf(rctx->dst, iv + GCM_AES_IV_SIZE, req->assoclen - 8); | |
830 | sg = scatterwalk_ffwd(rctx->dst + 1, req->dst, req->assoclen); | |
831 | if (sg != rctx->dst + 1) | |
832 | sg_chain(rctx->dst, 2, sg); | |
833 | } | |
834 | ||
835 | aead_request_set_tfm(subreq, child); | |
836 | aead_request_set_callback(subreq, req->base.flags, req->base.complete, | |
837 | req->base.data); | |
838 | aead_request_set_crypt(subreq, rctx->src, | |
839 | req->src == req->dst ? rctx->src : rctx->dst, | |
840 | req->cryptlen, iv); | |
841 | aead_request_set_ad(subreq, req->assoclen - 8); | |
842 | ||
843 | return subreq; | |
844 | } | |
845 | ||
846 | static int crypto_rfc4106_encrypt(struct aead_request *req) | |
847 | { | |
848 | if (req->assoclen != 16 && req->assoclen != 20) | |
849 | return -EINVAL; | |
850 | ||
851 | req = crypto_rfc4106_crypt(req); | |
852 | ||
853 | return crypto_aead_encrypt(req); | |
854 | } | |
855 | ||
856 | static int crypto_rfc4106_decrypt(struct aead_request *req) | |
857 | { | |
858 | if (req->assoclen != 16 && req->assoclen != 20) | |
859 | return -EINVAL; | |
860 | ||
861 | req = crypto_rfc4106_crypt(req); | |
862 | ||
863 | return crypto_aead_decrypt(req); | |
864 | } | |
865 | ||
866 | static int crypto_rfc4106_init_tfm(struct crypto_aead *tfm) | |
867 | { | |
868 | struct aead_instance *inst = aead_alg_instance(tfm); | |
869 | struct crypto_aead_spawn *spawn = aead_instance_ctx(inst); | |
870 | struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(tfm); | |
871 | struct crypto_aead *aead; | |
872 | unsigned long align; | |
873 | ||
874 | aead = crypto_spawn_aead(spawn); | |
875 | if (IS_ERR(aead)) | |
876 | return PTR_ERR(aead); | |
877 | ||
878 | ctx->child = aead; | |
879 | ||
880 | align = crypto_aead_alignmask(aead); | |
881 | align &= ~(crypto_tfm_ctx_alignment() - 1); | |
882 | crypto_aead_set_reqsize( | |
883 | tfm, | |
884 | sizeof(struct crypto_rfc4106_req_ctx) + | |
885 | ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) + | |
886 | align + 24); | |
887 | ||
888 | return 0; | |
889 | } | |
890 | ||
891 | static void crypto_rfc4106_exit_tfm(struct crypto_aead *tfm) | |
892 | { | |
893 | struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(tfm); | |
894 | ||
895 | crypto_free_aead(ctx->child); | |
896 | } | |
897 | ||
898 | static void crypto_rfc4106_free(struct aead_instance *inst) | |
899 | { | |
900 | crypto_drop_aead(aead_instance_ctx(inst)); | |
901 | kfree(inst); | |
902 | } | |
903 | ||
904 | static int crypto_rfc4106_create(struct crypto_template *tmpl, | |
905 | struct rtattr **tb) | |
906 | { | |
907 | struct crypto_attr_type *algt; | |
908 | struct aead_instance *inst; | |
909 | struct crypto_aead_spawn *spawn; | |
910 | struct aead_alg *alg; | |
911 | const char *ccm_name; | |
912 | int err; | |
913 | ||
914 | algt = crypto_get_attr_type(tb); | |
915 | if (IS_ERR(algt)) | |
916 | return PTR_ERR(algt); | |
917 | ||
918 | if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask) | |
919 | return -EINVAL; | |
920 | ||
921 | ccm_name = crypto_attr_alg_name(tb[1]); | |
922 | if (IS_ERR(ccm_name)) | |
923 | return PTR_ERR(ccm_name); | |
924 | ||
925 | inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL); | |
926 | if (!inst) | |
927 | return -ENOMEM; | |
928 | ||
929 | spawn = aead_instance_ctx(inst); | |
930 | crypto_set_aead_spawn(spawn, aead_crypto_instance(inst)); | |
931 | err = crypto_grab_aead(spawn, ccm_name, 0, | |
932 | crypto_requires_sync(algt->type, algt->mask)); | |
933 | if (err) | |
934 | goto out_free_inst; | |
935 | ||
936 | alg = crypto_spawn_aead_alg(spawn); | |
937 | ||
938 | err = -EINVAL; | |
939 | ||
940 | /* Underlying IV size must be 12. */ | |
941 | if (crypto_aead_alg_ivsize(alg) != GCM_AES_IV_SIZE) | |
942 | goto out_drop_alg; | |
943 | ||
944 | /* Not a stream cipher? */ | |
945 | if (alg->base.cra_blocksize != 1) | |
946 | goto out_drop_alg; | |
947 | ||
948 | err = -ENAMETOOLONG; | |
949 | if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME, | |
950 | "rfc4106(%s)", alg->base.cra_name) >= | |
951 | CRYPTO_MAX_ALG_NAME || | |
952 | snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, | |
953 | "rfc4106(%s)", alg->base.cra_driver_name) >= | |
954 | CRYPTO_MAX_ALG_NAME) | |
955 | goto out_drop_alg; | |
956 | ||
957 | inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC; | |
958 | inst->alg.base.cra_priority = alg->base.cra_priority; | |
959 | inst->alg.base.cra_blocksize = 1; | |
960 | inst->alg.base.cra_alignmask = alg->base.cra_alignmask; | |
961 | ||
962 | inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4106_ctx); | |
963 | ||
964 | inst->alg.ivsize = GCM_RFC4106_IV_SIZE; | |
965 | inst->alg.chunksize = crypto_aead_alg_chunksize(alg); | |
966 | inst->alg.maxauthsize = crypto_aead_alg_maxauthsize(alg); | |
967 | ||
968 | inst->alg.init = crypto_rfc4106_init_tfm; | |
969 | inst->alg.exit = crypto_rfc4106_exit_tfm; | |
970 | ||
971 | inst->alg.setkey = crypto_rfc4106_setkey; | |
972 | inst->alg.setauthsize = crypto_rfc4106_setauthsize; | |
973 | inst->alg.encrypt = crypto_rfc4106_encrypt; | |
974 | inst->alg.decrypt = crypto_rfc4106_decrypt; | |
975 | ||
976 | inst->free = crypto_rfc4106_free; | |
977 | ||
978 | err = aead_register_instance(tmpl, inst); | |
979 | if (err) | |
980 | goto out_drop_alg; | |
981 | ||
982 | out: | |
983 | return err; | |
984 | ||
985 | out_drop_alg: | |
986 | crypto_drop_aead(spawn); | |
987 | out_free_inst: | |
988 | kfree(inst); | |
989 | goto out; | |
990 | } | |
991 | ||
992 | static struct crypto_template crypto_rfc4106_tmpl = { | |
993 | .name = "rfc4106", | |
994 | .create = crypto_rfc4106_create, | |
995 | .module = THIS_MODULE, | |
996 | }; | |
997 | ||
998 | static int crypto_rfc4543_setkey(struct crypto_aead *parent, const u8 *key, | |
999 | unsigned int keylen) | |
1000 | { | |
1001 | struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(parent); | |
1002 | struct crypto_aead *child = ctx->child; | |
1003 | int err; | |
1004 | ||
1005 | if (keylen < 4) | |
1006 | return -EINVAL; | |
1007 | ||
1008 | keylen -= 4; | |
1009 | memcpy(ctx->nonce, key + keylen, 4); | |
1010 | ||
1011 | crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK); | |
1012 | crypto_aead_set_flags(child, crypto_aead_get_flags(parent) & | |
1013 | CRYPTO_TFM_REQ_MASK); | |
1014 | err = crypto_aead_setkey(child, key, keylen); | |
1015 | crypto_aead_set_flags(parent, crypto_aead_get_flags(child) & | |
1016 | CRYPTO_TFM_RES_MASK); | |
1017 | ||
1018 | return err; | |
1019 | } | |
1020 | ||
1021 | static int crypto_rfc4543_setauthsize(struct crypto_aead *parent, | |
1022 | unsigned int authsize) | |
1023 | { | |
1024 | struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(parent); | |
1025 | ||
1026 | if (authsize != 16) | |
1027 | return -EINVAL; | |
1028 | ||
1029 | return crypto_aead_setauthsize(ctx->child, authsize); | |
1030 | } | |
1031 | ||
1032 | static int crypto_rfc4543_crypt(struct aead_request *req, bool enc) | |
1033 | { | |
1034 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
1035 | struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(aead); | |
1036 | struct crypto_rfc4543_req_ctx *rctx = aead_request_ctx(req); | |
1037 | struct aead_request *subreq = &rctx->subreq; | |
1038 | unsigned int authsize = crypto_aead_authsize(aead); | |
1039 | u8 *iv = PTR_ALIGN((u8 *)(rctx + 1) + crypto_aead_reqsize(ctx->child), | |
1040 | crypto_aead_alignmask(ctx->child) + 1); | |
1041 | int err; | |
1042 | ||
1043 | if (req->src != req->dst) { | |
1044 | err = crypto_rfc4543_copy_src_to_dst(req, enc); | |
1045 | if (err) | |
1046 | return err; | |
1047 | } | |
1048 | ||
1049 | memcpy(iv, ctx->nonce, 4); | |
1050 | memcpy(iv + 4, req->iv, 8); | |
1051 | ||
1052 | aead_request_set_tfm(subreq, ctx->child); | |
1053 | aead_request_set_callback(subreq, req->base.flags, | |
1054 | req->base.complete, req->base.data); | |
1055 | aead_request_set_crypt(subreq, req->src, req->dst, | |
1056 | enc ? 0 : authsize, iv); | |
1057 | aead_request_set_ad(subreq, req->assoclen + req->cryptlen - | |
1058 | subreq->cryptlen); | |
1059 | ||
1060 | return enc ? crypto_aead_encrypt(subreq) : crypto_aead_decrypt(subreq); | |
1061 | } | |
1062 | ||
1063 | static int crypto_rfc4543_copy_src_to_dst(struct aead_request *req, bool enc) | |
1064 | { | |
1065 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
1066 | struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(aead); | |
1067 | unsigned int authsize = crypto_aead_authsize(aead); | |
1068 | unsigned int nbytes = req->assoclen + req->cryptlen - | |
1069 | (enc ? 0 : authsize); | |
1070 | SKCIPHER_REQUEST_ON_STACK(nreq, ctx->null); | |
1071 | ||
1072 | skcipher_request_set_tfm(nreq, ctx->null); | |
1073 | skcipher_request_set_callback(nreq, req->base.flags, NULL, NULL); | |
1074 | skcipher_request_set_crypt(nreq, req->src, req->dst, nbytes, NULL); | |
1075 | ||
1076 | return crypto_skcipher_encrypt(nreq); | |
1077 | } | |
1078 | ||
1079 | static int crypto_rfc4543_encrypt(struct aead_request *req) | |
1080 | { | |
1081 | return crypto_rfc4543_crypt(req, true); | |
1082 | } | |
1083 | ||
1084 | static int crypto_rfc4543_decrypt(struct aead_request *req) | |
1085 | { | |
1086 | return crypto_rfc4543_crypt(req, false); | |
1087 | } | |
1088 | ||
1089 | static int crypto_rfc4543_init_tfm(struct crypto_aead *tfm) | |
1090 | { | |
1091 | struct aead_instance *inst = aead_alg_instance(tfm); | |
1092 | struct crypto_rfc4543_instance_ctx *ictx = aead_instance_ctx(inst); | |
1093 | struct crypto_aead_spawn *spawn = &ictx->aead; | |
1094 | struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(tfm); | |
1095 | struct crypto_aead *aead; | |
1096 | struct crypto_skcipher *null; | |
1097 | unsigned long align; | |
1098 | int err = 0; | |
1099 | ||
1100 | aead = crypto_spawn_aead(spawn); | |
1101 | if (IS_ERR(aead)) | |
1102 | return PTR_ERR(aead); | |
1103 | ||
1104 | null = crypto_get_default_null_skcipher2(); | |
1105 | err = PTR_ERR(null); | |
1106 | if (IS_ERR(null)) | |
1107 | goto err_free_aead; | |
1108 | ||
1109 | ctx->child = aead; | |
1110 | ctx->null = null; | |
1111 | ||
1112 | align = crypto_aead_alignmask(aead); | |
1113 | align &= ~(crypto_tfm_ctx_alignment() - 1); | |
1114 | crypto_aead_set_reqsize( | |
1115 | tfm, | |
1116 | sizeof(struct crypto_rfc4543_req_ctx) + | |
1117 | ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) + | |
1118 | align + GCM_AES_IV_SIZE); | |
1119 | ||
1120 | return 0; | |
1121 | ||
1122 | err_free_aead: | |
1123 | crypto_free_aead(aead); | |
1124 | return err; | |
1125 | } | |
1126 | ||
1127 | static void crypto_rfc4543_exit_tfm(struct crypto_aead *tfm) | |
1128 | { | |
1129 | struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(tfm); | |
1130 | ||
1131 | crypto_free_aead(ctx->child); | |
1132 | crypto_put_default_null_skcipher2(); | |
1133 | } | |
1134 | ||
1135 | static void crypto_rfc4543_free(struct aead_instance *inst) | |
1136 | { | |
1137 | struct crypto_rfc4543_instance_ctx *ctx = aead_instance_ctx(inst); | |
1138 | ||
1139 | crypto_drop_aead(&ctx->aead); | |
1140 | ||
1141 | kfree(inst); | |
1142 | } | |
1143 | ||
1144 | static int crypto_rfc4543_create(struct crypto_template *tmpl, | |
1145 | struct rtattr **tb) | |
1146 | { | |
1147 | struct crypto_attr_type *algt; | |
1148 | struct aead_instance *inst; | |
1149 | struct crypto_aead_spawn *spawn; | |
1150 | struct aead_alg *alg; | |
1151 | struct crypto_rfc4543_instance_ctx *ctx; | |
1152 | const char *ccm_name; | |
1153 | int err; | |
1154 | ||
1155 | algt = crypto_get_attr_type(tb); | |
1156 | if (IS_ERR(algt)) | |
1157 | return PTR_ERR(algt); | |
1158 | ||
1159 | if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask) | |
1160 | return -EINVAL; | |
1161 | ||
1162 | ccm_name = crypto_attr_alg_name(tb[1]); | |
1163 | if (IS_ERR(ccm_name)) | |
1164 | return PTR_ERR(ccm_name); | |
1165 | ||
1166 | inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL); | |
1167 | if (!inst) | |
1168 | return -ENOMEM; | |
1169 | ||
1170 | ctx = aead_instance_ctx(inst); | |
1171 | spawn = &ctx->aead; | |
1172 | crypto_set_aead_spawn(spawn, aead_crypto_instance(inst)); | |
1173 | err = crypto_grab_aead(spawn, ccm_name, 0, | |
1174 | crypto_requires_sync(algt->type, algt->mask)); | |
1175 | if (err) | |
1176 | goto out_free_inst; | |
1177 | ||
1178 | alg = crypto_spawn_aead_alg(spawn); | |
1179 | ||
1180 | err = -EINVAL; | |
1181 | ||
1182 | /* Underlying IV size must be 12. */ | |
1183 | if (crypto_aead_alg_ivsize(alg) != GCM_AES_IV_SIZE) | |
1184 | goto out_drop_alg; | |
1185 | ||
1186 | /* Not a stream cipher? */ | |
1187 | if (alg->base.cra_blocksize != 1) | |
1188 | goto out_drop_alg; | |
1189 | ||
1190 | err = -ENAMETOOLONG; | |
1191 | if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME, | |
1192 | "rfc4543(%s)", alg->base.cra_name) >= | |
1193 | CRYPTO_MAX_ALG_NAME || | |
1194 | snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, | |
1195 | "rfc4543(%s)", alg->base.cra_driver_name) >= | |
1196 | CRYPTO_MAX_ALG_NAME) | |
1197 | goto out_drop_alg; | |
1198 | ||
1199 | inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC; | |
1200 | inst->alg.base.cra_priority = alg->base.cra_priority; | |
1201 | inst->alg.base.cra_blocksize = 1; | |
1202 | inst->alg.base.cra_alignmask = alg->base.cra_alignmask; | |
1203 | ||
1204 | inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4543_ctx); | |
1205 | ||
1206 | inst->alg.ivsize = GCM_RFC4543_IV_SIZE; | |
1207 | inst->alg.chunksize = crypto_aead_alg_chunksize(alg); | |
1208 | inst->alg.maxauthsize = crypto_aead_alg_maxauthsize(alg); | |
1209 | ||
1210 | inst->alg.init = crypto_rfc4543_init_tfm; | |
1211 | inst->alg.exit = crypto_rfc4543_exit_tfm; | |
1212 | ||
1213 | inst->alg.setkey = crypto_rfc4543_setkey; | |
1214 | inst->alg.setauthsize = crypto_rfc4543_setauthsize; | |
1215 | inst->alg.encrypt = crypto_rfc4543_encrypt; | |
1216 | inst->alg.decrypt = crypto_rfc4543_decrypt; | |
1217 | ||
1218 | inst->free = crypto_rfc4543_free, | |
1219 | ||
1220 | err = aead_register_instance(tmpl, inst); | |
1221 | if (err) | |
1222 | goto out_drop_alg; | |
1223 | ||
1224 | out: | |
1225 | return err; | |
1226 | ||
1227 | out_drop_alg: | |
1228 | crypto_drop_aead(spawn); | |
1229 | out_free_inst: | |
1230 | kfree(inst); | |
1231 | goto out; | |
1232 | } | |
1233 | ||
1234 | static struct crypto_template crypto_rfc4543_tmpl = { | |
1235 | .name = "rfc4543", | |
1236 | .create = crypto_rfc4543_create, | |
1237 | .module = THIS_MODULE, | |
1238 | }; | |
1239 | ||
1240 | static int __init crypto_gcm_module_init(void) | |
1241 | { | |
1242 | int err; | |
1243 | ||
1244 | gcm_zeroes = kzalloc(sizeof(*gcm_zeroes), GFP_KERNEL); | |
1245 | if (!gcm_zeroes) | |
1246 | return -ENOMEM; | |
1247 | ||
1248 | sg_init_one(&gcm_zeroes->sg, gcm_zeroes->buf, sizeof(gcm_zeroes->buf)); | |
1249 | ||
1250 | err = crypto_register_template(&crypto_gcm_base_tmpl); | |
1251 | if (err) | |
1252 | goto out; | |
1253 | ||
1254 | err = crypto_register_template(&crypto_gcm_tmpl); | |
1255 | if (err) | |
1256 | goto out_undo_base; | |
1257 | ||
1258 | err = crypto_register_template(&crypto_rfc4106_tmpl); | |
1259 | if (err) | |
1260 | goto out_undo_gcm; | |
1261 | ||
1262 | err = crypto_register_template(&crypto_rfc4543_tmpl); | |
1263 | if (err) | |
1264 | goto out_undo_rfc4106; | |
1265 | ||
1266 | return 0; | |
1267 | ||
1268 | out_undo_rfc4106: | |
1269 | crypto_unregister_template(&crypto_rfc4106_tmpl); | |
1270 | out_undo_gcm: | |
1271 | crypto_unregister_template(&crypto_gcm_tmpl); | |
1272 | out_undo_base: | |
1273 | crypto_unregister_template(&crypto_gcm_base_tmpl); | |
1274 | out: | |
1275 | kfree(gcm_zeroes); | |
1276 | return err; | |
1277 | } | |
1278 | ||
1279 | static void __exit crypto_gcm_module_exit(void) | |
1280 | { | |
1281 | kfree(gcm_zeroes); | |
1282 | crypto_unregister_template(&crypto_rfc4543_tmpl); | |
1283 | crypto_unregister_template(&crypto_rfc4106_tmpl); | |
1284 | crypto_unregister_template(&crypto_gcm_tmpl); | |
1285 | crypto_unregister_template(&crypto_gcm_base_tmpl); | |
1286 | } | |
1287 | ||
1288 | module_init(crypto_gcm_module_init); | |
1289 | module_exit(crypto_gcm_module_exit); | |
1290 | ||
1291 | MODULE_LICENSE("GPL"); | |
1292 | MODULE_DESCRIPTION("Galois/Counter Mode"); | |
1293 | MODULE_AUTHOR("Mikko Herranen <mh1@iki.fi>"); | |
1294 | MODULE_ALIAS_CRYPTO("gcm_base"); | |
1295 | MODULE_ALIAS_CRYPTO("rfc4106"); | |
1296 | MODULE_ALIAS_CRYPTO("rfc4543"); | |
1297 | MODULE_ALIAS_CRYPTO("gcm"); |