]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blob - crypto/cmac.c
Merge branch 'work.uaccess' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
[mirror_ubuntu-bionic-kernel.git] / crypto / cmac.c
1 /*
2 * CMAC: Cipher Block Mode for Authentication
3 *
4 * Copyright © 2013 Jussi Kivilinna <jussi.kivilinna@iki.fi>
5 *
6 * Based on work by:
7 * Copyright © 2013 Tom St Denis <tstdenis@elliptictech.com>
8 * Based on crypto/xcbc.c:
9 * Copyright © 2006 USAGI/WIDE Project,
10 * Author: Kazunori Miyazawa <miyazawa@linux-ipv6.org>
11 *
12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
16 *
17 */
18
19 #include <crypto/internal/hash.h>
20 #include <linux/err.h>
21 #include <linux/kernel.h>
22 #include <linux/module.h>
23
24 /*
25 * +------------------------
26 * | <parent tfm>
27 * +------------------------
28 * | cmac_tfm_ctx
29 * +------------------------
30 * | consts (block size * 2)
31 * +------------------------
32 */
33 struct cmac_tfm_ctx {
34 struct crypto_cipher *child;
35 u8 ctx[];
36 };
37
38 /*
39 * +------------------------
40 * | <shash desc>
41 * +------------------------
42 * | cmac_desc_ctx
43 * +------------------------
44 * | odds (block size)
45 * +------------------------
46 * | prev (block size)
47 * +------------------------
48 */
49 struct cmac_desc_ctx {
50 unsigned int len;
51 u8 ctx[];
52 };
53
54 static int crypto_cmac_digest_setkey(struct crypto_shash *parent,
55 const u8 *inkey, unsigned int keylen)
56 {
57 unsigned long alignmask = crypto_shash_alignmask(parent);
58 struct cmac_tfm_ctx *ctx = crypto_shash_ctx(parent);
59 unsigned int bs = crypto_shash_blocksize(parent);
60 __be64 *consts = PTR_ALIGN((void *)ctx->ctx,
61 (alignmask | (__alignof__(__be64) - 1)) + 1);
62 u64 _const[2];
63 int i, err = 0;
64 u8 msb_mask, gfmask;
65
66 err = crypto_cipher_setkey(ctx->child, inkey, keylen);
67 if (err)
68 return err;
69
70 /* encrypt the zero block */
71 memset(consts, 0, bs);
72 crypto_cipher_encrypt_one(ctx->child, (u8 *)consts, (u8 *)consts);
73
74 switch (bs) {
75 case 16:
76 gfmask = 0x87;
77 _const[0] = be64_to_cpu(consts[1]);
78 _const[1] = be64_to_cpu(consts[0]);
79
80 /* gf(2^128) multiply zero-ciphertext with u and u^2 */
81 for (i = 0; i < 4; i += 2) {
82 msb_mask = ((s64)_const[1] >> 63) & gfmask;
83 _const[1] = (_const[1] << 1) | (_const[0] >> 63);
84 _const[0] = (_const[0] << 1) ^ msb_mask;
85
86 consts[i + 0] = cpu_to_be64(_const[1]);
87 consts[i + 1] = cpu_to_be64(_const[0]);
88 }
89
90 break;
91 case 8:
92 gfmask = 0x1B;
93 _const[0] = be64_to_cpu(consts[0]);
94
95 /* gf(2^64) multiply zero-ciphertext with u and u^2 */
96 for (i = 0; i < 2; i++) {
97 msb_mask = ((s64)_const[0] >> 63) & gfmask;
98 _const[0] = (_const[0] << 1) ^ msb_mask;
99
100 consts[i] = cpu_to_be64(_const[0]);
101 }
102
103 break;
104 }
105
106 return 0;
107 }
108
109 static int crypto_cmac_digest_init(struct shash_desc *pdesc)
110 {
111 unsigned long alignmask = crypto_shash_alignmask(pdesc->tfm);
112 struct cmac_desc_ctx *ctx = shash_desc_ctx(pdesc);
113 int bs = crypto_shash_blocksize(pdesc->tfm);
114 u8 *prev = PTR_ALIGN((void *)ctx->ctx, alignmask + 1) + bs;
115
116 ctx->len = 0;
117 memset(prev, 0, bs);
118
119 return 0;
120 }
121
122 static int crypto_cmac_digest_update(struct shash_desc *pdesc, const u8 *p,
123 unsigned int len)
124 {
125 struct crypto_shash *parent = pdesc->tfm;
126 unsigned long alignmask = crypto_shash_alignmask(parent);
127 struct cmac_tfm_ctx *tctx = crypto_shash_ctx(parent);
128 struct cmac_desc_ctx *ctx = shash_desc_ctx(pdesc);
129 struct crypto_cipher *tfm = tctx->child;
130 int bs = crypto_shash_blocksize(parent);
131 u8 *odds = PTR_ALIGN((void *)ctx->ctx, alignmask + 1);
132 u8 *prev = odds + bs;
133
134 /* checking the data can fill the block */
135 if ((ctx->len + len) <= bs) {
136 memcpy(odds + ctx->len, p, len);
137 ctx->len += len;
138 return 0;
139 }
140
141 /* filling odds with new data and encrypting it */
142 memcpy(odds + ctx->len, p, bs - ctx->len);
143 len -= bs - ctx->len;
144 p += bs - ctx->len;
145
146 crypto_xor(prev, odds, bs);
147 crypto_cipher_encrypt_one(tfm, prev, prev);
148
149 /* clearing the length */
150 ctx->len = 0;
151
152 /* encrypting the rest of data */
153 while (len > bs) {
154 crypto_xor(prev, p, bs);
155 crypto_cipher_encrypt_one(tfm, prev, prev);
156 p += bs;
157 len -= bs;
158 }
159
160 /* keeping the surplus of blocksize */
161 if (len) {
162 memcpy(odds, p, len);
163 ctx->len = len;
164 }
165
166 return 0;
167 }
168
169 static int crypto_cmac_digest_final(struct shash_desc *pdesc, u8 *out)
170 {
171 struct crypto_shash *parent = pdesc->tfm;
172 unsigned long alignmask = crypto_shash_alignmask(parent);
173 struct cmac_tfm_ctx *tctx = crypto_shash_ctx(parent);
174 struct cmac_desc_ctx *ctx = shash_desc_ctx(pdesc);
175 struct crypto_cipher *tfm = tctx->child;
176 int bs = crypto_shash_blocksize(parent);
177 u8 *consts = PTR_ALIGN((void *)tctx->ctx,
178 (alignmask | (__alignof__(__be64) - 1)) + 1);
179 u8 *odds = PTR_ALIGN((void *)ctx->ctx, alignmask + 1);
180 u8 *prev = odds + bs;
181 unsigned int offset = 0;
182
183 if (ctx->len != bs) {
184 unsigned int rlen;
185 u8 *p = odds + ctx->len;
186
187 *p = 0x80;
188 p++;
189
190 rlen = bs - ctx->len - 1;
191 if (rlen)
192 memset(p, 0, rlen);
193
194 offset += bs;
195 }
196
197 crypto_xor(prev, odds, bs);
198 crypto_xor(prev, consts + offset, bs);
199
200 crypto_cipher_encrypt_one(tfm, out, prev);
201
202 return 0;
203 }
204
205 static int cmac_init_tfm(struct crypto_tfm *tfm)
206 {
207 struct crypto_cipher *cipher;
208 struct crypto_instance *inst = (void *)tfm->__crt_alg;
209 struct crypto_spawn *spawn = crypto_instance_ctx(inst);
210 struct cmac_tfm_ctx *ctx = crypto_tfm_ctx(tfm);
211
212 cipher = crypto_spawn_cipher(spawn);
213 if (IS_ERR(cipher))
214 return PTR_ERR(cipher);
215
216 ctx->child = cipher;
217
218 return 0;
219 };
220
221 static void cmac_exit_tfm(struct crypto_tfm *tfm)
222 {
223 struct cmac_tfm_ctx *ctx = crypto_tfm_ctx(tfm);
224 crypto_free_cipher(ctx->child);
225 }
226
227 static int cmac_create(struct crypto_template *tmpl, struct rtattr **tb)
228 {
229 struct shash_instance *inst;
230 struct crypto_alg *alg;
231 unsigned long alignmask;
232 int err;
233
234 err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_SHASH);
235 if (err)
236 return err;
237
238 alg = crypto_get_attr_alg(tb, CRYPTO_ALG_TYPE_CIPHER,
239 CRYPTO_ALG_TYPE_MASK);
240 if (IS_ERR(alg))
241 return PTR_ERR(alg);
242
243 switch (alg->cra_blocksize) {
244 case 16:
245 case 8:
246 break;
247 default:
248 err = -EINVAL;
249 goto out_put_alg;
250 }
251
252 inst = shash_alloc_instance("cmac", alg);
253 err = PTR_ERR(inst);
254 if (IS_ERR(inst))
255 goto out_put_alg;
256
257 err = crypto_init_spawn(shash_instance_ctx(inst), alg,
258 shash_crypto_instance(inst),
259 CRYPTO_ALG_TYPE_MASK);
260 if (err)
261 goto out_free_inst;
262
263 alignmask = alg->cra_alignmask;
264 inst->alg.base.cra_alignmask = alignmask;
265 inst->alg.base.cra_priority = alg->cra_priority;
266 inst->alg.base.cra_blocksize = alg->cra_blocksize;
267
268 inst->alg.digestsize = alg->cra_blocksize;
269 inst->alg.descsize =
270 ALIGN(sizeof(struct cmac_desc_ctx), crypto_tfm_ctx_alignment())
271 + (alignmask & ~(crypto_tfm_ctx_alignment() - 1))
272 + alg->cra_blocksize * 2;
273
274 inst->alg.base.cra_ctxsize =
275 ALIGN(sizeof(struct cmac_tfm_ctx), crypto_tfm_ctx_alignment())
276 + ((alignmask | (__alignof__(__be64) - 1)) &
277 ~(crypto_tfm_ctx_alignment() - 1))
278 + alg->cra_blocksize * 2;
279
280 inst->alg.base.cra_init = cmac_init_tfm;
281 inst->alg.base.cra_exit = cmac_exit_tfm;
282
283 inst->alg.init = crypto_cmac_digest_init;
284 inst->alg.update = crypto_cmac_digest_update;
285 inst->alg.final = crypto_cmac_digest_final;
286 inst->alg.setkey = crypto_cmac_digest_setkey;
287
288 err = shash_register_instance(tmpl, inst);
289 if (err) {
290 out_free_inst:
291 shash_free_instance(shash_crypto_instance(inst));
292 }
293
294 out_put_alg:
295 crypto_mod_put(alg);
296 return err;
297 }
298
299 static struct crypto_template crypto_cmac_tmpl = {
300 .name = "cmac",
301 .create = cmac_create,
302 .free = shash_free_instance,
303 .module = THIS_MODULE,
304 };
305
306 static int __init crypto_cmac_module_init(void)
307 {
308 return crypto_register_template(&crypto_cmac_tmpl);
309 }
310
311 static void __exit crypto_cmac_module_exit(void)
312 {
313 crypto_unregister_template(&crypto_cmac_tmpl);
314 }
315
316 module_init(crypto_cmac_module_init);
317 module_exit(crypto_cmac_module_exit);
318
319 MODULE_LICENSE("GPL");
320 MODULE_DESCRIPTION("CMAC keyed hash algorithm");
321 MODULE_ALIAS_CRYPTO("cmac");