0001
0002
0003
0004
0005
0006
0007
0008 #include <crypto/gf128mul.h>
0009 #include <crypto/internal/aead.h>
0010 #include <crypto/internal/skcipher.h>
0011 #include <crypto/internal/hash.h>
0012 #include <crypto/null.h>
0013 #include <crypto/scatterwalk.h>
0014 #include <crypto/gcm.h>
0015 #include <crypto/hash.h>
0016 #include <linux/err.h>
0017 #include <linux/init.h>
0018 #include <linux/kernel.h>
0019 #include <linux/module.h>
0020 #include <linux/slab.h>
0021
0022 struct gcm_instance_ctx {
0023 struct crypto_skcipher_spawn ctr;
0024 struct crypto_ahash_spawn ghash;
0025 };
0026
0027 struct crypto_gcm_ctx {
0028 struct crypto_skcipher *ctr;
0029 struct crypto_ahash *ghash;
0030 };
0031
0032 struct crypto_rfc4106_ctx {
0033 struct crypto_aead *child;
0034 u8 nonce[4];
0035 };
0036
0037 struct crypto_rfc4106_req_ctx {
0038 struct scatterlist src[3];
0039 struct scatterlist dst[3];
0040 struct aead_request subreq;
0041 };
0042
0043 struct crypto_rfc4543_instance_ctx {
0044 struct crypto_aead_spawn aead;
0045 };
0046
0047 struct crypto_rfc4543_ctx {
0048 struct crypto_aead *child;
0049 struct crypto_sync_skcipher *null;
0050 u8 nonce[4];
0051 };
0052
0053 struct crypto_rfc4543_req_ctx {
0054 struct aead_request subreq;
0055 };
0056
0057 struct crypto_gcm_ghash_ctx {
0058 unsigned int cryptlen;
0059 struct scatterlist *src;
0060 int (*complete)(struct aead_request *req, u32 flags);
0061 };
0062
0063 struct crypto_gcm_req_priv_ctx {
0064 u8 iv[16];
0065 u8 auth_tag[16];
0066 u8 iauth_tag[16];
0067 struct scatterlist src[3];
0068 struct scatterlist dst[3];
0069 struct scatterlist sg;
0070 struct crypto_gcm_ghash_ctx ghash_ctx;
0071 union {
0072 struct ahash_request ahreq;
0073 struct skcipher_request skreq;
0074 } u;
0075 };
0076
0077 static struct {
0078 u8 buf[16];
0079 struct scatterlist sg;
0080 } *gcm_zeroes;
0081
0082 static int crypto_rfc4543_copy_src_to_dst(struct aead_request *req, bool enc);
0083
0084 static inline struct crypto_gcm_req_priv_ctx *crypto_gcm_reqctx(
0085 struct aead_request *req)
0086 {
0087 unsigned long align = crypto_aead_alignmask(crypto_aead_reqtfm(req));
0088
0089 return (void *)PTR_ALIGN((u8 *)aead_request_ctx(req), align + 1);
0090 }
0091
0092 static int crypto_gcm_setkey(struct crypto_aead *aead, const u8 *key,
0093 unsigned int keylen)
0094 {
0095 struct crypto_gcm_ctx *ctx = crypto_aead_ctx(aead);
0096 struct crypto_ahash *ghash = ctx->ghash;
0097 struct crypto_skcipher *ctr = ctx->ctr;
0098 struct {
0099 be128 hash;
0100 u8 iv[16];
0101
0102 struct crypto_wait wait;
0103
0104 struct scatterlist sg[1];
0105 struct skcipher_request req;
0106 } *data;
0107 int err;
0108
0109 crypto_skcipher_clear_flags(ctr, CRYPTO_TFM_REQ_MASK);
0110 crypto_skcipher_set_flags(ctr, crypto_aead_get_flags(aead) &
0111 CRYPTO_TFM_REQ_MASK);
0112 err = crypto_skcipher_setkey(ctr, key, keylen);
0113 if (err)
0114 return err;
0115
0116 data = kzalloc(sizeof(*data) + crypto_skcipher_reqsize(ctr),
0117 GFP_KERNEL);
0118 if (!data)
0119 return -ENOMEM;
0120
0121 crypto_init_wait(&data->wait);
0122 sg_init_one(data->sg, &data->hash, sizeof(data->hash));
0123 skcipher_request_set_tfm(&data->req, ctr);
0124 skcipher_request_set_callback(&data->req, CRYPTO_TFM_REQ_MAY_SLEEP |
0125 CRYPTO_TFM_REQ_MAY_BACKLOG,
0126 crypto_req_done,
0127 &data->wait);
0128 skcipher_request_set_crypt(&data->req, data->sg, data->sg,
0129 sizeof(data->hash), data->iv);
0130
0131 err = crypto_wait_req(crypto_skcipher_encrypt(&data->req),
0132 &data->wait);
0133
0134 if (err)
0135 goto out;
0136
0137 crypto_ahash_clear_flags(ghash, CRYPTO_TFM_REQ_MASK);
0138 crypto_ahash_set_flags(ghash, crypto_aead_get_flags(aead) &
0139 CRYPTO_TFM_REQ_MASK);
0140 err = crypto_ahash_setkey(ghash, (u8 *)&data->hash, sizeof(be128));
0141 out:
0142 kfree_sensitive(data);
0143 return err;
0144 }
0145
0146 static int crypto_gcm_setauthsize(struct crypto_aead *tfm,
0147 unsigned int authsize)
0148 {
0149 return crypto_gcm_check_authsize(authsize);
0150 }
0151
0152 static void crypto_gcm_init_common(struct aead_request *req)
0153 {
0154 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
0155 __be32 counter = cpu_to_be32(1);
0156 struct scatterlist *sg;
0157
0158 memset(pctx->auth_tag, 0, sizeof(pctx->auth_tag));
0159 memcpy(pctx->iv, req->iv, GCM_AES_IV_SIZE);
0160 memcpy(pctx->iv + GCM_AES_IV_SIZE, &counter, 4);
0161
0162 sg_init_table(pctx->src, 3);
0163 sg_set_buf(pctx->src, pctx->auth_tag, sizeof(pctx->auth_tag));
0164 sg = scatterwalk_ffwd(pctx->src + 1, req->src, req->assoclen);
0165 if (sg != pctx->src + 1)
0166 sg_chain(pctx->src, 2, sg);
0167
0168 if (req->src != req->dst) {
0169 sg_init_table(pctx->dst, 3);
0170 sg_set_buf(pctx->dst, pctx->auth_tag, sizeof(pctx->auth_tag));
0171 sg = scatterwalk_ffwd(pctx->dst + 1, req->dst, req->assoclen);
0172 if (sg != pctx->dst + 1)
0173 sg_chain(pctx->dst, 2, sg);
0174 }
0175 }
0176
0177 static void crypto_gcm_init_crypt(struct aead_request *req,
0178 unsigned int cryptlen)
0179 {
0180 struct crypto_aead *aead = crypto_aead_reqtfm(req);
0181 struct crypto_gcm_ctx *ctx = crypto_aead_ctx(aead);
0182 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
0183 struct skcipher_request *skreq = &pctx->u.skreq;
0184 struct scatterlist *dst;
0185
0186 dst = req->src == req->dst ? pctx->src : pctx->dst;
0187
0188 skcipher_request_set_tfm(skreq, ctx->ctr);
0189 skcipher_request_set_crypt(skreq, pctx->src, dst,
0190 cryptlen + sizeof(pctx->auth_tag),
0191 pctx->iv);
0192 }
0193
0194 static inline unsigned int gcm_remain(unsigned int len)
0195 {
0196 len &= 0xfU;
0197 return len ? 16 - len : 0;
0198 }
0199
0200 static void gcm_hash_len_done(struct crypto_async_request *areq, int err);
0201
0202 static int gcm_hash_update(struct aead_request *req,
0203 crypto_completion_t compl,
0204 struct scatterlist *src,
0205 unsigned int len, u32 flags)
0206 {
0207 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
0208 struct ahash_request *ahreq = &pctx->u.ahreq;
0209
0210 ahash_request_set_callback(ahreq, flags, compl, req);
0211 ahash_request_set_crypt(ahreq, src, NULL, len);
0212
0213 return crypto_ahash_update(ahreq);
0214 }
0215
0216 static int gcm_hash_remain(struct aead_request *req,
0217 unsigned int remain,
0218 crypto_completion_t compl, u32 flags)
0219 {
0220 return gcm_hash_update(req, compl, &gcm_zeroes->sg, remain, flags);
0221 }
0222
0223 static int gcm_hash_len(struct aead_request *req, u32 flags)
0224 {
0225 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
0226 struct ahash_request *ahreq = &pctx->u.ahreq;
0227 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
0228 be128 lengths;
0229
0230 lengths.a = cpu_to_be64(req->assoclen * 8);
0231 lengths.b = cpu_to_be64(gctx->cryptlen * 8);
0232 memcpy(pctx->iauth_tag, &lengths, 16);
0233 sg_init_one(&pctx->sg, pctx->iauth_tag, 16);
0234 ahash_request_set_callback(ahreq, flags, gcm_hash_len_done, req);
0235 ahash_request_set_crypt(ahreq, &pctx->sg,
0236 pctx->iauth_tag, sizeof(lengths));
0237
0238 return crypto_ahash_finup(ahreq);
0239 }
0240
0241 static int gcm_hash_len_continue(struct aead_request *req, u32 flags)
0242 {
0243 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
0244 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
0245
0246 return gctx->complete(req, flags);
0247 }
0248
0249 static void gcm_hash_len_done(struct crypto_async_request *areq, int err)
0250 {
0251 struct aead_request *req = areq->data;
0252
0253 if (err)
0254 goto out;
0255
0256 err = gcm_hash_len_continue(req, 0);
0257 if (err == -EINPROGRESS)
0258 return;
0259
0260 out:
0261 aead_request_complete(req, err);
0262 }
0263
0264 static int gcm_hash_crypt_remain_continue(struct aead_request *req, u32 flags)
0265 {
0266 return gcm_hash_len(req, flags) ?:
0267 gcm_hash_len_continue(req, flags);
0268 }
0269
0270 static void gcm_hash_crypt_remain_done(struct crypto_async_request *areq,
0271 int err)
0272 {
0273 struct aead_request *req = areq->data;
0274
0275 if (err)
0276 goto out;
0277
0278 err = gcm_hash_crypt_remain_continue(req, 0);
0279 if (err == -EINPROGRESS)
0280 return;
0281
0282 out:
0283 aead_request_complete(req, err);
0284 }
0285
0286 static int gcm_hash_crypt_continue(struct aead_request *req, u32 flags)
0287 {
0288 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
0289 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
0290 unsigned int remain;
0291
0292 remain = gcm_remain(gctx->cryptlen);
0293 if (remain)
0294 return gcm_hash_remain(req, remain,
0295 gcm_hash_crypt_remain_done, flags) ?:
0296 gcm_hash_crypt_remain_continue(req, flags);
0297
0298 return gcm_hash_crypt_remain_continue(req, flags);
0299 }
0300
0301 static void gcm_hash_crypt_done(struct crypto_async_request *areq, int err)
0302 {
0303 struct aead_request *req = areq->data;
0304
0305 if (err)
0306 goto out;
0307
0308 err = gcm_hash_crypt_continue(req, 0);
0309 if (err == -EINPROGRESS)
0310 return;
0311
0312 out:
0313 aead_request_complete(req, err);
0314 }
0315
0316 static int gcm_hash_assoc_remain_continue(struct aead_request *req, u32 flags)
0317 {
0318 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
0319 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
0320
0321 if (gctx->cryptlen)
0322 return gcm_hash_update(req, gcm_hash_crypt_done,
0323 gctx->src, gctx->cryptlen, flags) ?:
0324 gcm_hash_crypt_continue(req, flags);
0325
0326 return gcm_hash_crypt_remain_continue(req, flags);
0327 }
0328
0329 static void gcm_hash_assoc_remain_done(struct crypto_async_request *areq,
0330 int err)
0331 {
0332 struct aead_request *req = areq->data;
0333
0334 if (err)
0335 goto out;
0336
0337 err = gcm_hash_assoc_remain_continue(req, 0);
0338 if (err == -EINPROGRESS)
0339 return;
0340
0341 out:
0342 aead_request_complete(req, err);
0343 }
0344
0345 static int gcm_hash_assoc_continue(struct aead_request *req, u32 flags)
0346 {
0347 unsigned int remain;
0348
0349 remain = gcm_remain(req->assoclen);
0350 if (remain)
0351 return gcm_hash_remain(req, remain,
0352 gcm_hash_assoc_remain_done, flags) ?:
0353 gcm_hash_assoc_remain_continue(req, flags);
0354
0355 return gcm_hash_assoc_remain_continue(req, flags);
0356 }
0357
0358 static void gcm_hash_assoc_done(struct crypto_async_request *areq, int err)
0359 {
0360 struct aead_request *req = areq->data;
0361
0362 if (err)
0363 goto out;
0364
0365 err = gcm_hash_assoc_continue(req, 0);
0366 if (err == -EINPROGRESS)
0367 return;
0368
0369 out:
0370 aead_request_complete(req, err);
0371 }
0372
0373 static int gcm_hash_init_continue(struct aead_request *req, u32 flags)
0374 {
0375 if (req->assoclen)
0376 return gcm_hash_update(req, gcm_hash_assoc_done,
0377 req->src, req->assoclen, flags) ?:
0378 gcm_hash_assoc_continue(req, flags);
0379
0380 return gcm_hash_assoc_remain_continue(req, flags);
0381 }
0382
0383 static void gcm_hash_init_done(struct crypto_async_request *areq, int err)
0384 {
0385 struct aead_request *req = areq->data;
0386
0387 if (err)
0388 goto out;
0389
0390 err = gcm_hash_init_continue(req, 0);
0391 if (err == -EINPROGRESS)
0392 return;
0393
0394 out:
0395 aead_request_complete(req, err);
0396 }
0397
0398 static int gcm_hash(struct aead_request *req, u32 flags)
0399 {
0400 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
0401 struct ahash_request *ahreq = &pctx->u.ahreq;
0402 struct crypto_gcm_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
0403
0404 ahash_request_set_tfm(ahreq, ctx->ghash);
0405
0406 ahash_request_set_callback(ahreq, flags, gcm_hash_init_done, req);
0407 return crypto_ahash_init(ahreq) ?:
0408 gcm_hash_init_continue(req, flags);
0409 }
0410
0411 static int gcm_enc_copy_hash(struct aead_request *req, u32 flags)
0412 {
0413 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
0414 struct crypto_aead *aead = crypto_aead_reqtfm(req);
0415 u8 *auth_tag = pctx->auth_tag;
0416
0417 crypto_xor(auth_tag, pctx->iauth_tag, 16);
0418 scatterwalk_map_and_copy(auth_tag, req->dst,
0419 req->assoclen + req->cryptlen,
0420 crypto_aead_authsize(aead), 1);
0421 return 0;
0422 }
0423
0424 static int gcm_encrypt_continue(struct aead_request *req, u32 flags)
0425 {
0426 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
0427 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
0428
0429 gctx->src = sg_next(req->src == req->dst ? pctx->src : pctx->dst);
0430 gctx->cryptlen = req->cryptlen;
0431 gctx->complete = gcm_enc_copy_hash;
0432
0433 return gcm_hash(req, flags);
0434 }
0435
0436 static void gcm_encrypt_done(struct crypto_async_request *areq, int err)
0437 {
0438 struct aead_request *req = areq->data;
0439
0440 if (err)
0441 goto out;
0442
0443 err = gcm_encrypt_continue(req, 0);
0444 if (err == -EINPROGRESS)
0445 return;
0446
0447 out:
0448 aead_request_complete(req, err);
0449 }
0450
0451 static int crypto_gcm_encrypt(struct aead_request *req)
0452 {
0453 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
0454 struct skcipher_request *skreq = &pctx->u.skreq;
0455 u32 flags = aead_request_flags(req);
0456
0457 crypto_gcm_init_common(req);
0458 crypto_gcm_init_crypt(req, req->cryptlen);
0459 skcipher_request_set_callback(skreq, flags, gcm_encrypt_done, req);
0460
0461 return crypto_skcipher_encrypt(skreq) ?:
0462 gcm_encrypt_continue(req, flags);
0463 }
0464
0465 static int crypto_gcm_verify(struct aead_request *req)
0466 {
0467 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
0468 struct crypto_aead *aead = crypto_aead_reqtfm(req);
0469 u8 *auth_tag = pctx->auth_tag;
0470 u8 *iauth_tag = pctx->iauth_tag;
0471 unsigned int authsize = crypto_aead_authsize(aead);
0472 unsigned int cryptlen = req->cryptlen - authsize;
0473
0474 crypto_xor(auth_tag, iauth_tag, 16);
0475 scatterwalk_map_and_copy(iauth_tag, req->src,
0476 req->assoclen + cryptlen, authsize, 0);
0477 return crypto_memneq(iauth_tag, auth_tag, authsize) ? -EBADMSG : 0;
0478 }
0479
0480 static void gcm_decrypt_done(struct crypto_async_request *areq, int err)
0481 {
0482 struct aead_request *req = areq->data;
0483
0484 if (!err)
0485 err = crypto_gcm_verify(req);
0486
0487 aead_request_complete(req, err);
0488 }
0489
0490 static int gcm_dec_hash_continue(struct aead_request *req, u32 flags)
0491 {
0492 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
0493 struct skcipher_request *skreq = &pctx->u.skreq;
0494 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
0495
0496 crypto_gcm_init_crypt(req, gctx->cryptlen);
0497 skcipher_request_set_callback(skreq, flags, gcm_decrypt_done, req);
0498 return crypto_skcipher_decrypt(skreq) ?: crypto_gcm_verify(req);
0499 }
0500
0501 static int crypto_gcm_decrypt(struct aead_request *req)
0502 {
0503 struct crypto_aead *aead = crypto_aead_reqtfm(req);
0504 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
0505 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
0506 unsigned int authsize = crypto_aead_authsize(aead);
0507 unsigned int cryptlen = req->cryptlen;
0508 u32 flags = aead_request_flags(req);
0509
0510 cryptlen -= authsize;
0511
0512 crypto_gcm_init_common(req);
0513
0514 gctx->src = sg_next(pctx->src);
0515 gctx->cryptlen = cryptlen;
0516 gctx->complete = gcm_dec_hash_continue;
0517
0518 return gcm_hash(req, flags);
0519 }
0520
0521 static int crypto_gcm_init_tfm(struct crypto_aead *tfm)
0522 {
0523 struct aead_instance *inst = aead_alg_instance(tfm);
0524 struct gcm_instance_ctx *ictx = aead_instance_ctx(inst);
0525 struct crypto_gcm_ctx *ctx = crypto_aead_ctx(tfm);
0526 struct crypto_skcipher *ctr;
0527 struct crypto_ahash *ghash;
0528 unsigned long align;
0529 int err;
0530
0531 ghash = crypto_spawn_ahash(&ictx->ghash);
0532 if (IS_ERR(ghash))
0533 return PTR_ERR(ghash);
0534
0535 ctr = crypto_spawn_skcipher(&ictx->ctr);
0536 err = PTR_ERR(ctr);
0537 if (IS_ERR(ctr))
0538 goto err_free_hash;
0539
0540 ctx->ctr = ctr;
0541 ctx->ghash = ghash;
0542
0543 align = crypto_aead_alignmask(tfm);
0544 align &= ~(crypto_tfm_ctx_alignment() - 1);
0545 crypto_aead_set_reqsize(tfm,
0546 align + offsetof(struct crypto_gcm_req_priv_ctx, u) +
0547 max(sizeof(struct skcipher_request) +
0548 crypto_skcipher_reqsize(ctr),
0549 sizeof(struct ahash_request) +
0550 crypto_ahash_reqsize(ghash)));
0551
0552 return 0;
0553
0554 err_free_hash:
0555 crypto_free_ahash(ghash);
0556 return err;
0557 }
0558
0559 static void crypto_gcm_exit_tfm(struct crypto_aead *tfm)
0560 {
0561 struct crypto_gcm_ctx *ctx = crypto_aead_ctx(tfm);
0562
0563 crypto_free_ahash(ctx->ghash);
0564 crypto_free_skcipher(ctx->ctr);
0565 }
0566
0567 static void crypto_gcm_free(struct aead_instance *inst)
0568 {
0569 struct gcm_instance_ctx *ctx = aead_instance_ctx(inst);
0570
0571 crypto_drop_skcipher(&ctx->ctr);
0572 crypto_drop_ahash(&ctx->ghash);
0573 kfree(inst);
0574 }
0575
0576 static int crypto_gcm_create_common(struct crypto_template *tmpl,
0577 struct rtattr **tb,
0578 const char *ctr_name,
0579 const char *ghash_name)
0580 {
0581 u32 mask;
0582 struct aead_instance *inst;
0583 struct gcm_instance_ctx *ctx;
0584 struct skcipher_alg *ctr;
0585 struct hash_alg_common *ghash;
0586 int err;
0587
0588 err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AEAD, &mask);
0589 if (err)
0590 return err;
0591
0592 inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
0593 if (!inst)
0594 return -ENOMEM;
0595 ctx = aead_instance_ctx(inst);
0596
0597 err = crypto_grab_ahash(&ctx->ghash, aead_crypto_instance(inst),
0598 ghash_name, 0, mask);
0599 if (err)
0600 goto err_free_inst;
0601 ghash = crypto_spawn_ahash_alg(&ctx->ghash);
0602
0603 err = -EINVAL;
0604 if (strcmp(ghash->base.cra_name, "ghash") != 0 ||
0605 ghash->digestsize != 16)
0606 goto err_free_inst;
0607
0608 err = crypto_grab_skcipher(&ctx->ctr, aead_crypto_instance(inst),
0609 ctr_name, 0, mask);
0610 if (err)
0611 goto err_free_inst;
0612 ctr = crypto_spawn_skcipher_alg(&ctx->ctr);
0613
0614
0615 err = -EINVAL;
0616 if (strncmp(ctr->base.cra_name, "ctr(", 4) != 0 ||
0617 crypto_skcipher_alg_ivsize(ctr) != 16 ||
0618 ctr->base.cra_blocksize != 1)
0619 goto err_free_inst;
0620
0621 err = -ENAMETOOLONG;
0622 if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
0623 "gcm(%s", ctr->base.cra_name + 4) >= CRYPTO_MAX_ALG_NAME)
0624 goto err_free_inst;
0625
0626 if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
0627 "gcm_base(%s,%s)", ctr->base.cra_driver_name,
0628 ghash->base.cra_driver_name) >=
0629 CRYPTO_MAX_ALG_NAME)
0630 goto err_free_inst;
0631
0632 inst->alg.base.cra_priority = (ghash->base.cra_priority +
0633 ctr->base.cra_priority) / 2;
0634 inst->alg.base.cra_blocksize = 1;
0635 inst->alg.base.cra_alignmask = ghash->base.cra_alignmask |
0636 ctr->base.cra_alignmask;
0637 inst->alg.base.cra_ctxsize = sizeof(struct crypto_gcm_ctx);
0638 inst->alg.ivsize = GCM_AES_IV_SIZE;
0639 inst->alg.chunksize = crypto_skcipher_alg_chunksize(ctr);
0640 inst->alg.maxauthsize = 16;
0641 inst->alg.init = crypto_gcm_init_tfm;
0642 inst->alg.exit = crypto_gcm_exit_tfm;
0643 inst->alg.setkey = crypto_gcm_setkey;
0644 inst->alg.setauthsize = crypto_gcm_setauthsize;
0645 inst->alg.encrypt = crypto_gcm_encrypt;
0646 inst->alg.decrypt = crypto_gcm_decrypt;
0647
0648 inst->free = crypto_gcm_free;
0649
0650 err = aead_register_instance(tmpl, inst);
0651 if (err) {
0652 err_free_inst:
0653 crypto_gcm_free(inst);
0654 }
0655 return err;
0656 }
0657
0658 static int crypto_gcm_create(struct crypto_template *tmpl, struct rtattr **tb)
0659 {
0660 const char *cipher_name;
0661 char ctr_name[CRYPTO_MAX_ALG_NAME];
0662
0663 cipher_name = crypto_attr_alg_name(tb[1]);
0664 if (IS_ERR(cipher_name))
0665 return PTR_ERR(cipher_name);
0666
0667 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", cipher_name) >=
0668 CRYPTO_MAX_ALG_NAME)
0669 return -ENAMETOOLONG;
0670
0671 return crypto_gcm_create_common(tmpl, tb, ctr_name, "ghash");
0672 }
0673
0674 static int crypto_gcm_base_create(struct crypto_template *tmpl,
0675 struct rtattr **tb)
0676 {
0677 const char *ctr_name;
0678 const char *ghash_name;
0679
0680 ctr_name = crypto_attr_alg_name(tb[1]);
0681 if (IS_ERR(ctr_name))
0682 return PTR_ERR(ctr_name);
0683
0684 ghash_name = crypto_attr_alg_name(tb[2]);
0685 if (IS_ERR(ghash_name))
0686 return PTR_ERR(ghash_name);
0687
0688 return crypto_gcm_create_common(tmpl, tb, ctr_name, ghash_name);
0689 }
0690
0691 static int crypto_rfc4106_setkey(struct crypto_aead *parent, const u8 *key,
0692 unsigned int keylen)
0693 {
0694 struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(parent);
0695 struct crypto_aead *child = ctx->child;
0696
0697 if (keylen < 4)
0698 return -EINVAL;
0699
0700 keylen -= 4;
0701 memcpy(ctx->nonce, key + keylen, 4);
0702
0703 crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK);
0704 crypto_aead_set_flags(child, crypto_aead_get_flags(parent) &
0705 CRYPTO_TFM_REQ_MASK);
0706 return crypto_aead_setkey(child, key, keylen);
0707 }
0708
0709 static int crypto_rfc4106_setauthsize(struct crypto_aead *parent,
0710 unsigned int authsize)
0711 {
0712 struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(parent);
0713 int err;
0714
0715 err = crypto_rfc4106_check_authsize(authsize);
0716 if (err)
0717 return err;
0718
0719 return crypto_aead_setauthsize(ctx->child, authsize);
0720 }
0721
0722 static struct aead_request *crypto_rfc4106_crypt(struct aead_request *req)
0723 {
0724 struct crypto_rfc4106_req_ctx *rctx = aead_request_ctx(req);
0725 struct crypto_aead *aead = crypto_aead_reqtfm(req);
0726 struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(aead);
0727 struct aead_request *subreq = &rctx->subreq;
0728 struct crypto_aead *child = ctx->child;
0729 struct scatterlist *sg;
0730 u8 *iv = PTR_ALIGN((u8 *)(subreq + 1) + crypto_aead_reqsize(child),
0731 crypto_aead_alignmask(child) + 1);
0732
0733 scatterwalk_map_and_copy(iv + GCM_AES_IV_SIZE, req->src, 0, req->assoclen - 8, 0);
0734
0735 memcpy(iv, ctx->nonce, 4);
0736 memcpy(iv + 4, req->iv, 8);
0737
0738 sg_init_table(rctx->src, 3);
0739 sg_set_buf(rctx->src, iv + GCM_AES_IV_SIZE, req->assoclen - 8);
0740 sg = scatterwalk_ffwd(rctx->src + 1, req->src, req->assoclen);
0741 if (sg != rctx->src + 1)
0742 sg_chain(rctx->src, 2, sg);
0743
0744 if (req->src != req->dst) {
0745 sg_init_table(rctx->dst, 3);
0746 sg_set_buf(rctx->dst, iv + GCM_AES_IV_SIZE, req->assoclen - 8);
0747 sg = scatterwalk_ffwd(rctx->dst + 1, req->dst, req->assoclen);
0748 if (sg != rctx->dst + 1)
0749 sg_chain(rctx->dst, 2, sg);
0750 }
0751
0752 aead_request_set_tfm(subreq, child);
0753 aead_request_set_callback(subreq, req->base.flags, req->base.complete,
0754 req->base.data);
0755 aead_request_set_crypt(subreq, rctx->src,
0756 req->src == req->dst ? rctx->src : rctx->dst,
0757 req->cryptlen, iv);
0758 aead_request_set_ad(subreq, req->assoclen - 8);
0759
0760 return subreq;
0761 }
0762
0763 static int crypto_rfc4106_encrypt(struct aead_request *req)
0764 {
0765 int err;
0766
0767 err = crypto_ipsec_check_assoclen(req->assoclen);
0768 if (err)
0769 return err;
0770
0771 req = crypto_rfc4106_crypt(req);
0772
0773 return crypto_aead_encrypt(req);
0774 }
0775
0776 static int crypto_rfc4106_decrypt(struct aead_request *req)
0777 {
0778 int err;
0779
0780 err = crypto_ipsec_check_assoclen(req->assoclen);
0781 if (err)
0782 return err;
0783
0784 req = crypto_rfc4106_crypt(req);
0785
0786 return crypto_aead_decrypt(req);
0787 }
0788
0789 static int crypto_rfc4106_init_tfm(struct crypto_aead *tfm)
0790 {
0791 struct aead_instance *inst = aead_alg_instance(tfm);
0792 struct crypto_aead_spawn *spawn = aead_instance_ctx(inst);
0793 struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(tfm);
0794 struct crypto_aead *aead;
0795 unsigned long align;
0796
0797 aead = crypto_spawn_aead(spawn);
0798 if (IS_ERR(aead))
0799 return PTR_ERR(aead);
0800
0801 ctx->child = aead;
0802
0803 align = crypto_aead_alignmask(aead);
0804 align &= ~(crypto_tfm_ctx_alignment() - 1);
0805 crypto_aead_set_reqsize(
0806 tfm,
0807 sizeof(struct crypto_rfc4106_req_ctx) +
0808 ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) +
0809 align + 24);
0810
0811 return 0;
0812 }
0813
0814 static void crypto_rfc4106_exit_tfm(struct crypto_aead *tfm)
0815 {
0816 struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(tfm);
0817
0818 crypto_free_aead(ctx->child);
0819 }
0820
0821 static void crypto_rfc4106_free(struct aead_instance *inst)
0822 {
0823 crypto_drop_aead(aead_instance_ctx(inst));
0824 kfree(inst);
0825 }
0826
0827 static int crypto_rfc4106_create(struct crypto_template *tmpl,
0828 struct rtattr **tb)
0829 {
0830 u32 mask;
0831 struct aead_instance *inst;
0832 struct crypto_aead_spawn *spawn;
0833 struct aead_alg *alg;
0834 int err;
0835
0836 err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AEAD, &mask);
0837 if (err)
0838 return err;
0839
0840 inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
0841 if (!inst)
0842 return -ENOMEM;
0843
0844 spawn = aead_instance_ctx(inst);
0845 err = crypto_grab_aead(spawn, aead_crypto_instance(inst),
0846 crypto_attr_alg_name(tb[1]), 0, mask);
0847 if (err)
0848 goto err_free_inst;
0849
0850 alg = crypto_spawn_aead_alg(spawn);
0851
0852 err = -EINVAL;
0853
0854
0855 if (crypto_aead_alg_ivsize(alg) != GCM_AES_IV_SIZE)
0856 goto err_free_inst;
0857
0858
0859 if (alg->base.cra_blocksize != 1)
0860 goto err_free_inst;
0861
0862 err = -ENAMETOOLONG;
0863 if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
0864 "rfc4106(%s)", alg->base.cra_name) >=
0865 CRYPTO_MAX_ALG_NAME ||
0866 snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
0867 "rfc4106(%s)", alg->base.cra_driver_name) >=
0868 CRYPTO_MAX_ALG_NAME)
0869 goto err_free_inst;
0870
0871 inst->alg.base.cra_priority = alg->base.cra_priority;
0872 inst->alg.base.cra_blocksize = 1;
0873 inst->alg.base.cra_alignmask = alg->base.cra_alignmask;
0874
0875 inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4106_ctx);
0876
0877 inst->alg.ivsize = GCM_RFC4106_IV_SIZE;
0878 inst->alg.chunksize = crypto_aead_alg_chunksize(alg);
0879 inst->alg.maxauthsize = crypto_aead_alg_maxauthsize(alg);
0880
0881 inst->alg.init = crypto_rfc4106_init_tfm;
0882 inst->alg.exit = crypto_rfc4106_exit_tfm;
0883
0884 inst->alg.setkey = crypto_rfc4106_setkey;
0885 inst->alg.setauthsize = crypto_rfc4106_setauthsize;
0886 inst->alg.encrypt = crypto_rfc4106_encrypt;
0887 inst->alg.decrypt = crypto_rfc4106_decrypt;
0888
0889 inst->free = crypto_rfc4106_free;
0890
0891 err = aead_register_instance(tmpl, inst);
0892 if (err) {
0893 err_free_inst:
0894 crypto_rfc4106_free(inst);
0895 }
0896 return err;
0897 }
0898
0899 static int crypto_rfc4543_setkey(struct crypto_aead *parent, const u8 *key,
0900 unsigned int keylen)
0901 {
0902 struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(parent);
0903 struct crypto_aead *child = ctx->child;
0904
0905 if (keylen < 4)
0906 return -EINVAL;
0907
0908 keylen -= 4;
0909 memcpy(ctx->nonce, key + keylen, 4);
0910
0911 crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK);
0912 crypto_aead_set_flags(child, crypto_aead_get_flags(parent) &
0913 CRYPTO_TFM_REQ_MASK);
0914 return crypto_aead_setkey(child, key, keylen);
0915 }
0916
0917 static int crypto_rfc4543_setauthsize(struct crypto_aead *parent,
0918 unsigned int authsize)
0919 {
0920 struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(parent);
0921
0922 if (authsize != 16)
0923 return -EINVAL;
0924
0925 return crypto_aead_setauthsize(ctx->child, authsize);
0926 }
0927
0928 static int crypto_rfc4543_crypt(struct aead_request *req, bool enc)
0929 {
0930 struct crypto_aead *aead = crypto_aead_reqtfm(req);
0931 struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(aead);
0932 struct crypto_rfc4543_req_ctx *rctx = aead_request_ctx(req);
0933 struct aead_request *subreq = &rctx->subreq;
0934 unsigned int authsize = crypto_aead_authsize(aead);
0935 u8 *iv = PTR_ALIGN((u8 *)(rctx + 1) + crypto_aead_reqsize(ctx->child),
0936 crypto_aead_alignmask(ctx->child) + 1);
0937 int err;
0938
0939 if (req->src != req->dst) {
0940 err = crypto_rfc4543_copy_src_to_dst(req, enc);
0941 if (err)
0942 return err;
0943 }
0944
0945 memcpy(iv, ctx->nonce, 4);
0946 memcpy(iv + 4, req->iv, 8);
0947
0948 aead_request_set_tfm(subreq, ctx->child);
0949 aead_request_set_callback(subreq, req->base.flags,
0950 req->base.complete, req->base.data);
0951 aead_request_set_crypt(subreq, req->src, req->dst,
0952 enc ? 0 : authsize, iv);
0953 aead_request_set_ad(subreq, req->assoclen + req->cryptlen -
0954 subreq->cryptlen);
0955
0956 return enc ? crypto_aead_encrypt(subreq) : crypto_aead_decrypt(subreq);
0957 }
0958
0959 static int crypto_rfc4543_copy_src_to_dst(struct aead_request *req, bool enc)
0960 {
0961 struct crypto_aead *aead = crypto_aead_reqtfm(req);
0962 struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(aead);
0963 unsigned int authsize = crypto_aead_authsize(aead);
0964 unsigned int nbytes = req->assoclen + req->cryptlen -
0965 (enc ? 0 : authsize);
0966 SYNC_SKCIPHER_REQUEST_ON_STACK(nreq, ctx->null);
0967
0968 skcipher_request_set_sync_tfm(nreq, ctx->null);
0969 skcipher_request_set_callback(nreq, req->base.flags, NULL, NULL);
0970 skcipher_request_set_crypt(nreq, req->src, req->dst, nbytes, NULL);
0971
0972 return crypto_skcipher_encrypt(nreq);
0973 }
0974
0975 static int crypto_rfc4543_encrypt(struct aead_request *req)
0976 {
0977 return crypto_ipsec_check_assoclen(req->assoclen) ?:
0978 crypto_rfc4543_crypt(req, true);
0979 }
0980
0981 static int crypto_rfc4543_decrypt(struct aead_request *req)
0982 {
0983 return crypto_ipsec_check_assoclen(req->assoclen) ?:
0984 crypto_rfc4543_crypt(req, false);
0985 }
0986
0987 static int crypto_rfc4543_init_tfm(struct crypto_aead *tfm)
0988 {
0989 struct aead_instance *inst = aead_alg_instance(tfm);
0990 struct crypto_rfc4543_instance_ctx *ictx = aead_instance_ctx(inst);
0991 struct crypto_aead_spawn *spawn = &ictx->aead;
0992 struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(tfm);
0993 struct crypto_aead *aead;
0994 struct crypto_sync_skcipher *null;
0995 unsigned long align;
0996 int err = 0;
0997
0998 aead = crypto_spawn_aead(spawn);
0999 if (IS_ERR(aead))
1000 return PTR_ERR(aead);
1001
1002 null = crypto_get_default_null_skcipher();
1003 err = PTR_ERR(null);
1004 if (IS_ERR(null))
1005 goto err_free_aead;
1006
1007 ctx->child = aead;
1008 ctx->null = null;
1009
1010 align = crypto_aead_alignmask(aead);
1011 align &= ~(crypto_tfm_ctx_alignment() - 1);
1012 crypto_aead_set_reqsize(
1013 tfm,
1014 sizeof(struct crypto_rfc4543_req_ctx) +
1015 ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) +
1016 align + GCM_AES_IV_SIZE);
1017
1018 return 0;
1019
1020 err_free_aead:
1021 crypto_free_aead(aead);
1022 return err;
1023 }
1024
1025 static void crypto_rfc4543_exit_tfm(struct crypto_aead *tfm)
1026 {
1027 struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(tfm);
1028
1029 crypto_free_aead(ctx->child);
1030 crypto_put_default_null_skcipher();
1031 }
1032
1033 static void crypto_rfc4543_free(struct aead_instance *inst)
1034 {
1035 struct crypto_rfc4543_instance_ctx *ctx = aead_instance_ctx(inst);
1036
1037 crypto_drop_aead(&ctx->aead);
1038
1039 kfree(inst);
1040 }
1041
1042 static int crypto_rfc4543_create(struct crypto_template *tmpl,
1043 struct rtattr **tb)
1044 {
1045 u32 mask;
1046 struct aead_instance *inst;
1047 struct aead_alg *alg;
1048 struct crypto_rfc4543_instance_ctx *ctx;
1049 int err;
1050
1051 err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AEAD, &mask);
1052 if (err)
1053 return err;
1054
1055 inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
1056 if (!inst)
1057 return -ENOMEM;
1058
1059 ctx = aead_instance_ctx(inst);
1060 err = crypto_grab_aead(&ctx->aead, aead_crypto_instance(inst),
1061 crypto_attr_alg_name(tb[1]), 0, mask);
1062 if (err)
1063 goto err_free_inst;
1064
1065 alg = crypto_spawn_aead_alg(&ctx->aead);
1066
1067 err = -EINVAL;
1068
1069
1070 if (crypto_aead_alg_ivsize(alg) != GCM_AES_IV_SIZE)
1071 goto err_free_inst;
1072
1073
1074 if (alg->base.cra_blocksize != 1)
1075 goto err_free_inst;
1076
1077 err = -ENAMETOOLONG;
1078 if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
1079 "rfc4543(%s)", alg->base.cra_name) >=
1080 CRYPTO_MAX_ALG_NAME ||
1081 snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
1082 "rfc4543(%s)", alg->base.cra_driver_name) >=
1083 CRYPTO_MAX_ALG_NAME)
1084 goto err_free_inst;
1085
1086 inst->alg.base.cra_priority = alg->base.cra_priority;
1087 inst->alg.base.cra_blocksize = 1;
1088 inst->alg.base.cra_alignmask = alg->base.cra_alignmask;
1089
1090 inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4543_ctx);
1091
1092 inst->alg.ivsize = GCM_RFC4543_IV_SIZE;
1093 inst->alg.chunksize = crypto_aead_alg_chunksize(alg);
1094 inst->alg.maxauthsize = crypto_aead_alg_maxauthsize(alg);
1095
1096 inst->alg.init = crypto_rfc4543_init_tfm;
1097 inst->alg.exit = crypto_rfc4543_exit_tfm;
1098
1099 inst->alg.setkey = crypto_rfc4543_setkey;
1100 inst->alg.setauthsize = crypto_rfc4543_setauthsize;
1101 inst->alg.encrypt = crypto_rfc4543_encrypt;
1102 inst->alg.decrypt = crypto_rfc4543_decrypt;
1103
1104 inst->free = crypto_rfc4543_free;
1105
1106 err = aead_register_instance(tmpl, inst);
1107 if (err) {
1108 err_free_inst:
1109 crypto_rfc4543_free(inst);
1110 }
1111 return err;
1112 }
1113
1114 static struct crypto_template crypto_gcm_tmpls[] = {
1115 {
1116 .name = "gcm_base",
1117 .create = crypto_gcm_base_create,
1118 .module = THIS_MODULE,
1119 }, {
1120 .name = "gcm",
1121 .create = crypto_gcm_create,
1122 .module = THIS_MODULE,
1123 }, {
1124 .name = "rfc4106",
1125 .create = crypto_rfc4106_create,
1126 .module = THIS_MODULE,
1127 }, {
1128 .name = "rfc4543",
1129 .create = crypto_rfc4543_create,
1130 .module = THIS_MODULE,
1131 },
1132 };
1133
1134 static int __init crypto_gcm_module_init(void)
1135 {
1136 int err;
1137
1138 gcm_zeroes = kzalloc(sizeof(*gcm_zeroes), GFP_KERNEL);
1139 if (!gcm_zeroes)
1140 return -ENOMEM;
1141
1142 sg_init_one(&gcm_zeroes->sg, gcm_zeroes->buf, sizeof(gcm_zeroes->buf));
1143
1144 err = crypto_register_templates(crypto_gcm_tmpls,
1145 ARRAY_SIZE(crypto_gcm_tmpls));
1146 if (err)
1147 kfree(gcm_zeroes);
1148
1149 return err;
1150 }
1151
1152 static void __exit crypto_gcm_module_exit(void)
1153 {
1154 kfree(gcm_zeroes);
1155 crypto_unregister_templates(crypto_gcm_tmpls,
1156 ARRAY_SIZE(crypto_gcm_tmpls));
1157 }
1158
1159 subsys_initcall(crypto_gcm_module_init);
1160 module_exit(crypto_gcm_module_exit);
1161
1162 MODULE_LICENSE("GPL");
1163 MODULE_DESCRIPTION("Galois/Counter Mode");
1164 MODULE_AUTHOR("Mikko Herranen <mh1@iki.fi>");
1165 MODULE_ALIAS_CRYPTO("gcm_base");
1166 MODULE_ALIAS_CRYPTO("rfc4106");
1167 MODULE_ALIAS_CRYPTO("rfc4543");
1168 MODULE_ALIAS_CRYPTO("gcm");
