Joy Latten | 4a49b49 | 2007-12-12 20:25:13 +0800 | [diff] [blame] | 1 | /* |
| 2 | * CCM: Counter with CBC-MAC |
| 3 | * |
| 4 | * (C) Copyright IBM Corp. 2007 - Joy Latten <latten@us.ibm.com> |
| 5 | * |
| 6 | * This program is free software; you can redistribute it and/or modify it |
| 7 | * under the terms of the GNU General Public License as published by the Free |
| 8 | * Software Foundation; either version 2 of the License, or (at your option) |
| 9 | * any later version. |
| 10 | * |
| 11 | */ |
| 12 | |
| 13 | #include <crypto/internal/aead.h> |
| 14 | #include <crypto/internal/skcipher.h> |
| 15 | #include <crypto/scatterwalk.h> |
| 16 | #include <linux/err.h> |
| 17 | #include <linux/init.h> |
| 18 | #include <linux/kernel.h> |
| 19 | #include <linux/module.h> |
| 20 | #include <linux/slab.h> |
| 21 | |
| 22 | #include "internal.h" |
| 23 | |
| 24 | struct ccm_instance_ctx { |
| 25 | struct crypto_skcipher_spawn ctr; |
| 26 | struct crypto_spawn cipher; |
| 27 | }; |
| 28 | |
| 29 | struct crypto_ccm_ctx { |
| 30 | struct crypto_cipher *cipher; |
| 31 | struct crypto_ablkcipher *ctr; |
| 32 | }; |
| 33 | |
| 34 | struct crypto_rfc4309_ctx { |
| 35 | struct crypto_aead *child; |
| 36 | u8 nonce[3]; |
| 37 | }; |
| 38 | |
| 39 | struct crypto_ccm_req_priv_ctx { |
| 40 | u8 odata[16]; |
| 41 | u8 idata[16]; |
| 42 | u8 auth_tag[16]; |
| 43 | u32 ilen; |
| 44 | u32 flags; |
| 45 | struct scatterlist src[2]; |
| 46 | struct scatterlist dst[2]; |
| 47 | struct ablkcipher_request abreq; |
| 48 | }; |
| 49 | |
| 50 | static inline struct crypto_ccm_req_priv_ctx *crypto_ccm_reqctx( |
| 51 | struct aead_request *req) |
| 52 | { |
| 53 | unsigned long align = crypto_aead_alignmask(crypto_aead_reqtfm(req)); |
| 54 | |
| 55 | return (void *)PTR_ALIGN((u8 *)aead_request_ctx(req), align + 1); |
| 56 | } |
| 57 | |
| 58 | static int set_msg_len(u8 *block, unsigned int msglen, int csize) |
| 59 | { |
| 60 | __be32 data; |
| 61 | |
| 62 | memset(block, 0, csize); |
| 63 | block += csize; |
| 64 | |
| 65 | if (csize >= 4) |
| 66 | csize = 4; |
| 67 | else if (msglen > (1 << (8 * csize))) |
| 68 | return -EOVERFLOW; |
| 69 | |
| 70 | data = cpu_to_be32(msglen); |
| 71 | memcpy(block - csize, (u8 *)&data + 4 - csize, csize); |
| 72 | |
| 73 | return 0; |
| 74 | } |
| 75 | |
| 76 | static int crypto_ccm_setkey(struct crypto_aead *aead, const u8 *key, |
| 77 | unsigned int keylen) |
| 78 | { |
| 79 | struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead); |
| 80 | struct crypto_ablkcipher *ctr = ctx->ctr; |
| 81 | struct crypto_cipher *tfm = ctx->cipher; |
| 82 | int err = 0; |
| 83 | |
| 84 | crypto_ablkcipher_clear_flags(ctr, CRYPTO_TFM_REQ_MASK); |
| 85 | crypto_ablkcipher_set_flags(ctr, crypto_aead_get_flags(aead) & |
| 86 | CRYPTO_TFM_REQ_MASK); |
| 87 | err = crypto_ablkcipher_setkey(ctr, key, keylen); |
| 88 | crypto_aead_set_flags(aead, crypto_ablkcipher_get_flags(ctr) & |
| 89 | CRYPTO_TFM_RES_MASK); |
| 90 | if (err) |
| 91 | goto out; |
| 92 | |
| 93 | crypto_cipher_clear_flags(tfm, CRYPTO_TFM_REQ_MASK); |
| 94 | crypto_cipher_set_flags(tfm, crypto_aead_get_flags(aead) & |
| 95 | CRYPTO_TFM_REQ_MASK); |
| 96 | err = crypto_cipher_setkey(tfm, key, keylen); |
| 97 | crypto_aead_set_flags(aead, crypto_cipher_get_flags(tfm) & |
| 98 | CRYPTO_TFM_RES_MASK); |
| 99 | |
| 100 | out: |
| 101 | return err; |
| 102 | } |
| 103 | |
| 104 | static int crypto_ccm_setauthsize(struct crypto_aead *tfm, |
| 105 | unsigned int authsize) |
| 106 | { |
| 107 | switch (authsize) { |
| 108 | case 4: |
| 109 | case 6: |
| 110 | case 8: |
| 111 | case 10: |
| 112 | case 12: |
| 113 | case 14: |
| 114 | case 16: |
| 115 | break; |
| 116 | default: |
| 117 | return -EINVAL; |
| 118 | } |
| 119 | |
| 120 | return 0; |
| 121 | } |
| 122 | |
| 123 | static int format_input(u8 *info, struct aead_request *req, |
| 124 | unsigned int cryptlen) |
| 125 | { |
| 126 | struct crypto_aead *aead = crypto_aead_reqtfm(req); |
| 127 | unsigned int lp = req->iv[0]; |
| 128 | unsigned int l = lp + 1; |
| 129 | unsigned int m; |
| 130 | |
| 131 | m = crypto_aead_authsize(aead); |
| 132 | |
| 133 | memcpy(info, req->iv, 16); |
| 134 | |
| 135 | /* format control info per RFC 3610 and |
| 136 | * NIST Special Publication 800-38C |
| 137 | */ |
| 138 | *info |= (8 * ((m - 2) / 2)); |
| 139 | if (req->assoclen) |
| 140 | *info |= 64; |
| 141 | |
| 142 | return set_msg_len(info + 16 - l, cryptlen, l); |
| 143 | } |
| 144 | |
| 145 | static int format_adata(u8 *adata, unsigned int a) |
| 146 | { |
| 147 | int len = 0; |
| 148 | |
| 149 | /* add control info for associated data |
| 150 | * RFC 3610 and NIST Special Publication 800-38C |
| 151 | */ |
| 152 | if (a < 65280) { |
| 153 | *(__be16 *)adata = cpu_to_be16(a); |
| 154 | len = 2; |
| 155 | } else { |
| 156 | *(__be16 *)adata = cpu_to_be16(0xfffe); |
| 157 | *(__be32 *)&adata[2] = cpu_to_be32(a); |
| 158 | len = 6; |
| 159 | } |
| 160 | |
| 161 | return len; |
| 162 | } |
| 163 | |
| 164 | static void compute_mac(struct crypto_cipher *tfm, u8 *data, int n, |
| 165 | struct crypto_ccm_req_priv_ctx *pctx) |
| 166 | { |
| 167 | unsigned int bs = 16; |
| 168 | u8 *odata = pctx->odata; |
| 169 | u8 *idata = pctx->idata; |
| 170 | int datalen, getlen; |
| 171 | |
| 172 | datalen = n; |
| 173 | |
| 174 | /* first time in here, block may be partially filled. */ |
| 175 | getlen = bs - pctx->ilen; |
| 176 | if (datalen >= getlen) { |
| 177 | memcpy(idata + pctx->ilen, data, getlen); |
| 178 | crypto_xor(odata, idata, bs); |
| 179 | crypto_cipher_encrypt_one(tfm, odata, odata); |
| 180 | datalen -= getlen; |
| 181 | data += getlen; |
| 182 | pctx->ilen = 0; |
| 183 | } |
| 184 | |
| 185 | /* now encrypt rest of data */ |
| 186 | while (datalen >= bs) { |
| 187 | crypto_xor(odata, data, bs); |
| 188 | crypto_cipher_encrypt_one(tfm, odata, odata); |
| 189 | |
| 190 | datalen -= bs; |
| 191 | data += bs; |
| 192 | } |
| 193 | |
| 194 | /* check and see if there's leftover data that wasn't |
| 195 | * enough to fill a block. |
| 196 | */ |
| 197 | if (datalen) { |
| 198 | memcpy(idata + pctx->ilen, data, datalen); |
| 199 | pctx->ilen += datalen; |
| 200 | } |
| 201 | } |
| 202 | |
| 203 | static void get_data_to_compute(struct crypto_cipher *tfm, |
| 204 | struct crypto_ccm_req_priv_ctx *pctx, |
| 205 | struct scatterlist *sg, unsigned int len) |
| 206 | { |
| 207 | struct scatter_walk walk; |
| 208 | u8 *data_src; |
| 209 | int n; |
| 210 | |
| 211 | scatterwalk_start(&walk, sg); |
| 212 | |
| 213 | while (len) { |
| 214 | n = scatterwalk_clamp(&walk, len); |
| 215 | if (!n) { |
| 216 | scatterwalk_start(&walk, sg_next(walk.sg)); |
| 217 | n = scatterwalk_clamp(&walk, len); |
| 218 | } |
Cong Wang | f0dfc0b | 2011-11-25 23:14:17 +0800 | [diff] [blame] | 219 | data_src = scatterwalk_map(&walk); |
Joy Latten | 4a49b49 | 2007-12-12 20:25:13 +0800 | [diff] [blame] | 220 | |
| 221 | compute_mac(tfm, data_src, n, pctx); |
| 222 | len -= n; |
| 223 | |
Cong Wang | f0dfc0b | 2011-11-25 23:14:17 +0800 | [diff] [blame] | 224 | scatterwalk_unmap(data_src); |
Joy Latten | 4a49b49 | 2007-12-12 20:25:13 +0800 | [diff] [blame] | 225 | scatterwalk_advance(&walk, n); |
| 226 | scatterwalk_done(&walk, 0, len); |
| 227 | if (len) |
| 228 | crypto_yield(pctx->flags); |
| 229 | } |
| 230 | |
| 231 | /* any leftover needs padding and then encrypted */ |
| 232 | if (pctx->ilen) { |
| 233 | int padlen; |
| 234 | u8 *odata = pctx->odata; |
| 235 | u8 *idata = pctx->idata; |
| 236 | |
| 237 | padlen = 16 - pctx->ilen; |
| 238 | memset(idata + pctx->ilen, 0, padlen); |
| 239 | crypto_xor(odata, idata, 16); |
| 240 | crypto_cipher_encrypt_one(tfm, odata, odata); |
| 241 | pctx->ilen = 0; |
| 242 | } |
| 243 | } |
| 244 | |
| 245 | static int crypto_ccm_auth(struct aead_request *req, struct scatterlist *plain, |
| 246 | unsigned int cryptlen) |
| 247 | { |
| 248 | struct crypto_aead *aead = crypto_aead_reqtfm(req); |
| 249 | struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead); |
| 250 | struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); |
| 251 | struct crypto_cipher *cipher = ctx->cipher; |
| 252 | unsigned int assoclen = req->assoclen; |
| 253 | u8 *odata = pctx->odata; |
| 254 | u8 *idata = pctx->idata; |
| 255 | int err; |
| 256 | |
| 257 | /* format control data for input */ |
| 258 | err = format_input(odata, req, cryptlen); |
| 259 | if (err) |
| 260 | goto out; |
| 261 | |
| 262 | /* encrypt first block to use as start in computing mac */ |
| 263 | crypto_cipher_encrypt_one(cipher, odata, odata); |
| 264 | |
| 265 | /* format associated data and compute into mac */ |
| 266 | if (assoclen) { |
| 267 | pctx->ilen = format_adata(idata, assoclen); |
| 268 | get_data_to_compute(cipher, pctx, req->assoc, req->assoclen); |
Jarod Wilson | 516280e | 2009-01-22 19:58:15 +1100 | [diff] [blame] | 269 | } else { |
| 270 | pctx->ilen = 0; |
Joy Latten | 4a49b49 | 2007-12-12 20:25:13 +0800 | [diff] [blame] | 271 | } |
| 272 | |
| 273 | /* compute plaintext into mac */ |
Horia Geanta | 5638cab | 2013-11-28 15:11:15 +0200 | [diff] [blame] | 274 | if (cryptlen) |
| 275 | get_data_to_compute(cipher, pctx, plain, cryptlen); |
Joy Latten | 4a49b49 | 2007-12-12 20:25:13 +0800 | [diff] [blame] | 276 | |
| 277 | out: |
| 278 | return err; |
| 279 | } |
| 280 | |
| 281 | static void crypto_ccm_encrypt_done(struct crypto_async_request *areq, int err) |
| 282 | { |
| 283 | struct aead_request *req = areq->data; |
| 284 | struct crypto_aead *aead = crypto_aead_reqtfm(req); |
| 285 | struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); |
| 286 | u8 *odata = pctx->odata; |
| 287 | |
| 288 | if (!err) |
| 289 | scatterwalk_map_and_copy(odata, req->dst, req->cryptlen, |
| 290 | crypto_aead_authsize(aead), 1); |
| 291 | aead_request_complete(req, err); |
| 292 | } |
| 293 | |
| 294 | static inline int crypto_ccm_check_iv(const u8 *iv) |
| 295 | { |
| 296 | /* 2 <= L <= 8, so 1 <= L' <= 7. */ |
| 297 | if (1 > iv[0] || iv[0] > 7) |
| 298 | return -EINVAL; |
| 299 | |
| 300 | return 0; |
| 301 | } |
| 302 | |
| 303 | static int crypto_ccm_encrypt(struct aead_request *req) |
| 304 | { |
| 305 | struct crypto_aead *aead = crypto_aead_reqtfm(req); |
| 306 | struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead); |
| 307 | struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); |
| 308 | struct ablkcipher_request *abreq = &pctx->abreq; |
| 309 | struct scatterlist *dst; |
| 310 | unsigned int cryptlen = req->cryptlen; |
| 311 | u8 *odata = pctx->odata; |
| 312 | u8 *iv = req->iv; |
| 313 | int err; |
| 314 | |
| 315 | err = crypto_ccm_check_iv(iv); |
| 316 | if (err) |
| 317 | return err; |
| 318 | |
| 319 | pctx->flags = aead_request_flags(req); |
| 320 | |
| 321 | err = crypto_ccm_auth(req, req->src, cryptlen); |
| 322 | if (err) |
| 323 | return err; |
| 324 | |
| 325 | /* Note: rfc 3610 and NIST 800-38C require counter of |
| 326 | * zero to encrypt auth tag. |
| 327 | */ |
| 328 | memset(iv + 15 - iv[0], 0, iv[0] + 1); |
| 329 | |
| 330 | sg_init_table(pctx->src, 2); |
| 331 | sg_set_buf(pctx->src, odata, 16); |
| 332 | scatterwalk_sg_chain(pctx->src, 2, req->src); |
| 333 | |
| 334 | dst = pctx->src; |
| 335 | if (req->src != req->dst) { |
| 336 | sg_init_table(pctx->dst, 2); |
| 337 | sg_set_buf(pctx->dst, odata, 16); |
| 338 | scatterwalk_sg_chain(pctx->dst, 2, req->dst); |
| 339 | dst = pctx->dst; |
| 340 | } |
| 341 | |
| 342 | ablkcipher_request_set_tfm(abreq, ctx->ctr); |
| 343 | ablkcipher_request_set_callback(abreq, pctx->flags, |
| 344 | crypto_ccm_encrypt_done, req); |
| 345 | ablkcipher_request_set_crypt(abreq, pctx->src, dst, cryptlen + 16, iv); |
| 346 | err = crypto_ablkcipher_encrypt(abreq); |
| 347 | if (err) |
| 348 | return err; |
| 349 | |
| 350 | /* copy authtag to end of dst */ |
| 351 | scatterwalk_map_and_copy(odata, req->dst, cryptlen, |
| 352 | crypto_aead_authsize(aead), 1); |
| 353 | return err; |
| 354 | } |
| 355 | |
| 356 | static void crypto_ccm_decrypt_done(struct crypto_async_request *areq, |
| 357 | int err) |
| 358 | { |
| 359 | struct aead_request *req = areq->data; |
| 360 | struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); |
| 361 | struct crypto_aead *aead = crypto_aead_reqtfm(req); |
| 362 | unsigned int authsize = crypto_aead_authsize(aead); |
| 363 | unsigned int cryptlen = req->cryptlen - authsize; |
| 364 | |
| 365 | if (!err) { |
| 366 | err = crypto_ccm_auth(req, req->dst, cryptlen); |
James Yonan | 6bf37e5 | 2013-09-26 02:20:39 -0600 | [diff] [blame] | 367 | if (!err && crypto_memneq(pctx->auth_tag, pctx->odata, authsize)) |
Joy Latten | 4a49b49 | 2007-12-12 20:25:13 +0800 | [diff] [blame] | 368 | err = -EBADMSG; |
| 369 | } |
| 370 | aead_request_complete(req, err); |
| 371 | } |
| 372 | |
| 373 | static int crypto_ccm_decrypt(struct aead_request *req) |
| 374 | { |
| 375 | struct crypto_aead *aead = crypto_aead_reqtfm(req); |
| 376 | struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead); |
| 377 | struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req); |
| 378 | struct ablkcipher_request *abreq = &pctx->abreq; |
| 379 | struct scatterlist *dst; |
| 380 | unsigned int authsize = crypto_aead_authsize(aead); |
| 381 | unsigned int cryptlen = req->cryptlen; |
| 382 | u8 *authtag = pctx->auth_tag; |
| 383 | u8 *odata = pctx->odata; |
| 384 | u8 *iv = req->iv; |
| 385 | int err; |
| 386 | |
| 387 | if (cryptlen < authsize) |
| 388 | return -EINVAL; |
| 389 | cryptlen -= authsize; |
| 390 | |
| 391 | err = crypto_ccm_check_iv(iv); |
| 392 | if (err) |
| 393 | return err; |
| 394 | |
| 395 | pctx->flags = aead_request_flags(req); |
| 396 | |
| 397 | scatterwalk_map_and_copy(authtag, req->src, cryptlen, authsize, 0); |
| 398 | |
| 399 | memset(iv + 15 - iv[0], 0, iv[0] + 1); |
| 400 | |
| 401 | sg_init_table(pctx->src, 2); |
| 402 | sg_set_buf(pctx->src, authtag, 16); |
| 403 | scatterwalk_sg_chain(pctx->src, 2, req->src); |
| 404 | |
| 405 | dst = pctx->src; |
| 406 | if (req->src != req->dst) { |
| 407 | sg_init_table(pctx->dst, 2); |
| 408 | sg_set_buf(pctx->dst, authtag, 16); |
| 409 | scatterwalk_sg_chain(pctx->dst, 2, req->dst); |
| 410 | dst = pctx->dst; |
| 411 | } |
| 412 | |
| 413 | ablkcipher_request_set_tfm(abreq, ctx->ctr); |
| 414 | ablkcipher_request_set_callback(abreq, pctx->flags, |
| 415 | crypto_ccm_decrypt_done, req); |
| 416 | ablkcipher_request_set_crypt(abreq, pctx->src, dst, cryptlen + 16, iv); |
| 417 | err = crypto_ablkcipher_decrypt(abreq); |
| 418 | if (err) |
| 419 | return err; |
| 420 | |
| 421 | err = crypto_ccm_auth(req, req->dst, cryptlen); |
| 422 | if (err) |
| 423 | return err; |
| 424 | |
| 425 | /* verify */ |
James Yonan | 6bf37e5 | 2013-09-26 02:20:39 -0600 | [diff] [blame] | 426 | if (crypto_memneq(authtag, odata, authsize)) |
Joy Latten | 4a49b49 | 2007-12-12 20:25:13 +0800 | [diff] [blame] | 427 | return -EBADMSG; |
| 428 | |
| 429 | return err; |
| 430 | } |
| 431 | |
| 432 | static int crypto_ccm_init_tfm(struct crypto_tfm *tfm) |
| 433 | { |
| 434 | struct crypto_instance *inst = (void *)tfm->__crt_alg; |
| 435 | struct ccm_instance_ctx *ictx = crypto_instance_ctx(inst); |
| 436 | struct crypto_ccm_ctx *ctx = crypto_tfm_ctx(tfm); |
| 437 | struct crypto_cipher *cipher; |
| 438 | struct crypto_ablkcipher *ctr; |
| 439 | unsigned long align; |
| 440 | int err; |
| 441 | |
| 442 | cipher = crypto_spawn_cipher(&ictx->cipher); |
| 443 | if (IS_ERR(cipher)) |
| 444 | return PTR_ERR(cipher); |
| 445 | |
| 446 | ctr = crypto_spawn_skcipher(&ictx->ctr); |
| 447 | err = PTR_ERR(ctr); |
| 448 | if (IS_ERR(ctr)) |
| 449 | goto err_free_cipher; |
| 450 | |
| 451 | ctx->cipher = cipher; |
| 452 | ctx->ctr = ctr; |
| 453 | |
| 454 | align = crypto_tfm_alg_alignmask(tfm); |
| 455 | align &= ~(crypto_tfm_ctx_alignment() - 1); |
| 456 | tfm->crt_aead.reqsize = align + |
| 457 | sizeof(struct crypto_ccm_req_priv_ctx) + |
| 458 | crypto_ablkcipher_reqsize(ctr); |
| 459 | |
| 460 | return 0; |
| 461 | |
| 462 | err_free_cipher: |
| 463 | crypto_free_cipher(cipher); |
| 464 | return err; |
| 465 | } |
| 466 | |
| 467 | static void crypto_ccm_exit_tfm(struct crypto_tfm *tfm) |
| 468 | { |
| 469 | struct crypto_ccm_ctx *ctx = crypto_tfm_ctx(tfm); |
| 470 | |
| 471 | crypto_free_cipher(ctx->cipher); |
| 472 | crypto_free_ablkcipher(ctx->ctr); |
| 473 | } |
| 474 | |
| 475 | static struct crypto_instance *crypto_ccm_alloc_common(struct rtattr **tb, |
| 476 | const char *full_name, |
| 477 | const char *ctr_name, |
| 478 | const char *cipher_name) |
| 479 | { |
| 480 | struct crypto_attr_type *algt; |
| 481 | struct crypto_instance *inst; |
| 482 | struct crypto_alg *ctr; |
| 483 | struct crypto_alg *cipher; |
| 484 | struct ccm_instance_ctx *ictx; |
| 485 | int err; |
| 486 | |
| 487 | algt = crypto_get_attr_type(tb); |
Joy Latten | 4a49b49 | 2007-12-12 20:25:13 +0800 | [diff] [blame] | 488 | if (IS_ERR(algt)) |
Julia Lawall | 3e8afe3 | 2013-01-22 12:29:26 +0100 | [diff] [blame] | 489 | return ERR_CAST(algt); |
Joy Latten | 4a49b49 | 2007-12-12 20:25:13 +0800 | [diff] [blame] | 490 | |
| 491 | if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask) |
| 492 | return ERR_PTR(-EINVAL); |
| 493 | |
| 494 | cipher = crypto_alg_mod_lookup(cipher_name, CRYPTO_ALG_TYPE_CIPHER, |
| 495 | CRYPTO_ALG_TYPE_MASK); |
Joy Latten | 4a49b49 | 2007-12-12 20:25:13 +0800 | [diff] [blame] | 496 | if (IS_ERR(cipher)) |
Julia Lawall | 3e8afe3 | 2013-01-22 12:29:26 +0100 | [diff] [blame] | 497 | return ERR_CAST(cipher); |
Joy Latten | 4a49b49 | 2007-12-12 20:25:13 +0800 | [diff] [blame] | 498 | |
| 499 | err = -EINVAL; |
| 500 | if (cipher->cra_blocksize != 16) |
| 501 | goto out_put_cipher; |
| 502 | |
| 503 | inst = kzalloc(sizeof(*inst) + sizeof(*ictx), GFP_KERNEL); |
| 504 | err = -ENOMEM; |
| 505 | if (!inst) |
| 506 | goto out_put_cipher; |
| 507 | |
| 508 | ictx = crypto_instance_ctx(inst); |
| 509 | |
| 510 | err = crypto_init_spawn(&ictx->cipher, cipher, inst, |
| 511 | CRYPTO_ALG_TYPE_MASK); |
| 512 | if (err) |
| 513 | goto err_free_inst; |
| 514 | |
| 515 | crypto_set_skcipher_spawn(&ictx->ctr, inst); |
| 516 | err = crypto_grab_skcipher(&ictx->ctr, ctr_name, 0, |
| 517 | crypto_requires_sync(algt->type, |
| 518 | algt->mask)); |
| 519 | if (err) |
| 520 | goto err_drop_cipher; |
| 521 | |
| 522 | ctr = crypto_skcipher_spawn_alg(&ictx->ctr); |
| 523 | |
| 524 | /* Not a stream cipher? */ |
| 525 | err = -EINVAL; |
| 526 | if (ctr->cra_blocksize != 1) |
| 527 | goto err_drop_ctr; |
| 528 | |
| 529 | /* We want the real thing! */ |
| 530 | if (ctr->cra_ablkcipher.ivsize != 16) |
| 531 | goto err_drop_ctr; |
| 532 | |
| 533 | err = -ENAMETOOLONG; |
| 534 | if (snprintf(inst->alg.cra_driver_name, CRYPTO_MAX_ALG_NAME, |
| 535 | "ccm_base(%s,%s)", ctr->cra_driver_name, |
| 536 | cipher->cra_driver_name) >= CRYPTO_MAX_ALG_NAME) |
| 537 | goto err_drop_ctr; |
| 538 | |
| 539 | memcpy(inst->alg.cra_name, full_name, CRYPTO_MAX_ALG_NAME); |
| 540 | |
| 541 | inst->alg.cra_flags = CRYPTO_ALG_TYPE_AEAD; |
| 542 | inst->alg.cra_flags |= ctr->cra_flags & CRYPTO_ALG_ASYNC; |
| 543 | inst->alg.cra_priority = cipher->cra_priority + ctr->cra_priority; |
| 544 | inst->alg.cra_blocksize = 1; |
| 545 | inst->alg.cra_alignmask = cipher->cra_alignmask | ctr->cra_alignmask | |
| 546 | (__alignof__(u32) - 1); |
| 547 | inst->alg.cra_type = &crypto_aead_type; |
| 548 | inst->alg.cra_aead.ivsize = 16; |
| 549 | inst->alg.cra_aead.maxauthsize = 16; |
| 550 | inst->alg.cra_ctxsize = sizeof(struct crypto_ccm_ctx); |
| 551 | inst->alg.cra_init = crypto_ccm_init_tfm; |
| 552 | inst->alg.cra_exit = crypto_ccm_exit_tfm; |
| 553 | inst->alg.cra_aead.setkey = crypto_ccm_setkey; |
| 554 | inst->alg.cra_aead.setauthsize = crypto_ccm_setauthsize; |
| 555 | inst->alg.cra_aead.encrypt = crypto_ccm_encrypt; |
| 556 | inst->alg.cra_aead.decrypt = crypto_ccm_decrypt; |
| 557 | |
| 558 | out: |
| 559 | crypto_mod_put(cipher); |
| 560 | return inst; |
| 561 | |
| 562 | err_drop_ctr: |
| 563 | crypto_drop_skcipher(&ictx->ctr); |
| 564 | err_drop_cipher: |
| 565 | crypto_drop_spawn(&ictx->cipher); |
| 566 | err_free_inst: |
| 567 | kfree(inst); |
| 568 | out_put_cipher: |
| 569 | inst = ERR_PTR(err); |
| 570 | goto out; |
| 571 | } |
| 572 | |
| 573 | static struct crypto_instance *crypto_ccm_alloc(struct rtattr **tb) |
| 574 | { |
Joy Latten | 4a49b49 | 2007-12-12 20:25:13 +0800 | [diff] [blame] | 575 | const char *cipher_name; |
| 576 | char ctr_name[CRYPTO_MAX_ALG_NAME]; |
| 577 | char full_name[CRYPTO_MAX_ALG_NAME]; |
| 578 | |
| 579 | cipher_name = crypto_attr_alg_name(tb[1]); |
Joy Latten | 4a49b49 | 2007-12-12 20:25:13 +0800 | [diff] [blame] | 580 | if (IS_ERR(cipher_name)) |
Julia Lawall | 3e8afe3 | 2013-01-22 12:29:26 +0100 | [diff] [blame] | 581 | return ERR_CAST(cipher_name); |
Joy Latten | 4a49b49 | 2007-12-12 20:25:13 +0800 | [diff] [blame] | 582 | |
| 583 | if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", |
| 584 | cipher_name) >= CRYPTO_MAX_ALG_NAME) |
| 585 | return ERR_PTR(-ENAMETOOLONG); |
| 586 | |
| 587 | if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "ccm(%s)", cipher_name) >= |
| 588 | CRYPTO_MAX_ALG_NAME) |
| 589 | return ERR_PTR(-ENAMETOOLONG); |
| 590 | |
| 591 | return crypto_ccm_alloc_common(tb, full_name, ctr_name, cipher_name); |
| 592 | } |
| 593 | |
| 594 | static void crypto_ccm_free(struct crypto_instance *inst) |
| 595 | { |
| 596 | struct ccm_instance_ctx *ctx = crypto_instance_ctx(inst); |
| 597 | |
| 598 | crypto_drop_spawn(&ctx->cipher); |
| 599 | crypto_drop_skcipher(&ctx->ctr); |
| 600 | kfree(inst); |
| 601 | } |
| 602 | |
| 603 | static struct crypto_template crypto_ccm_tmpl = { |
| 604 | .name = "ccm", |
| 605 | .alloc = crypto_ccm_alloc, |
| 606 | .free = crypto_ccm_free, |
| 607 | .module = THIS_MODULE, |
| 608 | }; |
| 609 | |
| 610 | static struct crypto_instance *crypto_ccm_base_alloc(struct rtattr **tb) |
| 611 | { |
Joy Latten | 4a49b49 | 2007-12-12 20:25:13 +0800 | [diff] [blame] | 612 | const char *ctr_name; |
| 613 | const char *cipher_name; |
| 614 | char full_name[CRYPTO_MAX_ALG_NAME]; |
| 615 | |
| 616 | ctr_name = crypto_attr_alg_name(tb[1]); |
Joy Latten | 4a49b49 | 2007-12-12 20:25:13 +0800 | [diff] [blame] | 617 | if (IS_ERR(ctr_name)) |
Julia Lawall | 3e8afe3 | 2013-01-22 12:29:26 +0100 | [diff] [blame] | 618 | return ERR_CAST(ctr_name); |
Joy Latten | 4a49b49 | 2007-12-12 20:25:13 +0800 | [diff] [blame] | 619 | |
| 620 | cipher_name = crypto_attr_alg_name(tb[2]); |
Joy Latten | 4a49b49 | 2007-12-12 20:25:13 +0800 | [diff] [blame] | 621 | if (IS_ERR(cipher_name)) |
Julia Lawall | 3e8afe3 | 2013-01-22 12:29:26 +0100 | [diff] [blame] | 622 | return ERR_CAST(cipher_name); |
Joy Latten | 4a49b49 | 2007-12-12 20:25:13 +0800 | [diff] [blame] | 623 | |
| 624 | if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "ccm_base(%s,%s)", |
| 625 | ctr_name, cipher_name) >= CRYPTO_MAX_ALG_NAME) |
| 626 | return ERR_PTR(-ENAMETOOLONG); |
| 627 | |
| 628 | return crypto_ccm_alloc_common(tb, full_name, ctr_name, cipher_name); |
| 629 | } |
| 630 | |
| 631 | static struct crypto_template crypto_ccm_base_tmpl = { |
| 632 | .name = "ccm_base", |
| 633 | .alloc = crypto_ccm_base_alloc, |
| 634 | .free = crypto_ccm_free, |
| 635 | .module = THIS_MODULE, |
| 636 | }; |
| 637 | |
| 638 | static int crypto_rfc4309_setkey(struct crypto_aead *parent, const u8 *key, |
| 639 | unsigned int keylen) |
| 640 | { |
| 641 | struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(parent); |
| 642 | struct crypto_aead *child = ctx->child; |
| 643 | int err; |
| 644 | |
| 645 | if (keylen < 3) |
| 646 | return -EINVAL; |
| 647 | |
| 648 | keylen -= 3; |
| 649 | memcpy(ctx->nonce, key + keylen, 3); |
| 650 | |
| 651 | crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK); |
| 652 | crypto_aead_set_flags(child, crypto_aead_get_flags(parent) & |
| 653 | CRYPTO_TFM_REQ_MASK); |
| 654 | err = crypto_aead_setkey(child, key, keylen); |
| 655 | crypto_aead_set_flags(parent, crypto_aead_get_flags(child) & |
| 656 | CRYPTO_TFM_RES_MASK); |
| 657 | |
| 658 | return err; |
| 659 | } |
| 660 | |
| 661 | static int crypto_rfc4309_setauthsize(struct crypto_aead *parent, |
| 662 | unsigned int authsize) |
| 663 | { |
| 664 | struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(parent); |
| 665 | |
| 666 | switch (authsize) { |
| 667 | case 8: |
| 668 | case 12: |
| 669 | case 16: |
| 670 | break; |
| 671 | default: |
| 672 | return -EINVAL; |
| 673 | } |
| 674 | |
| 675 | return crypto_aead_setauthsize(ctx->child, authsize); |
| 676 | } |
| 677 | |
| 678 | static struct aead_request *crypto_rfc4309_crypt(struct aead_request *req) |
| 679 | { |
| 680 | struct aead_request *subreq = aead_request_ctx(req); |
| 681 | struct crypto_aead *aead = crypto_aead_reqtfm(req); |
| 682 | struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(aead); |
| 683 | struct crypto_aead *child = ctx->child; |
| 684 | u8 *iv = PTR_ALIGN((u8 *)(subreq + 1) + crypto_aead_reqsize(child), |
| 685 | crypto_aead_alignmask(child) + 1); |
| 686 | |
| 687 | /* L' */ |
| 688 | iv[0] = 3; |
| 689 | |
| 690 | memcpy(iv + 1, ctx->nonce, 3); |
| 691 | memcpy(iv + 4, req->iv, 8); |
| 692 | |
| 693 | aead_request_set_tfm(subreq, child); |
| 694 | aead_request_set_callback(subreq, req->base.flags, req->base.complete, |
| 695 | req->base.data); |
| 696 | aead_request_set_crypt(subreq, req->src, req->dst, req->cryptlen, iv); |
| 697 | aead_request_set_assoc(subreq, req->assoc, req->assoclen); |
| 698 | |
| 699 | return subreq; |
| 700 | } |
| 701 | |
| 702 | static int crypto_rfc4309_encrypt(struct aead_request *req) |
| 703 | { |
| 704 | req = crypto_rfc4309_crypt(req); |
| 705 | |
| 706 | return crypto_aead_encrypt(req); |
| 707 | } |
| 708 | |
| 709 | static int crypto_rfc4309_decrypt(struct aead_request *req) |
| 710 | { |
| 711 | req = crypto_rfc4309_crypt(req); |
| 712 | |
| 713 | return crypto_aead_decrypt(req); |
| 714 | } |
| 715 | |
| 716 | static int crypto_rfc4309_init_tfm(struct crypto_tfm *tfm) |
| 717 | { |
| 718 | struct crypto_instance *inst = (void *)tfm->__crt_alg; |
| 719 | struct crypto_aead_spawn *spawn = crypto_instance_ctx(inst); |
| 720 | struct crypto_rfc4309_ctx *ctx = crypto_tfm_ctx(tfm); |
| 721 | struct crypto_aead *aead; |
| 722 | unsigned long align; |
| 723 | |
| 724 | aead = crypto_spawn_aead(spawn); |
| 725 | if (IS_ERR(aead)) |
| 726 | return PTR_ERR(aead); |
| 727 | |
| 728 | ctx->child = aead; |
| 729 | |
| 730 | align = crypto_aead_alignmask(aead); |
| 731 | align &= ~(crypto_tfm_ctx_alignment() - 1); |
| 732 | tfm->crt_aead.reqsize = sizeof(struct aead_request) + |
| 733 | ALIGN(crypto_aead_reqsize(aead), |
| 734 | crypto_tfm_ctx_alignment()) + |
| 735 | align + 16; |
| 736 | |
| 737 | return 0; |
| 738 | } |
| 739 | |
| 740 | static void crypto_rfc4309_exit_tfm(struct crypto_tfm *tfm) |
| 741 | { |
| 742 | struct crypto_rfc4309_ctx *ctx = crypto_tfm_ctx(tfm); |
| 743 | |
| 744 | crypto_free_aead(ctx->child); |
| 745 | } |
| 746 | |
| 747 | static struct crypto_instance *crypto_rfc4309_alloc(struct rtattr **tb) |
| 748 | { |
| 749 | struct crypto_attr_type *algt; |
| 750 | struct crypto_instance *inst; |
| 751 | struct crypto_aead_spawn *spawn; |
| 752 | struct crypto_alg *alg; |
| 753 | const char *ccm_name; |
| 754 | int err; |
| 755 | |
| 756 | algt = crypto_get_attr_type(tb); |
Joy Latten | 4a49b49 | 2007-12-12 20:25:13 +0800 | [diff] [blame] | 757 | if (IS_ERR(algt)) |
Julia Lawall | 3e8afe3 | 2013-01-22 12:29:26 +0100 | [diff] [blame] | 758 | return ERR_CAST(algt); |
Joy Latten | 4a49b49 | 2007-12-12 20:25:13 +0800 | [diff] [blame] | 759 | |
| 760 | if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask) |
| 761 | return ERR_PTR(-EINVAL); |
| 762 | |
| 763 | ccm_name = crypto_attr_alg_name(tb[1]); |
Joy Latten | 4a49b49 | 2007-12-12 20:25:13 +0800 | [diff] [blame] | 764 | if (IS_ERR(ccm_name)) |
Julia Lawall | 3e8afe3 | 2013-01-22 12:29:26 +0100 | [diff] [blame] | 765 | return ERR_CAST(ccm_name); |
Joy Latten | 4a49b49 | 2007-12-12 20:25:13 +0800 | [diff] [blame] | 766 | |
| 767 | inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL); |
| 768 | if (!inst) |
| 769 | return ERR_PTR(-ENOMEM); |
| 770 | |
| 771 | spawn = crypto_instance_ctx(inst); |
| 772 | crypto_set_aead_spawn(spawn, inst); |
| 773 | err = crypto_grab_aead(spawn, ccm_name, 0, |
| 774 | crypto_requires_sync(algt->type, algt->mask)); |
| 775 | if (err) |
| 776 | goto out_free_inst; |
| 777 | |
| 778 | alg = crypto_aead_spawn_alg(spawn); |
| 779 | |
| 780 | err = -EINVAL; |
| 781 | |
| 782 | /* We only support 16-byte blocks. */ |
| 783 | if (alg->cra_aead.ivsize != 16) |
| 784 | goto out_drop_alg; |
| 785 | |
| 786 | /* Not a stream cipher? */ |
| 787 | if (alg->cra_blocksize != 1) |
| 788 | goto out_drop_alg; |
| 789 | |
| 790 | err = -ENAMETOOLONG; |
| 791 | if (snprintf(inst->alg.cra_name, CRYPTO_MAX_ALG_NAME, |
| 792 | "rfc4309(%s)", alg->cra_name) >= CRYPTO_MAX_ALG_NAME || |
| 793 | snprintf(inst->alg.cra_driver_name, CRYPTO_MAX_ALG_NAME, |
| 794 | "rfc4309(%s)", alg->cra_driver_name) >= |
| 795 | CRYPTO_MAX_ALG_NAME) |
| 796 | goto out_drop_alg; |
| 797 | |
| 798 | inst->alg.cra_flags = CRYPTO_ALG_TYPE_AEAD; |
| 799 | inst->alg.cra_flags |= alg->cra_flags & CRYPTO_ALG_ASYNC; |
| 800 | inst->alg.cra_priority = alg->cra_priority; |
| 801 | inst->alg.cra_blocksize = 1; |
| 802 | inst->alg.cra_alignmask = alg->cra_alignmask; |
| 803 | inst->alg.cra_type = &crypto_nivaead_type; |
| 804 | |
| 805 | inst->alg.cra_aead.ivsize = 8; |
| 806 | inst->alg.cra_aead.maxauthsize = 16; |
| 807 | |
| 808 | inst->alg.cra_ctxsize = sizeof(struct crypto_rfc4309_ctx); |
| 809 | |
| 810 | inst->alg.cra_init = crypto_rfc4309_init_tfm; |
| 811 | inst->alg.cra_exit = crypto_rfc4309_exit_tfm; |
| 812 | |
| 813 | inst->alg.cra_aead.setkey = crypto_rfc4309_setkey; |
| 814 | inst->alg.cra_aead.setauthsize = crypto_rfc4309_setauthsize; |
| 815 | inst->alg.cra_aead.encrypt = crypto_rfc4309_encrypt; |
| 816 | inst->alg.cra_aead.decrypt = crypto_rfc4309_decrypt; |
| 817 | |
| 818 | inst->alg.cra_aead.geniv = "seqiv"; |
| 819 | |
| 820 | out: |
| 821 | return inst; |
| 822 | |
| 823 | out_drop_alg: |
| 824 | crypto_drop_aead(spawn); |
| 825 | out_free_inst: |
| 826 | kfree(inst); |
| 827 | inst = ERR_PTR(err); |
| 828 | goto out; |
| 829 | } |
| 830 | |
| 831 | static void crypto_rfc4309_free(struct crypto_instance *inst) |
| 832 | { |
| 833 | crypto_drop_spawn(crypto_instance_ctx(inst)); |
| 834 | kfree(inst); |
| 835 | } |
| 836 | |
| 837 | static struct crypto_template crypto_rfc4309_tmpl = { |
| 838 | .name = "rfc4309", |
| 839 | .alloc = crypto_rfc4309_alloc, |
| 840 | .free = crypto_rfc4309_free, |
| 841 | .module = THIS_MODULE, |
| 842 | }; |
| 843 | |
| 844 | static int __init crypto_ccm_module_init(void) |
| 845 | { |
| 846 | int err; |
| 847 | |
| 848 | err = crypto_register_template(&crypto_ccm_base_tmpl); |
| 849 | if (err) |
| 850 | goto out; |
| 851 | |
| 852 | err = crypto_register_template(&crypto_ccm_tmpl); |
| 853 | if (err) |
| 854 | goto out_undo_base; |
| 855 | |
| 856 | err = crypto_register_template(&crypto_rfc4309_tmpl); |
| 857 | if (err) |
| 858 | goto out_undo_ccm; |
| 859 | |
| 860 | out: |
| 861 | return err; |
| 862 | |
| 863 | out_undo_ccm: |
| 864 | crypto_unregister_template(&crypto_ccm_tmpl); |
| 865 | out_undo_base: |
| 866 | crypto_unregister_template(&crypto_ccm_base_tmpl); |
| 867 | goto out; |
| 868 | } |
| 869 | |
| 870 | static void __exit crypto_ccm_module_exit(void) |
| 871 | { |
| 872 | crypto_unregister_template(&crypto_rfc4309_tmpl); |
| 873 | crypto_unregister_template(&crypto_ccm_tmpl); |
| 874 | crypto_unregister_template(&crypto_ccm_base_tmpl); |
| 875 | } |
| 876 | |
| 877 | module_init(crypto_ccm_module_init); |
| 878 | module_exit(crypto_ccm_module_exit); |
| 879 | |
| 880 | MODULE_LICENSE("GPL"); |
| 881 | MODULE_DESCRIPTION("Counter with CBC MAC"); |
Kees Cook | 5d26a10 | 2014-11-20 17:05:53 -0800 | [diff] [blame] | 882 | MODULE_ALIAS_CRYPTO("ccm_base"); |
| 883 | MODULE_ALIAS_CRYPTO("rfc4309"); |
Kees Cook | 4943ba1 | 2014-11-24 16:32:38 -0800 | [diff] [blame^] | 884 | MODULE_ALIAS_CRYPTO("ccm"); |