1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * GCM: Galois/Counter Mode.
4 *
5 * Copyright (c) 2007 Nokia Siemens Networks - Mikko Herranen <mh1@iki.fi>
6 */
7
8 #include <crypto/internal/aead.h>
9 #include <crypto/internal/skcipher.h>
10 #include <crypto/scatterwalk.h>
11 #include <crypto/gcm.h>
12 #include <crypto/gf128hash.h>
13 #include <linux/err.h>
14 #include <linux/init.h>
15 #include <linux/kernel.h>
16 #include <linux/module.h>
17 #include <linux/slab.h>
18
19 struct gcm_instance_ctx {
20 struct crypto_skcipher_spawn ctr;
21 };
22
23 struct crypto_gcm_ctx {
24 struct crypto_skcipher *ctr;
25 struct ghash_key ghash;
26 };
27
28 struct crypto_rfc4106_ctx {
29 struct crypto_aead *child;
30 u8 nonce[4];
31 };
32
33 struct crypto_rfc4106_req_ctx {
34 struct scatterlist src[3];
35 struct scatterlist dst[3];
36 struct aead_request subreq;
37 };
38
39 struct crypto_rfc4543_instance_ctx {
40 struct crypto_aead_spawn aead;
41 };
42
43 struct crypto_rfc4543_ctx {
44 struct crypto_aead *child;
45 u8 nonce[4];
46 };
47
48 struct crypto_rfc4543_req_ctx {
49 struct aead_request subreq;
50 };
51
52 struct crypto_gcm_req_priv_ctx {
53 u8 iv[16];
54 u8 auth_tag[16];
55 u8 iauth_tag[16];
56 struct scatterlist src[3];
57 struct scatterlist dst[3];
58 struct skcipher_request skreq; /* Must be last */
59 };
60
crypto_gcm_reqctx(struct aead_request * req)61 static inline struct crypto_gcm_req_priv_ctx *crypto_gcm_reqctx(
62 struct aead_request *req)
63 {
64 unsigned long align = crypto_aead_alignmask(crypto_aead_reqtfm(req));
65
66 return (void *)PTR_ALIGN((u8 *)aead_request_ctx(req), align + 1);
67 }
68
crypto_gcm_setkey(struct crypto_aead * aead,const u8 * key,unsigned int keylen)69 static int crypto_gcm_setkey(struct crypto_aead *aead, const u8 *key,
70 unsigned int keylen)
71 {
72 struct crypto_gcm_ctx *ctx = crypto_aead_ctx(aead);
73 struct crypto_skcipher *ctr = ctx->ctr;
74 struct {
75 u8 h[GHASH_BLOCK_SIZE];
76 u8 iv[16];
77
78 struct crypto_wait wait;
79
80 struct scatterlist sg[1];
81 struct skcipher_request req;
82 } *data;
83 int err;
84
85 crypto_skcipher_clear_flags(ctr, CRYPTO_TFM_REQ_MASK);
86 crypto_skcipher_set_flags(ctr, crypto_aead_get_flags(aead) &
87 CRYPTO_TFM_REQ_MASK);
88 err = crypto_skcipher_setkey(ctr, key, keylen);
89 if (err)
90 return err;
91
92 data = kzalloc(sizeof(*data) + crypto_skcipher_reqsize(ctr),
93 GFP_KERNEL);
94 if (!data)
95 return -ENOMEM;
96
97 crypto_init_wait(&data->wait);
98 sg_init_one(data->sg, data->h, sizeof(data->h));
99 skcipher_request_set_tfm(&data->req, ctr);
100 skcipher_request_set_callback(&data->req, CRYPTO_TFM_REQ_MAY_SLEEP |
101 CRYPTO_TFM_REQ_MAY_BACKLOG,
102 crypto_req_done,
103 &data->wait);
104 skcipher_request_set_crypt(&data->req, data->sg, data->sg,
105 sizeof(data->h), data->iv);
106
107 err = crypto_wait_req(crypto_skcipher_encrypt(&data->req),
108 &data->wait);
109
110 if (err)
111 goto out;
112
113 ghash_preparekey(&ctx->ghash, data->h);
114 out:
115 kfree_sensitive(data);
116 return err;
117 }
118
crypto_gcm_setauthsize(struct crypto_aead * tfm,unsigned int authsize)119 static int crypto_gcm_setauthsize(struct crypto_aead *tfm,
120 unsigned int authsize)
121 {
122 return crypto_gcm_check_authsize(authsize);
123 }
124
crypto_gcm_init_common(struct aead_request * req)125 static void crypto_gcm_init_common(struct aead_request *req)
126 {
127 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
128 __be32 counter = cpu_to_be32(1);
129 struct scatterlist *sg;
130
131 memset(pctx->auth_tag, 0, sizeof(pctx->auth_tag));
132 memcpy(pctx->iv, req->iv, GCM_AES_IV_SIZE);
133 memcpy(pctx->iv + GCM_AES_IV_SIZE, &counter, 4);
134
135 sg_init_table(pctx->src, 3);
136 sg_set_buf(pctx->src, pctx->auth_tag, sizeof(pctx->auth_tag));
137 sg = scatterwalk_ffwd(pctx->src + 1, req->src, req->assoclen);
138 if (sg != pctx->src + 1)
139 sg_chain(pctx->src, 2, sg);
140
141 if (req->src != req->dst) {
142 sg_init_table(pctx->dst, 3);
143 sg_set_buf(pctx->dst, pctx->auth_tag, sizeof(pctx->auth_tag));
144 sg = scatterwalk_ffwd(pctx->dst + 1, req->dst, req->assoclen);
145 if (sg != pctx->dst + 1)
146 sg_chain(pctx->dst, 2, sg);
147 }
148 }
149
crypto_gcm_init_crypt(struct aead_request * req,unsigned int cryptlen)150 static void crypto_gcm_init_crypt(struct aead_request *req,
151 unsigned int cryptlen)
152 {
153 struct crypto_aead *aead = crypto_aead_reqtfm(req);
154 struct crypto_gcm_ctx *ctx = crypto_aead_ctx(aead);
155 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
156 struct skcipher_request *skreq = &pctx->skreq;
157 struct scatterlist *dst;
158
159 dst = req->src == req->dst ? pctx->src : pctx->dst;
160
161 skcipher_request_set_tfm(skreq, ctx->ctr);
162 skcipher_request_set_crypt(skreq, pctx->src, dst,
163 cryptlen + sizeof(pctx->auth_tag),
164 pctx->iv);
165 }
166
ghash_update_sg_and_pad(struct ghash_ctx * ghash,struct scatterlist * sg,unsigned int len)167 static void ghash_update_sg_and_pad(struct ghash_ctx *ghash,
168 struct scatterlist *sg, unsigned int len)
169 {
170 static const u8 zeroes[GHASH_BLOCK_SIZE];
171
172 if (len) {
173 unsigned int pad_len = -len % GHASH_BLOCK_SIZE;
174 struct scatter_walk walk;
175
176 scatterwalk_start(&walk, sg);
177 do {
178 unsigned int n = scatterwalk_next(&walk, len);
179
180 ghash_update(ghash, walk.addr, n);
181 scatterwalk_done_src(&walk, n);
182 len -= n;
183 } while (len);
184
185 if (pad_len)
186 ghash_update(ghash, zeroes, pad_len);
187 }
188 }
189
gcm_hash(struct aead_request * req,struct scatterlist * ctext,unsigned int datalen,u8 out[GHASH_BLOCK_SIZE])190 static void gcm_hash(struct aead_request *req, struct scatterlist *ctext,
191 unsigned int datalen, u8 out[GHASH_BLOCK_SIZE])
192 {
193 const struct crypto_gcm_ctx *ctx =
194 crypto_aead_ctx(crypto_aead_reqtfm(req));
195 __be64 lengths[2] = {
196 cpu_to_be64(8 * (u64)req->assoclen),
197 cpu_to_be64(8 * (u64)datalen),
198 };
199 struct ghash_ctx ghash;
200
201 ghash_init(&ghash, &ctx->ghash);
202
203 /* Associated data, then zero-padding to the next 16-byte boundary */
204 ghash_update_sg_and_pad(&ghash, req->src, req->assoclen);
205
206 /* Ciphertext, then zero-padding to the next 16-byte boundary */
207 ghash_update_sg_and_pad(&ghash, ctext, datalen);
208
209 /* Lengths block */
210 ghash_update(&ghash, (const u8 *)lengths, sizeof(lengths));
211
212 ghash_final(&ghash, out);
213 }
214
gcm_add_auth_tag(struct aead_request * req)215 static int gcm_add_auth_tag(struct aead_request *req)
216 {
217 struct crypto_aead *aead = crypto_aead_reqtfm(req);
218 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
219
220 gcm_hash(req, sg_next(req->src == req->dst ? pctx->src : pctx->dst),
221 req->cryptlen, pctx->iauth_tag);
222 crypto_xor(pctx->auth_tag, pctx->iauth_tag, 16);
223 memcpy_to_sglist(req->dst, req->assoclen + req->cryptlen,
224 pctx->auth_tag, crypto_aead_authsize(aead));
225 return 0;
226 }
227
gcm_encrypt_done(void * data,int err)228 static void gcm_encrypt_done(void *data, int err)
229 {
230 struct aead_request *req = data;
231
232 if (err)
233 goto out;
234
235 err = gcm_add_auth_tag(req);
236
237 out:
238 aead_request_complete(req, err);
239 }
240
crypto_gcm_encrypt(struct aead_request * req)241 static int crypto_gcm_encrypt(struct aead_request *req)
242 {
243 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
244 struct skcipher_request *skreq = &pctx->skreq;
245 u32 flags = aead_request_flags(req);
246
247 crypto_gcm_init_common(req);
248 crypto_gcm_init_crypt(req, req->cryptlen);
249 skcipher_request_set_callback(skreq, flags, gcm_encrypt_done, req);
250
251 return crypto_skcipher_encrypt(skreq) ?: gcm_add_auth_tag(req);
252 }
253
crypto_gcm_verify(struct aead_request * req)254 static int crypto_gcm_verify(struct aead_request *req)
255 {
256 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
257 struct crypto_aead *aead = crypto_aead_reqtfm(req);
258 u8 *auth_tag = pctx->auth_tag;
259 u8 *iauth_tag = pctx->iauth_tag;
260 unsigned int authsize = crypto_aead_authsize(aead);
261 unsigned int cryptlen = req->cryptlen - authsize;
262
263 crypto_xor(auth_tag, iauth_tag, 16);
264 scatterwalk_map_and_copy(iauth_tag, req->src,
265 req->assoclen + cryptlen, authsize, 0);
266 return crypto_memneq(iauth_tag, auth_tag, authsize) ? -EBADMSG : 0;
267 }
268
gcm_decrypt_done(void * data,int err)269 static void gcm_decrypt_done(void *data, int err)
270 {
271 struct aead_request *req = data;
272
273 if (!err)
274 err = crypto_gcm_verify(req);
275
276 aead_request_complete(req, err);
277 }
278
crypto_gcm_decrypt(struct aead_request * req)279 static int crypto_gcm_decrypt(struct aead_request *req)
280 {
281 struct crypto_aead *aead = crypto_aead_reqtfm(req);
282 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
283 struct skcipher_request *skreq = &pctx->skreq;
284 unsigned int datalen = req->cryptlen - crypto_aead_authsize(aead);
285
286 crypto_gcm_init_common(req);
287
288 gcm_hash(req, sg_next(pctx->src), datalen, pctx->iauth_tag);
289
290 crypto_gcm_init_crypt(req, datalen);
291 skcipher_request_set_callback(skreq, aead_request_flags(req),
292 gcm_decrypt_done, req);
293 return crypto_skcipher_decrypt(skreq) ?: crypto_gcm_verify(req);
294 }
295
crypto_gcm_init_tfm(struct crypto_aead * tfm)296 static int crypto_gcm_init_tfm(struct crypto_aead *tfm)
297 {
298 struct aead_instance *inst = aead_alg_instance(tfm);
299 struct gcm_instance_ctx *ictx = aead_instance_ctx(inst);
300 struct crypto_gcm_ctx *ctx = crypto_aead_ctx(tfm);
301 struct crypto_skcipher *ctr;
302 unsigned long align;
303
304 ctr = crypto_spawn_skcipher(&ictx->ctr);
305 if (IS_ERR(ctr))
306 return PTR_ERR(ctr);
307
308 ctx->ctr = ctr;
309
310 align = crypto_aead_alignmask(tfm);
311 align &= ~(crypto_tfm_ctx_alignment() - 1);
312 crypto_aead_set_reqsize(tfm,
313 align + sizeof(struct crypto_gcm_req_priv_ctx) +
314 crypto_skcipher_reqsize(ctr));
315 return 0;
316 }
317
crypto_gcm_exit_tfm(struct crypto_aead * tfm)318 static void crypto_gcm_exit_tfm(struct crypto_aead *tfm)
319 {
320 struct crypto_gcm_ctx *ctx = crypto_aead_ctx(tfm);
321
322 crypto_free_skcipher(ctx->ctr);
323 }
324
crypto_gcm_free(struct aead_instance * inst)325 static void crypto_gcm_free(struct aead_instance *inst)
326 {
327 struct gcm_instance_ctx *ctx = aead_instance_ctx(inst);
328
329 crypto_drop_skcipher(&ctx->ctr);
330 kfree(inst);
331 }
332
crypto_gcm_create_common(struct crypto_template * tmpl,struct rtattr ** tb,const char * ctr_name)333 static int crypto_gcm_create_common(struct crypto_template *tmpl,
334 struct rtattr **tb, const char *ctr_name)
335 {
336 struct skcipher_alg_common *ctr;
337 u32 mask;
338 struct aead_instance *inst;
339 struct gcm_instance_ctx *ctx;
340 int err;
341
342 err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AEAD, &mask);
343 if (err)
344 return err;
345
346 inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
347 if (!inst)
348 return -ENOMEM;
349 ctx = aead_instance_ctx(inst);
350
351 err = crypto_grab_skcipher(&ctx->ctr, aead_crypto_instance(inst),
352 ctr_name, 0, mask);
353 if (err)
354 goto err_free_inst;
355 ctr = crypto_spawn_skcipher_alg_common(&ctx->ctr);
356
357 /* The skcipher algorithm must be CTR mode, using 16-byte blocks. */
358 err = -EINVAL;
359 if (strncmp(ctr->base.cra_name, "ctr(", 4) != 0 ||
360 ctr->ivsize != 16 || ctr->base.cra_blocksize != 1)
361 goto err_free_inst;
362
363 err = -ENAMETOOLONG;
364 if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
365 "gcm(%s", ctr->base.cra_name + 4) >= CRYPTO_MAX_ALG_NAME)
366 goto err_free_inst;
367
368 if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
369 "gcm_base(%s,ghash-lib)",
370 ctr->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
371 goto err_free_inst;
372
373 inst->alg.base.cra_priority = ctr->base.cra_priority;
374 inst->alg.base.cra_blocksize = 1;
375 inst->alg.base.cra_alignmask = ctr->base.cra_alignmask;
376 inst->alg.base.cra_ctxsize = sizeof(struct crypto_gcm_ctx);
377 inst->alg.ivsize = GCM_AES_IV_SIZE;
378 inst->alg.chunksize = ctr->chunksize;
379 inst->alg.maxauthsize = 16;
380 inst->alg.init = crypto_gcm_init_tfm;
381 inst->alg.exit = crypto_gcm_exit_tfm;
382 inst->alg.setkey = crypto_gcm_setkey;
383 inst->alg.setauthsize = crypto_gcm_setauthsize;
384 inst->alg.encrypt = crypto_gcm_encrypt;
385 inst->alg.decrypt = crypto_gcm_decrypt;
386
387 inst->free = crypto_gcm_free;
388
389 err = aead_register_instance(tmpl, inst);
390 if (err) {
391 err_free_inst:
392 crypto_gcm_free(inst);
393 }
394 return err;
395 }
396
crypto_gcm_create(struct crypto_template * tmpl,struct rtattr ** tb)397 static int crypto_gcm_create(struct crypto_template *tmpl, struct rtattr **tb)
398 {
399 const char *cipher_name;
400 char ctr_name[CRYPTO_MAX_ALG_NAME];
401
402 cipher_name = crypto_attr_alg_name(tb[1]);
403 if (IS_ERR(cipher_name))
404 return PTR_ERR(cipher_name);
405
406 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", cipher_name) >=
407 CRYPTO_MAX_ALG_NAME)
408 return -ENAMETOOLONG;
409
410 return crypto_gcm_create_common(tmpl, tb, ctr_name);
411 }
412
crypto_gcm_base_create(struct crypto_template * tmpl,struct rtattr ** tb)413 static int crypto_gcm_base_create(struct crypto_template *tmpl,
414 struct rtattr **tb)
415 {
416 const char *ctr_name;
417 const char *ghash_name;
418
419 ctr_name = crypto_attr_alg_name(tb[1]);
420 if (IS_ERR(ctr_name))
421 return PTR_ERR(ctr_name);
422
423 ghash_name = crypto_attr_alg_name(tb[2]);
424 if (IS_ERR(ghash_name))
425 return PTR_ERR(ghash_name);
426
427 /*
428 * Originally this parameter allowed requesting a specific
429 * implementation of GHASH. This is no longer supported. Now the best
430 * implementation of GHASH is just always used.
431 */
432 if (strcmp(ghash_name, "ghash") != 0 &&
433 strcmp(ghash_name, "ghash-lib") != 0)
434 return -EINVAL;
435
436 return crypto_gcm_create_common(tmpl, tb, ctr_name);
437 }
438
crypto_rfc4106_setkey(struct crypto_aead * parent,const u8 * key,unsigned int keylen)439 static int crypto_rfc4106_setkey(struct crypto_aead *parent, const u8 *key,
440 unsigned int keylen)
441 {
442 struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(parent);
443 struct crypto_aead *child = ctx->child;
444
445 if (keylen < 4)
446 return -EINVAL;
447
448 keylen -= 4;
449 memcpy(ctx->nonce, key + keylen, 4);
450
451 crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK);
452 crypto_aead_set_flags(child, crypto_aead_get_flags(parent) &
453 CRYPTO_TFM_REQ_MASK);
454 return crypto_aead_setkey(child, key, keylen);
455 }
456
crypto_rfc4106_setauthsize(struct crypto_aead * parent,unsigned int authsize)457 static int crypto_rfc4106_setauthsize(struct crypto_aead *parent,
458 unsigned int authsize)
459 {
460 struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(parent);
461 int err;
462
463 err = crypto_rfc4106_check_authsize(authsize);
464 if (err)
465 return err;
466
467 return crypto_aead_setauthsize(ctx->child, authsize);
468 }
469
crypto_rfc4106_crypt(struct aead_request * req)470 static struct aead_request *crypto_rfc4106_crypt(struct aead_request *req)
471 {
472 struct crypto_rfc4106_req_ctx *rctx = aead_request_ctx(req);
473 struct crypto_aead *aead = crypto_aead_reqtfm(req);
474 struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(aead);
475 struct aead_request *subreq = &rctx->subreq;
476 struct crypto_aead *child = ctx->child;
477 struct scatterlist *sg;
478 u8 *iv = PTR_ALIGN((u8 *)(subreq + 1) + crypto_aead_reqsize(child),
479 crypto_aead_alignmask(child) + 1);
480
481 scatterwalk_map_and_copy(iv + GCM_AES_IV_SIZE, req->src, 0, req->assoclen - 8, 0);
482
483 memcpy(iv, ctx->nonce, 4);
484 memcpy(iv + 4, req->iv, 8);
485
486 sg_init_table(rctx->src, 3);
487 sg_set_buf(rctx->src, iv + GCM_AES_IV_SIZE, req->assoclen - 8);
488 sg = scatterwalk_ffwd(rctx->src + 1, req->src, req->assoclen);
489 if (sg != rctx->src + 1)
490 sg_chain(rctx->src, 2, sg);
491
492 if (req->src != req->dst) {
493 sg_init_table(rctx->dst, 3);
494 sg_set_buf(rctx->dst, iv + GCM_AES_IV_SIZE, req->assoclen - 8);
495 sg = scatterwalk_ffwd(rctx->dst + 1, req->dst, req->assoclen);
496 if (sg != rctx->dst + 1)
497 sg_chain(rctx->dst, 2, sg);
498 }
499
500 aead_request_set_tfm(subreq, child);
501 aead_request_set_callback(subreq, req->base.flags, req->base.complete,
502 req->base.data);
503 aead_request_set_crypt(subreq, rctx->src,
504 req->src == req->dst ? rctx->src : rctx->dst,
505 req->cryptlen, iv);
506 aead_request_set_ad(subreq, req->assoclen - 8);
507
508 return subreq;
509 }
510
crypto_rfc4106_encrypt(struct aead_request * req)511 static int crypto_rfc4106_encrypt(struct aead_request *req)
512 {
513 int err;
514
515 err = crypto_ipsec_check_assoclen(req->assoclen);
516 if (err)
517 return err;
518
519 req = crypto_rfc4106_crypt(req);
520
521 return crypto_aead_encrypt(req);
522 }
523
crypto_rfc4106_decrypt(struct aead_request * req)524 static int crypto_rfc4106_decrypt(struct aead_request *req)
525 {
526 int err;
527
528 err = crypto_ipsec_check_assoclen(req->assoclen);
529 if (err)
530 return err;
531
532 req = crypto_rfc4106_crypt(req);
533
534 return crypto_aead_decrypt(req);
535 }
536
crypto_rfc4106_init_tfm(struct crypto_aead * tfm)537 static int crypto_rfc4106_init_tfm(struct crypto_aead *tfm)
538 {
539 struct aead_instance *inst = aead_alg_instance(tfm);
540 struct crypto_aead_spawn *spawn = aead_instance_ctx(inst);
541 struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(tfm);
542 struct crypto_aead *aead;
543 unsigned long align;
544
545 aead = crypto_spawn_aead(spawn);
546 if (IS_ERR(aead))
547 return PTR_ERR(aead);
548
549 ctx->child = aead;
550
551 align = crypto_aead_alignmask(aead);
552 align &= ~(crypto_tfm_ctx_alignment() - 1);
553 crypto_aead_set_reqsize(
554 tfm,
555 sizeof(struct crypto_rfc4106_req_ctx) +
556 ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) +
557 align + 24);
558
559 return 0;
560 }
561
crypto_rfc4106_exit_tfm(struct crypto_aead * tfm)562 static void crypto_rfc4106_exit_tfm(struct crypto_aead *tfm)
563 {
564 struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(tfm);
565
566 crypto_free_aead(ctx->child);
567 }
568
crypto_rfc4106_free(struct aead_instance * inst)569 static void crypto_rfc4106_free(struct aead_instance *inst)
570 {
571 crypto_drop_aead(aead_instance_ctx(inst));
572 kfree(inst);
573 }
574
crypto_rfc4106_create(struct crypto_template * tmpl,struct rtattr ** tb)575 static int crypto_rfc4106_create(struct crypto_template *tmpl,
576 struct rtattr **tb)
577 {
578 u32 mask;
579 struct aead_instance *inst;
580 struct crypto_aead_spawn *spawn;
581 struct aead_alg *alg;
582 int err;
583
584 err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AEAD, &mask);
585 if (err)
586 return err;
587
588 inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
589 if (!inst)
590 return -ENOMEM;
591
592 spawn = aead_instance_ctx(inst);
593 err = crypto_grab_aead(spawn, aead_crypto_instance(inst),
594 crypto_attr_alg_name(tb[1]), 0, mask);
595 if (err)
596 goto err_free_inst;
597
598 alg = crypto_spawn_aead_alg(spawn);
599
600 err = -EINVAL;
601
602 /* Underlying IV size must be 12. */
603 if (crypto_aead_alg_ivsize(alg) != GCM_AES_IV_SIZE)
604 goto err_free_inst;
605
606 /* Not a stream cipher? */
607 if (alg->base.cra_blocksize != 1)
608 goto err_free_inst;
609
610 err = -ENAMETOOLONG;
611 if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
612 "rfc4106(%s)", alg->base.cra_name) >=
613 CRYPTO_MAX_ALG_NAME ||
614 snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
615 "rfc4106(%s)", alg->base.cra_driver_name) >=
616 CRYPTO_MAX_ALG_NAME)
617 goto err_free_inst;
618
619 inst->alg.base.cra_priority = alg->base.cra_priority;
620 inst->alg.base.cra_blocksize = 1;
621 inst->alg.base.cra_alignmask = alg->base.cra_alignmask;
622
623 inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4106_ctx);
624
625 inst->alg.ivsize = GCM_RFC4106_IV_SIZE;
626 inst->alg.chunksize = crypto_aead_alg_chunksize(alg);
627 inst->alg.maxauthsize = crypto_aead_alg_maxauthsize(alg);
628
629 inst->alg.init = crypto_rfc4106_init_tfm;
630 inst->alg.exit = crypto_rfc4106_exit_tfm;
631
632 inst->alg.setkey = crypto_rfc4106_setkey;
633 inst->alg.setauthsize = crypto_rfc4106_setauthsize;
634 inst->alg.encrypt = crypto_rfc4106_encrypt;
635 inst->alg.decrypt = crypto_rfc4106_decrypt;
636
637 inst->free = crypto_rfc4106_free;
638
639 err = aead_register_instance(tmpl, inst);
640 if (err) {
641 err_free_inst:
642 crypto_rfc4106_free(inst);
643 }
644 return err;
645 }
646
crypto_rfc4543_setkey(struct crypto_aead * parent,const u8 * key,unsigned int keylen)647 static int crypto_rfc4543_setkey(struct crypto_aead *parent, const u8 *key,
648 unsigned int keylen)
649 {
650 struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(parent);
651 struct crypto_aead *child = ctx->child;
652
653 if (keylen < 4)
654 return -EINVAL;
655
656 keylen -= 4;
657 memcpy(ctx->nonce, key + keylen, 4);
658
659 crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK);
660 crypto_aead_set_flags(child, crypto_aead_get_flags(parent) &
661 CRYPTO_TFM_REQ_MASK);
662 return crypto_aead_setkey(child, key, keylen);
663 }
664
crypto_rfc4543_setauthsize(struct crypto_aead * parent,unsigned int authsize)665 static int crypto_rfc4543_setauthsize(struct crypto_aead *parent,
666 unsigned int authsize)
667 {
668 struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(parent);
669
670 if (authsize != 16)
671 return -EINVAL;
672
673 return crypto_aead_setauthsize(ctx->child, authsize);
674 }
675
crypto_rfc4543_crypt(struct aead_request * req,bool enc)676 static int crypto_rfc4543_crypt(struct aead_request *req, bool enc)
677 {
678 struct crypto_aead *aead = crypto_aead_reqtfm(req);
679 struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(aead);
680 struct crypto_rfc4543_req_ctx *rctx = aead_request_ctx(req);
681 struct aead_request *subreq = &rctx->subreq;
682 unsigned int authsize = crypto_aead_authsize(aead);
683 u8 *iv = PTR_ALIGN((u8 *)(rctx + 1) + crypto_aead_reqsize(ctx->child),
684 crypto_aead_alignmask(ctx->child) + 1);
685
686 if (req->src != req->dst) {
687 unsigned int nbytes = req->assoclen + req->cryptlen -
688 (enc ? 0 : authsize);
689
690 memcpy_sglist(req->dst, req->src, nbytes);
691 }
692
693 memcpy(iv, ctx->nonce, 4);
694 memcpy(iv + 4, req->iv, 8);
695
696 aead_request_set_tfm(subreq, ctx->child);
697 aead_request_set_callback(subreq, req->base.flags,
698 req->base.complete, req->base.data);
699 aead_request_set_crypt(subreq, req->src, req->dst,
700 enc ? 0 : authsize, iv);
701 aead_request_set_ad(subreq, req->assoclen + req->cryptlen -
702 subreq->cryptlen);
703
704 return enc ? crypto_aead_encrypt(subreq) : crypto_aead_decrypt(subreq);
705 }
706
crypto_rfc4543_encrypt(struct aead_request * req)707 static int crypto_rfc4543_encrypt(struct aead_request *req)
708 {
709 return crypto_ipsec_check_assoclen(req->assoclen) ?:
710 crypto_rfc4543_crypt(req, true);
711 }
712
crypto_rfc4543_decrypt(struct aead_request * req)713 static int crypto_rfc4543_decrypt(struct aead_request *req)
714 {
715 return crypto_ipsec_check_assoclen(req->assoclen) ?:
716 crypto_rfc4543_crypt(req, false);
717 }
718
crypto_rfc4543_init_tfm(struct crypto_aead * tfm)719 static int crypto_rfc4543_init_tfm(struct crypto_aead *tfm)
720 {
721 struct aead_instance *inst = aead_alg_instance(tfm);
722 struct crypto_rfc4543_instance_ctx *ictx = aead_instance_ctx(inst);
723 struct crypto_aead_spawn *spawn = &ictx->aead;
724 struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(tfm);
725 struct crypto_aead *aead;
726 unsigned long align;
727
728 aead = crypto_spawn_aead(spawn);
729 if (IS_ERR(aead))
730 return PTR_ERR(aead);
731
732 ctx->child = aead;
733
734 align = crypto_aead_alignmask(aead);
735 align &= ~(crypto_tfm_ctx_alignment() - 1);
736 crypto_aead_set_reqsize(
737 tfm,
738 sizeof(struct crypto_rfc4543_req_ctx) +
739 ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) +
740 align + GCM_AES_IV_SIZE);
741
742 return 0;
743 }
744
crypto_rfc4543_exit_tfm(struct crypto_aead * tfm)745 static void crypto_rfc4543_exit_tfm(struct crypto_aead *tfm)
746 {
747 struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(tfm);
748
749 crypto_free_aead(ctx->child);
750 }
751
crypto_rfc4543_free(struct aead_instance * inst)752 static void crypto_rfc4543_free(struct aead_instance *inst)
753 {
754 struct crypto_rfc4543_instance_ctx *ctx = aead_instance_ctx(inst);
755
756 crypto_drop_aead(&ctx->aead);
757
758 kfree(inst);
759 }
760
crypto_rfc4543_create(struct crypto_template * tmpl,struct rtattr ** tb)761 static int crypto_rfc4543_create(struct crypto_template *tmpl,
762 struct rtattr **tb)
763 {
764 u32 mask;
765 struct aead_instance *inst;
766 struct aead_alg *alg;
767 struct crypto_rfc4543_instance_ctx *ctx;
768 int err;
769
770 err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AEAD, &mask);
771 if (err)
772 return err;
773
774 inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
775 if (!inst)
776 return -ENOMEM;
777
778 ctx = aead_instance_ctx(inst);
779 err = crypto_grab_aead(&ctx->aead, aead_crypto_instance(inst),
780 crypto_attr_alg_name(tb[1]), 0, mask);
781 if (err)
782 goto err_free_inst;
783
784 alg = crypto_spawn_aead_alg(&ctx->aead);
785
786 err = -EINVAL;
787
788 /* Underlying IV size must be 12. */
789 if (crypto_aead_alg_ivsize(alg) != GCM_AES_IV_SIZE)
790 goto err_free_inst;
791
792 /* Not a stream cipher? */
793 if (alg->base.cra_blocksize != 1)
794 goto err_free_inst;
795
796 err = -ENAMETOOLONG;
797 if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
798 "rfc4543(%s)", alg->base.cra_name) >=
799 CRYPTO_MAX_ALG_NAME ||
800 snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
801 "rfc4543(%s)", alg->base.cra_driver_name) >=
802 CRYPTO_MAX_ALG_NAME)
803 goto err_free_inst;
804
805 inst->alg.base.cra_priority = alg->base.cra_priority;
806 inst->alg.base.cra_blocksize = 1;
807 inst->alg.base.cra_alignmask = alg->base.cra_alignmask;
808
809 inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4543_ctx);
810
811 inst->alg.ivsize = GCM_RFC4543_IV_SIZE;
812 inst->alg.chunksize = crypto_aead_alg_chunksize(alg);
813 inst->alg.maxauthsize = crypto_aead_alg_maxauthsize(alg);
814
815 inst->alg.init = crypto_rfc4543_init_tfm;
816 inst->alg.exit = crypto_rfc4543_exit_tfm;
817
818 inst->alg.setkey = crypto_rfc4543_setkey;
819 inst->alg.setauthsize = crypto_rfc4543_setauthsize;
820 inst->alg.encrypt = crypto_rfc4543_encrypt;
821 inst->alg.decrypt = crypto_rfc4543_decrypt;
822
823 inst->free = crypto_rfc4543_free;
824
825 err = aead_register_instance(tmpl, inst);
826 if (err) {
827 err_free_inst:
828 crypto_rfc4543_free(inst);
829 }
830 return err;
831 }
832
833 static struct crypto_template crypto_gcm_tmpls[] = {
834 {
835 .name = "gcm_base",
836 .create = crypto_gcm_base_create,
837 .module = THIS_MODULE,
838 }, {
839 .name = "gcm",
840 .create = crypto_gcm_create,
841 .module = THIS_MODULE,
842 }, {
843 .name = "rfc4106",
844 .create = crypto_rfc4106_create,
845 .module = THIS_MODULE,
846 }, {
847 .name = "rfc4543",
848 .create = crypto_rfc4543_create,
849 .module = THIS_MODULE,
850 },
851 };
852
crypto_gcm_module_init(void)853 static int __init crypto_gcm_module_init(void)
854 {
855 return crypto_register_templates(crypto_gcm_tmpls,
856 ARRAY_SIZE(crypto_gcm_tmpls));
857 }
858
crypto_gcm_module_exit(void)859 static void __exit crypto_gcm_module_exit(void)
860 {
861 crypto_unregister_templates(crypto_gcm_tmpls,
862 ARRAY_SIZE(crypto_gcm_tmpls));
863 }
864
865 module_init(crypto_gcm_module_init);
866 module_exit(crypto_gcm_module_exit);
867
868 MODULE_LICENSE("GPL");
869 MODULE_DESCRIPTION("Galois/Counter Mode");
870 MODULE_AUTHOR("Mikko Herranen <mh1@iki.fi>");
871 MODULE_ALIAS_CRYPTO("gcm_base");
872 MODULE_ALIAS_CRYPTO("rfc4106");
873 MODULE_ALIAS_CRYPTO("rfc4543");
874 MODULE_ALIAS_CRYPTO("gcm");
875