2 * GCM: Galois/Counter Mode.
4 * Copyright (c) 2007 Nokia Siemens Networks - Mikko Herranen <mh1@iki.fi>
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License version 2 as published
8 * by the Free Software Foundation.
11 #include <crypto/gf128mul.h>
12 #include <crypto/internal/aead.h>
13 #include <crypto/internal/skcipher.h>
14 #include <crypto/internal/hash.h>
15 #include <crypto/scatterwalk.h>
16 #include <crypto/hash.h>
18 #include <linux/completion.h>
19 #include <linux/err.h>
20 #include <linux/init.h>
21 #include <linux/kernel.h>
22 #include <linux/module.h>
23 #include <linux/slab.h>
25 struct gcm_instance_ctx {
26 struct crypto_skcipher_spawn ctr;
27 struct crypto_ahash_spawn ghash;
30 struct crypto_gcm_ctx {
31 struct crypto_ablkcipher *ctr;
32 struct crypto_ahash *ghash;
35 struct crypto_rfc4106_ctx {
36 struct crypto_aead *child;
40 struct crypto_rfc4543_ctx {
41 struct crypto_aead *child;
45 struct crypto_rfc4543_req_ctx {
47 struct scatterlist cipher[1];
48 struct scatterlist payload[2];
49 struct scatterlist assoc[2];
50 struct aead_request subreq;
53 struct crypto_gcm_ghash_ctx {
54 unsigned int cryptlen;
55 struct scatterlist *src;
56 void (*complete)(struct aead_request *req, int err);
59 struct crypto_gcm_req_priv_ctx {
62 struct scatterlist src[2];
63 struct scatterlist dst[2];
64 struct crypto_gcm_ghash_ctx ghash_ctx;
66 struct ahash_request ahreq;
67 struct ablkcipher_request abreq;
71 struct crypto_gcm_setkey_result {
73 struct completion completion;
76 static void *gcm_zeroes;
78 static inline struct crypto_gcm_req_priv_ctx *crypto_gcm_reqctx(
79 struct aead_request *req)
81 unsigned long align = crypto_aead_alignmask(crypto_aead_reqtfm(req));
83 return (void *)PTR_ALIGN((u8 *)aead_request_ctx(req), align + 1);
86 static void crypto_gcm_setkey_done(struct crypto_async_request *req, int err)
88 struct crypto_gcm_setkey_result *result = req->data;
90 if (err == -EINPROGRESS)
94 complete(&result->completion);
97 static int crypto_gcm_setkey(struct crypto_aead *aead, const u8 *key,
100 struct crypto_gcm_ctx *ctx = crypto_aead_ctx(aead);
101 struct crypto_ahash *ghash = ctx->ghash;
102 struct crypto_ablkcipher *ctr = ctx->ctr;
107 struct crypto_gcm_setkey_result result;
109 struct scatterlist sg[1];
110 struct ablkcipher_request req;
114 crypto_ablkcipher_clear_flags(ctr, CRYPTO_TFM_REQ_MASK);
115 crypto_ablkcipher_set_flags(ctr, crypto_aead_get_flags(aead) &
116 CRYPTO_TFM_REQ_MASK);
118 err = crypto_ablkcipher_setkey(ctr, key, keylen);
122 crypto_aead_set_flags(aead, crypto_ablkcipher_get_flags(ctr) &
123 CRYPTO_TFM_RES_MASK);
125 data = kzalloc(sizeof(*data) + crypto_ablkcipher_reqsize(ctr),
130 init_completion(&data->result.completion);
131 sg_init_one(data->sg, &data->hash, sizeof(data->hash));
132 ablkcipher_request_set_tfm(&data->req, ctr);
133 ablkcipher_request_set_callback(&data->req, CRYPTO_TFM_REQ_MAY_SLEEP |
134 CRYPTO_TFM_REQ_MAY_BACKLOG,
135 crypto_gcm_setkey_done,
137 ablkcipher_request_set_crypt(&data->req, data->sg, data->sg,
138 sizeof(data->hash), data->iv);
140 err = crypto_ablkcipher_encrypt(&data->req);
141 if (err == -EINPROGRESS || err == -EBUSY) {
142 err = wait_for_completion_interruptible(
143 &data->result.completion);
145 err = data->result.err;
151 crypto_ahash_clear_flags(ghash, CRYPTO_TFM_REQ_MASK);
152 crypto_ahash_set_flags(ghash, crypto_aead_get_flags(aead) &
153 CRYPTO_TFM_REQ_MASK);
154 err = crypto_ahash_setkey(ghash, (u8 *)&data->hash, sizeof(be128));
155 crypto_aead_set_flags(aead, crypto_ahash_get_flags(ghash) &
156 CRYPTO_TFM_RES_MASK);
163 static int crypto_gcm_setauthsize(struct crypto_aead *tfm,
164 unsigned int authsize)
182 static void crypto_gcm_init_crypt(struct ablkcipher_request *ablk_req,
183 struct aead_request *req,
184 unsigned int cryptlen)
186 struct crypto_aead *aead = crypto_aead_reqtfm(req);
187 struct crypto_gcm_ctx *ctx = crypto_aead_ctx(aead);
188 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
189 struct scatterlist *dst;
190 __be32 counter = cpu_to_be32(1);
192 memset(pctx->auth_tag, 0, sizeof(pctx->auth_tag));
193 memcpy(req->iv + 12, &counter, 4);
195 sg_init_table(pctx->src, 2);
196 sg_set_buf(pctx->src, pctx->auth_tag, sizeof(pctx->auth_tag));
197 scatterwalk_sg_chain(pctx->src, 2, req->src);
200 if (req->src != req->dst) {
201 sg_init_table(pctx->dst, 2);
202 sg_set_buf(pctx->dst, pctx->auth_tag, sizeof(pctx->auth_tag));
203 scatterwalk_sg_chain(pctx->dst, 2, req->dst);
207 ablkcipher_request_set_tfm(ablk_req, ctx->ctr);
208 ablkcipher_request_set_crypt(ablk_req, pctx->src, dst,
209 cryptlen + sizeof(pctx->auth_tag),
213 static inline unsigned int gcm_remain(unsigned int len)
216 return len ? 16 - len : 0;
219 static void gcm_hash_len_done(struct crypto_async_request *areq, int err);
220 static void gcm_hash_final_done(struct crypto_async_request *areq, int err);
222 static int gcm_hash_update(struct aead_request *req,
223 struct crypto_gcm_req_priv_ctx *pctx,
224 crypto_completion_t complete,
225 struct scatterlist *src,
228 struct ahash_request *ahreq = &pctx->u.ahreq;
230 ahash_request_set_callback(ahreq, aead_request_flags(req),
232 ahash_request_set_crypt(ahreq, src, NULL, len);
234 return crypto_ahash_update(ahreq);
237 static int gcm_hash_remain(struct aead_request *req,
238 struct crypto_gcm_req_priv_ctx *pctx,
240 crypto_completion_t complete)
242 struct ahash_request *ahreq = &pctx->u.ahreq;
244 ahash_request_set_callback(ahreq, aead_request_flags(req),
246 sg_init_one(pctx->src, gcm_zeroes, remain);
247 ahash_request_set_crypt(ahreq, pctx->src, NULL, remain);
249 return crypto_ahash_update(ahreq);
252 static int gcm_hash_len(struct aead_request *req,
253 struct crypto_gcm_req_priv_ctx *pctx)
255 struct ahash_request *ahreq = &pctx->u.ahreq;
256 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
259 lengths.a = cpu_to_be64(req->assoclen * 8);
260 lengths.b = cpu_to_be64(gctx->cryptlen * 8);
261 memcpy(pctx->iauth_tag, &lengths, 16);
262 sg_init_one(pctx->src, pctx->iauth_tag, 16);
263 ahash_request_set_callback(ahreq, aead_request_flags(req),
264 gcm_hash_len_done, req);
265 ahash_request_set_crypt(ahreq, pctx->src,
266 NULL, sizeof(lengths));
268 return crypto_ahash_update(ahreq);
271 static int gcm_hash_final(struct aead_request *req,
272 struct crypto_gcm_req_priv_ctx *pctx)
274 struct ahash_request *ahreq = &pctx->u.ahreq;
276 ahash_request_set_callback(ahreq, aead_request_flags(req),
277 gcm_hash_final_done, req);
278 ahash_request_set_crypt(ahreq, NULL, pctx->iauth_tag, 0);
280 return crypto_ahash_final(ahreq);
283 static void __gcm_hash_final_done(struct aead_request *req, int err)
285 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
286 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
289 crypto_xor(pctx->auth_tag, pctx->iauth_tag, 16);
291 gctx->complete(req, err);
294 static void gcm_hash_final_done(struct crypto_async_request *areq, int err)
296 struct aead_request *req = areq->data;
298 __gcm_hash_final_done(req, err);
301 static void __gcm_hash_len_done(struct aead_request *req, int err)
303 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
306 err = gcm_hash_final(req, pctx);
307 if (err == -EINPROGRESS || err == -EBUSY)
311 __gcm_hash_final_done(req, err);
314 static void gcm_hash_len_done(struct crypto_async_request *areq, int err)
316 struct aead_request *req = areq->data;
318 __gcm_hash_len_done(req, err);
321 static void __gcm_hash_crypt_remain_done(struct aead_request *req, int err)
323 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
326 err = gcm_hash_len(req, pctx);
327 if (err == -EINPROGRESS || err == -EBUSY)
331 __gcm_hash_len_done(req, err);
334 static void gcm_hash_crypt_remain_done(struct crypto_async_request *areq,
337 struct aead_request *req = areq->data;
339 __gcm_hash_crypt_remain_done(req, err);
342 static void __gcm_hash_crypt_done(struct aead_request *req, int err)
344 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
345 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
349 remain = gcm_remain(gctx->cryptlen);
351 err = gcm_hash_remain(req, pctx, remain,
352 gcm_hash_crypt_remain_done);
353 if (err == -EINPROGRESS || err == -EBUSY)
357 __gcm_hash_crypt_remain_done(req, err);
360 static void gcm_hash_crypt_done(struct crypto_async_request *areq, int err)
362 struct aead_request *req = areq->data;
364 __gcm_hash_crypt_done(req, err);
367 static void __gcm_hash_assoc_remain_done(struct aead_request *req, int err)
369 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
370 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
371 crypto_completion_t complete;
372 unsigned int remain = 0;
374 if (!err && gctx->cryptlen) {
375 remain = gcm_remain(gctx->cryptlen);
376 complete = remain ? gcm_hash_crypt_done :
377 gcm_hash_crypt_remain_done;
378 err = gcm_hash_update(req, pctx, complete,
379 gctx->src, gctx->cryptlen);
380 if (err == -EINPROGRESS || err == -EBUSY)
385 __gcm_hash_crypt_done(req, err);
387 __gcm_hash_crypt_remain_done(req, err);
390 static void gcm_hash_assoc_remain_done(struct crypto_async_request *areq,
393 struct aead_request *req = areq->data;
395 __gcm_hash_assoc_remain_done(req, err);
398 static void __gcm_hash_assoc_done(struct aead_request *req, int err)
400 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
404 remain = gcm_remain(req->assoclen);
406 err = gcm_hash_remain(req, pctx, remain,
407 gcm_hash_assoc_remain_done);
408 if (err == -EINPROGRESS || err == -EBUSY)
412 __gcm_hash_assoc_remain_done(req, err);
415 static void gcm_hash_assoc_done(struct crypto_async_request *areq, int err)
417 struct aead_request *req = areq->data;
419 __gcm_hash_assoc_done(req, err);
422 static void __gcm_hash_init_done(struct aead_request *req, int err)
424 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
425 crypto_completion_t complete;
426 unsigned int remain = 0;
428 if (!err && req->assoclen) {
429 remain = gcm_remain(req->assoclen);
430 complete = remain ? gcm_hash_assoc_done :
431 gcm_hash_assoc_remain_done;
432 err = gcm_hash_update(req, pctx, complete,
433 req->assoc, req->assoclen);
434 if (err == -EINPROGRESS || err == -EBUSY)
439 __gcm_hash_assoc_done(req, err);
441 __gcm_hash_assoc_remain_done(req, err);
444 static void gcm_hash_init_done(struct crypto_async_request *areq, int err)
446 struct aead_request *req = areq->data;
448 __gcm_hash_init_done(req, err);
451 static int gcm_hash(struct aead_request *req,
452 struct crypto_gcm_req_priv_ctx *pctx)
454 struct ahash_request *ahreq = &pctx->u.ahreq;
455 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
456 struct crypto_gcm_ctx *ctx = crypto_tfm_ctx(req->base.tfm);
458 crypto_completion_t complete;
461 ahash_request_set_tfm(ahreq, ctx->ghash);
463 ahash_request_set_callback(ahreq, aead_request_flags(req),
464 gcm_hash_init_done, req);
465 err = crypto_ahash_init(ahreq);
468 remain = gcm_remain(req->assoclen);
469 complete = remain ? gcm_hash_assoc_done : gcm_hash_assoc_remain_done;
470 err = gcm_hash_update(req, pctx, complete, req->assoc, req->assoclen);
474 err = gcm_hash_remain(req, pctx, remain,
475 gcm_hash_assoc_remain_done);
479 remain = gcm_remain(gctx->cryptlen);
480 complete = remain ? gcm_hash_crypt_done : gcm_hash_crypt_remain_done;
481 err = gcm_hash_update(req, pctx, complete, gctx->src, gctx->cryptlen);
485 err = gcm_hash_remain(req, pctx, remain,
486 gcm_hash_crypt_remain_done);
490 err = gcm_hash_len(req, pctx);
493 err = gcm_hash_final(req, pctx);
500 static void gcm_enc_copy_hash(struct aead_request *req,
501 struct crypto_gcm_req_priv_ctx *pctx)
503 struct crypto_aead *aead = crypto_aead_reqtfm(req);
504 u8 *auth_tag = pctx->auth_tag;
506 scatterwalk_map_and_copy(auth_tag, req->dst, req->cryptlen,
507 crypto_aead_authsize(aead), 1);
510 static void gcm_enc_hash_done(struct aead_request *req, int err)
512 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
515 gcm_enc_copy_hash(req, pctx);
517 aead_request_complete(req, err);
520 static void gcm_encrypt_done(struct crypto_async_request *areq, int err)
522 struct aead_request *req = areq->data;
523 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
526 err = gcm_hash(req, pctx);
527 if (err == -EINPROGRESS || err == -EBUSY)
530 crypto_xor(pctx->auth_tag, pctx->iauth_tag, 16);
531 gcm_enc_copy_hash(req, pctx);
535 aead_request_complete(req, err);
538 static int crypto_gcm_encrypt(struct aead_request *req)
540 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
541 struct ablkcipher_request *abreq = &pctx->u.abreq;
542 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
545 crypto_gcm_init_crypt(abreq, req, req->cryptlen);
546 ablkcipher_request_set_callback(abreq, aead_request_flags(req),
547 gcm_encrypt_done, req);
549 gctx->src = req->dst;
550 gctx->cryptlen = req->cryptlen;
551 gctx->complete = gcm_enc_hash_done;
553 err = crypto_ablkcipher_encrypt(abreq);
557 err = gcm_hash(req, pctx);
561 crypto_xor(pctx->auth_tag, pctx->iauth_tag, 16);
562 gcm_enc_copy_hash(req, pctx);
567 static int crypto_gcm_verify(struct aead_request *req,
568 struct crypto_gcm_req_priv_ctx *pctx)
570 struct crypto_aead *aead = crypto_aead_reqtfm(req);
571 u8 *auth_tag = pctx->auth_tag;
572 u8 *iauth_tag = pctx->iauth_tag;
573 unsigned int authsize = crypto_aead_authsize(aead);
574 unsigned int cryptlen = req->cryptlen - authsize;
576 crypto_xor(auth_tag, iauth_tag, 16);
577 scatterwalk_map_and_copy(iauth_tag, req->src, cryptlen, authsize, 0);
578 return memcmp(iauth_tag, auth_tag, authsize) ? -EBADMSG : 0;
581 static void gcm_decrypt_done(struct crypto_async_request *areq, int err)
583 struct aead_request *req = areq->data;
584 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
587 err = crypto_gcm_verify(req, pctx);
589 aead_request_complete(req, err);
592 static void gcm_dec_hash_done(struct aead_request *req, int err)
594 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
595 struct ablkcipher_request *abreq = &pctx->u.abreq;
596 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
599 ablkcipher_request_set_callback(abreq, aead_request_flags(req),
600 gcm_decrypt_done, req);
601 crypto_gcm_init_crypt(abreq, req, gctx->cryptlen);
602 err = crypto_ablkcipher_decrypt(abreq);
603 if (err == -EINPROGRESS || err == -EBUSY)
606 err = crypto_gcm_verify(req, pctx);
609 aead_request_complete(req, err);
612 static int crypto_gcm_decrypt(struct aead_request *req)
614 struct crypto_aead *aead = crypto_aead_reqtfm(req);
615 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
616 struct ablkcipher_request *abreq = &pctx->u.abreq;
617 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
618 unsigned int authsize = crypto_aead_authsize(aead);
619 unsigned int cryptlen = req->cryptlen;
622 if (cryptlen < authsize)
624 cryptlen -= authsize;
626 gctx->src = req->src;
627 gctx->cryptlen = cryptlen;
628 gctx->complete = gcm_dec_hash_done;
630 err = gcm_hash(req, pctx);
634 ablkcipher_request_set_callback(abreq, aead_request_flags(req),
635 gcm_decrypt_done, req);
636 crypto_gcm_init_crypt(abreq, req, cryptlen);
637 err = crypto_ablkcipher_decrypt(abreq);
641 return crypto_gcm_verify(req, pctx);
644 static int crypto_gcm_init_tfm(struct crypto_tfm *tfm)
646 struct crypto_instance *inst = (void *)tfm->__crt_alg;
647 struct gcm_instance_ctx *ictx = crypto_instance_ctx(inst);
648 struct crypto_gcm_ctx *ctx = crypto_tfm_ctx(tfm);
649 struct crypto_ablkcipher *ctr;
650 struct crypto_ahash *ghash;
654 ghash = crypto_spawn_ahash(&ictx->ghash);
656 return PTR_ERR(ghash);
658 ctr = crypto_spawn_skcipher(&ictx->ctr);
666 align = crypto_tfm_alg_alignmask(tfm);
667 align &= ~(crypto_tfm_ctx_alignment() - 1);
668 tfm->crt_aead.reqsize = align +
669 offsetof(struct crypto_gcm_req_priv_ctx, u) +
670 max(sizeof(struct ablkcipher_request) +
671 crypto_ablkcipher_reqsize(ctr),
672 sizeof(struct ahash_request) +
673 crypto_ahash_reqsize(ghash));
678 crypto_free_ahash(ghash);
682 static void crypto_gcm_exit_tfm(struct crypto_tfm *tfm)
684 struct crypto_gcm_ctx *ctx = crypto_tfm_ctx(tfm);
686 crypto_free_ahash(ctx->ghash);
687 crypto_free_ablkcipher(ctx->ctr);
690 static struct crypto_instance *crypto_gcm_alloc_common(struct rtattr **tb,
691 const char *full_name,
692 const char *ctr_name,
693 const char *ghash_name)
695 struct crypto_attr_type *algt;
696 struct crypto_instance *inst;
697 struct crypto_alg *ctr;
698 struct crypto_alg *ghash_alg;
699 struct ahash_alg *ghash_ahash_alg;
700 struct gcm_instance_ctx *ctx;
703 algt = crypto_get_attr_type(tb);
705 return ERR_CAST(algt);
707 if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
708 return ERR_PTR(-EINVAL);
710 ghash_alg = crypto_find_alg(ghash_name, &crypto_ahash_type,
711 CRYPTO_ALG_TYPE_HASH,
712 CRYPTO_ALG_TYPE_AHASH_MASK);
713 if (IS_ERR(ghash_alg))
714 return ERR_CAST(ghash_alg);
717 inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
721 ctx = crypto_instance_ctx(inst);
722 ghash_ahash_alg = container_of(ghash_alg, struct ahash_alg, halg.base);
723 err = crypto_init_ahash_spawn(&ctx->ghash, &ghash_ahash_alg->halg,
728 crypto_set_skcipher_spawn(&ctx->ctr, inst);
729 err = crypto_grab_skcipher(&ctx->ctr, ctr_name, 0,
730 crypto_requires_sync(algt->type,
735 ctr = crypto_skcipher_spawn_alg(&ctx->ctr);
737 /* We only support 16-byte blocks. */
738 if (ctr->cra_ablkcipher.ivsize != 16)
741 /* Not a stream cipher? */
743 if (ctr->cra_blocksize != 1)
747 if (snprintf(inst->alg.cra_driver_name, CRYPTO_MAX_ALG_NAME,
748 "gcm_base(%s,%s)", ctr->cra_driver_name,
749 ghash_alg->cra_driver_name) >=
753 memcpy(inst->alg.cra_name, full_name, CRYPTO_MAX_ALG_NAME);
755 inst->alg.cra_flags = CRYPTO_ALG_TYPE_AEAD;
756 inst->alg.cra_flags |= ctr->cra_flags & CRYPTO_ALG_ASYNC;
757 inst->alg.cra_priority = ctr->cra_priority;
758 inst->alg.cra_blocksize = 1;
759 inst->alg.cra_alignmask = ctr->cra_alignmask | (__alignof__(u64) - 1);
760 inst->alg.cra_type = &crypto_aead_type;
761 inst->alg.cra_aead.ivsize = 16;
762 inst->alg.cra_aead.maxauthsize = 16;
763 inst->alg.cra_ctxsize = sizeof(struct crypto_gcm_ctx);
764 inst->alg.cra_init = crypto_gcm_init_tfm;
765 inst->alg.cra_exit = crypto_gcm_exit_tfm;
766 inst->alg.cra_aead.setkey = crypto_gcm_setkey;
767 inst->alg.cra_aead.setauthsize = crypto_gcm_setauthsize;
768 inst->alg.cra_aead.encrypt = crypto_gcm_encrypt;
769 inst->alg.cra_aead.decrypt = crypto_gcm_decrypt;
772 crypto_mod_put(ghash_alg);
776 crypto_drop_skcipher(&ctx->ctr);
778 crypto_drop_ahash(&ctx->ghash);
786 static struct crypto_instance *crypto_gcm_alloc(struct rtattr **tb)
788 const char *cipher_name;
789 char ctr_name[CRYPTO_MAX_ALG_NAME];
790 char full_name[CRYPTO_MAX_ALG_NAME];
792 cipher_name = crypto_attr_alg_name(tb[1]);
793 if (IS_ERR(cipher_name))
794 return ERR_CAST(cipher_name);
796 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", cipher_name) >=
798 return ERR_PTR(-ENAMETOOLONG);
800 if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm(%s)", cipher_name) >=
802 return ERR_PTR(-ENAMETOOLONG);
804 return crypto_gcm_alloc_common(tb, full_name, ctr_name, "ghash");
807 static void crypto_gcm_free(struct crypto_instance *inst)
809 struct gcm_instance_ctx *ctx = crypto_instance_ctx(inst);
811 crypto_drop_skcipher(&ctx->ctr);
812 crypto_drop_ahash(&ctx->ghash);
816 static struct crypto_template crypto_gcm_tmpl = {
818 .alloc = crypto_gcm_alloc,
819 .free = crypto_gcm_free,
820 .module = THIS_MODULE,
823 static struct crypto_instance *crypto_gcm_base_alloc(struct rtattr **tb)
825 const char *ctr_name;
826 const char *ghash_name;
827 char full_name[CRYPTO_MAX_ALG_NAME];
829 ctr_name = crypto_attr_alg_name(tb[1]);
830 if (IS_ERR(ctr_name))
831 return ERR_CAST(ctr_name);
833 ghash_name = crypto_attr_alg_name(tb[2]);
834 if (IS_ERR(ghash_name))
835 return ERR_CAST(ghash_name);
837 if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm_base(%s,%s)",
838 ctr_name, ghash_name) >= CRYPTO_MAX_ALG_NAME)
839 return ERR_PTR(-ENAMETOOLONG);
841 return crypto_gcm_alloc_common(tb, full_name, ctr_name, ghash_name);
844 static struct crypto_template crypto_gcm_base_tmpl = {
846 .alloc = crypto_gcm_base_alloc,
847 .free = crypto_gcm_free,
848 .module = THIS_MODULE,
851 static int crypto_rfc4106_setkey(struct crypto_aead *parent, const u8 *key,
854 struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(parent);
855 struct crypto_aead *child = ctx->child;
862 memcpy(ctx->nonce, key + keylen, 4);
864 crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK);
865 crypto_aead_set_flags(child, crypto_aead_get_flags(parent) &
866 CRYPTO_TFM_REQ_MASK);
867 err = crypto_aead_setkey(child, key, keylen);
868 crypto_aead_set_flags(parent, crypto_aead_get_flags(child) &
869 CRYPTO_TFM_RES_MASK);
874 static int crypto_rfc4106_setauthsize(struct crypto_aead *parent,
875 unsigned int authsize)
877 struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(parent);
888 return crypto_aead_setauthsize(ctx->child, authsize);
891 static struct aead_request *crypto_rfc4106_crypt(struct aead_request *req)
893 struct aead_request *subreq = aead_request_ctx(req);
894 struct crypto_aead *aead = crypto_aead_reqtfm(req);
895 struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(aead);
896 struct crypto_aead *child = ctx->child;
897 u8 *iv = PTR_ALIGN((u8 *)(subreq + 1) + crypto_aead_reqsize(child),
898 crypto_aead_alignmask(child) + 1);
900 memcpy(iv, ctx->nonce, 4);
901 memcpy(iv + 4, req->iv, 8);
903 aead_request_set_tfm(subreq, child);
904 aead_request_set_callback(subreq, req->base.flags, req->base.complete,
906 aead_request_set_crypt(subreq, req->src, req->dst, req->cryptlen, iv);
907 aead_request_set_assoc(subreq, req->assoc, req->assoclen);
912 static int crypto_rfc4106_encrypt(struct aead_request *req)
914 req = crypto_rfc4106_crypt(req);
916 return crypto_aead_encrypt(req);
919 static int crypto_rfc4106_decrypt(struct aead_request *req)
921 req = crypto_rfc4106_crypt(req);
923 return crypto_aead_decrypt(req);
926 static int crypto_rfc4106_init_tfm(struct crypto_tfm *tfm)
928 struct crypto_instance *inst = (void *)tfm->__crt_alg;
929 struct crypto_aead_spawn *spawn = crypto_instance_ctx(inst);
930 struct crypto_rfc4106_ctx *ctx = crypto_tfm_ctx(tfm);
931 struct crypto_aead *aead;
934 aead = crypto_spawn_aead(spawn);
936 return PTR_ERR(aead);
940 align = crypto_aead_alignmask(aead);
941 align &= ~(crypto_tfm_ctx_alignment() - 1);
942 tfm->crt_aead.reqsize = sizeof(struct aead_request) +
943 ALIGN(crypto_aead_reqsize(aead),
944 crypto_tfm_ctx_alignment()) +
950 static void crypto_rfc4106_exit_tfm(struct crypto_tfm *tfm)
952 struct crypto_rfc4106_ctx *ctx = crypto_tfm_ctx(tfm);
954 crypto_free_aead(ctx->child);
957 static struct crypto_instance *crypto_rfc4106_alloc(struct rtattr **tb)
959 struct crypto_attr_type *algt;
960 struct crypto_instance *inst;
961 struct crypto_aead_spawn *spawn;
962 struct crypto_alg *alg;
963 const char *ccm_name;
966 algt = crypto_get_attr_type(tb);
968 return ERR_CAST(algt);
970 if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
971 return ERR_PTR(-EINVAL);
973 ccm_name = crypto_attr_alg_name(tb[1]);
974 if (IS_ERR(ccm_name))
975 return ERR_CAST(ccm_name);
977 inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
979 return ERR_PTR(-ENOMEM);
981 spawn = crypto_instance_ctx(inst);
982 crypto_set_aead_spawn(spawn, inst);
983 err = crypto_grab_aead(spawn, ccm_name, 0,
984 crypto_requires_sync(algt->type, algt->mask));
988 alg = crypto_aead_spawn_alg(spawn);
992 /* We only support 16-byte blocks. */
993 if (alg->cra_aead.ivsize != 16)
996 /* Not a stream cipher? */
997 if (alg->cra_blocksize != 1)
1000 err = -ENAMETOOLONG;
1001 if (snprintf(inst->alg.cra_name, CRYPTO_MAX_ALG_NAME,
1002 "rfc4106(%s)", alg->cra_name) >= CRYPTO_MAX_ALG_NAME ||
1003 snprintf(inst->alg.cra_driver_name, CRYPTO_MAX_ALG_NAME,
1004 "rfc4106(%s)", alg->cra_driver_name) >=
1005 CRYPTO_MAX_ALG_NAME)
1008 inst->alg.cra_flags = CRYPTO_ALG_TYPE_AEAD;
1009 inst->alg.cra_flags |= alg->cra_flags & CRYPTO_ALG_ASYNC;
1010 inst->alg.cra_priority = alg->cra_priority;
1011 inst->alg.cra_blocksize = 1;
1012 inst->alg.cra_alignmask = alg->cra_alignmask;
1013 inst->alg.cra_type = &crypto_nivaead_type;
1015 inst->alg.cra_aead.ivsize = 8;
1016 inst->alg.cra_aead.maxauthsize = 16;
1018 inst->alg.cra_ctxsize = sizeof(struct crypto_rfc4106_ctx);
1020 inst->alg.cra_init = crypto_rfc4106_init_tfm;
1021 inst->alg.cra_exit = crypto_rfc4106_exit_tfm;
1023 inst->alg.cra_aead.setkey = crypto_rfc4106_setkey;
1024 inst->alg.cra_aead.setauthsize = crypto_rfc4106_setauthsize;
1025 inst->alg.cra_aead.encrypt = crypto_rfc4106_encrypt;
1026 inst->alg.cra_aead.decrypt = crypto_rfc4106_decrypt;
1028 inst->alg.cra_aead.geniv = "seqiv";
1034 crypto_drop_aead(spawn);
1037 inst = ERR_PTR(err);
1041 static void crypto_rfc4106_free(struct crypto_instance *inst)
1043 crypto_drop_spawn(crypto_instance_ctx(inst));
1047 static struct crypto_template crypto_rfc4106_tmpl = {
1049 .alloc = crypto_rfc4106_alloc,
1050 .free = crypto_rfc4106_free,
1051 .module = THIS_MODULE,
1054 static inline struct crypto_rfc4543_req_ctx *crypto_rfc4543_reqctx(
1055 struct aead_request *req)
1057 unsigned long align = crypto_aead_alignmask(crypto_aead_reqtfm(req));
1059 return (void *)PTR_ALIGN((u8 *)aead_request_ctx(req), align + 1);
1062 static int crypto_rfc4543_setkey(struct crypto_aead *parent, const u8 *key,
1063 unsigned int keylen)
1065 struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(parent);
1066 struct crypto_aead *child = ctx->child;
1073 memcpy(ctx->nonce, key + keylen, 4);
1075 crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK);
1076 crypto_aead_set_flags(child, crypto_aead_get_flags(parent) &
1077 CRYPTO_TFM_REQ_MASK);
1078 err = crypto_aead_setkey(child, key, keylen);
1079 crypto_aead_set_flags(parent, crypto_aead_get_flags(child) &
1080 CRYPTO_TFM_RES_MASK);
1085 static int crypto_rfc4543_setauthsize(struct crypto_aead *parent,
1086 unsigned int authsize)
1088 struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(parent);
1093 return crypto_aead_setauthsize(ctx->child, authsize);
1096 static struct aead_request *crypto_rfc4543_crypt(struct aead_request *req,
1099 struct crypto_aead *aead = crypto_aead_reqtfm(req);
1100 struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(aead);
1101 struct crypto_rfc4543_req_ctx *rctx = crypto_rfc4543_reqctx(req);
1102 struct aead_request *subreq = &rctx->subreq;
1103 struct scatterlist *dst = req->dst;
1104 struct scatterlist *cipher = rctx->cipher;
1105 struct scatterlist *payload = rctx->payload;
1106 struct scatterlist *assoc = rctx->assoc;
1107 unsigned int authsize = crypto_aead_authsize(aead);
1108 unsigned int assoclen = req->assoclen;
1111 u8 *iv = PTR_ALIGN((u8 *)(rctx + 1) + crypto_aead_reqsize(ctx->child),
1112 crypto_aead_alignmask(ctx->child) + 1);
1114 memcpy(iv, ctx->nonce, 4);
1115 memcpy(iv + 4, req->iv, 8);
1117 /* construct cipher/plaintext */
1119 memset(rctx->auth_tag, 0, authsize);
1121 scatterwalk_map_and_copy(rctx->auth_tag, dst,
1122 req->cryptlen - authsize,
1125 sg_init_one(cipher, rctx->auth_tag, authsize);
1127 /* construct the aad */
1128 dstp = sg_page(dst);
1129 vdst = PageHighMem(dstp) ? NULL : page_address(dstp) + dst->offset;
1131 sg_init_table(payload, 2);
1132 sg_set_buf(payload, req->iv, 8);
1133 scatterwalk_crypto_chain(payload, dst, vdst == req->iv + 8, 2);
1134 assoclen += 8 + req->cryptlen - (enc ? 0 : authsize);
1136 sg_init_table(assoc, 2);
1137 sg_set_page(assoc, sg_page(req->assoc), req->assoc->length,
1138 req->assoc->offset);
1139 scatterwalk_crypto_chain(assoc, payload, 0, 2);
1141 aead_request_set_tfm(subreq, ctx->child);
1142 aead_request_set_callback(subreq, req->base.flags, req->base.complete,
1144 aead_request_set_crypt(subreq, cipher, cipher, enc ? 0 : authsize, iv);
1145 aead_request_set_assoc(subreq, assoc, assoclen);
1150 static int crypto_rfc4543_encrypt(struct aead_request *req)
1152 struct crypto_aead *aead = crypto_aead_reqtfm(req);
1153 struct crypto_rfc4543_req_ctx *rctx = crypto_rfc4543_reqctx(req);
1154 struct aead_request *subreq;
1157 subreq = crypto_rfc4543_crypt(req, 1);
1158 err = crypto_aead_encrypt(subreq);
1162 scatterwalk_map_and_copy(rctx->auth_tag, req->dst, req->cryptlen,
1163 crypto_aead_authsize(aead), 1);
1168 static int crypto_rfc4543_decrypt(struct aead_request *req)
1170 req = crypto_rfc4543_crypt(req, 0);
1172 return crypto_aead_decrypt(req);
1175 static int crypto_rfc4543_init_tfm(struct crypto_tfm *tfm)
1177 struct crypto_instance *inst = (void *)tfm->__crt_alg;
1178 struct crypto_aead_spawn *spawn = crypto_instance_ctx(inst);
1179 struct crypto_rfc4543_ctx *ctx = crypto_tfm_ctx(tfm);
1180 struct crypto_aead *aead;
1181 unsigned long align;
1183 aead = crypto_spawn_aead(spawn);
1185 return PTR_ERR(aead);
1189 align = crypto_aead_alignmask(aead);
1190 align &= ~(crypto_tfm_ctx_alignment() - 1);
1191 tfm->crt_aead.reqsize = sizeof(struct crypto_rfc4543_req_ctx) +
1192 ALIGN(crypto_aead_reqsize(aead),
1193 crypto_tfm_ctx_alignment()) +
1199 static void crypto_rfc4543_exit_tfm(struct crypto_tfm *tfm)
1201 struct crypto_rfc4543_ctx *ctx = crypto_tfm_ctx(tfm);
1203 crypto_free_aead(ctx->child);
1206 static struct crypto_instance *crypto_rfc4543_alloc(struct rtattr **tb)
1208 struct crypto_attr_type *algt;
1209 struct crypto_instance *inst;
1210 struct crypto_aead_spawn *spawn;
1211 struct crypto_alg *alg;
1212 const char *ccm_name;
1215 algt = crypto_get_attr_type(tb);
1217 return ERR_CAST(algt);
1219 if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
1220 return ERR_PTR(-EINVAL);
1222 ccm_name = crypto_attr_alg_name(tb[1]);
1223 if (IS_ERR(ccm_name))
1224 return ERR_CAST(ccm_name);
1226 inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
1228 return ERR_PTR(-ENOMEM);
1230 spawn = crypto_instance_ctx(inst);
1231 crypto_set_aead_spawn(spawn, inst);
1232 err = crypto_grab_aead(spawn, ccm_name, 0,
1233 crypto_requires_sync(algt->type, algt->mask));
1237 alg = crypto_aead_spawn_alg(spawn);
1241 /* We only support 16-byte blocks. */
1242 if (alg->cra_aead.ivsize != 16)
1245 /* Not a stream cipher? */
1246 if (alg->cra_blocksize != 1)
1249 err = -ENAMETOOLONG;
1250 if (snprintf(inst->alg.cra_name, CRYPTO_MAX_ALG_NAME,
1251 "rfc4543(%s)", alg->cra_name) >= CRYPTO_MAX_ALG_NAME ||
1252 snprintf(inst->alg.cra_driver_name, CRYPTO_MAX_ALG_NAME,
1253 "rfc4543(%s)", alg->cra_driver_name) >=
1254 CRYPTO_MAX_ALG_NAME)
1257 inst->alg.cra_flags = CRYPTO_ALG_TYPE_AEAD;
1258 inst->alg.cra_flags |= alg->cra_flags & CRYPTO_ALG_ASYNC;
1259 inst->alg.cra_priority = alg->cra_priority;
1260 inst->alg.cra_blocksize = 1;
1261 inst->alg.cra_alignmask = alg->cra_alignmask;
1262 inst->alg.cra_type = &crypto_nivaead_type;
1264 inst->alg.cra_aead.ivsize = 8;
1265 inst->alg.cra_aead.maxauthsize = 16;
1267 inst->alg.cra_ctxsize = sizeof(struct crypto_rfc4543_ctx);
1269 inst->alg.cra_init = crypto_rfc4543_init_tfm;
1270 inst->alg.cra_exit = crypto_rfc4543_exit_tfm;
1272 inst->alg.cra_aead.setkey = crypto_rfc4543_setkey;
1273 inst->alg.cra_aead.setauthsize = crypto_rfc4543_setauthsize;
1274 inst->alg.cra_aead.encrypt = crypto_rfc4543_encrypt;
1275 inst->alg.cra_aead.decrypt = crypto_rfc4543_decrypt;
1277 inst->alg.cra_aead.geniv = "seqiv";
1283 crypto_drop_aead(spawn);
1286 inst = ERR_PTR(err);
1290 static void crypto_rfc4543_free(struct crypto_instance *inst)
1292 crypto_drop_spawn(crypto_instance_ctx(inst));
1296 static struct crypto_template crypto_rfc4543_tmpl = {
1298 .alloc = crypto_rfc4543_alloc,
1299 .free = crypto_rfc4543_free,
1300 .module = THIS_MODULE,
1303 static int __init crypto_gcm_module_init(void)
1307 gcm_zeroes = kzalloc(16, GFP_KERNEL);
1311 err = crypto_register_template(&crypto_gcm_base_tmpl);
1315 err = crypto_register_template(&crypto_gcm_tmpl);
1319 err = crypto_register_template(&crypto_rfc4106_tmpl);
1323 err = crypto_register_template(&crypto_rfc4543_tmpl);
1325 goto out_undo_rfc4106;
1330 crypto_unregister_template(&crypto_rfc4106_tmpl);
1332 crypto_unregister_template(&crypto_gcm_tmpl);
1334 crypto_unregister_template(&crypto_gcm_base_tmpl);
1340 static void __exit crypto_gcm_module_exit(void)
1343 crypto_unregister_template(&crypto_rfc4543_tmpl);
1344 crypto_unregister_template(&crypto_rfc4106_tmpl);
1345 crypto_unregister_template(&crypto_gcm_tmpl);
1346 crypto_unregister_template(&crypto_gcm_base_tmpl);
1349 module_init(crypto_gcm_module_init);
1350 module_exit(crypto_gcm_module_exit);
1352 MODULE_LICENSE("GPL");
1353 MODULE_DESCRIPTION("Galois/Counter Mode");
1354 MODULE_AUTHOR("Mikko Herranen <mh1@iki.fi>");
1355 MODULE_ALIAS("gcm_base");
1356 MODULE_ALIAS("rfc4106");
1357 MODULE_ALIAS("rfc4543");
projects / ~andy / linux / blob