net: mv643xx_eth: use managed devm_kzalloc
[linux-2.6.git] / crypto / gcm.c
blob137ad1ec54383ceda3e515490ffc794a0242f907
1 /*
2 * GCM: Galois/Counter Mode.
4 * Copyright (c) 2007 Nokia Siemens Networks - Mikko Herranen <mh1@iki.fi>
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License version 2 as published
8 * by the Free Software Foundation.
9 */
11 #include <crypto/gf128mul.h>
12 #include <crypto/internal/aead.h>
13 #include <crypto/internal/skcipher.h>
14 #include <crypto/internal/hash.h>
15 #include <crypto/scatterwalk.h>
16 #include <crypto/hash.h>
17 #include "internal.h"
18 #include <linux/completion.h>
19 #include <linux/err.h>
20 #include <linux/init.h>
21 #include <linux/kernel.h>
22 #include <linux/module.h>
23 #include <linux/slab.h>
25 struct gcm_instance_ctx {
26 struct crypto_skcipher_spawn ctr;
27 struct crypto_ahash_spawn ghash;
30 struct crypto_gcm_ctx {
31 struct crypto_ablkcipher *ctr;
32 struct crypto_ahash *ghash;
35 struct crypto_rfc4106_ctx {
36 struct crypto_aead *child;
37 u8 nonce[4];
40 struct crypto_rfc4543_ctx {
41 struct crypto_aead *child;
42 u8 nonce[4];
45 struct crypto_rfc4543_req_ctx {
46 u8 auth_tag[16];
47 struct scatterlist cipher[1];
48 struct scatterlist payload[2];
49 struct scatterlist assoc[2];
50 struct aead_request subreq;
53 struct crypto_gcm_ghash_ctx {
54 unsigned int cryptlen;
55 struct scatterlist *src;
56 void (*complete)(struct aead_request *req, int err);
59 struct crypto_gcm_req_priv_ctx {
60 u8 auth_tag[16];
61 u8 iauth_tag[16];
62 struct scatterlist src[2];
63 struct scatterlist dst[2];
64 struct crypto_gcm_ghash_ctx ghash_ctx;
65 union {
66 struct ahash_request ahreq;
67 struct ablkcipher_request abreq;
68 } u;
71 struct crypto_gcm_setkey_result {
72 int err;
73 struct completion completion;
76 static void *gcm_zeroes;
78 static inline struct crypto_gcm_req_priv_ctx *crypto_gcm_reqctx(
79 struct aead_request *req)
81 unsigned long align = crypto_aead_alignmask(crypto_aead_reqtfm(req));
83 return (void *)PTR_ALIGN((u8 *)aead_request_ctx(req), align + 1);
86 static void crypto_gcm_setkey_done(struct crypto_async_request *req, int err)
88 struct crypto_gcm_setkey_result *result = req->data;
90 if (err == -EINPROGRESS)
91 return;
93 result->err = err;
94 complete(&result->completion);
97 static int crypto_gcm_setkey(struct crypto_aead *aead, const u8 *key,
98 unsigned int keylen)
100 struct crypto_gcm_ctx *ctx = crypto_aead_ctx(aead);
101 struct crypto_ahash *ghash = ctx->ghash;
102 struct crypto_ablkcipher *ctr = ctx->ctr;
103 struct {
104 be128 hash;
105 u8 iv[8];
107 struct crypto_gcm_setkey_result result;
109 struct scatterlist sg[1];
110 struct ablkcipher_request req;
111 } *data;
112 int err;
114 crypto_ablkcipher_clear_flags(ctr, CRYPTO_TFM_REQ_MASK);
115 crypto_ablkcipher_set_flags(ctr, crypto_aead_get_flags(aead) &
116 CRYPTO_TFM_REQ_MASK);
118 err = crypto_ablkcipher_setkey(ctr, key, keylen);
119 if (err)
120 return err;
122 crypto_aead_set_flags(aead, crypto_ablkcipher_get_flags(ctr) &
123 CRYPTO_TFM_RES_MASK);
125 data = kzalloc(sizeof(*data) + crypto_ablkcipher_reqsize(ctr),
126 GFP_KERNEL);
127 if (!data)
128 return -ENOMEM;
130 init_completion(&data->result.completion);
131 sg_init_one(data->sg, &data->hash, sizeof(data->hash));
132 ablkcipher_request_set_tfm(&data->req, ctr);
133 ablkcipher_request_set_callback(&data->req, CRYPTO_TFM_REQ_MAY_SLEEP |
134 CRYPTO_TFM_REQ_MAY_BACKLOG,
135 crypto_gcm_setkey_done,
136 &data->result);
137 ablkcipher_request_set_crypt(&data->req, data->sg, data->sg,
138 sizeof(data->hash), data->iv);
140 err = crypto_ablkcipher_encrypt(&data->req);
141 if (err == -EINPROGRESS || err == -EBUSY) {
142 err = wait_for_completion_interruptible(
143 &data->result.completion);
144 if (!err)
145 err = data->result.err;
148 if (err)
149 goto out;
151 crypto_ahash_clear_flags(ghash, CRYPTO_TFM_REQ_MASK);
152 crypto_ahash_set_flags(ghash, crypto_aead_get_flags(aead) &
153 CRYPTO_TFM_REQ_MASK);
154 err = crypto_ahash_setkey(ghash, (u8 *)&data->hash, sizeof(be128));
155 crypto_aead_set_flags(aead, crypto_ahash_get_flags(ghash) &
156 CRYPTO_TFM_RES_MASK);
158 out:
159 kfree(data);
160 return err;
163 static int crypto_gcm_setauthsize(struct crypto_aead *tfm,
164 unsigned int authsize)
166 switch (authsize) {
167 case 4:
168 case 8:
169 case 12:
170 case 13:
171 case 14:
172 case 15:
173 case 16:
174 break;
175 default:
176 return -EINVAL;
179 return 0;
182 static void crypto_gcm_init_crypt(struct ablkcipher_request *ablk_req,
183 struct aead_request *req,
184 unsigned int cryptlen)
186 struct crypto_aead *aead = crypto_aead_reqtfm(req);
187 struct crypto_gcm_ctx *ctx = crypto_aead_ctx(aead);
188 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
189 struct scatterlist *dst;
190 __be32 counter = cpu_to_be32(1);
192 memset(pctx->auth_tag, 0, sizeof(pctx->auth_tag));
193 memcpy(req->iv + 12, &counter, 4);
195 sg_init_table(pctx->src, 2);
196 sg_set_buf(pctx->src, pctx->auth_tag, sizeof(pctx->auth_tag));
197 scatterwalk_sg_chain(pctx->src, 2, req->src);
199 dst = pctx->src;
200 if (req->src != req->dst) {
201 sg_init_table(pctx->dst, 2);
202 sg_set_buf(pctx->dst, pctx->auth_tag, sizeof(pctx->auth_tag));
203 scatterwalk_sg_chain(pctx->dst, 2, req->dst);
204 dst = pctx->dst;
207 ablkcipher_request_set_tfm(ablk_req, ctx->ctr);
208 ablkcipher_request_set_crypt(ablk_req, pctx->src, dst,
209 cryptlen + sizeof(pctx->auth_tag),
210 req->iv);
213 static inline unsigned int gcm_remain(unsigned int len)
215 len &= 0xfU;
216 return len ? 16 - len : 0;
219 static void gcm_hash_len_done(struct crypto_async_request *areq, int err);
220 static void gcm_hash_final_done(struct crypto_async_request *areq, int err);
222 static int gcm_hash_update(struct aead_request *req,
223 struct crypto_gcm_req_priv_ctx *pctx,
224 crypto_completion_t complete,
225 struct scatterlist *src,
226 unsigned int len)
228 struct ahash_request *ahreq = &pctx->u.ahreq;
230 ahash_request_set_callback(ahreq, aead_request_flags(req),
231 complete, req);
232 ahash_request_set_crypt(ahreq, src, NULL, len);
234 return crypto_ahash_update(ahreq);
237 static int gcm_hash_remain(struct aead_request *req,
238 struct crypto_gcm_req_priv_ctx *pctx,
239 unsigned int remain,
240 crypto_completion_t complete)
242 struct ahash_request *ahreq = &pctx->u.ahreq;
244 ahash_request_set_callback(ahreq, aead_request_flags(req),
245 complete, req);
246 sg_init_one(pctx->src, gcm_zeroes, remain);
247 ahash_request_set_crypt(ahreq, pctx->src, NULL, remain);
249 return crypto_ahash_update(ahreq);
252 static int gcm_hash_len(struct aead_request *req,
253 struct crypto_gcm_req_priv_ctx *pctx)
255 struct ahash_request *ahreq = &pctx->u.ahreq;
256 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
257 u128 lengths;
259 lengths.a = cpu_to_be64(req->assoclen * 8);
260 lengths.b = cpu_to_be64(gctx->cryptlen * 8);
261 memcpy(pctx->iauth_tag, &lengths, 16);
262 sg_init_one(pctx->src, pctx->iauth_tag, 16);
263 ahash_request_set_callback(ahreq, aead_request_flags(req),
264 gcm_hash_len_done, req);
265 ahash_request_set_crypt(ahreq, pctx->src,
266 NULL, sizeof(lengths));
268 return crypto_ahash_update(ahreq);
271 static int gcm_hash_final(struct aead_request *req,
272 struct crypto_gcm_req_priv_ctx *pctx)
274 struct ahash_request *ahreq = &pctx->u.ahreq;
276 ahash_request_set_callback(ahreq, aead_request_flags(req),
277 gcm_hash_final_done, req);
278 ahash_request_set_crypt(ahreq, NULL, pctx->iauth_tag, 0);
280 return crypto_ahash_final(ahreq);
283 static void __gcm_hash_final_done(struct aead_request *req, int err)
285 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
286 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
288 if (!err)
289 crypto_xor(pctx->auth_tag, pctx->iauth_tag, 16);
291 gctx->complete(req, err);
294 static void gcm_hash_final_done(struct crypto_async_request *areq, int err)
296 struct aead_request *req = areq->data;
298 __gcm_hash_final_done(req, err);
301 static void __gcm_hash_len_done(struct aead_request *req, int err)
303 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
305 if (!err) {
306 err = gcm_hash_final(req, pctx);
307 if (err == -EINPROGRESS || err == -EBUSY)
308 return;
311 __gcm_hash_final_done(req, err);
314 static void gcm_hash_len_done(struct crypto_async_request *areq, int err)
316 struct aead_request *req = areq->data;
318 __gcm_hash_len_done(req, err);
321 static void __gcm_hash_crypt_remain_done(struct aead_request *req, int err)
323 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
325 if (!err) {
326 err = gcm_hash_len(req, pctx);
327 if (err == -EINPROGRESS || err == -EBUSY)
328 return;
331 __gcm_hash_len_done(req, err);
334 static void gcm_hash_crypt_remain_done(struct crypto_async_request *areq,
335 int err)
337 struct aead_request *req = areq->data;
339 __gcm_hash_crypt_remain_done(req, err);
342 static void __gcm_hash_crypt_done(struct aead_request *req, int err)
344 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
345 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
346 unsigned int remain;
348 if (!err) {
349 remain = gcm_remain(gctx->cryptlen);
350 BUG_ON(!remain);
351 err = gcm_hash_remain(req, pctx, remain,
352 gcm_hash_crypt_remain_done);
353 if (err == -EINPROGRESS || err == -EBUSY)
354 return;
357 __gcm_hash_crypt_remain_done(req, err);
360 static void gcm_hash_crypt_done(struct crypto_async_request *areq, int err)
362 struct aead_request *req = areq->data;
364 __gcm_hash_crypt_done(req, err);
367 static void __gcm_hash_assoc_remain_done(struct aead_request *req, int err)
369 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
370 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
371 crypto_completion_t complete;
372 unsigned int remain = 0;
374 if (!err && gctx->cryptlen) {
375 remain = gcm_remain(gctx->cryptlen);
376 complete = remain ? gcm_hash_crypt_done :
377 gcm_hash_crypt_remain_done;
378 err = gcm_hash_update(req, pctx, complete,
379 gctx->src, gctx->cryptlen);
380 if (err == -EINPROGRESS || err == -EBUSY)
381 return;
384 if (remain)
385 __gcm_hash_crypt_done(req, err);
386 else
387 __gcm_hash_crypt_remain_done(req, err);
390 static void gcm_hash_assoc_remain_done(struct crypto_async_request *areq,
391 int err)
393 struct aead_request *req = areq->data;
395 __gcm_hash_assoc_remain_done(req, err);
398 static void __gcm_hash_assoc_done(struct aead_request *req, int err)
400 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
401 unsigned int remain;
403 if (!err) {
404 remain = gcm_remain(req->assoclen);
405 BUG_ON(!remain);
406 err = gcm_hash_remain(req, pctx, remain,
407 gcm_hash_assoc_remain_done);
408 if (err == -EINPROGRESS || err == -EBUSY)
409 return;
412 __gcm_hash_assoc_remain_done(req, err);
415 static void gcm_hash_assoc_done(struct crypto_async_request *areq, int err)
417 struct aead_request *req = areq->data;
419 __gcm_hash_assoc_done(req, err);
422 static void __gcm_hash_init_done(struct aead_request *req, int err)
424 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
425 crypto_completion_t complete;
426 unsigned int remain = 0;
428 if (!err && req->assoclen) {
429 remain = gcm_remain(req->assoclen);
430 complete = remain ? gcm_hash_assoc_done :
431 gcm_hash_assoc_remain_done;
432 err = gcm_hash_update(req, pctx, complete,
433 req->assoc, req->assoclen);
434 if (err == -EINPROGRESS || err == -EBUSY)
435 return;
438 if (remain)
439 __gcm_hash_assoc_done(req, err);
440 else
441 __gcm_hash_assoc_remain_done(req, err);
444 static void gcm_hash_init_done(struct crypto_async_request *areq, int err)
446 struct aead_request *req = areq->data;
448 __gcm_hash_init_done(req, err);
451 static int gcm_hash(struct aead_request *req,
452 struct crypto_gcm_req_priv_ctx *pctx)
454 struct ahash_request *ahreq = &pctx->u.ahreq;
455 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
456 struct crypto_gcm_ctx *ctx = crypto_tfm_ctx(req->base.tfm);
457 unsigned int remain;
458 crypto_completion_t complete;
459 int err;
461 ahash_request_set_tfm(ahreq, ctx->ghash);
463 ahash_request_set_callback(ahreq, aead_request_flags(req),
464 gcm_hash_init_done, req);
465 err = crypto_ahash_init(ahreq);
466 if (err)
467 return err;
468 remain = gcm_remain(req->assoclen);
469 complete = remain ? gcm_hash_assoc_done : gcm_hash_assoc_remain_done;
470 err = gcm_hash_update(req, pctx, complete, req->assoc, req->assoclen);
471 if (err)
472 return err;
473 if (remain) {
474 err = gcm_hash_remain(req, pctx, remain,
475 gcm_hash_assoc_remain_done);
476 if (err)
477 return err;
479 remain = gcm_remain(gctx->cryptlen);
480 complete = remain ? gcm_hash_crypt_done : gcm_hash_crypt_remain_done;
481 err = gcm_hash_update(req, pctx, complete, gctx->src, gctx->cryptlen);
482 if (err)
483 return err;
484 if (remain) {
485 err = gcm_hash_remain(req, pctx, remain,
486 gcm_hash_crypt_remain_done);
487 if (err)
488 return err;
490 err = gcm_hash_len(req, pctx);
491 if (err)
492 return err;
493 err = gcm_hash_final(req, pctx);
494 if (err)
495 return err;
497 return 0;
500 static void gcm_enc_copy_hash(struct aead_request *req,
501 struct crypto_gcm_req_priv_ctx *pctx)
503 struct crypto_aead *aead = crypto_aead_reqtfm(req);
504 u8 *auth_tag = pctx->auth_tag;
506 scatterwalk_map_and_copy(auth_tag, req->dst, req->cryptlen,
507 crypto_aead_authsize(aead), 1);
510 static void gcm_enc_hash_done(struct aead_request *req, int err)
512 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
514 if (!err)
515 gcm_enc_copy_hash(req, pctx);
517 aead_request_complete(req, err);
520 static void gcm_encrypt_done(struct crypto_async_request *areq, int err)
522 struct aead_request *req = areq->data;
523 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
525 if (!err) {
526 err = gcm_hash(req, pctx);
527 if (err == -EINPROGRESS || err == -EBUSY)
528 return;
529 else if (!err) {
530 crypto_xor(pctx->auth_tag, pctx->iauth_tag, 16);
531 gcm_enc_copy_hash(req, pctx);
535 aead_request_complete(req, err);
538 static int crypto_gcm_encrypt(struct aead_request *req)
540 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
541 struct ablkcipher_request *abreq = &pctx->u.abreq;
542 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
543 int err;
545 crypto_gcm_init_crypt(abreq, req, req->cryptlen);
546 ablkcipher_request_set_callback(abreq, aead_request_flags(req),
547 gcm_encrypt_done, req);
549 gctx->src = req->dst;
550 gctx->cryptlen = req->cryptlen;
551 gctx->complete = gcm_enc_hash_done;
553 err = crypto_ablkcipher_encrypt(abreq);
554 if (err)
555 return err;
557 err = gcm_hash(req, pctx);
558 if (err)
559 return err;
561 crypto_xor(pctx->auth_tag, pctx->iauth_tag, 16);
562 gcm_enc_copy_hash(req, pctx);
564 return 0;
567 static int crypto_gcm_verify(struct aead_request *req,
568 struct crypto_gcm_req_priv_ctx *pctx)
570 struct crypto_aead *aead = crypto_aead_reqtfm(req);
571 u8 *auth_tag = pctx->auth_tag;
572 u8 *iauth_tag = pctx->iauth_tag;
573 unsigned int authsize = crypto_aead_authsize(aead);
574 unsigned int cryptlen = req->cryptlen - authsize;
576 crypto_xor(auth_tag, iauth_tag, 16);
577 scatterwalk_map_and_copy(iauth_tag, req->src, cryptlen, authsize, 0);
578 return memcmp(iauth_tag, auth_tag, authsize) ? -EBADMSG : 0;
581 static void gcm_decrypt_done(struct crypto_async_request *areq, int err)
583 struct aead_request *req = areq->data;
584 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
586 if (!err)
587 err = crypto_gcm_verify(req, pctx);
589 aead_request_complete(req, err);
592 static void gcm_dec_hash_done(struct aead_request *req, int err)
594 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
595 struct ablkcipher_request *abreq = &pctx->u.abreq;
596 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
598 if (!err) {
599 ablkcipher_request_set_callback(abreq, aead_request_flags(req),
600 gcm_decrypt_done, req);
601 crypto_gcm_init_crypt(abreq, req, gctx->cryptlen);
602 err = crypto_ablkcipher_decrypt(abreq);
603 if (err == -EINPROGRESS || err == -EBUSY)
604 return;
605 else if (!err)
606 err = crypto_gcm_verify(req, pctx);
609 aead_request_complete(req, err);
612 static int crypto_gcm_decrypt(struct aead_request *req)
614 struct crypto_aead *aead = crypto_aead_reqtfm(req);
615 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
616 struct ablkcipher_request *abreq = &pctx->u.abreq;
617 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
618 unsigned int authsize = crypto_aead_authsize(aead);
619 unsigned int cryptlen = req->cryptlen;
620 int err;
622 if (cryptlen < authsize)
623 return -EINVAL;
624 cryptlen -= authsize;
626 gctx->src = req->src;
627 gctx->cryptlen = cryptlen;
628 gctx->complete = gcm_dec_hash_done;
630 err = gcm_hash(req, pctx);
631 if (err)
632 return err;
634 ablkcipher_request_set_callback(abreq, aead_request_flags(req),
635 gcm_decrypt_done, req);
636 crypto_gcm_init_crypt(abreq, req, cryptlen);
637 err = crypto_ablkcipher_decrypt(abreq);
638 if (err)
639 return err;
641 return crypto_gcm_verify(req, pctx);
644 static int crypto_gcm_init_tfm(struct crypto_tfm *tfm)
646 struct crypto_instance *inst = (void *)tfm->__crt_alg;
647 struct gcm_instance_ctx *ictx = crypto_instance_ctx(inst);
648 struct crypto_gcm_ctx *ctx = crypto_tfm_ctx(tfm);
649 struct crypto_ablkcipher *ctr;
650 struct crypto_ahash *ghash;
651 unsigned long align;
652 int err;
654 ghash = crypto_spawn_ahash(&ictx->ghash);
655 if (IS_ERR(ghash))
656 return PTR_ERR(ghash);
658 ctr = crypto_spawn_skcipher(&ictx->ctr);
659 err = PTR_ERR(ctr);
660 if (IS_ERR(ctr))
661 goto err_free_hash;
663 ctx->ctr = ctr;
664 ctx->ghash = ghash;
666 align = crypto_tfm_alg_alignmask(tfm);
667 align &= ~(crypto_tfm_ctx_alignment() - 1);
668 tfm->crt_aead.reqsize = align +
669 offsetof(struct crypto_gcm_req_priv_ctx, u) +
670 max(sizeof(struct ablkcipher_request) +
671 crypto_ablkcipher_reqsize(ctr),
672 sizeof(struct ahash_request) +
673 crypto_ahash_reqsize(ghash));
675 return 0;
677 err_free_hash:
678 crypto_free_ahash(ghash);
679 return err;
682 static void crypto_gcm_exit_tfm(struct crypto_tfm *tfm)
684 struct crypto_gcm_ctx *ctx = crypto_tfm_ctx(tfm);
686 crypto_free_ahash(ctx->ghash);
687 crypto_free_ablkcipher(ctx->ctr);
690 static struct crypto_instance *crypto_gcm_alloc_common(struct rtattr **tb,
691 const char *full_name,
692 const char *ctr_name,
693 const char *ghash_name)
695 struct crypto_attr_type *algt;
696 struct crypto_instance *inst;
697 struct crypto_alg *ctr;
698 struct crypto_alg *ghash_alg;
699 struct ahash_alg *ghash_ahash_alg;
700 struct gcm_instance_ctx *ctx;
701 int err;
703 algt = crypto_get_attr_type(tb);
704 if (IS_ERR(algt))
705 return ERR_CAST(algt);
707 if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
708 return ERR_PTR(-EINVAL);
710 ghash_alg = crypto_find_alg(ghash_name, &crypto_ahash_type,
711 CRYPTO_ALG_TYPE_HASH,
712 CRYPTO_ALG_TYPE_AHASH_MASK);
713 if (IS_ERR(ghash_alg))
714 return ERR_CAST(ghash_alg);
716 err = -ENOMEM;
717 inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
718 if (!inst)
719 goto out_put_ghash;
721 ctx = crypto_instance_ctx(inst);
722 ghash_ahash_alg = container_of(ghash_alg, struct ahash_alg, halg.base);
723 err = crypto_init_ahash_spawn(&ctx->ghash, &ghash_ahash_alg->halg,
724 inst);
725 if (err)
726 goto err_free_inst;
728 crypto_set_skcipher_spawn(&ctx->ctr, inst);
729 err = crypto_grab_skcipher(&ctx->ctr, ctr_name, 0,
730 crypto_requires_sync(algt->type,
731 algt->mask));
732 if (err)
733 goto err_drop_ghash;
735 ctr = crypto_skcipher_spawn_alg(&ctx->ctr);
737 /* We only support 16-byte blocks. */
738 if (ctr->cra_ablkcipher.ivsize != 16)
739 goto out_put_ctr;
741 /* Not a stream cipher? */
742 err = -EINVAL;
743 if (ctr->cra_blocksize != 1)
744 goto out_put_ctr;
746 err = -ENAMETOOLONG;
747 if (snprintf(inst->alg.cra_driver_name, CRYPTO_MAX_ALG_NAME,
748 "gcm_base(%s,%s)", ctr->cra_driver_name,
749 ghash_alg->cra_driver_name) >=
750 CRYPTO_MAX_ALG_NAME)
751 goto out_put_ctr;
753 memcpy(inst->alg.cra_name, full_name, CRYPTO_MAX_ALG_NAME);
755 inst->alg.cra_flags = CRYPTO_ALG_TYPE_AEAD;
756 inst->alg.cra_flags |= ctr->cra_flags & CRYPTO_ALG_ASYNC;
757 inst->alg.cra_priority = ctr->cra_priority;
758 inst->alg.cra_blocksize = 1;
759 inst->alg.cra_alignmask = ctr->cra_alignmask | (__alignof__(u64) - 1);
760 inst->alg.cra_type = &crypto_aead_type;
761 inst->alg.cra_aead.ivsize = 16;
762 inst->alg.cra_aead.maxauthsize = 16;
763 inst->alg.cra_ctxsize = sizeof(struct crypto_gcm_ctx);
764 inst->alg.cra_init = crypto_gcm_init_tfm;
765 inst->alg.cra_exit = crypto_gcm_exit_tfm;
766 inst->alg.cra_aead.setkey = crypto_gcm_setkey;
767 inst->alg.cra_aead.setauthsize = crypto_gcm_setauthsize;
768 inst->alg.cra_aead.encrypt = crypto_gcm_encrypt;
769 inst->alg.cra_aead.decrypt = crypto_gcm_decrypt;
771 out:
772 crypto_mod_put(ghash_alg);
773 return inst;
775 out_put_ctr:
776 crypto_drop_skcipher(&ctx->ctr);
777 err_drop_ghash:
778 crypto_drop_ahash(&ctx->ghash);
779 err_free_inst:
780 kfree(inst);
781 out_put_ghash:
782 inst = ERR_PTR(err);
783 goto out;
786 static struct crypto_instance *crypto_gcm_alloc(struct rtattr **tb)
788 const char *cipher_name;
789 char ctr_name[CRYPTO_MAX_ALG_NAME];
790 char full_name[CRYPTO_MAX_ALG_NAME];
792 cipher_name = crypto_attr_alg_name(tb[1]);
793 if (IS_ERR(cipher_name))
794 return ERR_CAST(cipher_name);
796 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", cipher_name) >=
797 CRYPTO_MAX_ALG_NAME)
798 return ERR_PTR(-ENAMETOOLONG);
800 if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm(%s)", cipher_name) >=
801 CRYPTO_MAX_ALG_NAME)
802 return ERR_PTR(-ENAMETOOLONG);
804 return crypto_gcm_alloc_common(tb, full_name, ctr_name, "ghash");
807 static void crypto_gcm_free(struct crypto_instance *inst)
809 struct gcm_instance_ctx *ctx = crypto_instance_ctx(inst);
811 crypto_drop_skcipher(&ctx->ctr);
812 crypto_drop_ahash(&ctx->ghash);
813 kfree(inst);
816 static struct crypto_template crypto_gcm_tmpl = {
817 .name = "gcm",
818 .alloc = crypto_gcm_alloc,
819 .free = crypto_gcm_free,
820 .module = THIS_MODULE,
823 static struct crypto_instance *crypto_gcm_base_alloc(struct rtattr **tb)
825 const char *ctr_name;
826 const char *ghash_name;
827 char full_name[CRYPTO_MAX_ALG_NAME];
829 ctr_name = crypto_attr_alg_name(tb[1]);
830 if (IS_ERR(ctr_name))
831 return ERR_CAST(ctr_name);
833 ghash_name = crypto_attr_alg_name(tb[2]);
834 if (IS_ERR(ghash_name))
835 return ERR_CAST(ghash_name);
837 if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm_base(%s,%s)",
838 ctr_name, ghash_name) >= CRYPTO_MAX_ALG_NAME)
839 return ERR_PTR(-ENAMETOOLONG);
841 return crypto_gcm_alloc_common(tb, full_name, ctr_name, ghash_name);
844 static struct crypto_template crypto_gcm_base_tmpl = {
845 .name = "gcm_base",
846 .alloc = crypto_gcm_base_alloc,
847 .free = crypto_gcm_free,
848 .module = THIS_MODULE,
851 static int crypto_rfc4106_setkey(struct crypto_aead *parent, const u8 *key,
852 unsigned int keylen)
854 struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(parent);
855 struct crypto_aead *child = ctx->child;
856 int err;
858 if (keylen < 4)
859 return -EINVAL;
861 keylen -= 4;
862 memcpy(ctx->nonce, key + keylen, 4);
864 crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK);
865 crypto_aead_set_flags(child, crypto_aead_get_flags(parent) &
866 CRYPTO_TFM_REQ_MASK);
867 err = crypto_aead_setkey(child, key, keylen);
868 crypto_aead_set_flags(parent, crypto_aead_get_flags(child) &
869 CRYPTO_TFM_RES_MASK);
871 return err;
874 static int crypto_rfc4106_setauthsize(struct crypto_aead *parent,
875 unsigned int authsize)
877 struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(parent);
879 switch (authsize) {
880 case 8:
881 case 12:
882 case 16:
883 break;
884 default:
885 return -EINVAL;
888 return crypto_aead_setauthsize(ctx->child, authsize);
891 static struct aead_request *crypto_rfc4106_crypt(struct aead_request *req)
893 struct aead_request *subreq = aead_request_ctx(req);
894 struct crypto_aead *aead = crypto_aead_reqtfm(req);
895 struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(aead);
896 struct crypto_aead *child = ctx->child;
897 u8 *iv = PTR_ALIGN((u8 *)(subreq + 1) + crypto_aead_reqsize(child),
898 crypto_aead_alignmask(child) + 1);
900 memcpy(iv, ctx->nonce, 4);
901 memcpy(iv + 4, req->iv, 8);
903 aead_request_set_tfm(subreq, child);
904 aead_request_set_callback(subreq, req->base.flags, req->base.complete,
905 req->base.data);
906 aead_request_set_crypt(subreq, req->src, req->dst, req->cryptlen, iv);
907 aead_request_set_assoc(subreq, req->assoc, req->assoclen);
909 return subreq;
912 static int crypto_rfc4106_encrypt(struct aead_request *req)
914 req = crypto_rfc4106_crypt(req);
916 return crypto_aead_encrypt(req);
919 static int crypto_rfc4106_decrypt(struct aead_request *req)
921 req = crypto_rfc4106_crypt(req);
923 return crypto_aead_decrypt(req);
926 static int crypto_rfc4106_init_tfm(struct crypto_tfm *tfm)
928 struct crypto_instance *inst = (void *)tfm->__crt_alg;
929 struct crypto_aead_spawn *spawn = crypto_instance_ctx(inst);
930 struct crypto_rfc4106_ctx *ctx = crypto_tfm_ctx(tfm);
931 struct crypto_aead *aead;
932 unsigned long align;
934 aead = crypto_spawn_aead(spawn);
935 if (IS_ERR(aead))
936 return PTR_ERR(aead);
938 ctx->child = aead;
940 align = crypto_aead_alignmask(aead);
941 align &= ~(crypto_tfm_ctx_alignment() - 1);
942 tfm->crt_aead.reqsize = sizeof(struct aead_request) +
943 ALIGN(crypto_aead_reqsize(aead),
944 crypto_tfm_ctx_alignment()) +
945 align + 16;
947 return 0;
950 static void crypto_rfc4106_exit_tfm(struct crypto_tfm *tfm)
952 struct crypto_rfc4106_ctx *ctx = crypto_tfm_ctx(tfm);
954 crypto_free_aead(ctx->child);
957 static struct crypto_instance *crypto_rfc4106_alloc(struct rtattr **tb)
959 struct crypto_attr_type *algt;
960 struct crypto_instance *inst;
961 struct crypto_aead_spawn *spawn;
962 struct crypto_alg *alg;
963 const char *ccm_name;
964 int err;
966 algt = crypto_get_attr_type(tb);
967 if (IS_ERR(algt))
968 return ERR_CAST(algt);
970 if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
971 return ERR_PTR(-EINVAL);
973 ccm_name = crypto_attr_alg_name(tb[1]);
974 if (IS_ERR(ccm_name))
975 return ERR_CAST(ccm_name);
977 inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
978 if (!inst)
979 return ERR_PTR(-ENOMEM);
981 spawn = crypto_instance_ctx(inst);
982 crypto_set_aead_spawn(spawn, inst);
983 err = crypto_grab_aead(spawn, ccm_name, 0,
984 crypto_requires_sync(algt->type, algt->mask));
985 if (err)
986 goto out_free_inst;
988 alg = crypto_aead_spawn_alg(spawn);
990 err = -EINVAL;
992 /* We only support 16-byte blocks. */
993 if (alg->cra_aead.ivsize != 16)
994 goto out_drop_alg;
996 /* Not a stream cipher? */
997 if (alg->cra_blocksize != 1)
998 goto out_drop_alg;
1000 err = -ENAMETOOLONG;
1001 if (snprintf(inst->alg.cra_name, CRYPTO_MAX_ALG_NAME,
1002 "rfc4106(%s)", alg->cra_name) >= CRYPTO_MAX_ALG_NAME ||
1003 snprintf(inst->alg.cra_driver_name, CRYPTO_MAX_ALG_NAME,
1004 "rfc4106(%s)", alg->cra_driver_name) >=
1005 CRYPTO_MAX_ALG_NAME)
1006 goto out_drop_alg;
1008 inst->alg.cra_flags = CRYPTO_ALG_TYPE_AEAD;
1009 inst->alg.cra_flags |= alg->cra_flags & CRYPTO_ALG_ASYNC;
1010 inst->alg.cra_priority = alg->cra_priority;
1011 inst->alg.cra_blocksize = 1;
1012 inst->alg.cra_alignmask = alg->cra_alignmask;
1013 inst->alg.cra_type = &crypto_nivaead_type;
1015 inst->alg.cra_aead.ivsize = 8;
1016 inst->alg.cra_aead.maxauthsize = 16;
1018 inst->alg.cra_ctxsize = sizeof(struct crypto_rfc4106_ctx);
1020 inst->alg.cra_init = crypto_rfc4106_init_tfm;
1021 inst->alg.cra_exit = crypto_rfc4106_exit_tfm;
1023 inst->alg.cra_aead.setkey = crypto_rfc4106_setkey;
1024 inst->alg.cra_aead.setauthsize = crypto_rfc4106_setauthsize;
1025 inst->alg.cra_aead.encrypt = crypto_rfc4106_encrypt;
1026 inst->alg.cra_aead.decrypt = crypto_rfc4106_decrypt;
1028 inst->alg.cra_aead.geniv = "seqiv";
1030 out:
1031 return inst;
1033 out_drop_alg:
1034 crypto_drop_aead(spawn);
1035 out_free_inst:
1036 kfree(inst);
1037 inst = ERR_PTR(err);
1038 goto out;
1041 static void crypto_rfc4106_free(struct crypto_instance *inst)
1043 crypto_drop_spawn(crypto_instance_ctx(inst));
1044 kfree(inst);
1047 static struct crypto_template crypto_rfc4106_tmpl = {
1048 .name = "rfc4106",
1049 .alloc = crypto_rfc4106_alloc,
1050 .free = crypto_rfc4106_free,
1051 .module = THIS_MODULE,
1054 static inline struct crypto_rfc4543_req_ctx *crypto_rfc4543_reqctx(
1055 struct aead_request *req)
1057 unsigned long align = crypto_aead_alignmask(crypto_aead_reqtfm(req));
1059 return (void *)PTR_ALIGN((u8 *)aead_request_ctx(req), align + 1);
1062 static int crypto_rfc4543_setkey(struct crypto_aead *parent, const u8 *key,
1063 unsigned int keylen)
1065 struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(parent);
1066 struct crypto_aead *child = ctx->child;
1067 int err;
1069 if (keylen < 4)
1070 return -EINVAL;
1072 keylen -= 4;
1073 memcpy(ctx->nonce, key + keylen, 4);
1075 crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK);
1076 crypto_aead_set_flags(child, crypto_aead_get_flags(parent) &
1077 CRYPTO_TFM_REQ_MASK);
1078 err = crypto_aead_setkey(child, key, keylen);
1079 crypto_aead_set_flags(parent, crypto_aead_get_flags(child) &
1080 CRYPTO_TFM_RES_MASK);
1082 return err;
1085 static int crypto_rfc4543_setauthsize(struct crypto_aead *parent,
1086 unsigned int authsize)
1088 struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(parent);
1090 if (authsize != 16)
1091 return -EINVAL;
1093 return crypto_aead_setauthsize(ctx->child, authsize);
1096 static struct aead_request *crypto_rfc4543_crypt(struct aead_request *req,
1097 int enc)
1099 struct crypto_aead *aead = crypto_aead_reqtfm(req);
1100 struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(aead);
1101 struct crypto_rfc4543_req_ctx *rctx = crypto_rfc4543_reqctx(req);
1102 struct aead_request *subreq = &rctx->subreq;
1103 struct scatterlist *dst = req->dst;
1104 struct scatterlist *cipher = rctx->cipher;
1105 struct scatterlist *payload = rctx->payload;
1106 struct scatterlist *assoc = rctx->assoc;
1107 unsigned int authsize = crypto_aead_authsize(aead);
1108 unsigned int assoclen = req->assoclen;
1109 struct page *dstp;
1110 u8 *vdst;
1111 u8 *iv = PTR_ALIGN((u8 *)(rctx + 1) + crypto_aead_reqsize(ctx->child),
1112 crypto_aead_alignmask(ctx->child) + 1);
1114 memcpy(iv, ctx->nonce, 4);
1115 memcpy(iv + 4, req->iv, 8);
1117 /* construct cipher/plaintext */
1118 if (enc)
1119 memset(rctx->auth_tag, 0, authsize);
1120 else
1121 scatterwalk_map_and_copy(rctx->auth_tag, dst,
1122 req->cryptlen - authsize,
1123 authsize, 0);
1125 sg_init_one(cipher, rctx->auth_tag, authsize);
1127 /* construct the aad */
1128 dstp = sg_page(dst);
1129 vdst = PageHighMem(dstp) ? NULL : page_address(dstp) + dst->offset;
1131 sg_init_table(payload, 2);
1132 sg_set_buf(payload, req->iv, 8);
1133 scatterwalk_crypto_chain(payload, dst, vdst == req->iv + 8, 2);
1134 assoclen += 8 + req->cryptlen - (enc ? 0 : authsize);
1136 sg_init_table(assoc, 2);
1137 sg_set_page(assoc, sg_page(req->assoc), req->assoc->length,
1138 req->assoc->offset);
1139 scatterwalk_crypto_chain(assoc, payload, 0, 2);
1141 aead_request_set_tfm(subreq, ctx->child);
1142 aead_request_set_callback(subreq, req->base.flags, req->base.complete,
1143 req->base.data);
1144 aead_request_set_crypt(subreq, cipher, cipher, enc ? 0 : authsize, iv);
1145 aead_request_set_assoc(subreq, assoc, assoclen);
1147 return subreq;
1150 static int crypto_rfc4543_encrypt(struct aead_request *req)
1152 struct crypto_aead *aead = crypto_aead_reqtfm(req);
1153 struct crypto_rfc4543_req_ctx *rctx = crypto_rfc4543_reqctx(req);
1154 struct aead_request *subreq;
1155 int err;
1157 subreq = crypto_rfc4543_crypt(req, 1);
1158 err = crypto_aead_encrypt(subreq);
1159 if (err)
1160 return err;
1162 scatterwalk_map_and_copy(rctx->auth_tag, req->dst, req->cryptlen,
1163 crypto_aead_authsize(aead), 1);
1165 return 0;
1168 static int crypto_rfc4543_decrypt(struct aead_request *req)
1170 req = crypto_rfc4543_crypt(req, 0);
1172 return crypto_aead_decrypt(req);
1175 static int crypto_rfc4543_init_tfm(struct crypto_tfm *tfm)
1177 struct crypto_instance *inst = (void *)tfm->__crt_alg;
1178 struct crypto_aead_spawn *spawn = crypto_instance_ctx(inst);
1179 struct crypto_rfc4543_ctx *ctx = crypto_tfm_ctx(tfm);
1180 struct crypto_aead *aead;
1181 unsigned long align;
1183 aead = crypto_spawn_aead(spawn);
1184 if (IS_ERR(aead))
1185 return PTR_ERR(aead);
1187 ctx->child = aead;
1189 align = crypto_aead_alignmask(aead);
1190 align &= ~(crypto_tfm_ctx_alignment() - 1);
1191 tfm->crt_aead.reqsize = sizeof(struct crypto_rfc4543_req_ctx) +
1192 ALIGN(crypto_aead_reqsize(aead),
1193 crypto_tfm_ctx_alignment()) +
1194 align + 16;
1196 return 0;
1199 static void crypto_rfc4543_exit_tfm(struct crypto_tfm *tfm)
1201 struct crypto_rfc4543_ctx *ctx = crypto_tfm_ctx(tfm);
1203 crypto_free_aead(ctx->child);
1206 static struct crypto_instance *crypto_rfc4543_alloc(struct rtattr **tb)
1208 struct crypto_attr_type *algt;
1209 struct crypto_instance *inst;
1210 struct crypto_aead_spawn *spawn;
1211 struct crypto_alg *alg;
1212 const char *ccm_name;
1213 int err;
1215 algt = crypto_get_attr_type(tb);
1216 if (IS_ERR(algt))
1217 return ERR_CAST(algt);
1219 if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
1220 return ERR_PTR(-EINVAL);
1222 ccm_name = crypto_attr_alg_name(tb[1]);
1223 if (IS_ERR(ccm_name))
1224 return ERR_CAST(ccm_name);
1226 inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
1227 if (!inst)
1228 return ERR_PTR(-ENOMEM);
1230 spawn = crypto_instance_ctx(inst);
1231 crypto_set_aead_spawn(spawn, inst);
1232 err = crypto_grab_aead(spawn, ccm_name, 0,
1233 crypto_requires_sync(algt->type, algt->mask));
1234 if (err)
1235 goto out_free_inst;
1237 alg = crypto_aead_spawn_alg(spawn);
1239 err = -EINVAL;
1241 /* We only support 16-byte blocks. */
1242 if (alg->cra_aead.ivsize != 16)
1243 goto out_drop_alg;
1245 /* Not a stream cipher? */
1246 if (alg->cra_blocksize != 1)
1247 goto out_drop_alg;
1249 err = -ENAMETOOLONG;
1250 if (snprintf(inst->alg.cra_name, CRYPTO_MAX_ALG_NAME,
1251 "rfc4543(%s)", alg->cra_name) >= CRYPTO_MAX_ALG_NAME ||
1252 snprintf(inst->alg.cra_driver_name, CRYPTO_MAX_ALG_NAME,
1253 "rfc4543(%s)", alg->cra_driver_name) >=
1254 CRYPTO_MAX_ALG_NAME)
1255 goto out_drop_alg;
1257 inst->alg.cra_flags = CRYPTO_ALG_TYPE_AEAD;
1258 inst->alg.cra_flags |= alg->cra_flags & CRYPTO_ALG_ASYNC;
1259 inst->alg.cra_priority = alg->cra_priority;
1260 inst->alg.cra_blocksize = 1;
1261 inst->alg.cra_alignmask = alg->cra_alignmask;
1262 inst->alg.cra_type = &crypto_nivaead_type;
1264 inst->alg.cra_aead.ivsize = 8;
1265 inst->alg.cra_aead.maxauthsize = 16;
1267 inst->alg.cra_ctxsize = sizeof(struct crypto_rfc4543_ctx);
1269 inst->alg.cra_init = crypto_rfc4543_init_tfm;
1270 inst->alg.cra_exit = crypto_rfc4543_exit_tfm;
1272 inst->alg.cra_aead.setkey = crypto_rfc4543_setkey;
1273 inst->alg.cra_aead.setauthsize = crypto_rfc4543_setauthsize;
1274 inst->alg.cra_aead.encrypt = crypto_rfc4543_encrypt;
1275 inst->alg.cra_aead.decrypt = crypto_rfc4543_decrypt;
1277 inst->alg.cra_aead.geniv = "seqiv";
1279 out:
1280 return inst;
1282 out_drop_alg:
1283 crypto_drop_aead(spawn);
1284 out_free_inst:
1285 kfree(inst);
1286 inst = ERR_PTR(err);
1287 goto out;
1290 static void crypto_rfc4543_free(struct crypto_instance *inst)
1292 crypto_drop_spawn(crypto_instance_ctx(inst));
1293 kfree(inst);
1296 static struct crypto_template crypto_rfc4543_tmpl = {
1297 .name = "rfc4543",
1298 .alloc = crypto_rfc4543_alloc,
1299 .free = crypto_rfc4543_free,
1300 .module = THIS_MODULE,
1303 static int __init crypto_gcm_module_init(void)
1305 int err;
1307 gcm_zeroes = kzalloc(16, GFP_KERNEL);
1308 if (!gcm_zeroes)
1309 return -ENOMEM;
1311 err = crypto_register_template(&crypto_gcm_base_tmpl);
1312 if (err)
1313 goto out;
1315 err = crypto_register_template(&crypto_gcm_tmpl);
1316 if (err)
1317 goto out_undo_base;
1319 err = crypto_register_template(&crypto_rfc4106_tmpl);
1320 if (err)
1321 goto out_undo_gcm;
1323 err = crypto_register_template(&crypto_rfc4543_tmpl);
1324 if (err)
1325 goto out_undo_rfc4106;
1327 return 0;
1329 out_undo_rfc4106:
1330 crypto_unregister_template(&crypto_rfc4106_tmpl);
1331 out_undo_gcm:
1332 crypto_unregister_template(&crypto_gcm_tmpl);
1333 out_undo_base:
1334 crypto_unregister_template(&crypto_gcm_base_tmpl);
1335 out:
1336 kfree(gcm_zeroes);
1337 return err;
1340 static void __exit crypto_gcm_module_exit(void)
1342 kfree(gcm_zeroes);
1343 crypto_unregister_template(&crypto_rfc4543_tmpl);
1344 crypto_unregister_template(&crypto_rfc4106_tmpl);
1345 crypto_unregister_template(&crypto_gcm_tmpl);
1346 crypto_unregister_template(&crypto_gcm_base_tmpl);
1349 module_init(crypto_gcm_module_init);
1350 module_exit(crypto_gcm_module_exit);
1352 MODULE_LICENSE("GPL");
1353 MODULE_DESCRIPTION("Galois/Counter Mode");
1354 MODULE_AUTHOR("Mikko Herranen <mh1@iki.fi>");
1355 MODULE_ALIAS("gcm_base");
1356 MODULE_ALIAS("rfc4106");
1357 MODULE_ALIAS("rfc4543");