1 // SPDX-License-Identifier: GPL-2.0-only
3 * GCM: Galois/Counter Mode.
5 * Copyright (c) 2007 Nokia Siemens Networks - Mikko Herranen <mh1@iki.fi>
8 #include <crypto/gf128mul.h>
9 #include <crypto/internal/aead.h>
10 #include <crypto/internal/skcipher.h>
11 #include <crypto/internal/hash.h>
12 #include <crypto/null.h>
13 #include <crypto/scatterwalk.h>
14 #include <crypto/gcm.h>
15 #include <crypto/hash.h>
16 #include <linux/err.h>
17 #include <linux/init.h>
18 #include <linux/kernel.h>
19 #include <linux/module.h>
20 #include <linux/slab.h>
22 struct gcm_instance_ctx
{
23 struct crypto_skcipher_spawn ctr
;
24 struct crypto_ahash_spawn ghash
;
27 struct crypto_gcm_ctx
{
28 struct crypto_skcipher
*ctr
;
29 struct crypto_ahash
*ghash
;
32 struct crypto_rfc4106_ctx
{
33 struct crypto_aead
*child
;
37 struct crypto_rfc4106_req_ctx
{
38 struct scatterlist src
[3];
39 struct scatterlist dst
[3];
40 struct aead_request subreq
;
43 struct crypto_rfc4543_instance_ctx
{
44 struct crypto_aead_spawn aead
;
47 struct crypto_rfc4543_ctx
{
48 struct crypto_aead
*child
;
49 struct crypto_sync_skcipher
*null
;
53 struct crypto_rfc4543_req_ctx
{
54 struct aead_request subreq
;
57 struct crypto_gcm_ghash_ctx
{
58 unsigned int cryptlen
;
59 struct scatterlist
*src
;
60 int (*complete
)(struct aead_request
*req
, u32 flags
);
63 struct crypto_gcm_req_priv_ctx
{
67 struct scatterlist src
[3];
68 struct scatterlist dst
[3];
69 struct scatterlist sg
;
70 struct crypto_gcm_ghash_ctx ghash_ctx
;
72 struct ahash_request ahreq
;
73 struct skcipher_request skreq
;
79 struct scatterlist sg
;
82 static int crypto_rfc4543_copy_src_to_dst(struct aead_request
*req
, bool enc
);
84 static inline struct crypto_gcm_req_priv_ctx
*crypto_gcm_reqctx(
85 struct aead_request
*req
)
87 unsigned long align
= crypto_aead_alignmask(crypto_aead_reqtfm(req
));
89 return (void *)PTR_ALIGN((u8
*)aead_request_ctx(req
), align
+ 1);
92 static int crypto_gcm_setkey(struct crypto_aead
*aead
, const u8
*key
,
95 struct crypto_gcm_ctx
*ctx
= crypto_aead_ctx(aead
);
96 struct crypto_ahash
*ghash
= ctx
->ghash
;
97 struct crypto_skcipher
*ctr
= ctx
->ctr
;
102 struct crypto_wait wait
;
104 struct scatterlist sg
[1];
105 struct skcipher_request req
;
109 crypto_skcipher_clear_flags(ctr
, CRYPTO_TFM_REQ_MASK
);
110 crypto_skcipher_set_flags(ctr
, crypto_aead_get_flags(aead
) &
111 CRYPTO_TFM_REQ_MASK
);
112 err
= crypto_skcipher_setkey(ctr
, key
, keylen
);
116 data
= kzalloc(sizeof(*data
) + crypto_skcipher_reqsize(ctr
),
121 crypto_init_wait(&data
->wait
);
122 sg_init_one(data
->sg
, &data
->hash
, sizeof(data
->hash
));
123 skcipher_request_set_tfm(&data
->req
, ctr
);
124 skcipher_request_set_callback(&data
->req
, CRYPTO_TFM_REQ_MAY_SLEEP
|
125 CRYPTO_TFM_REQ_MAY_BACKLOG
,
128 skcipher_request_set_crypt(&data
->req
, data
->sg
, data
->sg
,
129 sizeof(data
->hash
), data
->iv
);
131 err
= crypto_wait_req(crypto_skcipher_encrypt(&data
->req
),
137 crypto_ahash_clear_flags(ghash
, CRYPTO_TFM_REQ_MASK
);
138 crypto_ahash_set_flags(ghash
, crypto_aead_get_flags(aead
) &
139 CRYPTO_TFM_REQ_MASK
);
140 err
= crypto_ahash_setkey(ghash
, (u8
*)&data
->hash
, sizeof(be128
));
146 static int crypto_gcm_setauthsize(struct crypto_aead
*tfm
,
147 unsigned int authsize
)
149 return crypto_gcm_check_authsize(authsize
);
152 static void crypto_gcm_init_common(struct aead_request
*req
)
154 struct crypto_gcm_req_priv_ctx
*pctx
= crypto_gcm_reqctx(req
);
155 __be32 counter
= cpu_to_be32(1);
156 struct scatterlist
*sg
;
158 memset(pctx
->auth_tag
, 0, sizeof(pctx
->auth_tag
));
159 memcpy(pctx
->iv
, req
->iv
, GCM_AES_IV_SIZE
);
160 memcpy(pctx
->iv
+ GCM_AES_IV_SIZE
, &counter
, 4);
162 sg_init_table(pctx
->src
, 3);
163 sg_set_buf(pctx
->src
, pctx
->auth_tag
, sizeof(pctx
->auth_tag
));
164 sg
= scatterwalk_ffwd(pctx
->src
+ 1, req
->src
, req
->assoclen
);
165 if (sg
!= pctx
->src
+ 1)
166 sg_chain(pctx
->src
, 2, sg
);
168 if (req
->src
!= req
->dst
) {
169 sg_init_table(pctx
->dst
, 3);
170 sg_set_buf(pctx
->dst
, pctx
->auth_tag
, sizeof(pctx
->auth_tag
));
171 sg
= scatterwalk_ffwd(pctx
->dst
+ 1, req
->dst
, req
->assoclen
);
172 if (sg
!= pctx
->dst
+ 1)
173 sg_chain(pctx
->dst
, 2, sg
);
177 static void crypto_gcm_init_crypt(struct aead_request
*req
,
178 unsigned int cryptlen
)
180 struct crypto_aead
*aead
= crypto_aead_reqtfm(req
);
181 struct crypto_gcm_ctx
*ctx
= crypto_aead_ctx(aead
);
182 struct crypto_gcm_req_priv_ctx
*pctx
= crypto_gcm_reqctx(req
);
183 struct skcipher_request
*skreq
= &pctx
->u
.skreq
;
184 struct scatterlist
*dst
;
186 dst
= req
->src
== req
->dst
? pctx
->src
: pctx
->dst
;
188 skcipher_request_set_tfm(skreq
, ctx
->ctr
);
189 skcipher_request_set_crypt(skreq
, pctx
->src
, dst
,
190 cryptlen
+ sizeof(pctx
->auth_tag
),
194 static inline unsigned int gcm_remain(unsigned int len
)
197 return len
? 16 - len
: 0;
200 static void gcm_hash_len_done(struct crypto_async_request
*areq
, int err
);
202 static int gcm_hash_update(struct aead_request
*req
,
203 crypto_completion_t
compl,
204 struct scatterlist
*src
,
205 unsigned int len
, u32 flags
)
207 struct crypto_gcm_req_priv_ctx
*pctx
= crypto_gcm_reqctx(req
);
208 struct ahash_request
*ahreq
= &pctx
->u
.ahreq
;
210 ahash_request_set_callback(ahreq
, flags
, compl, req
);
211 ahash_request_set_crypt(ahreq
, src
, NULL
, len
);
213 return crypto_ahash_update(ahreq
);
216 static int gcm_hash_remain(struct aead_request
*req
,
218 crypto_completion_t
compl, u32 flags
)
220 return gcm_hash_update(req
, compl, &gcm_zeroes
->sg
, remain
, flags
);
223 static int gcm_hash_len(struct aead_request
*req
, u32 flags
)
225 struct crypto_gcm_req_priv_ctx
*pctx
= crypto_gcm_reqctx(req
);
226 struct ahash_request
*ahreq
= &pctx
->u
.ahreq
;
227 struct crypto_gcm_ghash_ctx
*gctx
= &pctx
->ghash_ctx
;
230 lengths
.a
= cpu_to_be64(req
->assoclen
* 8);
231 lengths
.b
= cpu_to_be64(gctx
->cryptlen
* 8);
232 memcpy(pctx
->iauth_tag
, &lengths
, 16);
233 sg_init_one(&pctx
->sg
, pctx
->iauth_tag
, 16);
234 ahash_request_set_callback(ahreq
, flags
, gcm_hash_len_done
, req
);
235 ahash_request_set_crypt(ahreq
, &pctx
->sg
,
236 pctx
->iauth_tag
, sizeof(lengths
));
238 return crypto_ahash_finup(ahreq
);
241 static int gcm_hash_len_continue(struct aead_request
*req
, u32 flags
)
243 struct crypto_gcm_req_priv_ctx
*pctx
= crypto_gcm_reqctx(req
);
244 struct crypto_gcm_ghash_ctx
*gctx
= &pctx
->ghash_ctx
;
246 return gctx
->complete(req
, flags
);
249 static void gcm_hash_len_done(struct crypto_async_request
*areq
, int err
)
251 struct aead_request
*req
= areq
->data
;
256 err
= gcm_hash_len_continue(req
, 0);
257 if (err
== -EINPROGRESS
)
261 aead_request_complete(req
, err
);
264 static int gcm_hash_crypt_remain_continue(struct aead_request
*req
, u32 flags
)
266 return gcm_hash_len(req
, flags
) ?:
267 gcm_hash_len_continue(req
, flags
);
270 static void gcm_hash_crypt_remain_done(struct crypto_async_request
*areq
,
273 struct aead_request
*req
= areq
->data
;
278 err
= gcm_hash_crypt_remain_continue(req
, 0);
279 if (err
== -EINPROGRESS
)
283 aead_request_complete(req
, err
);
286 static int gcm_hash_crypt_continue(struct aead_request
*req
, u32 flags
)
288 struct crypto_gcm_req_priv_ctx
*pctx
= crypto_gcm_reqctx(req
);
289 struct crypto_gcm_ghash_ctx
*gctx
= &pctx
->ghash_ctx
;
292 remain
= gcm_remain(gctx
->cryptlen
);
294 return gcm_hash_remain(req
, remain
,
295 gcm_hash_crypt_remain_done
, flags
) ?:
296 gcm_hash_crypt_remain_continue(req
, flags
);
298 return gcm_hash_crypt_remain_continue(req
, flags
);
301 static void gcm_hash_crypt_done(struct crypto_async_request
*areq
, int err
)
303 struct aead_request
*req
= areq
->data
;
308 err
= gcm_hash_crypt_continue(req
, 0);
309 if (err
== -EINPROGRESS
)
313 aead_request_complete(req
, err
);
316 static int gcm_hash_assoc_remain_continue(struct aead_request
*req
, u32 flags
)
318 struct crypto_gcm_req_priv_ctx
*pctx
= crypto_gcm_reqctx(req
);
319 struct crypto_gcm_ghash_ctx
*gctx
= &pctx
->ghash_ctx
;
322 return gcm_hash_update(req
, gcm_hash_crypt_done
,
323 gctx
->src
, gctx
->cryptlen
, flags
) ?:
324 gcm_hash_crypt_continue(req
, flags
);
326 return gcm_hash_crypt_remain_continue(req
, flags
);
329 static void gcm_hash_assoc_remain_done(struct crypto_async_request
*areq
,
332 struct aead_request
*req
= areq
->data
;
337 err
= gcm_hash_assoc_remain_continue(req
, 0);
338 if (err
== -EINPROGRESS
)
342 aead_request_complete(req
, err
);
345 static int gcm_hash_assoc_continue(struct aead_request
*req
, u32 flags
)
349 remain
= gcm_remain(req
->assoclen
);
351 return gcm_hash_remain(req
, remain
,
352 gcm_hash_assoc_remain_done
, flags
) ?:
353 gcm_hash_assoc_remain_continue(req
, flags
);
355 return gcm_hash_assoc_remain_continue(req
, flags
);
358 static void gcm_hash_assoc_done(struct crypto_async_request
*areq
, int err
)
360 struct aead_request
*req
= areq
->data
;
365 err
= gcm_hash_assoc_continue(req
, 0);
366 if (err
== -EINPROGRESS
)
370 aead_request_complete(req
, err
);
373 static int gcm_hash_init_continue(struct aead_request
*req
, u32 flags
)
376 return gcm_hash_update(req
, gcm_hash_assoc_done
,
377 req
->src
, req
->assoclen
, flags
) ?:
378 gcm_hash_assoc_continue(req
, flags
);
380 return gcm_hash_assoc_remain_continue(req
, flags
);
383 static void gcm_hash_init_done(struct crypto_async_request
*areq
, int err
)
385 struct aead_request
*req
= areq
->data
;
390 err
= gcm_hash_init_continue(req
, 0);
391 if (err
== -EINPROGRESS
)
395 aead_request_complete(req
, err
);
398 static int gcm_hash(struct aead_request
*req
, u32 flags
)
400 struct crypto_gcm_req_priv_ctx
*pctx
= crypto_gcm_reqctx(req
);
401 struct ahash_request
*ahreq
= &pctx
->u
.ahreq
;
402 struct crypto_gcm_ctx
*ctx
= crypto_aead_ctx(crypto_aead_reqtfm(req
));
404 ahash_request_set_tfm(ahreq
, ctx
->ghash
);
406 ahash_request_set_callback(ahreq
, flags
, gcm_hash_init_done
, req
);
407 return crypto_ahash_init(ahreq
) ?:
408 gcm_hash_init_continue(req
, flags
);
411 static int gcm_enc_copy_hash(struct aead_request
*req
, u32 flags
)
413 struct crypto_gcm_req_priv_ctx
*pctx
= crypto_gcm_reqctx(req
);
414 struct crypto_aead
*aead
= crypto_aead_reqtfm(req
);
415 u8
*auth_tag
= pctx
->auth_tag
;
417 crypto_xor(auth_tag
, pctx
->iauth_tag
, 16);
418 scatterwalk_map_and_copy(auth_tag
, req
->dst
,
419 req
->assoclen
+ req
->cryptlen
,
420 crypto_aead_authsize(aead
), 1);
424 static int gcm_encrypt_continue(struct aead_request
*req
, u32 flags
)
426 struct crypto_gcm_req_priv_ctx
*pctx
= crypto_gcm_reqctx(req
);
427 struct crypto_gcm_ghash_ctx
*gctx
= &pctx
->ghash_ctx
;
429 gctx
->src
= sg_next(req
->src
== req
->dst
? pctx
->src
: pctx
->dst
);
430 gctx
->cryptlen
= req
->cryptlen
;
431 gctx
->complete
= gcm_enc_copy_hash
;
433 return gcm_hash(req
, flags
);
436 static void gcm_encrypt_done(struct crypto_async_request
*areq
, int err
)
438 struct aead_request
*req
= areq
->data
;
443 err
= gcm_encrypt_continue(req
, 0);
444 if (err
== -EINPROGRESS
)
448 aead_request_complete(req
, err
);
451 static int crypto_gcm_encrypt(struct aead_request
*req
)
453 struct crypto_gcm_req_priv_ctx
*pctx
= crypto_gcm_reqctx(req
);
454 struct skcipher_request
*skreq
= &pctx
->u
.skreq
;
455 u32 flags
= aead_request_flags(req
);
457 crypto_gcm_init_common(req
);
458 crypto_gcm_init_crypt(req
, req
->cryptlen
);
459 skcipher_request_set_callback(skreq
, flags
, gcm_encrypt_done
, req
);
461 return crypto_skcipher_encrypt(skreq
) ?:
462 gcm_encrypt_continue(req
, flags
);
465 static int crypto_gcm_verify(struct aead_request
*req
)
467 struct crypto_gcm_req_priv_ctx
*pctx
= crypto_gcm_reqctx(req
);
468 struct crypto_aead
*aead
= crypto_aead_reqtfm(req
);
469 u8
*auth_tag
= pctx
->auth_tag
;
470 u8
*iauth_tag
= pctx
->iauth_tag
;
471 unsigned int authsize
= crypto_aead_authsize(aead
);
472 unsigned int cryptlen
= req
->cryptlen
- authsize
;
474 crypto_xor(auth_tag
, iauth_tag
, 16);
475 scatterwalk_map_and_copy(iauth_tag
, req
->src
,
476 req
->assoclen
+ cryptlen
, authsize
, 0);
477 return crypto_memneq(iauth_tag
, auth_tag
, authsize
) ? -EBADMSG
: 0;
480 static void gcm_decrypt_done(struct crypto_async_request
*areq
, int err
)
482 struct aead_request
*req
= areq
->data
;
485 err
= crypto_gcm_verify(req
);
487 aead_request_complete(req
, err
);
490 static int gcm_dec_hash_continue(struct aead_request
*req
, u32 flags
)
492 struct crypto_gcm_req_priv_ctx
*pctx
= crypto_gcm_reqctx(req
);
493 struct skcipher_request
*skreq
= &pctx
->u
.skreq
;
494 struct crypto_gcm_ghash_ctx
*gctx
= &pctx
->ghash_ctx
;
496 crypto_gcm_init_crypt(req
, gctx
->cryptlen
);
497 skcipher_request_set_callback(skreq
, flags
, gcm_decrypt_done
, req
);
498 return crypto_skcipher_decrypt(skreq
) ?: crypto_gcm_verify(req
);
501 static int crypto_gcm_decrypt(struct aead_request
*req
)
503 struct crypto_aead
*aead
= crypto_aead_reqtfm(req
);
504 struct crypto_gcm_req_priv_ctx
*pctx
= crypto_gcm_reqctx(req
);
505 struct crypto_gcm_ghash_ctx
*gctx
= &pctx
->ghash_ctx
;
506 unsigned int authsize
= crypto_aead_authsize(aead
);
507 unsigned int cryptlen
= req
->cryptlen
;
508 u32 flags
= aead_request_flags(req
);
510 cryptlen
-= authsize
;
512 crypto_gcm_init_common(req
);
514 gctx
->src
= sg_next(pctx
->src
);
515 gctx
->cryptlen
= cryptlen
;
516 gctx
->complete
= gcm_dec_hash_continue
;
518 return gcm_hash(req
, flags
);
521 static int crypto_gcm_init_tfm(struct crypto_aead
*tfm
)
523 struct aead_instance
*inst
= aead_alg_instance(tfm
);
524 struct gcm_instance_ctx
*ictx
= aead_instance_ctx(inst
);
525 struct crypto_gcm_ctx
*ctx
= crypto_aead_ctx(tfm
);
526 struct crypto_skcipher
*ctr
;
527 struct crypto_ahash
*ghash
;
531 ghash
= crypto_spawn_ahash(&ictx
->ghash
);
533 return PTR_ERR(ghash
);
535 ctr
= crypto_spawn_skcipher(&ictx
->ctr
);
543 align
= crypto_aead_alignmask(tfm
);
544 align
&= ~(crypto_tfm_ctx_alignment() - 1);
545 crypto_aead_set_reqsize(tfm
,
546 align
+ offsetof(struct crypto_gcm_req_priv_ctx
, u
) +
547 max(sizeof(struct skcipher_request
) +
548 crypto_skcipher_reqsize(ctr
),
549 sizeof(struct ahash_request
) +
550 crypto_ahash_reqsize(ghash
)));
555 crypto_free_ahash(ghash
);
559 static void crypto_gcm_exit_tfm(struct crypto_aead
*tfm
)
561 struct crypto_gcm_ctx
*ctx
= crypto_aead_ctx(tfm
);
563 crypto_free_ahash(ctx
->ghash
);
564 crypto_free_skcipher(ctx
->ctr
);
567 static void crypto_gcm_free(struct aead_instance
*inst
)
569 struct gcm_instance_ctx
*ctx
= aead_instance_ctx(inst
);
571 crypto_drop_skcipher(&ctx
->ctr
);
572 crypto_drop_ahash(&ctx
->ghash
);
576 static int crypto_gcm_create_common(struct crypto_template
*tmpl
,
578 const char *ctr_name
,
579 const char *ghash_name
)
581 struct crypto_attr_type
*algt
;
583 struct aead_instance
*inst
;
584 struct gcm_instance_ctx
*ctx
;
585 struct skcipher_alg
*ctr
;
586 struct hash_alg_common
*ghash
;
589 algt
= crypto_get_attr_type(tb
);
591 return PTR_ERR(algt
);
593 if ((algt
->type
^ CRYPTO_ALG_TYPE_AEAD
) & algt
->mask
)
596 mask
= crypto_requires_sync(algt
->type
, algt
->mask
);
598 inst
= kzalloc(sizeof(*inst
) + sizeof(*ctx
), GFP_KERNEL
);
601 ctx
= aead_instance_ctx(inst
);
603 err
= crypto_grab_ahash(&ctx
->ghash
, aead_crypto_instance(inst
),
604 ghash_name
, 0, mask
);
607 ghash
= crypto_spawn_ahash_alg(&ctx
->ghash
);
610 if (strcmp(ghash
->base
.cra_name
, "ghash") != 0 ||
611 ghash
->digestsize
!= 16)
614 err
= crypto_grab_skcipher(&ctx
->ctr
, aead_crypto_instance(inst
),
618 ctr
= crypto_spawn_skcipher_alg(&ctx
->ctr
);
620 /* The skcipher algorithm must be CTR mode, using 16-byte blocks. */
622 if (strncmp(ctr
->base
.cra_name
, "ctr(", 4) != 0 ||
623 crypto_skcipher_alg_ivsize(ctr
) != 16 ||
624 ctr
->base
.cra_blocksize
!= 1)
628 if (snprintf(inst
->alg
.base
.cra_name
, CRYPTO_MAX_ALG_NAME
,
629 "gcm(%s", ctr
->base
.cra_name
+ 4) >= CRYPTO_MAX_ALG_NAME
)
632 if (snprintf(inst
->alg
.base
.cra_driver_name
, CRYPTO_MAX_ALG_NAME
,
633 "gcm_base(%s,%s)", ctr
->base
.cra_driver_name
,
634 ghash
->base
.cra_driver_name
) >=
638 inst
->alg
.base
.cra_flags
= (ghash
->base
.cra_flags
|
639 ctr
->base
.cra_flags
) & CRYPTO_ALG_ASYNC
;
640 inst
->alg
.base
.cra_priority
= (ghash
->base
.cra_priority
+
641 ctr
->base
.cra_priority
) / 2;
642 inst
->alg
.base
.cra_blocksize
= 1;
643 inst
->alg
.base
.cra_alignmask
= ghash
->base
.cra_alignmask
|
644 ctr
->base
.cra_alignmask
;
645 inst
->alg
.base
.cra_ctxsize
= sizeof(struct crypto_gcm_ctx
);
646 inst
->alg
.ivsize
= GCM_AES_IV_SIZE
;
647 inst
->alg
.chunksize
= crypto_skcipher_alg_chunksize(ctr
);
648 inst
->alg
.maxauthsize
= 16;
649 inst
->alg
.init
= crypto_gcm_init_tfm
;
650 inst
->alg
.exit
= crypto_gcm_exit_tfm
;
651 inst
->alg
.setkey
= crypto_gcm_setkey
;
652 inst
->alg
.setauthsize
= crypto_gcm_setauthsize
;
653 inst
->alg
.encrypt
= crypto_gcm_encrypt
;
654 inst
->alg
.decrypt
= crypto_gcm_decrypt
;
656 inst
->free
= crypto_gcm_free
;
658 err
= aead_register_instance(tmpl
, inst
);
661 crypto_gcm_free(inst
);
666 static int crypto_gcm_create(struct crypto_template
*tmpl
, struct rtattr
**tb
)
668 const char *cipher_name
;
669 char ctr_name
[CRYPTO_MAX_ALG_NAME
];
671 cipher_name
= crypto_attr_alg_name(tb
[1]);
672 if (IS_ERR(cipher_name
))
673 return PTR_ERR(cipher_name
);
675 if (snprintf(ctr_name
, CRYPTO_MAX_ALG_NAME
, "ctr(%s)", cipher_name
) >=
677 return -ENAMETOOLONG
;
679 return crypto_gcm_create_common(tmpl
, tb
, ctr_name
, "ghash");
682 static int crypto_gcm_base_create(struct crypto_template
*tmpl
,
685 const char *ctr_name
;
686 const char *ghash_name
;
688 ctr_name
= crypto_attr_alg_name(tb
[1]);
689 if (IS_ERR(ctr_name
))
690 return PTR_ERR(ctr_name
);
692 ghash_name
= crypto_attr_alg_name(tb
[2]);
693 if (IS_ERR(ghash_name
))
694 return PTR_ERR(ghash_name
);
696 return crypto_gcm_create_common(tmpl
, tb
, ctr_name
, ghash_name
);
699 static int crypto_rfc4106_setkey(struct crypto_aead
*parent
, const u8
*key
,
702 struct crypto_rfc4106_ctx
*ctx
= crypto_aead_ctx(parent
);
703 struct crypto_aead
*child
= ctx
->child
;
709 memcpy(ctx
->nonce
, key
+ keylen
, 4);
711 crypto_aead_clear_flags(child
, CRYPTO_TFM_REQ_MASK
);
712 crypto_aead_set_flags(child
, crypto_aead_get_flags(parent
) &
713 CRYPTO_TFM_REQ_MASK
);
714 return crypto_aead_setkey(child
, key
, keylen
);
717 static int crypto_rfc4106_setauthsize(struct crypto_aead
*parent
,
718 unsigned int authsize
)
720 struct crypto_rfc4106_ctx
*ctx
= crypto_aead_ctx(parent
);
723 err
= crypto_rfc4106_check_authsize(authsize
);
727 return crypto_aead_setauthsize(ctx
->child
, authsize
);
730 static struct aead_request
*crypto_rfc4106_crypt(struct aead_request
*req
)
732 struct crypto_rfc4106_req_ctx
*rctx
= aead_request_ctx(req
);
733 struct crypto_aead
*aead
= crypto_aead_reqtfm(req
);
734 struct crypto_rfc4106_ctx
*ctx
= crypto_aead_ctx(aead
);
735 struct aead_request
*subreq
= &rctx
->subreq
;
736 struct crypto_aead
*child
= ctx
->child
;
737 struct scatterlist
*sg
;
738 u8
*iv
= PTR_ALIGN((u8
*)(subreq
+ 1) + crypto_aead_reqsize(child
),
739 crypto_aead_alignmask(child
) + 1);
741 scatterwalk_map_and_copy(iv
+ GCM_AES_IV_SIZE
, req
->src
, 0, req
->assoclen
- 8, 0);
743 memcpy(iv
, ctx
->nonce
, 4);
744 memcpy(iv
+ 4, req
->iv
, 8);
746 sg_init_table(rctx
->src
, 3);
747 sg_set_buf(rctx
->src
, iv
+ GCM_AES_IV_SIZE
, req
->assoclen
- 8);
748 sg
= scatterwalk_ffwd(rctx
->src
+ 1, req
->src
, req
->assoclen
);
749 if (sg
!= rctx
->src
+ 1)
750 sg_chain(rctx
->src
, 2, sg
);
752 if (req
->src
!= req
->dst
) {
753 sg_init_table(rctx
->dst
, 3);
754 sg_set_buf(rctx
->dst
, iv
+ GCM_AES_IV_SIZE
, req
->assoclen
- 8);
755 sg
= scatterwalk_ffwd(rctx
->dst
+ 1, req
->dst
, req
->assoclen
);
756 if (sg
!= rctx
->dst
+ 1)
757 sg_chain(rctx
->dst
, 2, sg
);
760 aead_request_set_tfm(subreq
, child
);
761 aead_request_set_callback(subreq
, req
->base
.flags
, req
->base
.complete
,
763 aead_request_set_crypt(subreq
, rctx
->src
,
764 req
->src
== req
->dst
? rctx
->src
: rctx
->dst
,
766 aead_request_set_ad(subreq
, req
->assoclen
- 8);
771 static int crypto_rfc4106_encrypt(struct aead_request
*req
)
775 err
= crypto_ipsec_check_assoclen(req
->assoclen
);
779 req
= crypto_rfc4106_crypt(req
);
781 return crypto_aead_encrypt(req
);
784 static int crypto_rfc4106_decrypt(struct aead_request
*req
)
788 err
= crypto_ipsec_check_assoclen(req
->assoclen
);
792 req
= crypto_rfc4106_crypt(req
);
794 return crypto_aead_decrypt(req
);
797 static int crypto_rfc4106_init_tfm(struct crypto_aead
*tfm
)
799 struct aead_instance
*inst
= aead_alg_instance(tfm
);
800 struct crypto_aead_spawn
*spawn
= aead_instance_ctx(inst
);
801 struct crypto_rfc4106_ctx
*ctx
= crypto_aead_ctx(tfm
);
802 struct crypto_aead
*aead
;
805 aead
= crypto_spawn_aead(spawn
);
807 return PTR_ERR(aead
);
811 align
= crypto_aead_alignmask(aead
);
812 align
&= ~(crypto_tfm_ctx_alignment() - 1);
813 crypto_aead_set_reqsize(
815 sizeof(struct crypto_rfc4106_req_ctx
) +
816 ALIGN(crypto_aead_reqsize(aead
), crypto_tfm_ctx_alignment()) +
822 static void crypto_rfc4106_exit_tfm(struct crypto_aead
*tfm
)
824 struct crypto_rfc4106_ctx
*ctx
= crypto_aead_ctx(tfm
);
826 crypto_free_aead(ctx
->child
);
829 static void crypto_rfc4106_free(struct aead_instance
*inst
)
831 crypto_drop_aead(aead_instance_ctx(inst
));
835 static int crypto_rfc4106_create(struct crypto_template
*tmpl
,
838 struct crypto_attr_type
*algt
;
840 struct aead_instance
*inst
;
841 struct crypto_aead_spawn
*spawn
;
842 struct aead_alg
*alg
;
843 const char *ccm_name
;
846 algt
= crypto_get_attr_type(tb
);
848 return PTR_ERR(algt
);
850 if ((algt
->type
^ CRYPTO_ALG_TYPE_AEAD
) & algt
->mask
)
853 mask
= crypto_requires_sync(algt
->type
, algt
->mask
);
855 ccm_name
= crypto_attr_alg_name(tb
[1]);
856 if (IS_ERR(ccm_name
))
857 return PTR_ERR(ccm_name
);
859 inst
= kzalloc(sizeof(*inst
) + sizeof(*spawn
), GFP_KERNEL
);
863 spawn
= aead_instance_ctx(inst
);
864 err
= crypto_grab_aead(spawn
, aead_crypto_instance(inst
),
869 alg
= crypto_spawn_aead_alg(spawn
);
873 /* Underlying IV size must be 12. */
874 if (crypto_aead_alg_ivsize(alg
) != GCM_AES_IV_SIZE
)
877 /* Not a stream cipher? */
878 if (alg
->base
.cra_blocksize
!= 1)
882 if (snprintf(inst
->alg
.base
.cra_name
, CRYPTO_MAX_ALG_NAME
,
883 "rfc4106(%s)", alg
->base
.cra_name
) >=
884 CRYPTO_MAX_ALG_NAME
||
885 snprintf(inst
->alg
.base
.cra_driver_name
, CRYPTO_MAX_ALG_NAME
,
886 "rfc4106(%s)", alg
->base
.cra_driver_name
) >=
890 inst
->alg
.base
.cra_flags
= alg
->base
.cra_flags
& CRYPTO_ALG_ASYNC
;
891 inst
->alg
.base
.cra_priority
= alg
->base
.cra_priority
;
892 inst
->alg
.base
.cra_blocksize
= 1;
893 inst
->alg
.base
.cra_alignmask
= alg
->base
.cra_alignmask
;
895 inst
->alg
.base
.cra_ctxsize
= sizeof(struct crypto_rfc4106_ctx
);
897 inst
->alg
.ivsize
= GCM_RFC4106_IV_SIZE
;
898 inst
->alg
.chunksize
= crypto_aead_alg_chunksize(alg
);
899 inst
->alg
.maxauthsize
= crypto_aead_alg_maxauthsize(alg
);
901 inst
->alg
.init
= crypto_rfc4106_init_tfm
;
902 inst
->alg
.exit
= crypto_rfc4106_exit_tfm
;
904 inst
->alg
.setkey
= crypto_rfc4106_setkey
;
905 inst
->alg
.setauthsize
= crypto_rfc4106_setauthsize
;
906 inst
->alg
.encrypt
= crypto_rfc4106_encrypt
;
907 inst
->alg
.decrypt
= crypto_rfc4106_decrypt
;
909 inst
->free
= crypto_rfc4106_free
;
911 err
= aead_register_instance(tmpl
, inst
);
919 crypto_drop_aead(spawn
);
925 static int crypto_rfc4543_setkey(struct crypto_aead
*parent
, const u8
*key
,
928 struct crypto_rfc4543_ctx
*ctx
= crypto_aead_ctx(parent
);
929 struct crypto_aead
*child
= ctx
->child
;
935 memcpy(ctx
->nonce
, key
+ keylen
, 4);
937 crypto_aead_clear_flags(child
, CRYPTO_TFM_REQ_MASK
);
938 crypto_aead_set_flags(child
, crypto_aead_get_flags(parent
) &
939 CRYPTO_TFM_REQ_MASK
);
940 return crypto_aead_setkey(child
, key
, keylen
);
943 static int crypto_rfc4543_setauthsize(struct crypto_aead
*parent
,
944 unsigned int authsize
)
946 struct crypto_rfc4543_ctx
*ctx
= crypto_aead_ctx(parent
);
951 return crypto_aead_setauthsize(ctx
->child
, authsize
);
954 static int crypto_rfc4543_crypt(struct aead_request
*req
, bool enc
)
956 struct crypto_aead
*aead
= crypto_aead_reqtfm(req
);
957 struct crypto_rfc4543_ctx
*ctx
= crypto_aead_ctx(aead
);
958 struct crypto_rfc4543_req_ctx
*rctx
= aead_request_ctx(req
);
959 struct aead_request
*subreq
= &rctx
->subreq
;
960 unsigned int authsize
= crypto_aead_authsize(aead
);
961 u8
*iv
= PTR_ALIGN((u8
*)(rctx
+ 1) + crypto_aead_reqsize(ctx
->child
),
962 crypto_aead_alignmask(ctx
->child
) + 1);
965 if (req
->src
!= req
->dst
) {
966 err
= crypto_rfc4543_copy_src_to_dst(req
, enc
);
971 memcpy(iv
, ctx
->nonce
, 4);
972 memcpy(iv
+ 4, req
->iv
, 8);
974 aead_request_set_tfm(subreq
, ctx
->child
);
975 aead_request_set_callback(subreq
, req
->base
.flags
,
976 req
->base
.complete
, req
->base
.data
);
977 aead_request_set_crypt(subreq
, req
->src
, req
->dst
,
978 enc
? 0 : authsize
, iv
);
979 aead_request_set_ad(subreq
, req
->assoclen
+ req
->cryptlen
-
982 return enc
? crypto_aead_encrypt(subreq
) : crypto_aead_decrypt(subreq
);
985 static int crypto_rfc4543_copy_src_to_dst(struct aead_request
*req
, bool enc
)
987 struct crypto_aead
*aead
= crypto_aead_reqtfm(req
);
988 struct crypto_rfc4543_ctx
*ctx
= crypto_aead_ctx(aead
);
989 unsigned int authsize
= crypto_aead_authsize(aead
);
990 unsigned int nbytes
= req
->assoclen
+ req
->cryptlen
-
991 (enc
? 0 : authsize
);
992 SYNC_SKCIPHER_REQUEST_ON_STACK(nreq
, ctx
->null
);
994 skcipher_request_set_sync_tfm(nreq
, ctx
->null
);
995 skcipher_request_set_callback(nreq
, req
->base
.flags
, NULL
, NULL
);
996 skcipher_request_set_crypt(nreq
, req
->src
, req
->dst
, nbytes
, NULL
);
998 return crypto_skcipher_encrypt(nreq
);
1001 static int crypto_rfc4543_encrypt(struct aead_request
*req
)
1003 return crypto_ipsec_check_assoclen(req
->assoclen
) ?:
1004 crypto_rfc4543_crypt(req
, true);
1007 static int crypto_rfc4543_decrypt(struct aead_request
*req
)
1009 return crypto_ipsec_check_assoclen(req
->assoclen
) ?:
1010 crypto_rfc4543_crypt(req
, false);
1013 static int crypto_rfc4543_init_tfm(struct crypto_aead
*tfm
)
1015 struct aead_instance
*inst
= aead_alg_instance(tfm
);
1016 struct crypto_rfc4543_instance_ctx
*ictx
= aead_instance_ctx(inst
);
1017 struct crypto_aead_spawn
*spawn
= &ictx
->aead
;
1018 struct crypto_rfc4543_ctx
*ctx
= crypto_aead_ctx(tfm
);
1019 struct crypto_aead
*aead
;
1020 struct crypto_sync_skcipher
*null
;
1021 unsigned long align
;
1024 aead
= crypto_spawn_aead(spawn
);
1026 return PTR_ERR(aead
);
1028 null
= crypto_get_default_null_skcipher();
1029 err
= PTR_ERR(null
);
1036 align
= crypto_aead_alignmask(aead
);
1037 align
&= ~(crypto_tfm_ctx_alignment() - 1);
1038 crypto_aead_set_reqsize(
1040 sizeof(struct crypto_rfc4543_req_ctx
) +
1041 ALIGN(crypto_aead_reqsize(aead
), crypto_tfm_ctx_alignment()) +
1042 align
+ GCM_AES_IV_SIZE
);
1047 crypto_free_aead(aead
);
1051 static void crypto_rfc4543_exit_tfm(struct crypto_aead
*tfm
)
1053 struct crypto_rfc4543_ctx
*ctx
= crypto_aead_ctx(tfm
);
1055 crypto_free_aead(ctx
->child
);
1056 crypto_put_default_null_skcipher();
1059 static void crypto_rfc4543_free(struct aead_instance
*inst
)
1061 struct crypto_rfc4543_instance_ctx
*ctx
= aead_instance_ctx(inst
);
1063 crypto_drop_aead(&ctx
->aead
);
1068 static int crypto_rfc4543_create(struct crypto_template
*tmpl
,
1071 struct crypto_attr_type
*algt
;
1073 struct aead_instance
*inst
;
1074 struct crypto_aead_spawn
*spawn
;
1075 struct aead_alg
*alg
;
1076 struct crypto_rfc4543_instance_ctx
*ctx
;
1077 const char *ccm_name
;
1080 algt
= crypto_get_attr_type(tb
);
1082 return PTR_ERR(algt
);
1084 if ((algt
->type
^ CRYPTO_ALG_TYPE_AEAD
) & algt
->mask
)
1087 mask
= crypto_requires_sync(algt
->type
, algt
->mask
);
1089 ccm_name
= crypto_attr_alg_name(tb
[1]);
1090 if (IS_ERR(ccm_name
))
1091 return PTR_ERR(ccm_name
);
1093 inst
= kzalloc(sizeof(*inst
) + sizeof(*ctx
), GFP_KERNEL
);
1097 ctx
= aead_instance_ctx(inst
);
1099 err
= crypto_grab_aead(spawn
, aead_crypto_instance(inst
),
1104 alg
= crypto_spawn_aead_alg(spawn
);
1108 /* Underlying IV size must be 12. */
1109 if (crypto_aead_alg_ivsize(alg
) != GCM_AES_IV_SIZE
)
1112 /* Not a stream cipher? */
1113 if (alg
->base
.cra_blocksize
!= 1)
1116 err
= -ENAMETOOLONG
;
1117 if (snprintf(inst
->alg
.base
.cra_name
, CRYPTO_MAX_ALG_NAME
,
1118 "rfc4543(%s)", alg
->base
.cra_name
) >=
1119 CRYPTO_MAX_ALG_NAME
||
1120 snprintf(inst
->alg
.base
.cra_driver_name
, CRYPTO_MAX_ALG_NAME
,
1121 "rfc4543(%s)", alg
->base
.cra_driver_name
) >=
1122 CRYPTO_MAX_ALG_NAME
)
1125 inst
->alg
.base
.cra_flags
= alg
->base
.cra_flags
& CRYPTO_ALG_ASYNC
;
1126 inst
->alg
.base
.cra_priority
= alg
->base
.cra_priority
;
1127 inst
->alg
.base
.cra_blocksize
= 1;
1128 inst
->alg
.base
.cra_alignmask
= alg
->base
.cra_alignmask
;
1130 inst
->alg
.base
.cra_ctxsize
= sizeof(struct crypto_rfc4543_ctx
);
1132 inst
->alg
.ivsize
= GCM_RFC4543_IV_SIZE
;
1133 inst
->alg
.chunksize
= crypto_aead_alg_chunksize(alg
);
1134 inst
->alg
.maxauthsize
= crypto_aead_alg_maxauthsize(alg
);
1136 inst
->alg
.init
= crypto_rfc4543_init_tfm
;
1137 inst
->alg
.exit
= crypto_rfc4543_exit_tfm
;
1139 inst
->alg
.setkey
= crypto_rfc4543_setkey
;
1140 inst
->alg
.setauthsize
= crypto_rfc4543_setauthsize
;
1141 inst
->alg
.encrypt
= crypto_rfc4543_encrypt
;
1142 inst
->alg
.decrypt
= crypto_rfc4543_decrypt
;
1144 inst
->free
= crypto_rfc4543_free
,
1146 err
= aead_register_instance(tmpl
, inst
);
1154 crypto_drop_aead(spawn
);
1160 static struct crypto_template crypto_gcm_tmpls
[] = {
1163 .create
= crypto_gcm_base_create
,
1164 .module
= THIS_MODULE
,
1167 .create
= crypto_gcm_create
,
1168 .module
= THIS_MODULE
,
1171 .create
= crypto_rfc4106_create
,
1172 .module
= THIS_MODULE
,
1175 .create
= crypto_rfc4543_create
,
1176 .module
= THIS_MODULE
,
1180 static int __init
crypto_gcm_module_init(void)
1184 gcm_zeroes
= kzalloc(sizeof(*gcm_zeroes
), GFP_KERNEL
);
1188 sg_init_one(&gcm_zeroes
->sg
, gcm_zeroes
->buf
, sizeof(gcm_zeroes
->buf
));
1190 err
= crypto_register_templates(crypto_gcm_tmpls
,
1191 ARRAY_SIZE(crypto_gcm_tmpls
));
1198 static void __exit
crypto_gcm_module_exit(void)
1201 crypto_unregister_templates(crypto_gcm_tmpls
,
1202 ARRAY_SIZE(crypto_gcm_tmpls
));
1205 subsys_initcall(crypto_gcm_module_init
);
1206 module_exit(crypto_gcm_module_exit
);
1208 MODULE_LICENSE("GPL");
1209 MODULE_DESCRIPTION("Galois/Counter Mode");
1210 MODULE_AUTHOR("Mikko Herranen <mh1@iki.fi>");
1211 MODULE_ALIAS_CRYPTO("gcm_base");
1212 MODULE_ALIAS_CRYPTO("rfc4106");
1213 MODULE_ALIAS_CRYPTO("rfc4543");
1214 MODULE_ALIAS_CRYPTO("gcm");