1/*
2 * GCM: Galois/Counter Mode.
3 *
4 * Copyright (c) 2007 Nokia Siemens Networks - Mikko Herranen <mh1@iki.fi>
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License version 2 as published
8 * by the Free Software Foundation.
9 */
10
11#include <crypto/gf128mul.h>
12#include <crypto/internal/aead.h>
13#include <crypto/internal/skcipher.h>
14#include <crypto/internal/hash.h>
15#include <crypto/null.h>
16#include <crypto/scatterwalk.h>
17#include <crypto/hash.h>
18#include "internal.h"
19#include <linux/completion.h>
20#include <linux/err.h>
21#include <linux/init.h>
22#include <linux/kernel.h>
23#include <linux/module.h>
24#include <linux/slab.h>
25
26struct gcm_instance_ctx {
27	struct crypto_skcipher_spawn ctr;
28	struct crypto_ahash_spawn ghash;
29};
30
31struct crypto_gcm_ctx {
32	struct crypto_ablkcipher *ctr;
33	struct crypto_ahash *ghash;
34};
35
36struct crypto_rfc4106_ctx {
37	struct crypto_aead *child;
38	u8 nonce[4];
39};
40
41struct crypto_rfc4106_req_ctx {
42	struct scatterlist src[3];
43	struct scatterlist dst[3];
44	struct aead_request subreq;
45};
46
47struct crypto_rfc4543_instance_ctx {
48	struct crypto_aead_spawn aead;
49};
50
51struct crypto_rfc4543_ctx {
52	struct crypto_aead *child;
53	struct crypto_blkcipher *null;
54	u8 nonce[4];
55};
56
57struct crypto_rfc4543_req_ctx {
58	struct aead_request subreq;
59};
60
61struct crypto_gcm_ghash_ctx {
62	unsigned int cryptlen;
63	struct scatterlist *src;
64	int (*complete)(struct aead_request *req, u32 flags);
65};
66
67struct crypto_gcm_req_priv_ctx {
68	u8 iv[16];
69	u8 auth_tag[16];
70	u8 iauth_tag[16];
71	struct scatterlist src[3];
72	struct scatterlist dst[3];
73	struct scatterlist sg;
74	struct crypto_gcm_ghash_ctx ghash_ctx;
75	union {
76		struct ahash_request ahreq;
77		struct ablkcipher_request abreq;
78	} u;
79};
80
81struct crypto_gcm_setkey_result {
82	int err;
83	struct completion completion;
84};
85
86static struct {
87	u8 buf[16];
88	struct scatterlist sg;
89} *gcm_zeroes;
90
91static int crypto_rfc4543_copy_src_to_dst(struct aead_request *req, bool enc);
92
93static inline struct crypto_gcm_req_priv_ctx *crypto_gcm_reqctx(
94	struct aead_request *req)
95{
96	unsigned long align = crypto_aead_alignmask(crypto_aead_reqtfm(req));
97
98	return (void *)PTR_ALIGN((u8 *)aead_request_ctx(req), align + 1);
99}
100
101static void crypto_gcm_setkey_done(struct crypto_async_request *req, int err)
102{
103	struct crypto_gcm_setkey_result *result = req->data;
104
105	if (err == -EINPROGRESS)
106		return;
107
108	result->err = err;
109	complete(&result->completion);
110}
111
112static int crypto_gcm_setkey(struct crypto_aead *aead, const u8 *key,
113			     unsigned int keylen)
114{
115	struct crypto_gcm_ctx *ctx = crypto_aead_ctx(aead);
116	struct crypto_ahash *ghash = ctx->ghash;
117	struct crypto_ablkcipher *ctr = ctx->ctr;
118	struct {
119		be128 hash;
120		u8 iv[8];
121
122		struct crypto_gcm_setkey_result result;
123
124		struct scatterlist sg[1];
125		struct ablkcipher_request req;
126	} *data;
127	int err;
128
129	crypto_ablkcipher_clear_flags(ctr, CRYPTO_TFM_REQ_MASK);
130	crypto_ablkcipher_set_flags(ctr, crypto_aead_get_flags(aead) &
131					 CRYPTO_TFM_REQ_MASK);
132	err = crypto_ablkcipher_setkey(ctr, key, keylen);
133	crypto_aead_set_flags(aead, crypto_ablkcipher_get_flags(ctr) &
134				    CRYPTO_TFM_RES_MASK);
135	if (err)
136		return err;
137
138	data = kzalloc(sizeof(*data) + crypto_ablkcipher_reqsize(ctr),
139		       GFP_KERNEL);
140	if (!data)
141		return -ENOMEM;
142
143	init_completion(&data->result.completion);
144	sg_init_one(data->sg, &data->hash, sizeof(data->hash));
145	ablkcipher_request_set_tfm(&data->req, ctr);
146	ablkcipher_request_set_callback(&data->req, CRYPTO_TFM_REQ_MAY_SLEEP |
147						    CRYPTO_TFM_REQ_MAY_BACKLOG,
148					crypto_gcm_setkey_done,
149					&data->result);
150	ablkcipher_request_set_crypt(&data->req, data->sg, data->sg,
151				     sizeof(data->hash), data->iv);
152
153	err = crypto_ablkcipher_encrypt(&data->req);
154	if (err == -EINPROGRESS || err == -EBUSY) {
155		err = wait_for_completion_interruptible(
156			&data->result.completion);
157		if (!err)
158			err = data->result.err;
159	}
160
161	if (err)
162		goto out;
163
164	crypto_ahash_clear_flags(ghash, CRYPTO_TFM_REQ_MASK);
165	crypto_ahash_set_flags(ghash, crypto_aead_get_flags(aead) &
166			       CRYPTO_TFM_REQ_MASK);
167	err = crypto_ahash_setkey(ghash, (u8 *)&data->hash, sizeof(be128));
168	crypto_aead_set_flags(aead, crypto_ahash_get_flags(ghash) &
169			      CRYPTO_TFM_RES_MASK);
170
171out:
172	kzfree(data);
173	return err;
174}
175
176static int crypto_gcm_setauthsize(struct crypto_aead *tfm,
177				  unsigned int authsize)
178{
179	switch (authsize) {
180	case 4:
181	case 8:
182	case 12:
183	case 13:
184	case 14:
185	case 15:
186	case 16:
187		break;
188	default:
189		return -EINVAL;
190	}
191
192	return 0;
193}
194
195static void crypto_gcm_init_common(struct aead_request *req)
196{
197	struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
198	__be32 counter = cpu_to_be32(1);
199	struct scatterlist *sg;
200
201	memset(pctx->auth_tag, 0, sizeof(pctx->auth_tag));
202	memcpy(pctx->iv, req->iv, 12);
203	memcpy(pctx->iv + 12, &counter, 4);
204
205	sg_init_table(pctx->src, 3);
206	sg_set_buf(pctx->src, pctx->auth_tag, sizeof(pctx->auth_tag));
207	sg = scatterwalk_ffwd(pctx->src + 1, req->src, req->assoclen);
208	if (sg != pctx->src + 1)
209		sg_chain(pctx->src, 2, sg);
210
211	if (req->src != req->dst) {
212		sg_init_table(pctx->dst, 3);
213		sg_set_buf(pctx->dst, pctx->auth_tag, sizeof(pctx->auth_tag));
214		sg = scatterwalk_ffwd(pctx->dst + 1, req->dst, req->assoclen);
215		if (sg != pctx->dst + 1)
216			sg_chain(pctx->dst, 2, sg);
217	}
218}
219
220static void crypto_gcm_init_crypt(struct aead_request *req,
221				  unsigned int cryptlen)
222{
223	struct crypto_aead *aead = crypto_aead_reqtfm(req);
224	struct crypto_gcm_ctx *ctx = crypto_aead_ctx(aead);
225	struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
226	struct ablkcipher_request *ablk_req = &pctx->u.abreq;
227	struct scatterlist *dst;
228
229	dst = req->src == req->dst ? pctx->src : pctx->dst;
230
231	ablkcipher_request_set_tfm(ablk_req, ctx->ctr);
232	ablkcipher_request_set_crypt(ablk_req, pctx->src, dst,
233				     cryptlen + sizeof(pctx->auth_tag),
234				     pctx->iv);
235}
236
237static inline unsigned int gcm_remain(unsigned int len)
238{
239	len &= 0xfU;
240	return len ? 16 - len : 0;
241}
242
243static void gcm_hash_len_done(struct crypto_async_request *areq, int err);
244
245static int gcm_hash_update(struct aead_request *req,
246			   crypto_completion_t compl,
247			   struct scatterlist *src,
248			   unsigned int len, u32 flags)
249{
250	struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
251	struct ahash_request *ahreq = &pctx->u.ahreq;
252
253	ahash_request_set_callback(ahreq, flags, compl, req);
254	ahash_request_set_crypt(ahreq, src, NULL, len);
255
256	return crypto_ahash_update(ahreq);
257}
258
259static int gcm_hash_remain(struct aead_request *req,
260			   unsigned int remain,
261			   crypto_completion_t compl, u32 flags)
262{
263	return gcm_hash_update(req, compl, &gcm_zeroes->sg, remain, flags);
264}
265
266static int gcm_hash_len(struct aead_request *req, u32 flags)
267{
268	struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
269	struct ahash_request *ahreq = &pctx->u.ahreq;
270	struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
271	u128 lengths;
272
273	lengths.a = cpu_to_be64(req->assoclen * 8);
274	lengths.b = cpu_to_be64(gctx->cryptlen * 8);
275	memcpy(pctx->iauth_tag, &lengths, 16);
276	sg_init_one(&pctx->sg, pctx->iauth_tag, 16);
277	ahash_request_set_callback(ahreq, flags, gcm_hash_len_done, req);
278	ahash_request_set_crypt(ahreq, &pctx->sg,
279				pctx->iauth_tag, sizeof(lengths));
280
281	return crypto_ahash_finup(ahreq);
282}
283
284static int gcm_hash_len_continue(struct aead_request *req, u32 flags)
285{
286	struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
287	struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
288
289	return gctx->complete(req, flags);
290}
291
292static void gcm_hash_len_done(struct crypto_async_request *areq, int err)
293{
294	struct aead_request *req = areq->data;
295
296	if (err)
297		goto out;
298
299	err = gcm_hash_len_continue(req, 0);
300	if (err == -EINPROGRESS)
301		return;
302
303out:
304	aead_request_complete(req, err);
305}
306
307static int gcm_hash_crypt_remain_continue(struct aead_request *req, u32 flags)
308{
309	return gcm_hash_len(req, flags) ?:
310	       gcm_hash_len_continue(req, flags);
311}
312
313static void gcm_hash_crypt_remain_done(struct crypto_async_request *areq,
314				       int err)
315{
316	struct aead_request *req = areq->data;
317
318	if (err)
319		goto out;
320
321	err = gcm_hash_crypt_remain_continue(req, 0);
322	if (err == -EINPROGRESS)
323		return;
324
325out:
326	aead_request_complete(req, err);
327}
328
329static int gcm_hash_crypt_continue(struct aead_request *req, u32 flags)
330{
331	struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
332	struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
333	unsigned int remain;
334
335	remain = gcm_remain(gctx->cryptlen);
336	if (remain)
337		return gcm_hash_remain(req, remain,
338				       gcm_hash_crypt_remain_done, flags) ?:
339		       gcm_hash_crypt_remain_continue(req, flags);
340
341	return gcm_hash_crypt_remain_continue(req, flags);
342}
343
344static void gcm_hash_crypt_done(struct crypto_async_request *areq, int err)
345{
346	struct aead_request *req = areq->data;
347
348	if (err)
349		goto out;
350
351	err = gcm_hash_crypt_continue(req, 0);
352	if (err == -EINPROGRESS)
353		return;
354
355out:
356	aead_request_complete(req, err);
357}
358
359static int gcm_hash_assoc_remain_continue(struct aead_request *req, u32 flags)
360{
361	struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
362	struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
363
364	if (gctx->cryptlen)
365		return gcm_hash_update(req, gcm_hash_crypt_done,
366				       gctx->src, gctx->cryptlen, flags) ?:
367		       gcm_hash_crypt_continue(req, flags);
368
369	return gcm_hash_crypt_remain_continue(req, flags);
370}
371
372static void gcm_hash_assoc_remain_done(struct crypto_async_request *areq,
373				       int err)
374{
375	struct aead_request *req = areq->data;
376
377	if (err)
378		goto out;
379
380	err = gcm_hash_assoc_remain_continue(req, 0);
381	if (err == -EINPROGRESS)
382		return;
383
384out:
385	aead_request_complete(req, err);
386}
387
388static int gcm_hash_assoc_continue(struct aead_request *req, u32 flags)
389{
390	unsigned int remain;
391
392	remain = gcm_remain(req->assoclen);
393	if (remain)
394		return gcm_hash_remain(req, remain,
395				       gcm_hash_assoc_remain_done, flags) ?:
396		       gcm_hash_assoc_remain_continue(req, flags);
397
398	return gcm_hash_assoc_remain_continue(req, flags);
399}
400
401static void gcm_hash_assoc_done(struct crypto_async_request *areq, int err)
402{
403	struct aead_request *req = areq->data;
404
405	if (err)
406		goto out;
407
408	err = gcm_hash_assoc_continue(req, 0);
409	if (err == -EINPROGRESS)
410		return;
411
412out:
413	aead_request_complete(req, err);
414}
415
416static int gcm_hash_init_continue(struct aead_request *req, u32 flags)
417{
418	if (req->assoclen)
419		return gcm_hash_update(req, gcm_hash_assoc_done,
420				       req->src, req->assoclen, flags) ?:
421		       gcm_hash_assoc_continue(req, flags);
422
423	return gcm_hash_assoc_remain_continue(req, flags);
424}
425
426static void gcm_hash_init_done(struct crypto_async_request *areq, int err)
427{
428	struct aead_request *req = areq->data;
429
430	if (err)
431		goto out;
432
433	err = gcm_hash_init_continue(req, 0);
434	if (err == -EINPROGRESS)
435		return;
436
437out:
438	aead_request_complete(req, err);
439}
440
441static int gcm_hash(struct aead_request *req, u32 flags)
442{
443	struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
444	struct ahash_request *ahreq = &pctx->u.ahreq;
445	struct crypto_gcm_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
446
447	ahash_request_set_tfm(ahreq, ctx->ghash);
448
449	ahash_request_set_callback(ahreq, flags, gcm_hash_init_done, req);
450	return crypto_ahash_init(ahreq) ?:
451	       gcm_hash_init_continue(req, flags);
452}
453
454static int gcm_enc_copy_hash(struct aead_request *req, u32 flags)
455{
456	struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
457	struct crypto_aead *aead = crypto_aead_reqtfm(req);
458	u8 *auth_tag = pctx->auth_tag;
459
460	crypto_xor(auth_tag, pctx->iauth_tag, 16);
461	scatterwalk_map_and_copy(auth_tag, req->dst,
462				 req->assoclen + req->cryptlen,
463				 crypto_aead_authsize(aead), 1);
464	return 0;
465}
466
467static int gcm_encrypt_continue(struct aead_request *req, u32 flags)
468{
469	struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
470	struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
471
472	gctx->src = sg_next(req->src == req->dst ? pctx->src : pctx->dst);
473	gctx->cryptlen = req->cryptlen;
474	gctx->complete = gcm_enc_copy_hash;
475
476	return gcm_hash(req, flags);
477}
478
479static void gcm_encrypt_done(struct crypto_async_request *areq, int err)
480{
481	struct aead_request *req = areq->data;
482
483	if (err)
484		goto out;
485
486	err = gcm_encrypt_continue(req, 0);
487	if (err == -EINPROGRESS)
488		return;
489
490out:
491	aead_request_complete(req, err);
492}
493
494static int crypto_gcm_encrypt(struct aead_request *req)
495{
496	struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
497	struct ablkcipher_request *abreq = &pctx->u.abreq;
498	u32 flags = aead_request_flags(req);
499
500	crypto_gcm_init_common(req);
501	crypto_gcm_init_crypt(req, req->cryptlen);
502	ablkcipher_request_set_callback(abreq, flags, gcm_encrypt_done, req);
503
504	return crypto_ablkcipher_encrypt(abreq) ?:
505	       gcm_encrypt_continue(req, flags);
506}
507
508static int crypto_gcm_verify(struct aead_request *req)
509{
510	struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
511	struct crypto_aead *aead = crypto_aead_reqtfm(req);
512	u8 *auth_tag = pctx->auth_tag;
513	u8 *iauth_tag = pctx->iauth_tag;
514	unsigned int authsize = crypto_aead_authsize(aead);
515	unsigned int cryptlen = req->cryptlen - authsize;
516
517	crypto_xor(auth_tag, iauth_tag, 16);
518	scatterwalk_map_and_copy(iauth_tag, req->src,
519				 req->assoclen + cryptlen, authsize, 0);
520	return crypto_memneq(iauth_tag, auth_tag, authsize) ? -EBADMSG : 0;
521}
522
523static void gcm_decrypt_done(struct crypto_async_request *areq, int err)
524{
525	struct aead_request *req = areq->data;
526
527	if (!err)
528		err = crypto_gcm_verify(req);
529
530	aead_request_complete(req, err);
531}
532
533static int gcm_dec_hash_continue(struct aead_request *req, u32 flags)
534{
535	struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
536	struct ablkcipher_request *abreq = &pctx->u.abreq;
537	struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
538
539	crypto_gcm_init_crypt(req, gctx->cryptlen);
540	ablkcipher_request_set_callback(abreq, flags, gcm_decrypt_done, req);
541	return crypto_ablkcipher_decrypt(abreq) ?: crypto_gcm_verify(req);
542}
543
544static int crypto_gcm_decrypt(struct aead_request *req)
545{
546	struct crypto_aead *aead = crypto_aead_reqtfm(req);
547	struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
548	struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
549	unsigned int authsize = crypto_aead_authsize(aead);
550	unsigned int cryptlen = req->cryptlen;
551	u32 flags = aead_request_flags(req);
552
553	cryptlen -= authsize;
554
555	crypto_gcm_init_common(req);
556
557	gctx->src = sg_next(pctx->src);
558	gctx->cryptlen = cryptlen;
559	gctx->complete = gcm_dec_hash_continue;
560
561	return gcm_hash(req, flags);
562}
563
564static int crypto_gcm_init_tfm(struct crypto_aead *tfm)
565{
566	struct aead_instance *inst = aead_alg_instance(tfm);
567	struct gcm_instance_ctx *ictx = aead_instance_ctx(inst);
568	struct crypto_gcm_ctx *ctx = crypto_aead_ctx(tfm);
569	struct crypto_ablkcipher *ctr;
570	struct crypto_ahash *ghash;
571	unsigned long align;
572	int err;
573
574	ghash = crypto_spawn_ahash(&ictx->ghash);
575	if (IS_ERR(ghash))
576		return PTR_ERR(ghash);
577
578	ctr = crypto_spawn_skcipher(&ictx->ctr);
579	err = PTR_ERR(ctr);
580	if (IS_ERR(ctr))
581		goto err_free_hash;
582
583	ctx->ctr = ctr;
584	ctx->ghash = ghash;
585
586	align = crypto_aead_alignmask(tfm);
587	align &= ~(crypto_tfm_ctx_alignment() - 1);
588	crypto_aead_set_reqsize(tfm,
589		align + offsetof(struct crypto_gcm_req_priv_ctx, u) +
590		max(sizeof(struct ablkcipher_request) +
591		    crypto_ablkcipher_reqsize(ctr),
592		    sizeof(struct ahash_request) +
593		    crypto_ahash_reqsize(ghash)));
594
595	return 0;
596
597err_free_hash:
598	crypto_free_ahash(ghash);
599	return err;
600}
601
602static void crypto_gcm_exit_tfm(struct crypto_aead *tfm)
603{
604	struct crypto_gcm_ctx *ctx = crypto_aead_ctx(tfm);
605
606	crypto_free_ahash(ctx->ghash);
607	crypto_free_ablkcipher(ctx->ctr);
608}
609
610static void crypto_gcm_free(struct aead_instance *inst)
611{
612	struct gcm_instance_ctx *ctx = aead_instance_ctx(inst);
613
614	crypto_drop_skcipher(&ctx->ctr);
615	crypto_drop_ahash(&ctx->ghash);
616	kfree(inst);
617}
618
619static int crypto_gcm_create_common(struct crypto_template *tmpl,
620				    struct rtattr **tb,
621				    const char *full_name,
622				    const char *ctr_name,
623				    const char *ghash_name)
624{
625	struct crypto_attr_type *algt;
626	struct aead_instance *inst;
627	struct crypto_alg *ctr;
628	struct crypto_alg *ghash_alg;
629	struct hash_alg_common *ghash;
630	struct gcm_instance_ctx *ctx;
631	int err;
632
633	algt = crypto_get_attr_type(tb);
634	if (IS_ERR(algt))
635		return PTR_ERR(algt);
636
637	if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
638		return -EINVAL;
639
640	ghash_alg = crypto_find_alg(ghash_name, &crypto_ahash_type,
641				    CRYPTO_ALG_TYPE_HASH,
642				    CRYPTO_ALG_TYPE_AHASH_MASK);
643	if (IS_ERR(ghash_alg))
644		return PTR_ERR(ghash_alg);
645
646	ghash = __crypto_hash_alg_common(ghash_alg);
647
648	err = -ENOMEM;
649	inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
650	if (!inst)
651		goto out_put_ghash;
652
653	ctx = aead_instance_ctx(inst);
654	err = crypto_init_ahash_spawn(&ctx->ghash, ghash,
655				      aead_crypto_instance(inst));
656	if (err)
657		goto err_free_inst;
658
659	err = -EINVAL;
660	if (ghash->digestsize != 16)
661		goto err_drop_ghash;
662
663	crypto_set_skcipher_spawn(&ctx->ctr, aead_crypto_instance(inst));
664	err = crypto_grab_skcipher(&ctx->ctr, ctr_name, 0,
665				   crypto_requires_sync(algt->type,
666							algt->mask));
667	if (err)
668		goto err_drop_ghash;
669
670	ctr = crypto_skcipher_spawn_alg(&ctx->ctr);
671
672	/* We only support 16-byte blocks. */
673	if (ctr->cra_ablkcipher.ivsize != 16)
674		goto out_put_ctr;
675
676	/* Not a stream cipher? */
677	err = -EINVAL;
678	if (ctr->cra_blocksize != 1)
679		goto out_put_ctr;
680
681	err = -ENAMETOOLONG;
682	if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
683		     "gcm_base(%s,%s)", ctr->cra_driver_name,
684		     ghash_alg->cra_driver_name) >=
685	    CRYPTO_MAX_ALG_NAME)
686		goto out_put_ctr;
687
688	memcpy(inst->alg.base.cra_name, full_name, CRYPTO_MAX_ALG_NAME);
689
690	inst->alg.base.cra_flags = (ghash->base.cra_flags | ctr->cra_flags) &
691				   CRYPTO_ALG_ASYNC;
692	inst->alg.base.cra_priority = (ghash->base.cra_priority +
693				       ctr->cra_priority) / 2;
694	inst->alg.base.cra_blocksize = 1;
695	inst->alg.base.cra_alignmask = ghash->base.cra_alignmask |
696				       ctr->cra_alignmask;
697	inst->alg.base.cra_ctxsize = sizeof(struct crypto_gcm_ctx);
698	inst->alg.ivsize = 12;
699	inst->alg.maxauthsize = 16;
700	inst->alg.init = crypto_gcm_init_tfm;
701	inst->alg.exit = crypto_gcm_exit_tfm;
702	inst->alg.setkey = crypto_gcm_setkey;
703	inst->alg.setauthsize = crypto_gcm_setauthsize;
704	inst->alg.encrypt = crypto_gcm_encrypt;
705	inst->alg.decrypt = crypto_gcm_decrypt;
706
707	inst->free = crypto_gcm_free;
708
709	err = aead_register_instance(tmpl, inst);
710	if (err)
711		goto out_put_ctr;
712
713out_put_ghash:
714	crypto_mod_put(ghash_alg);
715	return err;
716
717out_put_ctr:
718	crypto_drop_skcipher(&ctx->ctr);
719err_drop_ghash:
720	crypto_drop_ahash(&ctx->ghash);
721err_free_inst:
722	kfree(inst);
723	goto out_put_ghash;
724}
725
726static int crypto_gcm_create(struct crypto_template *tmpl, struct rtattr **tb)
727{
728	const char *cipher_name;
729	char ctr_name[CRYPTO_MAX_ALG_NAME];
730	char full_name[CRYPTO_MAX_ALG_NAME];
731
732	cipher_name = crypto_attr_alg_name(tb[1]);
733	if (IS_ERR(cipher_name))
734		return PTR_ERR(cipher_name);
735
736	if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", cipher_name) >=
737	    CRYPTO_MAX_ALG_NAME)
738		return -ENAMETOOLONG;
739
740	if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm(%s)", cipher_name) >=
741	    CRYPTO_MAX_ALG_NAME)
742		return -ENAMETOOLONG;
743
744	return crypto_gcm_create_common(tmpl, tb, full_name,
745					ctr_name, "ghash");
746}
747
748static struct crypto_template crypto_gcm_tmpl = {
749	.name = "gcm",
750	.create = crypto_gcm_create,
751	.module = THIS_MODULE,
752};
753
754static int crypto_gcm_base_create(struct crypto_template *tmpl,
755				  struct rtattr **tb)
756{
757	const char *ctr_name;
758	const char *ghash_name;
759	char full_name[CRYPTO_MAX_ALG_NAME];
760
761	ctr_name = crypto_attr_alg_name(tb[1]);
762	if (IS_ERR(ctr_name))
763		return PTR_ERR(ctr_name);
764
765	ghash_name = crypto_attr_alg_name(tb[2]);
766	if (IS_ERR(ghash_name))
767		return PTR_ERR(ghash_name);
768
769	if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm_base(%s,%s)",
770		     ctr_name, ghash_name) >= CRYPTO_MAX_ALG_NAME)
771		return -ENAMETOOLONG;
772
773	return crypto_gcm_create_common(tmpl, tb, full_name,
774					ctr_name, ghash_name);
775}
776
777static struct crypto_template crypto_gcm_base_tmpl = {
778	.name = "gcm_base",
779	.create = crypto_gcm_base_create,
780	.module = THIS_MODULE,
781};
782
783static int crypto_rfc4106_setkey(struct crypto_aead *parent, const u8 *key,
784				 unsigned int keylen)
785{
786	struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(parent);
787	struct crypto_aead *child = ctx->child;
788	int err;
789
790	if (keylen < 4)
791		return -EINVAL;
792
793	keylen -= 4;
794	memcpy(ctx->nonce, key + keylen, 4);
795
796	crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK);
797	crypto_aead_set_flags(child, crypto_aead_get_flags(parent) &
798				     CRYPTO_TFM_REQ_MASK);
799	err = crypto_aead_setkey(child, key, keylen);
800	crypto_aead_set_flags(parent, crypto_aead_get_flags(child) &
801				      CRYPTO_TFM_RES_MASK);
802
803	return err;
804}
805
806static int crypto_rfc4106_setauthsize(struct crypto_aead *parent,
807				      unsigned int authsize)
808{
809	struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(parent);
810
811	switch (authsize) {
812	case 8:
813	case 12:
814	case 16:
815		break;
816	default:
817		return -EINVAL;
818	}
819
820	return crypto_aead_setauthsize(ctx->child, authsize);
821}
822
823static struct aead_request *crypto_rfc4106_crypt(struct aead_request *req)
824{
825	struct crypto_rfc4106_req_ctx *rctx = aead_request_ctx(req);
826	struct crypto_aead *aead = crypto_aead_reqtfm(req);
827	struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(aead);
828	struct aead_request *subreq = &rctx->subreq;
829	struct crypto_aead *child = ctx->child;
830	struct scatterlist *sg;
831	u8 *iv = PTR_ALIGN((u8 *)(subreq + 1) + crypto_aead_reqsize(child),
832			   crypto_aead_alignmask(child) + 1);
833
834	scatterwalk_map_and_copy(iv + 12, req->src, 0, req->assoclen - 8, 0);
835
836	memcpy(iv, ctx->nonce, 4);
837	memcpy(iv + 4, req->iv, 8);
838
839	sg_init_table(rctx->src, 3);
840	sg_set_buf(rctx->src, iv + 12, req->assoclen - 8);
841	sg = scatterwalk_ffwd(rctx->src + 1, req->src, req->assoclen);
842	if (sg != rctx->src + 1)
843		sg_chain(rctx->src, 2, sg);
844
845	if (req->src != req->dst) {
846		sg_init_table(rctx->dst, 3);
847		sg_set_buf(rctx->dst, iv + 12, req->assoclen - 8);
848		sg = scatterwalk_ffwd(rctx->dst + 1, req->dst, req->assoclen);
849		if (sg != rctx->dst + 1)
850			sg_chain(rctx->dst, 2, sg);
851	}
852
853	aead_request_set_tfm(subreq, child);
854	aead_request_set_callback(subreq, req->base.flags, req->base.complete,
855				  req->base.data);
856	aead_request_set_crypt(subreq, rctx->src,
857			       req->src == req->dst ? rctx->src : rctx->dst,
858			       req->cryptlen, iv);
859	aead_request_set_ad(subreq, req->assoclen - 8);
860
861	return subreq;
862}
863
864static int crypto_rfc4106_encrypt(struct aead_request *req)
865{
866	if (req->assoclen != 16 && req->assoclen != 20)
867		return -EINVAL;
868
869	req = crypto_rfc4106_crypt(req);
870
871	return crypto_aead_encrypt(req);
872}
873
874static int crypto_rfc4106_decrypt(struct aead_request *req)
875{
876	if (req->assoclen != 16 && req->assoclen != 20)
877		return -EINVAL;
878
879	req = crypto_rfc4106_crypt(req);
880
881	return crypto_aead_decrypt(req);
882}
883
884static int crypto_rfc4106_init_tfm(struct crypto_aead *tfm)
885{
886	struct aead_instance *inst = aead_alg_instance(tfm);
887	struct crypto_aead_spawn *spawn = aead_instance_ctx(inst);
888	struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(tfm);
889	struct crypto_aead *aead;
890	unsigned long align;
891
892	aead = crypto_spawn_aead(spawn);
893	if (IS_ERR(aead))
894		return PTR_ERR(aead);
895
896	ctx->child = aead;
897
898	align = crypto_aead_alignmask(aead);
899	align &= ~(crypto_tfm_ctx_alignment() - 1);
900	crypto_aead_set_reqsize(
901		tfm,
902		sizeof(struct crypto_rfc4106_req_ctx) +
903		ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) +
904		align + 24);
905
906	return 0;
907}
908
909static void crypto_rfc4106_exit_tfm(struct crypto_aead *tfm)
910{
911	struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(tfm);
912
913	crypto_free_aead(ctx->child);
914}
915
916static void crypto_rfc4106_free(struct aead_instance *inst)
917{
918	crypto_drop_aead(aead_instance_ctx(inst));
919	kfree(inst);
920}
921
922static int crypto_rfc4106_create(struct crypto_template *tmpl,
923				 struct rtattr **tb)
924{
925	struct crypto_attr_type *algt;
926	struct aead_instance *inst;
927	struct crypto_aead_spawn *spawn;
928	struct aead_alg *alg;
929	const char *ccm_name;
930	int err;
931
932	algt = crypto_get_attr_type(tb);
933	if (IS_ERR(algt))
934		return PTR_ERR(algt);
935
936	if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
937		return -EINVAL;
938
939	ccm_name = crypto_attr_alg_name(tb[1]);
940	if (IS_ERR(ccm_name))
941		return PTR_ERR(ccm_name);
942
943	inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
944	if (!inst)
945		return -ENOMEM;
946
947	spawn = aead_instance_ctx(inst);
948	crypto_set_aead_spawn(spawn, aead_crypto_instance(inst));
949	err = crypto_grab_aead(spawn, ccm_name, 0,
950			       crypto_requires_sync(algt->type, algt->mask));
951	if (err)
952		goto out_free_inst;
953
954	alg = crypto_spawn_aead_alg(spawn);
955
956	err = -EINVAL;
957
958	/* Underlying IV size must be 12. */
959	if (crypto_aead_alg_ivsize(alg) != 12)
960		goto out_drop_alg;
961
962	/* Not a stream cipher? */
963	if (alg->base.cra_blocksize != 1)
964		goto out_drop_alg;
965
966	err = -ENAMETOOLONG;
967	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
968		     "rfc4106(%s)", alg->base.cra_name) >=
969	    CRYPTO_MAX_ALG_NAME ||
970	    snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
971		     "rfc4106(%s)", alg->base.cra_driver_name) >=
972	    CRYPTO_MAX_ALG_NAME)
973		goto out_drop_alg;
974
975	inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC;
976	inst->alg.base.cra_priority = alg->base.cra_priority;
977	inst->alg.base.cra_blocksize = 1;
978	inst->alg.base.cra_alignmask = alg->base.cra_alignmask;
979
980	inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4106_ctx);
981
982	inst->alg.ivsize = 8;
983	inst->alg.maxauthsize = crypto_aead_alg_maxauthsize(alg);
984
985	inst->alg.init = crypto_rfc4106_init_tfm;
986	inst->alg.exit = crypto_rfc4106_exit_tfm;
987
988	inst->alg.setkey = crypto_rfc4106_setkey;
989	inst->alg.setauthsize = crypto_rfc4106_setauthsize;
990	inst->alg.encrypt = crypto_rfc4106_encrypt;
991	inst->alg.decrypt = crypto_rfc4106_decrypt;
992
993	inst->free = crypto_rfc4106_free;
994
995	err = aead_register_instance(tmpl, inst);
996	if (err)
997		goto out_drop_alg;
998
999out:
1000	return err;
1001
1002out_drop_alg:
1003	crypto_drop_aead(spawn);
1004out_free_inst:
1005	kfree(inst);
1006	goto out;
1007}
1008
1009static struct crypto_template crypto_rfc4106_tmpl = {
1010	.name = "rfc4106",
1011	.create = crypto_rfc4106_create,
1012	.module = THIS_MODULE,
1013};
1014
1015static int crypto_rfc4543_setkey(struct crypto_aead *parent, const u8 *key,
1016				 unsigned int keylen)
1017{
1018	struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(parent);
1019	struct crypto_aead *child = ctx->child;
1020	int err;
1021
1022	if (keylen < 4)
1023		return -EINVAL;
1024
1025	keylen -= 4;
1026	memcpy(ctx->nonce, key + keylen, 4);
1027
1028	crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK);
1029	crypto_aead_set_flags(child, crypto_aead_get_flags(parent) &
1030				     CRYPTO_TFM_REQ_MASK);
1031	err = crypto_aead_setkey(child, key, keylen);
1032	crypto_aead_set_flags(parent, crypto_aead_get_flags(child) &
1033				      CRYPTO_TFM_RES_MASK);
1034
1035	return err;
1036}
1037
1038static int crypto_rfc4543_setauthsize(struct crypto_aead *parent,
1039				      unsigned int authsize)
1040{
1041	struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(parent);
1042
1043	if (authsize != 16)
1044		return -EINVAL;
1045
1046	return crypto_aead_setauthsize(ctx->child, authsize);
1047}
1048
1049static int crypto_rfc4543_crypt(struct aead_request *req, bool enc)
1050{
1051	struct crypto_aead *aead = crypto_aead_reqtfm(req);
1052	struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(aead);
1053	struct crypto_rfc4543_req_ctx *rctx = aead_request_ctx(req);
1054	struct aead_request *subreq = &rctx->subreq;
1055	unsigned int authsize = crypto_aead_authsize(aead);
1056	u8 *iv = PTR_ALIGN((u8 *)(rctx + 1) + crypto_aead_reqsize(ctx->child),
1057			   crypto_aead_alignmask(ctx->child) + 1);
1058	int err;
1059
1060	if (req->src != req->dst) {
1061		err = crypto_rfc4543_copy_src_to_dst(req, enc);
1062		if (err)
1063			return err;
1064	}
1065
1066	memcpy(iv, ctx->nonce, 4);
1067	memcpy(iv + 4, req->iv, 8);
1068
1069	aead_request_set_tfm(subreq, ctx->child);
1070	aead_request_set_callback(subreq, req->base.flags,
1071				  req->base.complete, req->base.data);
1072	aead_request_set_crypt(subreq, req->src, req->dst,
1073			       enc ? 0 : authsize, iv);
1074	aead_request_set_ad(subreq, req->assoclen + req->cryptlen -
1075				    subreq->cryptlen);
1076
1077	return enc ? crypto_aead_encrypt(subreq) : crypto_aead_decrypt(subreq);
1078}
1079
1080static int crypto_rfc4543_copy_src_to_dst(struct aead_request *req, bool enc)
1081{
1082	struct crypto_aead *aead = crypto_aead_reqtfm(req);
1083	struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(aead);
1084	unsigned int authsize = crypto_aead_authsize(aead);
1085	unsigned int nbytes = req->assoclen + req->cryptlen -
1086			      (enc ? 0 : authsize);
1087	struct blkcipher_desc desc = {
1088		.tfm = ctx->null,
1089	};
1090
1091	return crypto_blkcipher_encrypt(&desc, req->dst, req->src, nbytes);
1092}
1093
1094static int crypto_rfc4543_encrypt(struct aead_request *req)
1095{
1096	return crypto_rfc4543_crypt(req, true);
1097}
1098
1099static int crypto_rfc4543_decrypt(struct aead_request *req)
1100{
1101	return crypto_rfc4543_crypt(req, false);
1102}
1103
1104static int crypto_rfc4543_init_tfm(struct crypto_aead *tfm)
1105{
1106	struct aead_instance *inst = aead_alg_instance(tfm);
1107	struct crypto_rfc4543_instance_ctx *ictx = aead_instance_ctx(inst);
1108	struct crypto_aead_spawn *spawn = &ictx->aead;
1109	struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(tfm);
1110	struct crypto_aead *aead;
1111	struct crypto_blkcipher *null;
1112	unsigned long align;
1113	int err = 0;
1114
1115	aead = crypto_spawn_aead(spawn);
1116	if (IS_ERR(aead))
1117		return PTR_ERR(aead);
1118
1119	null = crypto_get_default_null_skcipher();
1120	err = PTR_ERR(null);
1121	if (IS_ERR(null))
1122		goto err_free_aead;
1123
1124	ctx->child = aead;
1125	ctx->null = null;
1126
1127	align = crypto_aead_alignmask(aead);
1128	align &= ~(crypto_tfm_ctx_alignment() - 1);
1129	crypto_aead_set_reqsize(
1130		tfm,
1131		sizeof(struct crypto_rfc4543_req_ctx) +
1132		ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) +
1133		align + 12);
1134
1135	return 0;
1136
1137err_free_aead:
1138	crypto_free_aead(aead);
1139	return err;
1140}
1141
1142static void crypto_rfc4543_exit_tfm(struct crypto_aead *tfm)
1143{
1144	struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(tfm);
1145
1146	crypto_free_aead(ctx->child);
1147	crypto_put_default_null_skcipher();
1148}
1149
1150static void crypto_rfc4543_free(struct aead_instance *inst)
1151{
1152	struct crypto_rfc4543_instance_ctx *ctx = aead_instance_ctx(inst);
1153
1154	crypto_drop_aead(&ctx->aead);
1155
1156	kfree(inst);
1157}
1158
1159static int crypto_rfc4543_create(struct crypto_template *tmpl,
1160				struct rtattr **tb)
1161{
1162	struct crypto_attr_type *algt;
1163	struct aead_instance *inst;
1164	struct crypto_aead_spawn *spawn;
1165	struct aead_alg *alg;
1166	struct crypto_rfc4543_instance_ctx *ctx;
1167	const char *ccm_name;
1168	int err;
1169
1170	algt = crypto_get_attr_type(tb);
1171	if (IS_ERR(algt))
1172		return PTR_ERR(algt);
1173
1174	if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
1175		return -EINVAL;
1176
1177	ccm_name = crypto_attr_alg_name(tb[1]);
1178	if (IS_ERR(ccm_name))
1179		return PTR_ERR(ccm_name);
1180
1181	inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
1182	if (!inst)
1183		return -ENOMEM;
1184
1185	ctx = aead_instance_ctx(inst);
1186	spawn = &ctx->aead;
1187	crypto_set_aead_spawn(spawn, aead_crypto_instance(inst));
1188	err = crypto_grab_aead(spawn, ccm_name, 0,
1189			       crypto_requires_sync(algt->type, algt->mask));
1190	if (err)
1191		goto out_free_inst;
1192
1193	alg = crypto_spawn_aead_alg(spawn);
1194
1195	err = -EINVAL;
1196
1197	/* Underlying IV size must be 12. */
1198	if (crypto_aead_alg_ivsize(alg) != 12)
1199		goto out_drop_alg;
1200
1201	/* Not a stream cipher? */
1202	if (alg->base.cra_blocksize != 1)
1203		goto out_drop_alg;
1204
1205	err = -ENAMETOOLONG;
1206	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
1207		     "rfc4543(%s)", alg->base.cra_name) >=
1208	    CRYPTO_MAX_ALG_NAME ||
1209	    snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
1210		     "rfc4543(%s)", alg->base.cra_driver_name) >=
1211	    CRYPTO_MAX_ALG_NAME)
1212		goto out_drop_alg;
1213
1214	inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC;
1215	inst->alg.base.cra_priority = alg->base.cra_priority;
1216	inst->alg.base.cra_blocksize = 1;
1217	inst->alg.base.cra_alignmask = alg->base.cra_alignmask;
1218
1219	inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4543_ctx);
1220
1221	inst->alg.ivsize = 8;
1222	inst->alg.maxauthsize = crypto_aead_alg_maxauthsize(alg);
1223
1224	inst->alg.init = crypto_rfc4543_init_tfm;
1225	inst->alg.exit = crypto_rfc4543_exit_tfm;
1226
1227	inst->alg.setkey = crypto_rfc4543_setkey;
1228	inst->alg.setauthsize = crypto_rfc4543_setauthsize;
1229	inst->alg.encrypt = crypto_rfc4543_encrypt;
1230	inst->alg.decrypt = crypto_rfc4543_decrypt;
1231
1232	inst->free = crypto_rfc4543_free,
1233
1234	err = aead_register_instance(tmpl, inst);
1235	if (err)
1236		goto out_drop_alg;
1237
1238out:
1239	return err;
1240
1241out_drop_alg:
1242	crypto_drop_aead(spawn);
1243out_free_inst:
1244	kfree(inst);
1245	goto out;
1246}
1247
1248static struct crypto_template crypto_rfc4543_tmpl = {
1249	.name = "rfc4543",
1250	.create = crypto_rfc4543_create,
1251	.module = THIS_MODULE,
1252};
1253
1254static int __init crypto_gcm_module_init(void)
1255{
1256	int err;
1257
1258	gcm_zeroes = kzalloc(sizeof(*gcm_zeroes), GFP_KERNEL);
1259	if (!gcm_zeroes)
1260		return -ENOMEM;
1261
1262	sg_init_one(&gcm_zeroes->sg, gcm_zeroes->buf, sizeof(gcm_zeroes->buf));
1263
1264	err = crypto_register_template(&crypto_gcm_base_tmpl);
1265	if (err)
1266		goto out;
1267
1268	err = crypto_register_template(&crypto_gcm_tmpl);
1269	if (err)
1270		goto out_undo_base;
1271
1272	err = crypto_register_template(&crypto_rfc4106_tmpl);
1273	if (err)
1274		goto out_undo_gcm;
1275
1276	err = crypto_register_template(&crypto_rfc4543_tmpl);
1277	if (err)
1278		goto out_undo_rfc4106;
1279
1280	return 0;
1281
1282out_undo_rfc4106:
1283	crypto_unregister_template(&crypto_rfc4106_tmpl);
1284out_undo_gcm:
1285	crypto_unregister_template(&crypto_gcm_tmpl);
1286out_undo_base:
1287	crypto_unregister_template(&crypto_gcm_base_tmpl);
1288out:
1289	kfree(gcm_zeroes);
1290	return err;
1291}
1292
1293static void __exit crypto_gcm_module_exit(void)
1294{
1295	kfree(gcm_zeroes);
1296	crypto_unregister_template(&crypto_rfc4543_tmpl);
1297	crypto_unregister_template(&crypto_rfc4106_tmpl);
1298	crypto_unregister_template(&crypto_gcm_tmpl);
1299	crypto_unregister_template(&crypto_gcm_base_tmpl);
1300}
1301
1302module_init(crypto_gcm_module_init);
1303module_exit(crypto_gcm_module_exit);
1304
1305MODULE_LICENSE("GPL");
1306MODULE_DESCRIPTION("Galois/Counter Mode");
1307MODULE_AUTHOR("Mikko Herranen <mh1@iki.fi>");
1308MODULE_ALIAS_CRYPTO("gcm_base");
1309MODULE_ALIAS_CRYPTO("rfc4106");
1310MODULE_ALIAS_CRYPTO("rfc4543");
1311MODULE_ALIAS_CRYPTO("gcm");
1312