1/* 2 * GCM: Galois/Counter Mode. 3 * 4 * Copyright (c) 2007 Nokia Siemens Networks - Mikko Herranen <mh1@iki.fi> 5 * 6 * This program is free software; you can redistribute it and/or modify it 7 * under the terms of the GNU General Public License version 2 as published 8 * by the Free Software Foundation. 9 */ 10 11#include <crypto/gf128mul.h> 12#include <crypto/internal/aead.h> 13#include <crypto/internal/skcipher.h> 14#include <crypto/internal/hash.h> 15#include <crypto/null.h> 16#include <crypto/scatterwalk.h> 17#include <crypto/hash.h> 18#include "internal.h" 19#include <linux/completion.h> 20#include <linux/err.h> 21#include <linux/init.h> 22#include <linux/kernel.h> 23#include <linux/module.h> 24#include <linux/slab.h> 25 26struct gcm_instance_ctx { 27 struct crypto_skcipher_spawn ctr; 28 struct crypto_ahash_spawn ghash; 29}; 30 31struct crypto_gcm_ctx { 32 struct crypto_ablkcipher *ctr; 33 struct crypto_ahash *ghash; 34}; 35 36struct crypto_rfc4106_ctx { 37 struct crypto_aead *child; 38 u8 nonce[4]; 39}; 40 41struct crypto_rfc4106_req_ctx { 42 struct scatterlist src[3]; 43 struct scatterlist dst[3]; 44 struct aead_request subreq; 45}; 46 47struct crypto_rfc4543_instance_ctx { 48 struct crypto_aead_spawn aead; 49}; 50 51struct crypto_rfc4543_ctx { 52 struct crypto_aead *child; 53 struct crypto_blkcipher *null; 54 u8 nonce[4]; 55}; 56 57struct crypto_rfc4543_req_ctx { 58 struct aead_request subreq; 59}; 60 61struct crypto_gcm_ghash_ctx { 62 unsigned int cryptlen; 63 struct scatterlist *src; 64 int (*complete)(struct aead_request *req, u32 flags); 65}; 66 67struct crypto_gcm_req_priv_ctx { 68 u8 iv[16]; 69 u8 auth_tag[16]; 70 u8 iauth_tag[16]; 71 struct scatterlist src[3]; 72 struct scatterlist dst[3]; 73 struct scatterlist sg; 74 struct crypto_gcm_ghash_ctx ghash_ctx; 75 union { 76 struct ahash_request ahreq; 77 struct ablkcipher_request abreq; 78 } u; 79}; 80 81struct crypto_gcm_setkey_result { 82 int err; 83 struct completion completion; 84}; 85 86static struct { 87 u8 buf[16]; 88 struct scatterlist sg; 89} *gcm_zeroes; 90 91static int crypto_rfc4543_copy_src_to_dst(struct aead_request *req, bool enc); 92 93static inline struct crypto_gcm_req_priv_ctx *crypto_gcm_reqctx( 94 struct aead_request *req) 95{ 96 unsigned long align = crypto_aead_alignmask(crypto_aead_reqtfm(req)); 97 98 return (void *)PTR_ALIGN((u8 *)aead_request_ctx(req), align + 1); 99} 100 101static void crypto_gcm_setkey_done(struct crypto_async_request *req, int err) 102{ 103 struct crypto_gcm_setkey_result *result = req->data; 104 105 if (err == -EINPROGRESS) 106 return; 107 108 result->err = err; 109 complete(&result->completion); 110} 111 112static int crypto_gcm_setkey(struct crypto_aead *aead, const u8 *key, 113 unsigned int keylen) 114{ 115 struct crypto_gcm_ctx *ctx = crypto_aead_ctx(aead); 116 struct crypto_ahash *ghash = ctx->ghash; 117 struct crypto_ablkcipher *ctr = ctx->ctr; 118 struct { 119 be128 hash; 120 u8 iv[8]; 121 122 struct crypto_gcm_setkey_result result; 123 124 struct scatterlist sg[1]; 125 struct ablkcipher_request req; 126 } *data; 127 int err; 128 129 crypto_ablkcipher_clear_flags(ctr, CRYPTO_TFM_REQ_MASK); 130 crypto_ablkcipher_set_flags(ctr, crypto_aead_get_flags(aead) & 131 CRYPTO_TFM_REQ_MASK); 132 err = crypto_ablkcipher_setkey(ctr, key, keylen); 133 crypto_aead_set_flags(aead, crypto_ablkcipher_get_flags(ctr) & 134 CRYPTO_TFM_RES_MASK); 135 if (err) 136 return err; 137 138 data = kzalloc(sizeof(*data) + crypto_ablkcipher_reqsize(ctr), 139 GFP_KERNEL); 140 if (!data) 141 return -ENOMEM; 142 143 init_completion(&data->result.completion); 144 sg_init_one(data->sg, &data->hash, sizeof(data->hash)); 145 ablkcipher_request_set_tfm(&data->req, ctr); 146 ablkcipher_request_set_callback(&data->req, CRYPTO_TFM_REQ_MAY_SLEEP | 147 CRYPTO_TFM_REQ_MAY_BACKLOG, 148 crypto_gcm_setkey_done, 149 &data->result); 150 ablkcipher_request_set_crypt(&data->req, data->sg, data->sg, 151 sizeof(data->hash), data->iv); 152 153 err = crypto_ablkcipher_encrypt(&data->req); 154 if (err == -EINPROGRESS || err == -EBUSY) { 155 err = wait_for_completion_interruptible( 156 &data->result.completion); 157 if (!err) 158 err = data->result.err; 159 } 160 161 if (err) 162 goto out; 163 164 crypto_ahash_clear_flags(ghash, CRYPTO_TFM_REQ_MASK); 165 crypto_ahash_set_flags(ghash, crypto_aead_get_flags(aead) & 166 CRYPTO_TFM_REQ_MASK); 167 err = crypto_ahash_setkey(ghash, (u8 *)&data->hash, sizeof(be128)); 168 crypto_aead_set_flags(aead, crypto_ahash_get_flags(ghash) & 169 CRYPTO_TFM_RES_MASK); 170 171out: 172 kzfree(data); 173 return err; 174} 175 176static int crypto_gcm_setauthsize(struct crypto_aead *tfm, 177 unsigned int authsize) 178{ 179 switch (authsize) { 180 case 4: 181 case 8: 182 case 12: 183 case 13: 184 case 14: 185 case 15: 186 case 16: 187 break; 188 default: 189 return -EINVAL; 190 } 191 192 return 0; 193} 194 195static void crypto_gcm_init_common(struct aead_request *req) 196{ 197 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); 198 __be32 counter = cpu_to_be32(1); 199 struct scatterlist *sg; 200 201 memset(pctx->auth_tag, 0, sizeof(pctx->auth_tag)); 202 memcpy(pctx->iv, req->iv, 12); 203 memcpy(pctx->iv + 12, &counter, 4); 204 205 sg_init_table(pctx->src, 3); 206 sg_set_buf(pctx->src, pctx->auth_tag, sizeof(pctx->auth_tag)); 207 sg = scatterwalk_ffwd(pctx->src + 1, req->src, req->assoclen); 208 if (sg != pctx->src + 1) 209 sg_chain(pctx->src, 2, sg); 210 211 if (req->src != req->dst) { 212 sg_init_table(pctx->dst, 3); 213 sg_set_buf(pctx->dst, pctx->auth_tag, sizeof(pctx->auth_tag)); 214 sg = scatterwalk_ffwd(pctx->dst + 1, req->dst, req->assoclen); 215 if (sg != pctx->dst + 1) 216 sg_chain(pctx->dst, 2, sg); 217 } 218} 219 220static void crypto_gcm_init_crypt(struct aead_request *req, 221 unsigned int cryptlen) 222{ 223 struct crypto_aead *aead = crypto_aead_reqtfm(req); 224 struct crypto_gcm_ctx *ctx = crypto_aead_ctx(aead); 225 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); 226 struct ablkcipher_request *ablk_req = &pctx->u.abreq; 227 struct scatterlist *dst; 228 229 dst = req->src == req->dst ? pctx->src : pctx->dst; 230 231 ablkcipher_request_set_tfm(ablk_req, ctx->ctr); 232 ablkcipher_request_set_crypt(ablk_req, pctx->src, dst, 233 cryptlen + sizeof(pctx->auth_tag), 234 pctx->iv); 235} 236 237static inline unsigned int gcm_remain(unsigned int len) 238{ 239 len &= 0xfU; 240 return len ? 16 - len : 0; 241} 242 243static void gcm_hash_len_done(struct crypto_async_request *areq, int err); 244 245static int gcm_hash_update(struct aead_request *req, 246 crypto_completion_t compl, 247 struct scatterlist *src, 248 unsigned int len, u32 flags) 249{ 250 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); 251 struct ahash_request *ahreq = &pctx->u.ahreq; 252 253 ahash_request_set_callback(ahreq, flags, compl, req); 254 ahash_request_set_crypt(ahreq, src, NULL, len); 255 256 return crypto_ahash_update(ahreq); 257} 258 259static int gcm_hash_remain(struct aead_request *req, 260 unsigned int remain, 261 crypto_completion_t compl, u32 flags) 262{ 263 return gcm_hash_update(req, compl, &gcm_zeroes->sg, remain, flags); 264} 265 266static int gcm_hash_len(struct aead_request *req, u32 flags) 267{ 268 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); 269 struct ahash_request *ahreq = &pctx->u.ahreq; 270 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx; 271 u128 lengths; 272 273 lengths.a = cpu_to_be64(req->assoclen * 8); 274 lengths.b = cpu_to_be64(gctx->cryptlen * 8); 275 memcpy(pctx->iauth_tag, &lengths, 16); 276 sg_init_one(&pctx->sg, pctx->iauth_tag, 16); 277 ahash_request_set_callback(ahreq, flags, gcm_hash_len_done, req); 278 ahash_request_set_crypt(ahreq, &pctx->sg, 279 pctx->iauth_tag, sizeof(lengths)); 280 281 return crypto_ahash_finup(ahreq); 282} 283 284static int gcm_hash_len_continue(struct aead_request *req, u32 flags) 285{ 286 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); 287 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx; 288 289 return gctx->complete(req, flags); 290} 291 292static void gcm_hash_len_done(struct crypto_async_request *areq, int err) 293{ 294 struct aead_request *req = areq->data; 295 296 if (err) 297 goto out; 298 299 err = gcm_hash_len_continue(req, 0); 300 if (err == -EINPROGRESS) 301 return; 302 303out: 304 aead_request_complete(req, err); 305} 306 307static int gcm_hash_crypt_remain_continue(struct aead_request *req, u32 flags) 308{ 309 return gcm_hash_len(req, flags) ?: 310 gcm_hash_len_continue(req, flags); 311} 312 313static void gcm_hash_crypt_remain_done(struct crypto_async_request *areq, 314 int err) 315{ 316 struct aead_request *req = areq->data; 317 318 if (err) 319 goto out; 320 321 err = gcm_hash_crypt_remain_continue(req, 0); 322 if (err == -EINPROGRESS) 323 return; 324 325out: 326 aead_request_complete(req, err); 327} 328 329static int gcm_hash_crypt_continue(struct aead_request *req, u32 flags) 330{ 331 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); 332 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx; 333 unsigned int remain; 334 335 remain = gcm_remain(gctx->cryptlen); 336 if (remain) 337 return gcm_hash_remain(req, remain, 338 gcm_hash_crypt_remain_done, flags) ?: 339 gcm_hash_crypt_remain_continue(req, flags); 340 341 return gcm_hash_crypt_remain_continue(req, flags); 342} 343 344static void gcm_hash_crypt_done(struct crypto_async_request *areq, int err) 345{ 346 struct aead_request *req = areq->data; 347 348 if (err) 349 goto out; 350 351 err = gcm_hash_crypt_continue(req, 0); 352 if (err == -EINPROGRESS) 353 return; 354 355out: 356 aead_request_complete(req, err); 357} 358 359static int gcm_hash_assoc_remain_continue(struct aead_request *req, u32 flags) 360{ 361 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); 362 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx; 363 364 if (gctx->cryptlen) 365 return gcm_hash_update(req, gcm_hash_crypt_done, 366 gctx->src, gctx->cryptlen, flags) ?: 367 gcm_hash_crypt_continue(req, flags); 368 369 return gcm_hash_crypt_remain_continue(req, flags); 370} 371 372static void gcm_hash_assoc_remain_done(struct crypto_async_request *areq, 373 int err) 374{ 375 struct aead_request *req = areq->data; 376 377 if (err) 378 goto out; 379 380 err = gcm_hash_assoc_remain_continue(req, 0); 381 if (err == -EINPROGRESS) 382 return; 383 384out: 385 aead_request_complete(req, err); 386} 387 388static int gcm_hash_assoc_continue(struct aead_request *req, u32 flags) 389{ 390 unsigned int remain; 391 392 remain = gcm_remain(req->assoclen); 393 if (remain) 394 return gcm_hash_remain(req, remain, 395 gcm_hash_assoc_remain_done, flags) ?: 396 gcm_hash_assoc_remain_continue(req, flags); 397 398 return gcm_hash_assoc_remain_continue(req, flags); 399} 400 401static void gcm_hash_assoc_done(struct crypto_async_request *areq, int err) 402{ 403 struct aead_request *req = areq->data; 404 405 if (err) 406 goto out; 407 408 err = gcm_hash_assoc_continue(req, 0); 409 if (err == -EINPROGRESS) 410 return; 411 412out: 413 aead_request_complete(req, err); 414} 415 416static int gcm_hash_init_continue(struct aead_request *req, u32 flags) 417{ 418 if (req->assoclen) 419 return gcm_hash_update(req, gcm_hash_assoc_done, 420 req->src, req->assoclen, flags) ?: 421 gcm_hash_assoc_continue(req, flags); 422 423 return gcm_hash_assoc_remain_continue(req, flags); 424} 425 426static void gcm_hash_init_done(struct crypto_async_request *areq, int err) 427{ 428 struct aead_request *req = areq->data; 429 430 if (err) 431 goto out; 432 433 err = gcm_hash_init_continue(req, 0); 434 if (err == -EINPROGRESS) 435 return; 436 437out: 438 aead_request_complete(req, err); 439} 440 441static int gcm_hash(struct aead_request *req, u32 flags) 442{ 443 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); 444 struct ahash_request *ahreq = &pctx->u.ahreq; 445 struct crypto_gcm_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req)); 446 447 ahash_request_set_tfm(ahreq, ctx->ghash); 448 449 ahash_request_set_callback(ahreq, flags, gcm_hash_init_done, req); 450 return crypto_ahash_init(ahreq) ?: 451 gcm_hash_init_continue(req, flags); 452} 453 454static int gcm_enc_copy_hash(struct aead_request *req, u32 flags) 455{ 456 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); 457 struct crypto_aead *aead = crypto_aead_reqtfm(req); 458 u8 *auth_tag = pctx->auth_tag; 459 460 crypto_xor(auth_tag, pctx->iauth_tag, 16); 461 scatterwalk_map_and_copy(auth_tag, req->dst, 462 req->assoclen + req->cryptlen, 463 crypto_aead_authsize(aead), 1); 464 return 0; 465} 466 467static int gcm_encrypt_continue(struct aead_request *req, u32 flags) 468{ 469 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); 470 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx; 471 472 gctx->src = sg_next(req->src == req->dst ? pctx->src : pctx->dst); 473 gctx->cryptlen = req->cryptlen; 474 gctx->complete = gcm_enc_copy_hash; 475 476 return gcm_hash(req, flags); 477} 478 479static void gcm_encrypt_done(struct crypto_async_request *areq, int err) 480{ 481 struct aead_request *req = areq->data; 482 483 if (err) 484 goto out; 485 486 err = gcm_encrypt_continue(req, 0); 487 if (err == -EINPROGRESS) 488 return; 489 490out: 491 aead_request_complete(req, err); 492} 493 494static int crypto_gcm_encrypt(struct aead_request *req) 495{ 496 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); 497 struct ablkcipher_request *abreq = &pctx->u.abreq; 498 u32 flags = aead_request_flags(req); 499 500 crypto_gcm_init_common(req); 501 crypto_gcm_init_crypt(req, req->cryptlen); 502 ablkcipher_request_set_callback(abreq, flags, gcm_encrypt_done, req); 503 504 return crypto_ablkcipher_encrypt(abreq) ?: 505 gcm_encrypt_continue(req, flags); 506} 507 508static int crypto_gcm_verify(struct aead_request *req) 509{ 510 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); 511 struct crypto_aead *aead = crypto_aead_reqtfm(req); 512 u8 *auth_tag = pctx->auth_tag; 513 u8 *iauth_tag = pctx->iauth_tag; 514 unsigned int authsize = crypto_aead_authsize(aead); 515 unsigned int cryptlen = req->cryptlen - authsize; 516 517 crypto_xor(auth_tag, iauth_tag, 16); 518 scatterwalk_map_and_copy(iauth_tag, req->src, 519 req->assoclen + cryptlen, authsize, 0); 520 return crypto_memneq(iauth_tag, auth_tag, authsize) ? -EBADMSG : 0; 521} 522 523static void gcm_decrypt_done(struct crypto_async_request *areq, int err) 524{ 525 struct aead_request *req = areq->data; 526 527 if (!err) 528 err = crypto_gcm_verify(req); 529 530 aead_request_complete(req, err); 531} 532 533static int gcm_dec_hash_continue(struct aead_request *req, u32 flags) 534{ 535 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); 536 struct ablkcipher_request *abreq = &pctx->u.abreq; 537 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx; 538 539 crypto_gcm_init_crypt(req, gctx->cryptlen); 540 ablkcipher_request_set_callback(abreq, flags, gcm_decrypt_done, req); 541 return crypto_ablkcipher_decrypt(abreq) ?: crypto_gcm_verify(req); 542} 543 544static int crypto_gcm_decrypt(struct aead_request *req) 545{ 546 struct crypto_aead *aead = crypto_aead_reqtfm(req); 547 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); 548 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx; 549 unsigned int authsize = crypto_aead_authsize(aead); 550 unsigned int cryptlen = req->cryptlen; 551 u32 flags = aead_request_flags(req); 552 553 cryptlen -= authsize; 554 555 crypto_gcm_init_common(req); 556 557 gctx->src = sg_next(pctx->src); 558 gctx->cryptlen = cryptlen; 559 gctx->complete = gcm_dec_hash_continue; 560 561 return gcm_hash(req, flags); 562} 563 564static int crypto_gcm_init_tfm(struct crypto_aead *tfm) 565{ 566 struct aead_instance *inst = aead_alg_instance(tfm); 567 struct gcm_instance_ctx *ictx = aead_instance_ctx(inst); 568 struct crypto_gcm_ctx *ctx = crypto_aead_ctx(tfm); 569 struct crypto_ablkcipher *ctr; 570 struct crypto_ahash *ghash; 571 unsigned long align; 572 int err; 573 574 ghash = crypto_spawn_ahash(&ictx->ghash); 575 if (IS_ERR(ghash)) 576 return PTR_ERR(ghash); 577 578 ctr = crypto_spawn_skcipher(&ictx->ctr); 579 err = PTR_ERR(ctr); 580 if (IS_ERR(ctr)) 581 goto err_free_hash; 582 583 ctx->ctr = ctr; 584 ctx->ghash = ghash; 585 586 align = crypto_aead_alignmask(tfm); 587 align &= ~(crypto_tfm_ctx_alignment() - 1); 588 crypto_aead_set_reqsize(tfm, 589 align + offsetof(struct crypto_gcm_req_priv_ctx, u) + 590 max(sizeof(struct ablkcipher_request) + 591 crypto_ablkcipher_reqsize(ctr), 592 sizeof(struct ahash_request) + 593 crypto_ahash_reqsize(ghash))); 594 595 return 0; 596 597err_free_hash: 598 crypto_free_ahash(ghash); 599 return err; 600} 601 602static void crypto_gcm_exit_tfm(struct crypto_aead *tfm) 603{ 604 struct crypto_gcm_ctx *ctx = crypto_aead_ctx(tfm); 605 606 crypto_free_ahash(ctx->ghash); 607 crypto_free_ablkcipher(ctx->ctr); 608} 609 610static void crypto_gcm_free(struct aead_instance *inst) 611{ 612 struct gcm_instance_ctx *ctx = aead_instance_ctx(inst); 613 614 crypto_drop_skcipher(&ctx->ctr); 615 crypto_drop_ahash(&ctx->ghash); 616 kfree(inst); 617} 618 619static int crypto_gcm_create_common(struct crypto_template *tmpl, 620 struct rtattr **tb, 621 const char *full_name, 622 const char *ctr_name, 623 const char *ghash_name) 624{ 625 struct crypto_attr_type *algt; 626 struct aead_instance *inst; 627 struct crypto_alg *ctr; 628 struct crypto_alg *ghash_alg; 629 struct hash_alg_common *ghash; 630 struct gcm_instance_ctx *ctx; 631 int err; 632 633 algt = crypto_get_attr_type(tb); 634 if (IS_ERR(algt)) 635 return PTR_ERR(algt); 636 637 if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask) 638 return -EINVAL; 639 640 ghash_alg = crypto_find_alg(ghash_name, &crypto_ahash_type, 641 CRYPTO_ALG_TYPE_HASH, 642 CRYPTO_ALG_TYPE_AHASH_MASK); 643 if (IS_ERR(ghash_alg)) 644 return PTR_ERR(ghash_alg); 645 646 ghash = __crypto_hash_alg_common(ghash_alg); 647 648 err = -ENOMEM; 649 inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL); 650 if (!inst) 651 goto out_put_ghash; 652 653 ctx = aead_instance_ctx(inst); 654 err = crypto_init_ahash_spawn(&ctx->ghash, ghash, 655 aead_crypto_instance(inst)); 656 if (err) 657 goto err_free_inst; 658 659 err = -EINVAL; 660 if (ghash->digestsize != 16) 661 goto err_drop_ghash; 662 663 crypto_set_skcipher_spawn(&ctx->ctr, aead_crypto_instance(inst)); 664 err = crypto_grab_skcipher(&ctx->ctr, ctr_name, 0, 665 crypto_requires_sync(algt->type, 666 algt->mask)); 667 if (err) 668 goto err_drop_ghash; 669 670 ctr = crypto_skcipher_spawn_alg(&ctx->ctr); 671 672 /* We only support 16-byte blocks. */ 673 if (ctr->cra_ablkcipher.ivsize != 16) 674 goto out_put_ctr; 675 676 /* Not a stream cipher? */ 677 err = -EINVAL; 678 if (ctr->cra_blocksize != 1) 679 goto out_put_ctr; 680 681 err = -ENAMETOOLONG; 682 if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, 683 "gcm_base(%s,%s)", ctr->cra_driver_name, 684 ghash_alg->cra_driver_name) >= 685 CRYPTO_MAX_ALG_NAME) 686 goto out_put_ctr; 687 688 memcpy(inst->alg.base.cra_name, full_name, CRYPTO_MAX_ALG_NAME); 689 690 inst->alg.base.cra_flags = (ghash->base.cra_flags | ctr->cra_flags) & 691 CRYPTO_ALG_ASYNC; 692 inst->alg.base.cra_priority = (ghash->base.cra_priority + 693 ctr->cra_priority) / 2; 694 inst->alg.base.cra_blocksize = 1; 695 inst->alg.base.cra_alignmask = ghash->base.cra_alignmask | 696 ctr->cra_alignmask; 697 inst->alg.base.cra_ctxsize = sizeof(struct crypto_gcm_ctx); 698 inst->alg.ivsize = 12; 699 inst->alg.maxauthsize = 16; 700 inst->alg.init = crypto_gcm_init_tfm; 701 inst->alg.exit = crypto_gcm_exit_tfm; 702 inst->alg.setkey = crypto_gcm_setkey; 703 inst->alg.setauthsize = crypto_gcm_setauthsize; 704 inst->alg.encrypt = crypto_gcm_encrypt; 705 inst->alg.decrypt = crypto_gcm_decrypt; 706 707 inst->free = crypto_gcm_free; 708 709 err = aead_register_instance(tmpl, inst); 710 if (err) 711 goto out_put_ctr; 712 713out_put_ghash: 714 crypto_mod_put(ghash_alg); 715 return err; 716 717out_put_ctr: 718 crypto_drop_skcipher(&ctx->ctr); 719err_drop_ghash: 720 crypto_drop_ahash(&ctx->ghash); 721err_free_inst: 722 kfree(inst); 723 goto out_put_ghash; 724} 725 726static int crypto_gcm_create(struct crypto_template *tmpl, struct rtattr **tb) 727{ 728 const char *cipher_name; 729 char ctr_name[CRYPTO_MAX_ALG_NAME]; 730 char full_name[CRYPTO_MAX_ALG_NAME]; 731 732 cipher_name = crypto_attr_alg_name(tb[1]); 733 if (IS_ERR(cipher_name)) 734 return PTR_ERR(cipher_name); 735 736 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", cipher_name) >= 737 CRYPTO_MAX_ALG_NAME) 738 return -ENAMETOOLONG; 739 740 if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm(%s)", cipher_name) >= 741 CRYPTO_MAX_ALG_NAME) 742 return -ENAMETOOLONG; 743 744 return crypto_gcm_create_common(tmpl, tb, full_name, 745 ctr_name, "ghash"); 746} 747 748static struct crypto_template crypto_gcm_tmpl = { 749 .name = "gcm", 750 .create = crypto_gcm_create, 751 .module = THIS_MODULE, 752}; 753 754static int crypto_gcm_base_create(struct crypto_template *tmpl, 755 struct rtattr **tb) 756{ 757 const char *ctr_name; 758 const char *ghash_name; 759 char full_name[CRYPTO_MAX_ALG_NAME]; 760 761 ctr_name = crypto_attr_alg_name(tb[1]); 762 if (IS_ERR(ctr_name)) 763 return PTR_ERR(ctr_name); 764 765 ghash_name = crypto_attr_alg_name(tb[2]); 766 if (IS_ERR(ghash_name)) 767 return PTR_ERR(ghash_name); 768 769 if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm_base(%s,%s)", 770 ctr_name, ghash_name) >= CRYPTO_MAX_ALG_NAME) 771 return -ENAMETOOLONG; 772 773 return crypto_gcm_create_common(tmpl, tb, full_name, 774 ctr_name, ghash_name); 775} 776 777static struct crypto_template crypto_gcm_base_tmpl = { 778 .name = "gcm_base", 779 .create = crypto_gcm_base_create, 780 .module = THIS_MODULE, 781}; 782 783static int crypto_rfc4106_setkey(struct crypto_aead *parent, const u8 *key, 784 unsigned int keylen) 785{ 786 struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(parent); 787 struct crypto_aead *child = ctx->child; 788 int err; 789 790 if (keylen < 4) 791 return -EINVAL; 792 793 keylen -= 4; 794 memcpy(ctx->nonce, key + keylen, 4); 795 796 crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK); 797 crypto_aead_set_flags(child, crypto_aead_get_flags(parent) & 798 CRYPTO_TFM_REQ_MASK); 799 err = crypto_aead_setkey(child, key, keylen); 800 crypto_aead_set_flags(parent, crypto_aead_get_flags(child) & 801 CRYPTO_TFM_RES_MASK); 802 803 return err; 804} 805 806static int crypto_rfc4106_setauthsize(struct crypto_aead *parent, 807 unsigned int authsize) 808{ 809 struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(parent); 810 811 switch (authsize) { 812 case 8: 813 case 12: 814 case 16: 815 break; 816 default: 817 return -EINVAL; 818 } 819 820 return crypto_aead_setauthsize(ctx->child, authsize); 821} 822 823static struct aead_request *crypto_rfc4106_crypt(struct aead_request *req) 824{ 825 struct crypto_rfc4106_req_ctx *rctx = aead_request_ctx(req); 826 struct crypto_aead *aead = crypto_aead_reqtfm(req); 827 struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(aead); 828 struct aead_request *subreq = &rctx->subreq; 829 struct crypto_aead *child = ctx->child; 830 struct scatterlist *sg; 831 u8 *iv = PTR_ALIGN((u8 *)(subreq + 1) + crypto_aead_reqsize(child), 832 crypto_aead_alignmask(child) + 1); 833 834 scatterwalk_map_and_copy(iv + 12, req->src, 0, req->assoclen - 8, 0); 835 836 memcpy(iv, ctx->nonce, 4); 837 memcpy(iv + 4, req->iv, 8); 838 839 sg_init_table(rctx->src, 3); 840 sg_set_buf(rctx->src, iv + 12, req->assoclen - 8); 841 sg = scatterwalk_ffwd(rctx->src + 1, req->src, req->assoclen); 842 if (sg != rctx->src + 1) 843 sg_chain(rctx->src, 2, sg); 844 845 if (req->src != req->dst) { 846 sg_init_table(rctx->dst, 3); 847 sg_set_buf(rctx->dst, iv + 12, req->assoclen - 8); 848 sg = scatterwalk_ffwd(rctx->dst + 1, req->dst, req->assoclen); 849 if (sg != rctx->dst + 1) 850 sg_chain(rctx->dst, 2, sg); 851 } 852 853 aead_request_set_tfm(subreq, child); 854 aead_request_set_callback(subreq, req->base.flags, req->base.complete, 855 req->base.data); 856 aead_request_set_crypt(subreq, rctx->src, 857 req->src == req->dst ? rctx->src : rctx->dst, 858 req->cryptlen, iv); 859 aead_request_set_ad(subreq, req->assoclen - 8); 860 861 return subreq; 862} 863 864static int crypto_rfc4106_encrypt(struct aead_request *req) 865{ 866 if (req->assoclen != 16 && req->assoclen != 20) 867 return -EINVAL; 868 869 req = crypto_rfc4106_crypt(req); 870 871 return crypto_aead_encrypt(req); 872} 873 874static int crypto_rfc4106_decrypt(struct aead_request *req) 875{ 876 if (req->assoclen != 16 && req->assoclen != 20) 877 return -EINVAL; 878 879 req = crypto_rfc4106_crypt(req); 880 881 return crypto_aead_decrypt(req); 882} 883 884static int crypto_rfc4106_init_tfm(struct crypto_aead *tfm) 885{ 886 struct aead_instance *inst = aead_alg_instance(tfm); 887 struct crypto_aead_spawn *spawn = aead_instance_ctx(inst); 888 struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(tfm); 889 struct crypto_aead *aead; 890 unsigned long align; 891 892 aead = crypto_spawn_aead(spawn); 893 if (IS_ERR(aead)) 894 return PTR_ERR(aead); 895 896 ctx->child = aead; 897 898 align = crypto_aead_alignmask(aead); 899 align &= ~(crypto_tfm_ctx_alignment() - 1); 900 crypto_aead_set_reqsize( 901 tfm, 902 sizeof(struct crypto_rfc4106_req_ctx) + 903 ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) + 904 align + 24); 905 906 return 0; 907} 908 909static void crypto_rfc4106_exit_tfm(struct crypto_aead *tfm) 910{ 911 struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(tfm); 912 913 crypto_free_aead(ctx->child); 914} 915 916static void crypto_rfc4106_free(struct aead_instance *inst) 917{ 918 crypto_drop_aead(aead_instance_ctx(inst)); 919 kfree(inst); 920} 921 922static int crypto_rfc4106_create(struct crypto_template *tmpl, 923 struct rtattr **tb) 924{ 925 struct crypto_attr_type *algt; 926 struct aead_instance *inst; 927 struct crypto_aead_spawn *spawn; 928 struct aead_alg *alg; 929 const char *ccm_name; 930 int err; 931 932 algt = crypto_get_attr_type(tb); 933 if (IS_ERR(algt)) 934 return PTR_ERR(algt); 935 936 if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask) 937 return -EINVAL; 938 939 ccm_name = crypto_attr_alg_name(tb[1]); 940 if (IS_ERR(ccm_name)) 941 return PTR_ERR(ccm_name); 942 943 inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL); 944 if (!inst) 945 return -ENOMEM; 946 947 spawn = aead_instance_ctx(inst); 948 crypto_set_aead_spawn(spawn, aead_crypto_instance(inst)); 949 err = crypto_grab_aead(spawn, ccm_name, 0, 950 crypto_requires_sync(algt->type, algt->mask)); 951 if (err) 952 goto out_free_inst; 953 954 alg = crypto_spawn_aead_alg(spawn); 955 956 err = -EINVAL; 957 958 /* Underlying IV size must be 12. */ 959 if (crypto_aead_alg_ivsize(alg) != 12) 960 goto out_drop_alg; 961 962 /* Not a stream cipher? */ 963 if (alg->base.cra_blocksize != 1) 964 goto out_drop_alg; 965 966 err = -ENAMETOOLONG; 967 if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME, 968 "rfc4106(%s)", alg->base.cra_name) >= 969 CRYPTO_MAX_ALG_NAME || 970 snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, 971 "rfc4106(%s)", alg->base.cra_driver_name) >= 972 CRYPTO_MAX_ALG_NAME) 973 goto out_drop_alg; 974 975 inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC; 976 inst->alg.base.cra_priority = alg->base.cra_priority; 977 inst->alg.base.cra_blocksize = 1; 978 inst->alg.base.cra_alignmask = alg->base.cra_alignmask; 979 980 inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4106_ctx); 981 982 inst->alg.ivsize = 8; 983 inst->alg.maxauthsize = crypto_aead_alg_maxauthsize(alg); 984 985 inst->alg.init = crypto_rfc4106_init_tfm; 986 inst->alg.exit = crypto_rfc4106_exit_tfm; 987 988 inst->alg.setkey = crypto_rfc4106_setkey; 989 inst->alg.setauthsize = crypto_rfc4106_setauthsize; 990 inst->alg.encrypt = crypto_rfc4106_encrypt; 991 inst->alg.decrypt = crypto_rfc4106_decrypt; 992 993 inst->free = crypto_rfc4106_free; 994 995 err = aead_register_instance(tmpl, inst); 996 if (err) 997 goto out_drop_alg; 998 999out: 1000 return err; 1001 1002out_drop_alg: 1003 crypto_drop_aead(spawn); 1004out_free_inst: 1005 kfree(inst); 1006 goto out; 1007} 1008 1009static struct crypto_template crypto_rfc4106_tmpl = { 1010 .name = "rfc4106", 1011 .create = crypto_rfc4106_create, 1012 .module = THIS_MODULE, 1013}; 1014 1015static int crypto_rfc4543_setkey(struct crypto_aead *parent, const u8 *key, 1016 unsigned int keylen) 1017{ 1018 struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(parent); 1019 struct crypto_aead *child = ctx->child; 1020 int err; 1021 1022 if (keylen < 4) 1023 return -EINVAL; 1024 1025 keylen -= 4; 1026 memcpy(ctx->nonce, key + keylen, 4); 1027 1028 crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK); 1029 crypto_aead_set_flags(child, crypto_aead_get_flags(parent) & 1030 CRYPTO_TFM_REQ_MASK); 1031 err = crypto_aead_setkey(child, key, keylen); 1032 crypto_aead_set_flags(parent, crypto_aead_get_flags(child) & 1033 CRYPTO_TFM_RES_MASK); 1034 1035 return err; 1036} 1037 1038static int crypto_rfc4543_setauthsize(struct crypto_aead *parent, 1039 unsigned int authsize) 1040{ 1041 struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(parent); 1042 1043 if (authsize != 16) 1044 return -EINVAL; 1045 1046 return crypto_aead_setauthsize(ctx->child, authsize); 1047} 1048 1049static int crypto_rfc4543_crypt(struct aead_request *req, bool enc) 1050{ 1051 struct crypto_aead *aead = crypto_aead_reqtfm(req); 1052 struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(aead); 1053 struct crypto_rfc4543_req_ctx *rctx = aead_request_ctx(req); 1054 struct aead_request *subreq = &rctx->subreq; 1055 unsigned int authsize = crypto_aead_authsize(aead); 1056 u8 *iv = PTR_ALIGN((u8 *)(rctx + 1) + crypto_aead_reqsize(ctx->child), 1057 crypto_aead_alignmask(ctx->child) + 1); 1058 int err; 1059 1060 if (req->src != req->dst) { 1061 err = crypto_rfc4543_copy_src_to_dst(req, enc); 1062 if (err) 1063 return err; 1064 } 1065 1066 memcpy(iv, ctx->nonce, 4); 1067 memcpy(iv + 4, req->iv, 8); 1068 1069 aead_request_set_tfm(subreq, ctx->child); 1070 aead_request_set_callback(subreq, req->base.flags, 1071 req->base.complete, req->base.data); 1072 aead_request_set_crypt(subreq, req->src, req->dst, 1073 enc ? 0 : authsize, iv); 1074 aead_request_set_ad(subreq, req->assoclen + req->cryptlen - 1075 subreq->cryptlen); 1076 1077 return enc ? crypto_aead_encrypt(subreq) : crypto_aead_decrypt(subreq); 1078} 1079 1080static int crypto_rfc4543_copy_src_to_dst(struct aead_request *req, bool enc) 1081{ 1082 struct crypto_aead *aead = crypto_aead_reqtfm(req); 1083 struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(aead); 1084 unsigned int authsize = crypto_aead_authsize(aead); 1085 unsigned int nbytes = req->assoclen + req->cryptlen - 1086 (enc ? 0 : authsize); 1087 struct blkcipher_desc desc = { 1088 .tfm = ctx->null, 1089 }; 1090 1091 return crypto_blkcipher_encrypt(&desc, req->dst, req->src, nbytes); 1092} 1093 1094static int crypto_rfc4543_encrypt(struct aead_request *req) 1095{ 1096 return crypto_rfc4543_crypt(req, true); 1097} 1098 1099static int crypto_rfc4543_decrypt(struct aead_request *req) 1100{ 1101 return crypto_rfc4543_crypt(req, false); 1102} 1103 1104static int crypto_rfc4543_init_tfm(struct crypto_aead *tfm) 1105{ 1106 struct aead_instance *inst = aead_alg_instance(tfm); 1107 struct crypto_rfc4543_instance_ctx *ictx = aead_instance_ctx(inst); 1108 struct crypto_aead_spawn *spawn = &ictx->aead; 1109 struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(tfm); 1110 struct crypto_aead *aead; 1111 struct crypto_blkcipher *null; 1112 unsigned long align; 1113 int err = 0; 1114 1115 aead = crypto_spawn_aead(spawn); 1116 if (IS_ERR(aead)) 1117 return PTR_ERR(aead); 1118 1119 null = crypto_get_default_null_skcipher(); 1120 err = PTR_ERR(null); 1121 if (IS_ERR(null)) 1122 goto err_free_aead; 1123 1124 ctx->child = aead; 1125 ctx->null = null; 1126 1127 align = crypto_aead_alignmask(aead); 1128 align &= ~(crypto_tfm_ctx_alignment() - 1); 1129 crypto_aead_set_reqsize( 1130 tfm, 1131 sizeof(struct crypto_rfc4543_req_ctx) + 1132 ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) + 1133 align + 12); 1134 1135 return 0; 1136 1137err_free_aead: 1138 crypto_free_aead(aead); 1139 return err; 1140} 1141 1142static void crypto_rfc4543_exit_tfm(struct crypto_aead *tfm) 1143{ 1144 struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(tfm); 1145 1146 crypto_free_aead(ctx->child); 1147 crypto_put_default_null_skcipher(); 1148} 1149 1150static void crypto_rfc4543_free(struct aead_instance *inst) 1151{ 1152 struct crypto_rfc4543_instance_ctx *ctx = aead_instance_ctx(inst); 1153 1154 crypto_drop_aead(&ctx->aead); 1155 1156 kfree(inst); 1157} 1158 1159static int crypto_rfc4543_create(struct crypto_template *tmpl, 1160 struct rtattr **tb) 1161{ 1162 struct crypto_attr_type *algt; 1163 struct aead_instance *inst; 1164 struct crypto_aead_spawn *spawn; 1165 struct aead_alg *alg; 1166 struct crypto_rfc4543_instance_ctx *ctx; 1167 const char *ccm_name; 1168 int err; 1169 1170 algt = crypto_get_attr_type(tb); 1171 if (IS_ERR(algt)) 1172 return PTR_ERR(algt); 1173 1174 if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask) 1175 return -EINVAL; 1176 1177 ccm_name = crypto_attr_alg_name(tb[1]); 1178 if (IS_ERR(ccm_name)) 1179 return PTR_ERR(ccm_name); 1180 1181 inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL); 1182 if (!inst) 1183 return -ENOMEM; 1184 1185 ctx = aead_instance_ctx(inst); 1186 spawn = &ctx->aead; 1187 crypto_set_aead_spawn(spawn, aead_crypto_instance(inst)); 1188 err = crypto_grab_aead(spawn, ccm_name, 0, 1189 crypto_requires_sync(algt->type, algt->mask)); 1190 if (err) 1191 goto out_free_inst; 1192 1193 alg = crypto_spawn_aead_alg(spawn); 1194 1195 err = -EINVAL; 1196 1197 /* Underlying IV size must be 12. */ 1198 if (crypto_aead_alg_ivsize(alg) != 12) 1199 goto out_drop_alg; 1200 1201 /* Not a stream cipher? */ 1202 if (alg->base.cra_blocksize != 1) 1203 goto out_drop_alg; 1204 1205 err = -ENAMETOOLONG; 1206 if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME, 1207 "rfc4543(%s)", alg->base.cra_name) >= 1208 CRYPTO_MAX_ALG_NAME || 1209 snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, 1210 "rfc4543(%s)", alg->base.cra_driver_name) >= 1211 CRYPTO_MAX_ALG_NAME) 1212 goto out_drop_alg; 1213 1214 inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC; 1215 inst->alg.base.cra_priority = alg->base.cra_priority; 1216 inst->alg.base.cra_blocksize = 1; 1217 inst->alg.base.cra_alignmask = alg->base.cra_alignmask; 1218 1219 inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4543_ctx); 1220 1221 inst->alg.ivsize = 8; 1222 inst->alg.maxauthsize = crypto_aead_alg_maxauthsize(alg); 1223 1224 inst->alg.init = crypto_rfc4543_init_tfm; 1225 inst->alg.exit = crypto_rfc4543_exit_tfm; 1226 1227 inst->alg.setkey = crypto_rfc4543_setkey; 1228 inst->alg.setauthsize = crypto_rfc4543_setauthsize; 1229 inst->alg.encrypt = crypto_rfc4543_encrypt; 1230 inst->alg.decrypt = crypto_rfc4543_decrypt; 1231 1232 inst->free = crypto_rfc4543_free, 1233 1234 err = aead_register_instance(tmpl, inst); 1235 if (err) 1236 goto out_drop_alg; 1237 1238out: 1239 return err; 1240 1241out_drop_alg: 1242 crypto_drop_aead(spawn); 1243out_free_inst: 1244 kfree(inst); 1245 goto out; 1246} 1247 1248static struct crypto_template crypto_rfc4543_tmpl = { 1249 .name = "rfc4543", 1250 .create = crypto_rfc4543_create, 1251 .module = THIS_MODULE, 1252}; 1253 1254static int __init crypto_gcm_module_init(void) 1255{ 1256 int err; 1257 1258 gcm_zeroes = kzalloc(sizeof(*gcm_zeroes), GFP_KERNEL); 1259 if (!gcm_zeroes) 1260 return -ENOMEM; 1261 1262 sg_init_one(&gcm_zeroes->sg, gcm_zeroes->buf, sizeof(gcm_zeroes->buf)); 1263 1264 err = crypto_register_template(&crypto_gcm_base_tmpl); 1265 if (err) 1266 goto out; 1267 1268 err = crypto_register_template(&crypto_gcm_tmpl); 1269 if (err) 1270 goto out_undo_base; 1271 1272 err = crypto_register_template(&crypto_rfc4106_tmpl); 1273 if (err) 1274 goto out_undo_gcm; 1275 1276 err = crypto_register_template(&crypto_rfc4543_tmpl); 1277 if (err) 1278 goto out_undo_rfc4106; 1279 1280 return 0; 1281 1282out_undo_rfc4106: 1283 crypto_unregister_template(&crypto_rfc4106_tmpl); 1284out_undo_gcm: 1285 crypto_unregister_template(&crypto_gcm_tmpl); 1286out_undo_base: 1287 crypto_unregister_template(&crypto_gcm_base_tmpl); 1288out: 1289 kfree(gcm_zeroes); 1290 return err; 1291} 1292 1293static void __exit crypto_gcm_module_exit(void) 1294{ 1295 kfree(gcm_zeroes); 1296 crypto_unregister_template(&crypto_rfc4543_tmpl); 1297 crypto_unregister_template(&crypto_rfc4106_tmpl); 1298 crypto_unregister_template(&crypto_gcm_tmpl); 1299 crypto_unregister_template(&crypto_gcm_base_tmpl); 1300} 1301 1302module_init(crypto_gcm_module_init); 1303module_exit(crypto_gcm_module_exit); 1304 1305MODULE_LICENSE("GPL"); 1306MODULE_DESCRIPTION("Galois/Counter Mode"); 1307MODULE_AUTHOR("Mikko Herranen <mh1@iki.fi>"); 1308MODULE_ALIAS_CRYPTO("gcm_base"); 1309MODULE_ALIAS_CRYPTO("rfc4106"); 1310MODULE_ALIAS_CRYPTO("rfc4543"); 1311MODULE_ALIAS_CRYPTO("gcm"); 1312