1 // SPDX-License-Identifier: GPL-2.0-or-later
3 * CCM: Counter with CBC-MAC
5 * (C) Copyright IBM Corp. 2007 - Joy Latten <latten@us.ibm.com>
8 #include <crypto/internal/aead.h>
9 #include <crypto/internal/cipher.h>
10 #include <crypto/internal/hash.h>
11 #include <crypto/internal/skcipher.h>
12 #include <crypto/scatterwalk.h>
13 #include <linux/err.h>
14 #include <linux/init.h>
15 #include <linux/kernel.h>
16 #include <linux/module.h>
17 #include <linux/slab.h>
19 struct ccm_instance_ctx
{
20 struct crypto_skcipher_spawn ctr
;
21 struct crypto_ahash_spawn mac
;
24 struct crypto_ccm_ctx
{
25 struct crypto_ahash
*mac
;
26 struct crypto_skcipher
*ctr
;
29 struct crypto_rfc4309_ctx
{
30 struct crypto_aead
*child
;
34 struct crypto_rfc4309_req_ctx
{
35 struct scatterlist src
[3];
36 struct scatterlist dst
[3];
37 struct aead_request subreq
;
40 struct crypto_ccm_req_priv_ctx
{
45 struct scatterlist src
[3];
46 struct scatterlist dst
[3];
48 struct ahash_request ahreq
;
49 struct skcipher_request skreq
;
53 struct cbcmac_tfm_ctx
{
54 struct crypto_cipher
*child
;
57 struct cbcmac_desc_ctx
{
62 static inline struct crypto_ccm_req_priv_ctx
*crypto_ccm_reqctx(
63 struct aead_request
*req
)
65 unsigned long align
= crypto_aead_alignmask(crypto_aead_reqtfm(req
));
67 return (void *)PTR_ALIGN((u8
*)aead_request_ctx(req
), align
+ 1);
70 static int set_msg_len(u8
*block
, unsigned int msglen
, int csize
)
74 memset(block
, 0, csize
);
79 else if (msglen
> (1 << (8 * csize
)))
82 data
= cpu_to_be32(msglen
);
83 memcpy(block
- csize
, (u8
*)&data
+ 4 - csize
, csize
);
88 static int crypto_ccm_setkey(struct crypto_aead
*aead
, const u8
*key
,
91 struct crypto_ccm_ctx
*ctx
= crypto_aead_ctx(aead
);
92 struct crypto_skcipher
*ctr
= ctx
->ctr
;
93 struct crypto_ahash
*mac
= ctx
->mac
;
96 crypto_skcipher_clear_flags(ctr
, CRYPTO_TFM_REQ_MASK
);
97 crypto_skcipher_set_flags(ctr
, crypto_aead_get_flags(aead
) &
99 err
= crypto_skcipher_setkey(ctr
, key
, keylen
);
103 crypto_ahash_clear_flags(mac
, CRYPTO_TFM_REQ_MASK
);
104 crypto_ahash_set_flags(mac
, crypto_aead_get_flags(aead
) &
105 CRYPTO_TFM_REQ_MASK
);
106 return crypto_ahash_setkey(mac
, key
, keylen
);
109 static int crypto_ccm_setauthsize(struct crypto_aead
*tfm
,
110 unsigned int authsize
)
128 static int format_input(u8
*info
, struct aead_request
*req
,
129 unsigned int cryptlen
)
131 struct crypto_aead
*aead
= crypto_aead_reqtfm(req
);
132 unsigned int lp
= req
->iv
[0];
133 unsigned int l
= lp
+ 1;
136 m
= crypto_aead_authsize(aead
);
138 memcpy(info
, req
->iv
, 16);
140 /* format control info per RFC 3610 and
141 * NIST Special Publication 800-38C
143 *info
|= (8 * ((m
- 2) / 2));
147 return set_msg_len(info
+ 16 - l
, cryptlen
, l
);
150 static int format_adata(u8
*adata
, unsigned int a
)
154 /* add control info for associated data
155 * RFC 3610 and NIST Special Publication 800-38C
158 *(__be16
*)adata
= cpu_to_be16(a
);
161 *(__be16
*)adata
= cpu_to_be16(0xfffe);
162 *(__be32
*)&adata
[2] = cpu_to_be32(a
);
169 static int crypto_ccm_auth(struct aead_request
*req
, struct scatterlist
*plain
,
170 unsigned int cryptlen
)
172 struct crypto_ccm_req_priv_ctx
*pctx
= crypto_ccm_reqctx(req
);
173 struct crypto_aead
*aead
= crypto_aead_reqtfm(req
);
174 struct crypto_ccm_ctx
*ctx
= crypto_aead_ctx(aead
);
175 struct ahash_request
*ahreq
= &pctx
->ahreq
;
176 unsigned int assoclen
= req
->assoclen
;
177 struct scatterlist sg
[3];
178 u8
*odata
= pctx
->odata
;
179 u8
*idata
= pctx
->idata
;
182 /* format control data for input */
183 err
= format_input(odata
, req
, cryptlen
);
187 sg_init_table(sg
, 3);
188 sg_set_buf(&sg
[0], odata
, 16);
190 /* format associated data and compute into mac */
192 ilen
= format_adata(idata
, assoclen
);
193 sg_set_buf(&sg
[1], idata
, ilen
);
194 sg_chain(sg
, 3, req
->src
);
197 sg_chain(sg
, 2, req
->src
);
200 ahash_request_set_tfm(ahreq
, ctx
->mac
);
201 ahash_request_set_callback(ahreq
, pctx
->flags
, NULL
, NULL
);
202 ahash_request_set_crypt(ahreq
, sg
, NULL
, assoclen
+ ilen
+ 16);
203 err
= crypto_ahash_init(ahreq
);
206 err
= crypto_ahash_update(ahreq
);
210 /* we need to pad the MAC input to a round multiple of the block size */
211 ilen
= 16 - (assoclen
+ ilen
) % 16;
213 memset(idata
, 0, ilen
);
214 sg_init_table(sg
, 2);
215 sg_set_buf(&sg
[0], idata
, ilen
);
217 sg_chain(sg
, 2, plain
);
222 ahash_request_set_crypt(ahreq
, plain
, odata
, cryptlen
);
223 err
= crypto_ahash_finup(ahreq
);
228 static void crypto_ccm_encrypt_done(void *data
, int err
)
230 struct aead_request
*req
= data
;
231 struct crypto_aead
*aead
= crypto_aead_reqtfm(req
);
232 struct crypto_ccm_req_priv_ctx
*pctx
= crypto_ccm_reqctx(req
);
233 u8
*odata
= pctx
->odata
;
236 scatterwalk_map_and_copy(odata
, req
->dst
,
237 req
->assoclen
+ req
->cryptlen
,
238 crypto_aead_authsize(aead
), 1);
239 aead_request_complete(req
, err
);
242 static inline int crypto_ccm_check_iv(const u8
*iv
)
244 /* 2 <= L <= 8, so 1 <= L' <= 7. */
245 if (1 > iv
[0] || iv
[0] > 7)
251 static int crypto_ccm_init_crypt(struct aead_request
*req
, u8
*tag
)
253 struct crypto_ccm_req_priv_ctx
*pctx
= crypto_ccm_reqctx(req
);
254 struct scatterlist
*sg
;
258 err
= crypto_ccm_check_iv(iv
);
262 pctx
->flags
= aead_request_flags(req
);
264 /* Note: rfc 3610 and NIST 800-38C require counter of
265 * zero to encrypt auth tag.
267 memset(iv
+ 15 - iv
[0], 0, iv
[0] + 1);
269 sg_init_table(pctx
->src
, 3);
270 sg_set_buf(pctx
->src
, tag
, 16);
271 sg
= scatterwalk_ffwd(pctx
->src
+ 1, req
->src
, req
->assoclen
);
272 if (sg
!= pctx
->src
+ 1)
273 sg_chain(pctx
->src
, 2, sg
);
275 if (req
->src
!= req
->dst
) {
276 sg_init_table(pctx
->dst
, 3);
277 sg_set_buf(pctx
->dst
, tag
, 16);
278 sg
= scatterwalk_ffwd(pctx
->dst
+ 1, req
->dst
, req
->assoclen
);
279 if (sg
!= pctx
->dst
+ 1)
280 sg_chain(pctx
->dst
, 2, sg
);
286 static int crypto_ccm_encrypt(struct aead_request
*req
)
288 struct crypto_aead
*aead
= crypto_aead_reqtfm(req
);
289 struct crypto_ccm_ctx
*ctx
= crypto_aead_ctx(aead
);
290 struct crypto_ccm_req_priv_ctx
*pctx
= crypto_ccm_reqctx(req
);
291 struct skcipher_request
*skreq
= &pctx
->skreq
;
292 struct scatterlist
*dst
;
293 unsigned int cryptlen
= req
->cryptlen
;
294 u8
*odata
= pctx
->odata
;
298 err
= crypto_ccm_init_crypt(req
, odata
);
302 err
= crypto_ccm_auth(req
, sg_next(pctx
->src
), cryptlen
);
307 if (req
->src
!= req
->dst
)
310 skcipher_request_set_tfm(skreq
, ctx
->ctr
);
311 skcipher_request_set_callback(skreq
, pctx
->flags
,
312 crypto_ccm_encrypt_done
, req
);
313 skcipher_request_set_crypt(skreq
, pctx
->src
, dst
, cryptlen
+ 16, iv
);
314 err
= crypto_skcipher_encrypt(skreq
);
318 /* copy authtag to end of dst */
319 scatterwalk_map_and_copy(odata
, sg_next(dst
), cryptlen
,
320 crypto_aead_authsize(aead
), 1);
324 static void crypto_ccm_decrypt_done(void *data
, int err
)
326 struct aead_request
*req
= data
;
327 struct crypto_ccm_req_priv_ctx
*pctx
= crypto_ccm_reqctx(req
);
328 struct crypto_aead
*aead
= crypto_aead_reqtfm(req
);
329 unsigned int authsize
= crypto_aead_authsize(aead
);
330 unsigned int cryptlen
= req
->cryptlen
- authsize
;
331 struct scatterlist
*dst
;
335 dst
= sg_next(req
->src
== req
->dst
? pctx
->src
: pctx
->dst
);
338 err
= crypto_ccm_auth(req
, dst
, cryptlen
);
339 if (!err
&& crypto_memneq(pctx
->auth_tag
, pctx
->odata
, authsize
))
342 aead_request_complete(req
, err
);
345 static int crypto_ccm_decrypt(struct aead_request
*req
)
347 struct crypto_aead
*aead
= crypto_aead_reqtfm(req
);
348 struct crypto_ccm_ctx
*ctx
= crypto_aead_ctx(aead
);
349 struct crypto_ccm_req_priv_ctx
*pctx
= crypto_ccm_reqctx(req
);
350 struct skcipher_request
*skreq
= &pctx
->skreq
;
351 struct scatterlist
*dst
;
352 unsigned int authsize
= crypto_aead_authsize(aead
);
353 unsigned int cryptlen
= req
->cryptlen
;
354 u8
*authtag
= pctx
->auth_tag
;
355 u8
*odata
= pctx
->odata
;
356 u8
*iv
= pctx
->idata
;
359 cryptlen
-= authsize
;
361 err
= crypto_ccm_init_crypt(req
, authtag
);
365 scatterwalk_map_and_copy(authtag
, sg_next(pctx
->src
), cryptlen
,
369 if (req
->src
!= req
->dst
)
372 memcpy(iv
, req
->iv
, 16);
374 skcipher_request_set_tfm(skreq
, ctx
->ctr
);
375 skcipher_request_set_callback(skreq
, pctx
->flags
,
376 crypto_ccm_decrypt_done
, req
);
377 skcipher_request_set_crypt(skreq
, pctx
->src
, dst
, cryptlen
+ 16, iv
);
378 err
= crypto_skcipher_decrypt(skreq
);
382 err
= crypto_ccm_auth(req
, sg_next(dst
), cryptlen
);
387 if (crypto_memneq(authtag
, odata
, authsize
))
393 static int crypto_ccm_init_tfm(struct crypto_aead
*tfm
)
395 struct aead_instance
*inst
= aead_alg_instance(tfm
);
396 struct ccm_instance_ctx
*ictx
= aead_instance_ctx(inst
);
397 struct crypto_ccm_ctx
*ctx
= crypto_aead_ctx(tfm
);
398 struct crypto_ahash
*mac
;
399 struct crypto_skcipher
*ctr
;
403 mac
= crypto_spawn_ahash(&ictx
->mac
);
407 ctr
= crypto_spawn_skcipher(&ictx
->ctr
);
415 align
= crypto_aead_alignmask(tfm
);
416 align
&= ~(crypto_tfm_ctx_alignment() - 1);
417 crypto_aead_set_reqsize(
419 align
+ sizeof(struct crypto_ccm_req_priv_ctx
) +
420 max(crypto_ahash_reqsize(mac
), crypto_skcipher_reqsize(ctr
)));
425 crypto_free_ahash(mac
);
429 static void crypto_ccm_exit_tfm(struct crypto_aead
*tfm
)
431 struct crypto_ccm_ctx
*ctx
= crypto_aead_ctx(tfm
);
433 crypto_free_ahash(ctx
->mac
);
434 crypto_free_skcipher(ctx
->ctr
);
437 static void crypto_ccm_free(struct aead_instance
*inst
)
439 struct ccm_instance_ctx
*ctx
= aead_instance_ctx(inst
);
441 crypto_drop_ahash(&ctx
->mac
);
442 crypto_drop_skcipher(&ctx
->ctr
);
446 static int crypto_ccm_create_common(struct crypto_template
*tmpl
,
448 const char *ctr_name
,
449 const char *mac_name
)
451 struct skcipher_alg_common
*ctr
;
453 struct aead_instance
*inst
;
454 struct ccm_instance_ctx
*ictx
;
455 struct hash_alg_common
*mac
;
458 err
= crypto_check_attr_type(tb
, CRYPTO_ALG_TYPE_AEAD
, &mask
);
462 inst
= kzalloc(sizeof(*inst
) + sizeof(*ictx
), GFP_KERNEL
);
465 ictx
= aead_instance_ctx(inst
);
467 err
= crypto_grab_ahash(&ictx
->mac
, aead_crypto_instance(inst
),
468 mac_name
, 0, mask
| CRYPTO_ALG_ASYNC
);
471 mac
= crypto_spawn_ahash_alg(&ictx
->mac
);
474 if (strncmp(mac
->base
.cra_name
, "cbcmac(", 7) != 0 ||
475 mac
->digestsize
!= 16)
478 err
= crypto_grab_skcipher(&ictx
->ctr
, aead_crypto_instance(inst
),
482 ctr
= crypto_spawn_skcipher_alg_common(&ictx
->ctr
);
484 /* The skcipher algorithm must be CTR mode, using 16-byte blocks. */
486 if (strncmp(ctr
->base
.cra_name
, "ctr(", 4) != 0 ||
487 ctr
->ivsize
!= 16 || ctr
->base
.cra_blocksize
!= 1)
490 /* ctr and cbcmac must use the same underlying block cipher. */
491 if (strcmp(ctr
->base
.cra_name
+ 4, mac
->base
.cra_name
+ 7) != 0)
495 if (snprintf(inst
->alg
.base
.cra_name
, CRYPTO_MAX_ALG_NAME
,
496 "ccm(%s", ctr
->base
.cra_name
+ 4) >= CRYPTO_MAX_ALG_NAME
)
499 if (snprintf(inst
->alg
.base
.cra_driver_name
, CRYPTO_MAX_ALG_NAME
,
500 "ccm_base(%s,%s)", ctr
->base
.cra_driver_name
,
501 mac
->base
.cra_driver_name
) >= CRYPTO_MAX_ALG_NAME
)
504 inst
->alg
.base
.cra_priority
= (mac
->base
.cra_priority
+
505 ctr
->base
.cra_priority
) / 2;
506 inst
->alg
.base
.cra_blocksize
= 1;
507 inst
->alg
.base
.cra_alignmask
= mac
->base
.cra_alignmask
|
508 ctr
->base
.cra_alignmask
;
509 inst
->alg
.ivsize
= 16;
510 inst
->alg
.chunksize
= ctr
->chunksize
;
511 inst
->alg
.maxauthsize
= 16;
512 inst
->alg
.base
.cra_ctxsize
= sizeof(struct crypto_ccm_ctx
);
513 inst
->alg
.init
= crypto_ccm_init_tfm
;
514 inst
->alg
.exit
= crypto_ccm_exit_tfm
;
515 inst
->alg
.setkey
= crypto_ccm_setkey
;
516 inst
->alg
.setauthsize
= crypto_ccm_setauthsize
;
517 inst
->alg
.encrypt
= crypto_ccm_encrypt
;
518 inst
->alg
.decrypt
= crypto_ccm_decrypt
;
520 inst
->free
= crypto_ccm_free
;
522 err
= aead_register_instance(tmpl
, inst
);
525 crypto_ccm_free(inst
);
530 static int crypto_ccm_create(struct crypto_template
*tmpl
, struct rtattr
**tb
)
532 const char *cipher_name
;
533 char ctr_name
[CRYPTO_MAX_ALG_NAME
];
534 char mac_name
[CRYPTO_MAX_ALG_NAME
];
536 cipher_name
= crypto_attr_alg_name(tb
[1]);
537 if (IS_ERR(cipher_name
))
538 return PTR_ERR(cipher_name
);
540 if (snprintf(ctr_name
, CRYPTO_MAX_ALG_NAME
, "ctr(%s)",
541 cipher_name
) >= CRYPTO_MAX_ALG_NAME
)
542 return -ENAMETOOLONG
;
544 if (snprintf(mac_name
, CRYPTO_MAX_ALG_NAME
, "cbcmac(%s)",
545 cipher_name
) >= CRYPTO_MAX_ALG_NAME
)
546 return -ENAMETOOLONG
;
548 return crypto_ccm_create_common(tmpl
, tb
, ctr_name
, mac_name
);
551 static int crypto_ccm_base_create(struct crypto_template
*tmpl
,
554 const char *ctr_name
;
555 const char *mac_name
;
557 ctr_name
= crypto_attr_alg_name(tb
[1]);
558 if (IS_ERR(ctr_name
))
559 return PTR_ERR(ctr_name
);
561 mac_name
= crypto_attr_alg_name(tb
[2]);
562 if (IS_ERR(mac_name
))
563 return PTR_ERR(mac_name
);
565 return crypto_ccm_create_common(tmpl
, tb
, ctr_name
, mac_name
);
568 static int crypto_rfc4309_setkey(struct crypto_aead
*parent
, const u8
*key
,
571 struct crypto_rfc4309_ctx
*ctx
= crypto_aead_ctx(parent
);
572 struct crypto_aead
*child
= ctx
->child
;
578 memcpy(ctx
->nonce
, key
+ keylen
, 3);
580 crypto_aead_clear_flags(child
, CRYPTO_TFM_REQ_MASK
);
581 crypto_aead_set_flags(child
, crypto_aead_get_flags(parent
) &
582 CRYPTO_TFM_REQ_MASK
);
583 return crypto_aead_setkey(child
, key
, keylen
);
586 static int crypto_rfc4309_setauthsize(struct crypto_aead
*parent
,
587 unsigned int authsize
)
589 struct crypto_rfc4309_ctx
*ctx
= crypto_aead_ctx(parent
);
600 return crypto_aead_setauthsize(ctx
->child
, authsize
);
603 static struct aead_request
*crypto_rfc4309_crypt(struct aead_request
*req
)
605 struct crypto_rfc4309_req_ctx
*rctx
= aead_request_ctx(req
);
606 struct aead_request
*subreq
= &rctx
->subreq
;
607 struct crypto_aead
*aead
= crypto_aead_reqtfm(req
);
608 struct crypto_rfc4309_ctx
*ctx
= crypto_aead_ctx(aead
);
609 struct crypto_aead
*child
= ctx
->child
;
610 struct scatterlist
*sg
;
611 u8
*iv
= PTR_ALIGN((u8
*)(subreq
+ 1) + crypto_aead_reqsize(child
),
612 crypto_aead_alignmask(child
) + 1);
617 memcpy(iv
+ 1, ctx
->nonce
, 3);
618 memcpy(iv
+ 4, req
->iv
, 8);
620 scatterwalk_map_and_copy(iv
+ 16, req
->src
, 0, req
->assoclen
- 8, 0);
622 sg_init_table(rctx
->src
, 3);
623 sg_set_buf(rctx
->src
, iv
+ 16, req
->assoclen
- 8);
624 sg
= scatterwalk_ffwd(rctx
->src
+ 1, req
->src
, req
->assoclen
);
625 if (sg
!= rctx
->src
+ 1)
626 sg_chain(rctx
->src
, 2, sg
);
628 if (req
->src
!= req
->dst
) {
629 sg_init_table(rctx
->dst
, 3);
630 sg_set_buf(rctx
->dst
, iv
+ 16, req
->assoclen
- 8);
631 sg
= scatterwalk_ffwd(rctx
->dst
+ 1, req
->dst
, req
->assoclen
);
632 if (sg
!= rctx
->dst
+ 1)
633 sg_chain(rctx
->dst
, 2, sg
);
636 aead_request_set_tfm(subreq
, child
);
637 aead_request_set_callback(subreq
, req
->base
.flags
, req
->base
.complete
,
639 aead_request_set_crypt(subreq
, rctx
->src
,
640 req
->src
== req
->dst
? rctx
->src
: rctx
->dst
,
642 aead_request_set_ad(subreq
, req
->assoclen
- 8);
647 static int crypto_rfc4309_encrypt(struct aead_request
*req
)
649 if (req
->assoclen
!= 16 && req
->assoclen
!= 20)
652 req
= crypto_rfc4309_crypt(req
);
654 return crypto_aead_encrypt(req
);
657 static int crypto_rfc4309_decrypt(struct aead_request
*req
)
659 if (req
->assoclen
!= 16 && req
->assoclen
!= 20)
662 req
= crypto_rfc4309_crypt(req
);
664 return crypto_aead_decrypt(req
);
667 static int crypto_rfc4309_init_tfm(struct crypto_aead
*tfm
)
669 struct aead_instance
*inst
= aead_alg_instance(tfm
);
670 struct crypto_aead_spawn
*spawn
= aead_instance_ctx(inst
);
671 struct crypto_rfc4309_ctx
*ctx
= crypto_aead_ctx(tfm
);
672 struct crypto_aead
*aead
;
675 aead
= crypto_spawn_aead(spawn
);
677 return PTR_ERR(aead
);
681 align
= crypto_aead_alignmask(aead
);
682 align
&= ~(crypto_tfm_ctx_alignment() - 1);
683 crypto_aead_set_reqsize(
685 sizeof(struct crypto_rfc4309_req_ctx
) +
686 ALIGN(crypto_aead_reqsize(aead
), crypto_tfm_ctx_alignment()) +
692 static void crypto_rfc4309_exit_tfm(struct crypto_aead
*tfm
)
694 struct crypto_rfc4309_ctx
*ctx
= crypto_aead_ctx(tfm
);
696 crypto_free_aead(ctx
->child
);
699 static void crypto_rfc4309_free(struct aead_instance
*inst
)
701 crypto_drop_aead(aead_instance_ctx(inst
));
705 static int crypto_rfc4309_create(struct crypto_template
*tmpl
,
709 struct aead_instance
*inst
;
710 struct crypto_aead_spawn
*spawn
;
711 struct aead_alg
*alg
;
714 err
= crypto_check_attr_type(tb
, CRYPTO_ALG_TYPE_AEAD
, &mask
);
718 inst
= kzalloc(sizeof(*inst
) + sizeof(*spawn
), GFP_KERNEL
);
722 spawn
= aead_instance_ctx(inst
);
723 err
= crypto_grab_aead(spawn
, aead_crypto_instance(inst
),
724 crypto_attr_alg_name(tb
[1]), 0, mask
);
728 alg
= crypto_spawn_aead_alg(spawn
);
732 /* We only support 16-byte blocks. */
733 if (crypto_aead_alg_ivsize(alg
) != 16)
736 /* Not a stream cipher? */
737 if (alg
->base
.cra_blocksize
!= 1)
741 if (snprintf(inst
->alg
.base
.cra_name
, CRYPTO_MAX_ALG_NAME
,
742 "rfc4309(%s)", alg
->base
.cra_name
) >=
743 CRYPTO_MAX_ALG_NAME
||
744 snprintf(inst
->alg
.base
.cra_driver_name
, CRYPTO_MAX_ALG_NAME
,
745 "rfc4309(%s)", alg
->base
.cra_driver_name
) >=
749 inst
->alg
.base
.cra_priority
= alg
->base
.cra_priority
;
750 inst
->alg
.base
.cra_blocksize
= 1;
751 inst
->alg
.base
.cra_alignmask
= alg
->base
.cra_alignmask
;
753 inst
->alg
.ivsize
= 8;
754 inst
->alg
.chunksize
= crypto_aead_alg_chunksize(alg
);
755 inst
->alg
.maxauthsize
= 16;
757 inst
->alg
.base
.cra_ctxsize
= sizeof(struct crypto_rfc4309_ctx
);
759 inst
->alg
.init
= crypto_rfc4309_init_tfm
;
760 inst
->alg
.exit
= crypto_rfc4309_exit_tfm
;
762 inst
->alg
.setkey
= crypto_rfc4309_setkey
;
763 inst
->alg
.setauthsize
= crypto_rfc4309_setauthsize
;
764 inst
->alg
.encrypt
= crypto_rfc4309_encrypt
;
765 inst
->alg
.decrypt
= crypto_rfc4309_decrypt
;
767 inst
->free
= crypto_rfc4309_free
;
769 err
= aead_register_instance(tmpl
, inst
);
772 crypto_rfc4309_free(inst
);
777 static int crypto_cbcmac_digest_setkey(struct crypto_shash
*parent
,
778 const u8
*inkey
, unsigned int keylen
)
780 struct cbcmac_tfm_ctx
*ctx
= crypto_shash_ctx(parent
);
782 return crypto_cipher_setkey(ctx
->child
, inkey
, keylen
);
785 static int crypto_cbcmac_digest_init(struct shash_desc
*pdesc
)
787 struct cbcmac_desc_ctx
*ctx
= shash_desc_ctx(pdesc
);
788 int bs
= crypto_shash_digestsize(pdesc
->tfm
);
791 memset(ctx
->dg
, 0, bs
);
796 static int crypto_cbcmac_digest_update(struct shash_desc
*pdesc
, const u8
*p
,
799 struct crypto_shash
*parent
= pdesc
->tfm
;
800 struct cbcmac_tfm_ctx
*tctx
= crypto_shash_ctx(parent
);
801 struct cbcmac_desc_ctx
*ctx
= shash_desc_ctx(pdesc
);
802 struct crypto_cipher
*tfm
= tctx
->child
;
803 int bs
= crypto_shash_digestsize(parent
);
806 unsigned int l
= min(len
, bs
- ctx
->len
);
808 crypto_xor(&ctx
->dg
[ctx
->len
], p
, l
);
813 if (ctx
->len
== bs
) {
814 crypto_cipher_encrypt_one(tfm
, ctx
->dg
, ctx
->dg
);
822 static int crypto_cbcmac_digest_final(struct shash_desc
*pdesc
, u8
*out
)
824 struct crypto_shash
*parent
= pdesc
->tfm
;
825 struct cbcmac_tfm_ctx
*tctx
= crypto_shash_ctx(parent
);
826 struct cbcmac_desc_ctx
*ctx
= shash_desc_ctx(pdesc
);
827 struct crypto_cipher
*tfm
= tctx
->child
;
828 int bs
= crypto_shash_digestsize(parent
);
831 crypto_cipher_encrypt_one(tfm
, ctx
->dg
, ctx
->dg
);
833 memcpy(out
, ctx
->dg
, bs
);
837 static int cbcmac_init_tfm(struct crypto_tfm
*tfm
)
839 struct crypto_cipher
*cipher
;
840 struct crypto_instance
*inst
= (void *)tfm
->__crt_alg
;
841 struct crypto_cipher_spawn
*spawn
= crypto_instance_ctx(inst
);
842 struct cbcmac_tfm_ctx
*ctx
= crypto_tfm_ctx(tfm
);
844 cipher
= crypto_spawn_cipher(spawn
);
846 return PTR_ERR(cipher
);
853 static void cbcmac_exit_tfm(struct crypto_tfm
*tfm
)
855 struct cbcmac_tfm_ctx
*ctx
= crypto_tfm_ctx(tfm
);
856 crypto_free_cipher(ctx
->child
);
859 static int cbcmac_create(struct crypto_template
*tmpl
, struct rtattr
**tb
)
861 struct shash_instance
*inst
;
862 struct crypto_cipher_spawn
*spawn
;
863 struct crypto_alg
*alg
;
867 err
= crypto_check_attr_type(tb
, CRYPTO_ALG_TYPE_SHASH
, &mask
);
871 inst
= kzalloc(sizeof(*inst
) + sizeof(*spawn
), GFP_KERNEL
);
874 spawn
= shash_instance_ctx(inst
);
876 err
= crypto_grab_cipher(spawn
, shash_crypto_instance(inst
),
877 crypto_attr_alg_name(tb
[1]), 0, mask
);
880 alg
= crypto_spawn_cipher_alg(spawn
);
882 err
= crypto_inst_setname(shash_crypto_instance(inst
), tmpl
->name
, alg
);
886 inst
->alg
.base
.cra_priority
= alg
->cra_priority
;
887 inst
->alg
.base
.cra_blocksize
= 1;
889 inst
->alg
.digestsize
= alg
->cra_blocksize
;
890 inst
->alg
.descsize
= sizeof(struct cbcmac_desc_ctx
) +
893 inst
->alg
.base
.cra_ctxsize
= sizeof(struct cbcmac_tfm_ctx
);
894 inst
->alg
.base
.cra_init
= cbcmac_init_tfm
;
895 inst
->alg
.base
.cra_exit
= cbcmac_exit_tfm
;
897 inst
->alg
.init
= crypto_cbcmac_digest_init
;
898 inst
->alg
.update
= crypto_cbcmac_digest_update
;
899 inst
->alg
.final
= crypto_cbcmac_digest_final
;
900 inst
->alg
.setkey
= crypto_cbcmac_digest_setkey
;
902 inst
->free
= shash_free_singlespawn_instance
;
904 err
= shash_register_instance(tmpl
, inst
);
907 shash_free_singlespawn_instance(inst
);
912 static struct crypto_template crypto_ccm_tmpls
[] = {
915 .create
= cbcmac_create
,
916 .module
= THIS_MODULE
,
919 .create
= crypto_ccm_base_create
,
920 .module
= THIS_MODULE
,
923 .create
= crypto_ccm_create
,
924 .module
= THIS_MODULE
,
927 .create
= crypto_rfc4309_create
,
928 .module
= THIS_MODULE
,
932 static int __init
crypto_ccm_module_init(void)
934 return crypto_register_templates(crypto_ccm_tmpls
,
935 ARRAY_SIZE(crypto_ccm_tmpls
));
938 static void __exit
crypto_ccm_module_exit(void)
940 crypto_unregister_templates(crypto_ccm_tmpls
,
941 ARRAY_SIZE(crypto_ccm_tmpls
));
944 subsys_initcall(crypto_ccm_module_init
);
945 module_exit(crypto_ccm_module_exit
);
947 MODULE_LICENSE("GPL");
948 MODULE_DESCRIPTION("Counter with CBC MAC");
949 MODULE_ALIAS_CRYPTO("ccm_base");
950 MODULE_ALIAS_CRYPTO("rfc4309");
951 MODULE_ALIAS_CRYPTO("ccm");
952 MODULE_ALIAS_CRYPTO("cbcmac");
953 MODULE_IMPORT_NS(CRYPTO_INTERNAL
);