1 // SPDX-License-Identifier: GPL-2.0-or-later
3 * CMAC: Cipher Block Mode for Authentication
5 * Copyright © 2013 Jussi Kivilinna <jussi.kivilinna@iki.fi>
8 * Copyright © 2013 Tom St Denis <tstdenis@elliptictech.com>
9 * Based on crypto/xcbc.c:
10 * Copyright © 2006 USAGI/WIDE Project,
11 * Author: Kazunori Miyazawa <miyazawa@linux-ipv6.org>
14 #include <crypto/internal/cipher.h>
15 #include <crypto/internal/hash.h>
16 #include <linux/err.h>
17 #include <linux/kernel.h>
18 #include <linux/module.h>
21 * +------------------------
23 * +------------------------
25 * +------------------------
26 * | consts (block size * 2)
27 * +------------------------
30 struct crypto_cipher
*child
;
35 * +------------------------
37 * +------------------------
39 * +------------------------
41 * +------------------------
43 * +------------------------
45 struct cmac_desc_ctx
{
50 static int crypto_cmac_digest_setkey(struct crypto_shash
*parent
,
51 const u8
*inkey
, unsigned int keylen
)
53 unsigned long alignmask
= crypto_shash_alignmask(parent
);
54 struct cmac_tfm_ctx
*ctx
= crypto_shash_ctx(parent
);
55 unsigned int bs
= crypto_shash_blocksize(parent
);
56 __be64
*consts
= PTR_ALIGN((void *)ctx
->ctx
,
57 (alignmask
| (__alignof__(__be64
) - 1)) + 1);
62 err
= crypto_cipher_setkey(ctx
->child
, inkey
, keylen
);
66 /* encrypt the zero block */
67 memset(consts
, 0, bs
);
68 crypto_cipher_encrypt_one(ctx
->child
, (u8
*)consts
, (u8
*)consts
);
73 _const
[0] = be64_to_cpu(consts
[1]);
74 _const
[1] = be64_to_cpu(consts
[0]);
76 /* gf(2^128) multiply zero-ciphertext with u and u^2 */
77 for (i
= 0; i
< 4; i
+= 2) {
78 msb_mask
= ((s64
)_const
[1] >> 63) & gfmask
;
79 _const
[1] = (_const
[1] << 1) | (_const
[0] >> 63);
80 _const
[0] = (_const
[0] << 1) ^ msb_mask
;
82 consts
[i
+ 0] = cpu_to_be64(_const
[1]);
83 consts
[i
+ 1] = cpu_to_be64(_const
[0]);
89 _const
[0] = be64_to_cpu(consts
[0]);
91 /* gf(2^64) multiply zero-ciphertext with u and u^2 */
92 for (i
= 0; i
< 2; i
++) {
93 msb_mask
= ((s64
)_const
[0] >> 63) & gfmask
;
94 _const
[0] = (_const
[0] << 1) ^ msb_mask
;
96 consts
[i
] = cpu_to_be64(_const
[0]);
105 static int crypto_cmac_digest_init(struct shash_desc
*pdesc
)
107 unsigned long alignmask
= crypto_shash_alignmask(pdesc
->tfm
);
108 struct cmac_desc_ctx
*ctx
= shash_desc_ctx(pdesc
);
109 int bs
= crypto_shash_blocksize(pdesc
->tfm
);
110 u8
*prev
= PTR_ALIGN((void *)ctx
->ctx
, alignmask
+ 1) + bs
;
118 static int crypto_cmac_digest_update(struct shash_desc
*pdesc
, const u8
*p
,
121 struct crypto_shash
*parent
= pdesc
->tfm
;
122 unsigned long alignmask
= crypto_shash_alignmask(parent
);
123 struct cmac_tfm_ctx
*tctx
= crypto_shash_ctx(parent
);
124 struct cmac_desc_ctx
*ctx
= shash_desc_ctx(pdesc
);
125 struct crypto_cipher
*tfm
= tctx
->child
;
126 int bs
= crypto_shash_blocksize(parent
);
127 u8
*odds
= PTR_ALIGN((void *)ctx
->ctx
, alignmask
+ 1);
128 u8
*prev
= odds
+ bs
;
130 /* checking the data can fill the block */
131 if ((ctx
->len
+ len
) <= bs
) {
132 memcpy(odds
+ ctx
->len
, p
, len
);
137 /* filling odds with new data and encrypting it */
138 memcpy(odds
+ ctx
->len
, p
, bs
- ctx
->len
);
139 len
-= bs
- ctx
->len
;
142 crypto_xor(prev
, odds
, bs
);
143 crypto_cipher_encrypt_one(tfm
, prev
, prev
);
145 /* clearing the length */
148 /* encrypting the rest of data */
150 crypto_xor(prev
, p
, bs
);
151 crypto_cipher_encrypt_one(tfm
, prev
, prev
);
156 /* keeping the surplus of blocksize */
158 memcpy(odds
, p
, len
);
165 static int crypto_cmac_digest_final(struct shash_desc
*pdesc
, u8
*out
)
167 struct crypto_shash
*parent
= pdesc
->tfm
;
168 unsigned long alignmask
= crypto_shash_alignmask(parent
);
169 struct cmac_tfm_ctx
*tctx
= crypto_shash_ctx(parent
);
170 struct cmac_desc_ctx
*ctx
= shash_desc_ctx(pdesc
);
171 struct crypto_cipher
*tfm
= tctx
->child
;
172 int bs
= crypto_shash_blocksize(parent
);
173 u8
*consts
= PTR_ALIGN((void *)tctx
->ctx
,
174 (alignmask
| (__alignof__(__be64
) - 1)) + 1);
175 u8
*odds
= PTR_ALIGN((void *)ctx
->ctx
, alignmask
+ 1);
176 u8
*prev
= odds
+ bs
;
177 unsigned int offset
= 0;
179 if (ctx
->len
!= bs
) {
181 u8
*p
= odds
+ ctx
->len
;
186 rlen
= bs
- ctx
->len
- 1;
193 crypto_xor(prev
, odds
, bs
);
194 crypto_xor(prev
, consts
+ offset
, bs
);
196 crypto_cipher_encrypt_one(tfm
, out
, prev
);
201 static int cmac_init_tfm(struct crypto_shash
*tfm
)
203 struct shash_instance
*inst
= shash_alg_instance(tfm
);
204 struct cmac_tfm_ctx
*ctx
= crypto_shash_ctx(tfm
);
205 struct crypto_cipher_spawn
*spawn
;
206 struct crypto_cipher
*cipher
;
208 spawn
= shash_instance_ctx(inst
);
209 cipher
= crypto_spawn_cipher(spawn
);
211 return PTR_ERR(cipher
);
218 static int cmac_clone_tfm(struct crypto_shash
*tfm
, struct crypto_shash
*otfm
)
220 struct cmac_tfm_ctx
*octx
= crypto_shash_ctx(otfm
);
221 struct cmac_tfm_ctx
*ctx
= crypto_shash_ctx(tfm
);
222 struct crypto_cipher
*cipher
;
224 cipher
= crypto_clone_cipher(octx
->child
);
226 return PTR_ERR(cipher
);
233 static void cmac_exit_tfm(struct crypto_shash
*tfm
)
235 struct cmac_tfm_ctx
*ctx
= crypto_shash_ctx(tfm
);
236 crypto_free_cipher(ctx
->child
);
239 static int cmac_create(struct crypto_template
*tmpl
, struct rtattr
**tb
)
241 struct shash_instance
*inst
;
242 struct crypto_cipher_spawn
*spawn
;
243 struct crypto_alg
*alg
;
244 unsigned long alignmask
;
248 err
= crypto_check_attr_type(tb
, CRYPTO_ALG_TYPE_SHASH
, &mask
);
252 inst
= kzalloc(sizeof(*inst
) + sizeof(*spawn
), GFP_KERNEL
);
255 spawn
= shash_instance_ctx(inst
);
257 err
= crypto_grab_cipher(spawn
, shash_crypto_instance(inst
),
258 crypto_attr_alg_name(tb
[1]), 0, mask
);
261 alg
= crypto_spawn_cipher_alg(spawn
);
263 switch (alg
->cra_blocksize
) {
272 err
= crypto_inst_setname(shash_crypto_instance(inst
), tmpl
->name
, alg
);
276 alignmask
= alg
->cra_alignmask
;
277 inst
->alg
.base
.cra_alignmask
= alignmask
;
278 inst
->alg
.base
.cra_priority
= alg
->cra_priority
;
279 inst
->alg
.base
.cra_blocksize
= alg
->cra_blocksize
;
281 inst
->alg
.digestsize
= alg
->cra_blocksize
;
283 ALIGN(sizeof(struct cmac_desc_ctx
), crypto_tfm_ctx_alignment())
284 + (alignmask
& ~(crypto_tfm_ctx_alignment() - 1))
285 + alg
->cra_blocksize
* 2;
287 inst
->alg
.base
.cra_ctxsize
=
288 ALIGN(sizeof(struct cmac_tfm_ctx
), crypto_tfm_ctx_alignment())
289 + ((alignmask
| (__alignof__(__be64
) - 1)) &
290 ~(crypto_tfm_ctx_alignment() - 1))
291 + alg
->cra_blocksize
* 2;
293 inst
->alg
.init
= crypto_cmac_digest_init
;
294 inst
->alg
.update
= crypto_cmac_digest_update
;
295 inst
->alg
.final
= crypto_cmac_digest_final
;
296 inst
->alg
.setkey
= crypto_cmac_digest_setkey
;
297 inst
->alg
.init_tfm
= cmac_init_tfm
;
298 inst
->alg
.clone_tfm
= cmac_clone_tfm
;
299 inst
->alg
.exit_tfm
= cmac_exit_tfm
;
301 inst
->free
= shash_free_singlespawn_instance
;
303 err
= shash_register_instance(tmpl
, inst
);
306 shash_free_singlespawn_instance(inst
);
311 static struct crypto_template crypto_cmac_tmpl
= {
313 .create
= cmac_create
,
314 .module
= THIS_MODULE
,
317 static int __init
crypto_cmac_module_init(void)
319 return crypto_register_template(&crypto_cmac_tmpl
);
322 static void __exit
crypto_cmac_module_exit(void)
324 crypto_unregister_template(&crypto_cmac_tmpl
);
327 subsys_initcall(crypto_cmac_module_init
);
328 module_exit(crypto_cmac_module_exit
);
330 MODULE_LICENSE("GPL");
331 MODULE_DESCRIPTION("CMAC keyed hash algorithm");
332 MODULE_ALIAS_CRYPTO("cmac");
333 MODULE_IMPORT_NS(CRYPTO_INTERNAL
);