xref: /linux/crypto/ccm.c (revision 83869019c74cc2d01c96a3be2463a4eebe362224)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * CCM: Counter with CBC-MAC
4  *
5  * (C) Copyright IBM Corp. 2007 - Joy Latten <latten@us.ibm.com>
6  */
7 
8 #include <crypto/internal/aead.h>
9 #include <crypto/internal/cipher.h>
10 #include <crypto/internal/hash.h>
11 #include <crypto/internal/skcipher.h>
12 #include <crypto/scatterwalk.h>
13 #include <linux/err.h>
14 #include <linux/init.h>
15 #include <linux/kernel.h>
16 #include <linux/module.h>
17 #include <linux/slab.h>
18 
19 struct ccm_instance_ctx {
20 	struct crypto_skcipher_spawn ctr;
21 	struct crypto_ahash_spawn mac;
22 };
23 
24 struct crypto_ccm_ctx {
25 	struct crypto_ahash *mac;
26 	struct crypto_skcipher *ctr;
27 };
28 
29 struct crypto_rfc4309_ctx {
30 	struct crypto_aead *child;
31 	u8 nonce[3];
32 };
33 
34 struct crypto_rfc4309_req_ctx {
35 	struct scatterlist src[3];
36 	struct scatterlist dst[3];
37 	struct aead_request subreq;
38 };
39 
40 struct crypto_ccm_req_priv_ctx {
41 	u8 odata[16];
42 	u8 idata[16];
43 	u8 auth_tag[16];
44 	u32 flags;
45 	struct scatterlist src[3];
46 	struct scatterlist dst[3];
47 	union {
48 		struct ahash_request ahreq;
49 		struct skcipher_request skreq;
50 	};
51 };
52 
53 struct cbcmac_tfm_ctx {
54 	struct crypto_cipher *child;
55 };
56 
57 struct cbcmac_desc_ctx {
58 	unsigned int len;
59 };
60 
61 static inline struct crypto_ccm_req_priv_ctx *crypto_ccm_reqctx(
62 	struct aead_request *req)
63 {
64 	unsigned long align = crypto_aead_alignmask(crypto_aead_reqtfm(req));
65 
66 	return (void *)PTR_ALIGN((u8 *)aead_request_ctx(req), align + 1);
67 }
68 
69 static int set_msg_len(u8 *block, unsigned int msglen, int csize)
70 {
71 	__be32 data;
72 
73 	memset(block, 0, csize);
74 	block += csize;
75 
76 	if (csize >= 4)
77 		csize = 4;
78 	else if (msglen > (1 << (8 * csize)))
79 		return -EOVERFLOW;
80 
81 	data = cpu_to_be32(msglen);
82 	memcpy(block - csize, (u8 *)&data + 4 - csize, csize);
83 
84 	return 0;
85 }
86 
87 static int crypto_ccm_setkey(struct crypto_aead *aead, const u8 *key,
88 			     unsigned int keylen)
89 {
90 	struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead);
91 	struct crypto_skcipher *ctr = ctx->ctr;
92 	struct crypto_ahash *mac = ctx->mac;
93 	int err;
94 
95 	crypto_skcipher_clear_flags(ctr, CRYPTO_TFM_REQ_MASK);
96 	crypto_skcipher_set_flags(ctr, crypto_aead_get_flags(aead) &
97 				       CRYPTO_TFM_REQ_MASK);
98 	err = crypto_skcipher_setkey(ctr, key, keylen);
99 	if (err)
100 		return err;
101 
102 	crypto_ahash_clear_flags(mac, CRYPTO_TFM_REQ_MASK);
103 	crypto_ahash_set_flags(mac, crypto_aead_get_flags(aead) &
104 				    CRYPTO_TFM_REQ_MASK);
105 	return crypto_ahash_setkey(mac, key, keylen);
106 }
107 
108 static int crypto_ccm_setauthsize(struct crypto_aead *tfm,
109 				  unsigned int authsize)
110 {
111 	switch (authsize) {
112 	case 4:
113 	case 6:
114 	case 8:
115 	case 10:
116 	case 12:
117 	case 14:
118 	case 16:
119 		break;
120 	default:
121 		return -EINVAL;
122 	}
123 
124 	return 0;
125 }
126 
127 static int format_input(u8 *info, struct aead_request *req,
128 			unsigned int cryptlen)
129 {
130 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
131 	unsigned int lp = req->iv[0];
132 	unsigned int l = lp + 1;
133 	unsigned int m;
134 
135 	m = crypto_aead_authsize(aead);
136 
137 	memcpy(info, req->iv, 16);
138 
139 	/* format control info per RFC 3610 and
140 	 * NIST Special Publication 800-38C
141 	 */
142 	*info |= (8 * ((m - 2) / 2));
143 	if (req->assoclen)
144 		*info |= 64;
145 
146 	return set_msg_len(info + 16 - l, cryptlen, l);
147 }
148 
149 static int format_adata(u8 *adata, unsigned int a)
150 {
151 	int len = 0;
152 
153 	/* add control info for associated data
154 	 * RFC 3610 and NIST Special Publication 800-38C
155 	 */
156 	if (a < 65280) {
157 		*(__be16 *)adata = cpu_to_be16(a);
158 		len = 2;
159 	} else  {
160 		*(__be16 *)adata = cpu_to_be16(0xfffe);
161 		*(__be32 *)&adata[2] = cpu_to_be32(a);
162 		len = 6;
163 	}
164 
165 	return len;
166 }
167 
168 static int crypto_ccm_auth(struct aead_request *req, struct scatterlist *plain,
169 			   unsigned int cryptlen)
170 {
171 	struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
172 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
173 	struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead);
174 	struct ahash_request *ahreq = &pctx->ahreq;
175 	unsigned int assoclen = req->assoclen;
176 	struct scatterlist sg[3];
177 	u8 *odata = pctx->odata;
178 	u8 *idata = pctx->idata;
179 	int ilen, err;
180 
181 	/* format control data for input */
182 	err = format_input(odata, req, cryptlen);
183 	if (err)
184 		goto out;
185 
186 	sg_init_table(sg, 3);
187 	sg_set_buf(&sg[0], odata, 16);
188 
189 	/* format associated data and compute into mac */
190 	if (assoclen) {
191 		ilen = format_adata(idata, assoclen);
192 		sg_set_buf(&sg[1], idata, ilen);
193 		sg_chain(sg, 3, req->src);
194 	} else {
195 		ilen = 0;
196 		sg_chain(sg, 2, req->src);
197 	}
198 
199 	ahash_request_set_tfm(ahreq, ctx->mac);
200 	ahash_request_set_callback(ahreq, pctx->flags, NULL, NULL);
201 	ahash_request_set_crypt(ahreq, sg, NULL, assoclen + ilen + 16);
202 	err = crypto_ahash_init(ahreq);
203 	if (err)
204 		goto out;
205 	err = crypto_ahash_update(ahreq);
206 	if (err)
207 		goto out;
208 
209 	/* we need to pad the MAC input to a round multiple of the block size */
210 	ilen = 16 - (assoclen + ilen) % 16;
211 	if (ilen < 16) {
212 		memset(idata, 0, ilen);
213 		sg_init_table(sg, 2);
214 		sg_set_buf(&sg[0], idata, ilen);
215 		if (plain)
216 			sg_chain(sg, 2, plain);
217 		plain = sg;
218 		cryptlen += ilen;
219 	}
220 
221 	ahash_request_set_crypt(ahreq, plain, pctx->odata, cryptlen);
222 	err = crypto_ahash_finup(ahreq);
223 out:
224 	return err;
225 }
226 
227 static void crypto_ccm_encrypt_done(struct crypto_async_request *areq, int err)
228 {
229 	struct aead_request *req = areq->data;
230 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
231 	struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
232 	u8 *odata = pctx->odata;
233 
234 	if (!err)
235 		scatterwalk_map_and_copy(odata, req->dst,
236 					 req->assoclen + req->cryptlen,
237 					 crypto_aead_authsize(aead), 1);
238 	aead_request_complete(req, err);
239 }
240 
241 static inline int crypto_ccm_check_iv(const u8 *iv)
242 {
243 	/* 2 <= L <= 8, so 1 <= L' <= 7. */
244 	if (1 > iv[0] || iv[0] > 7)
245 		return -EINVAL;
246 
247 	return 0;
248 }
249 
250 static int crypto_ccm_init_crypt(struct aead_request *req, u8 *tag)
251 {
252 	struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
253 	struct scatterlist *sg;
254 	u8 *iv = req->iv;
255 	int err;
256 
257 	err = crypto_ccm_check_iv(iv);
258 	if (err)
259 		return err;
260 
261 	pctx->flags = aead_request_flags(req);
262 
263 	 /* Note: rfc 3610 and NIST 800-38C require counter of
264 	 * zero to encrypt auth tag.
265 	 */
266 	memset(iv + 15 - iv[0], 0, iv[0] + 1);
267 
268 	sg_init_table(pctx->src, 3);
269 	sg_set_buf(pctx->src, tag, 16);
270 	sg = scatterwalk_ffwd(pctx->src + 1, req->src, req->assoclen);
271 	if (sg != pctx->src + 1)
272 		sg_chain(pctx->src, 2, sg);
273 
274 	if (req->src != req->dst) {
275 		sg_init_table(pctx->dst, 3);
276 		sg_set_buf(pctx->dst, tag, 16);
277 		sg = scatterwalk_ffwd(pctx->dst + 1, req->dst, req->assoclen);
278 		if (sg != pctx->dst + 1)
279 			sg_chain(pctx->dst, 2, sg);
280 	}
281 
282 	return 0;
283 }
284 
285 static int crypto_ccm_encrypt(struct aead_request *req)
286 {
287 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
288 	struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead);
289 	struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
290 	struct skcipher_request *skreq = &pctx->skreq;
291 	struct scatterlist *dst;
292 	unsigned int cryptlen = req->cryptlen;
293 	u8 *odata = pctx->odata;
294 	u8 *iv = req->iv;
295 	int err;
296 
297 	err = crypto_ccm_init_crypt(req, odata);
298 	if (err)
299 		return err;
300 
301 	err = crypto_ccm_auth(req, sg_next(pctx->src), cryptlen);
302 	if (err)
303 		return err;
304 
305 	dst = pctx->src;
306 	if (req->src != req->dst)
307 		dst = pctx->dst;
308 
309 	skcipher_request_set_tfm(skreq, ctx->ctr);
310 	skcipher_request_set_callback(skreq, pctx->flags,
311 				      crypto_ccm_encrypt_done, req);
312 	skcipher_request_set_crypt(skreq, pctx->src, dst, cryptlen + 16, iv);
313 	err = crypto_skcipher_encrypt(skreq);
314 	if (err)
315 		return err;
316 
317 	/* copy authtag to end of dst */
318 	scatterwalk_map_and_copy(odata, sg_next(dst), cryptlen,
319 				 crypto_aead_authsize(aead), 1);
320 	return err;
321 }
322 
323 static void crypto_ccm_decrypt_done(struct crypto_async_request *areq,
324 				   int err)
325 {
326 	struct aead_request *req = areq->data;
327 	struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
328 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
329 	unsigned int authsize = crypto_aead_authsize(aead);
330 	unsigned int cryptlen = req->cryptlen - authsize;
331 	struct scatterlist *dst;
332 
333 	pctx->flags = 0;
334 
335 	dst = sg_next(req->src == req->dst ? pctx->src : pctx->dst);
336 
337 	if (!err) {
338 		err = crypto_ccm_auth(req, dst, cryptlen);
339 		if (!err && crypto_memneq(pctx->auth_tag, pctx->odata, authsize))
340 			err = -EBADMSG;
341 	}
342 	aead_request_complete(req, err);
343 }
344 
345 static int crypto_ccm_decrypt(struct aead_request *req)
346 {
347 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
348 	struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead);
349 	struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
350 	struct skcipher_request *skreq = &pctx->skreq;
351 	struct scatterlist *dst;
352 	unsigned int authsize = crypto_aead_authsize(aead);
353 	unsigned int cryptlen = req->cryptlen;
354 	u8 *authtag = pctx->auth_tag;
355 	u8 *odata = pctx->odata;
356 	u8 *iv = pctx->idata;
357 	int err;
358 
359 	cryptlen -= authsize;
360 
361 	err = crypto_ccm_init_crypt(req, authtag);
362 	if (err)
363 		return err;
364 
365 	scatterwalk_map_and_copy(authtag, sg_next(pctx->src), cryptlen,
366 				 authsize, 0);
367 
368 	dst = pctx->src;
369 	if (req->src != req->dst)
370 		dst = pctx->dst;
371 
372 	memcpy(iv, req->iv, 16);
373 
374 	skcipher_request_set_tfm(skreq, ctx->ctr);
375 	skcipher_request_set_callback(skreq, pctx->flags,
376 				      crypto_ccm_decrypt_done, req);
377 	skcipher_request_set_crypt(skreq, pctx->src, dst, cryptlen + 16, iv);
378 	err = crypto_skcipher_decrypt(skreq);
379 	if (err)
380 		return err;
381 
382 	err = crypto_ccm_auth(req, sg_next(dst), cryptlen);
383 	if (err)
384 		return err;
385 
386 	/* verify */
387 	if (crypto_memneq(authtag, odata, authsize))
388 		return -EBADMSG;
389 
390 	return err;
391 }
392 
393 static int crypto_ccm_init_tfm(struct crypto_aead *tfm)
394 {
395 	struct aead_instance *inst = aead_alg_instance(tfm);
396 	struct ccm_instance_ctx *ictx = aead_instance_ctx(inst);
397 	struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm);
398 	struct crypto_ahash *mac;
399 	struct crypto_skcipher *ctr;
400 	unsigned long align;
401 	int err;
402 
403 	mac = crypto_spawn_ahash(&ictx->mac);
404 	if (IS_ERR(mac))
405 		return PTR_ERR(mac);
406 
407 	ctr = crypto_spawn_skcipher(&ictx->ctr);
408 	err = PTR_ERR(ctr);
409 	if (IS_ERR(ctr))
410 		goto err_free_mac;
411 
412 	ctx->mac = mac;
413 	ctx->ctr = ctr;
414 
415 	align = crypto_aead_alignmask(tfm);
416 	align &= ~(crypto_tfm_ctx_alignment() - 1);
417 	crypto_aead_set_reqsize(
418 		tfm,
419 		align + sizeof(struct crypto_ccm_req_priv_ctx) +
420 		max(crypto_ahash_reqsize(mac), crypto_skcipher_reqsize(ctr)));
421 
422 	return 0;
423 
424 err_free_mac:
425 	crypto_free_ahash(mac);
426 	return err;
427 }
428 
429 static void crypto_ccm_exit_tfm(struct crypto_aead *tfm)
430 {
431 	struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm);
432 
433 	crypto_free_ahash(ctx->mac);
434 	crypto_free_skcipher(ctx->ctr);
435 }
436 
437 static void crypto_ccm_free(struct aead_instance *inst)
438 {
439 	struct ccm_instance_ctx *ctx = aead_instance_ctx(inst);
440 
441 	crypto_drop_ahash(&ctx->mac);
442 	crypto_drop_skcipher(&ctx->ctr);
443 	kfree(inst);
444 }
445 
446 static int crypto_ccm_create_common(struct crypto_template *tmpl,
447 				    struct rtattr **tb,
448 				    const char *ctr_name,
449 				    const char *mac_name)
450 {
451 	u32 mask;
452 	struct aead_instance *inst;
453 	struct ccm_instance_ctx *ictx;
454 	struct skcipher_alg *ctr;
455 	struct hash_alg_common *mac;
456 	int err;
457 
458 	err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AEAD, &mask);
459 	if (err)
460 		return err;
461 
462 	inst = kzalloc(sizeof(*inst) + sizeof(*ictx), GFP_KERNEL);
463 	if (!inst)
464 		return -ENOMEM;
465 	ictx = aead_instance_ctx(inst);
466 
467 	err = crypto_grab_ahash(&ictx->mac, aead_crypto_instance(inst),
468 				mac_name, 0, mask | CRYPTO_ALG_ASYNC);
469 	if (err)
470 		goto err_free_inst;
471 	mac = crypto_spawn_ahash_alg(&ictx->mac);
472 
473 	err = -EINVAL;
474 	if (strncmp(mac->base.cra_name, "cbcmac(", 7) != 0 ||
475 	    mac->digestsize != 16)
476 		goto err_free_inst;
477 
478 	err = crypto_grab_skcipher(&ictx->ctr, aead_crypto_instance(inst),
479 				   ctr_name, 0, mask);
480 	if (err)
481 		goto err_free_inst;
482 	ctr = crypto_spawn_skcipher_alg(&ictx->ctr);
483 
484 	/* The skcipher algorithm must be CTR mode, using 16-byte blocks. */
485 	err = -EINVAL;
486 	if (strncmp(ctr->base.cra_name, "ctr(", 4) != 0 ||
487 	    crypto_skcipher_alg_ivsize(ctr) != 16 ||
488 	    ctr->base.cra_blocksize != 1)
489 		goto err_free_inst;
490 
491 	/* ctr and cbcmac must use the same underlying block cipher. */
492 	if (strcmp(ctr->base.cra_name + 4, mac->base.cra_name + 7) != 0)
493 		goto err_free_inst;
494 
495 	err = -ENAMETOOLONG;
496 	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
497 		     "ccm(%s", ctr->base.cra_name + 4) >= CRYPTO_MAX_ALG_NAME)
498 		goto err_free_inst;
499 
500 	if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
501 		     "ccm_base(%s,%s)", ctr->base.cra_driver_name,
502 		     mac->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
503 		goto err_free_inst;
504 
505 	inst->alg.base.cra_priority = (mac->base.cra_priority +
506 				       ctr->base.cra_priority) / 2;
507 	inst->alg.base.cra_blocksize = 1;
508 	inst->alg.base.cra_alignmask = mac->base.cra_alignmask |
509 				       ctr->base.cra_alignmask;
510 	inst->alg.ivsize = 16;
511 	inst->alg.chunksize = crypto_skcipher_alg_chunksize(ctr);
512 	inst->alg.maxauthsize = 16;
513 	inst->alg.base.cra_ctxsize = sizeof(struct crypto_ccm_ctx);
514 	inst->alg.init = crypto_ccm_init_tfm;
515 	inst->alg.exit = crypto_ccm_exit_tfm;
516 	inst->alg.setkey = crypto_ccm_setkey;
517 	inst->alg.setauthsize = crypto_ccm_setauthsize;
518 	inst->alg.encrypt = crypto_ccm_encrypt;
519 	inst->alg.decrypt = crypto_ccm_decrypt;
520 
521 	inst->free = crypto_ccm_free;
522 
523 	err = aead_register_instance(tmpl, inst);
524 	if (err) {
525 err_free_inst:
526 		crypto_ccm_free(inst);
527 	}
528 	return err;
529 }
530 
531 static int crypto_ccm_create(struct crypto_template *tmpl, struct rtattr **tb)
532 {
533 	const char *cipher_name;
534 	char ctr_name[CRYPTO_MAX_ALG_NAME];
535 	char mac_name[CRYPTO_MAX_ALG_NAME];
536 
537 	cipher_name = crypto_attr_alg_name(tb[1]);
538 	if (IS_ERR(cipher_name))
539 		return PTR_ERR(cipher_name);
540 
541 	if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)",
542 		     cipher_name) >= CRYPTO_MAX_ALG_NAME)
543 		return -ENAMETOOLONG;
544 
545 	if (snprintf(mac_name, CRYPTO_MAX_ALG_NAME, "cbcmac(%s)",
546 		     cipher_name) >= CRYPTO_MAX_ALG_NAME)
547 		return -ENAMETOOLONG;
548 
549 	return crypto_ccm_create_common(tmpl, tb, ctr_name, mac_name);
550 }
551 
552 static int crypto_ccm_base_create(struct crypto_template *tmpl,
553 				  struct rtattr **tb)
554 {
555 	const char *ctr_name;
556 	const char *mac_name;
557 
558 	ctr_name = crypto_attr_alg_name(tb[1]);
559 	if (IS_ERR(ctr_name))
560 		return PTR_ERR(ctr_name);
561 
562 	mac_name = crypto_attr_alg_name(tb[2]);
563 	if (IS_ERR(mac_name))
564 		return PTR_ERR(mac_name);
565 
566 	return crypto_ccm_create_common(tmpl, tb, ctr_name, mac_name);
567 }
568 
569 static int crypto_rfc4309_setkey(struct crypto_aead *parent, const u8 *key,
570 				 unsigned int keylen)
571 {
572 	struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(parent);
573 	struct crypto_aead *child = ctx->child;
574 
575 	if (keylen < 3)
576 		return -EINVAL;
577 
578 	keylen -= 3;
579 	memcpy(ctx->nonce, key + keylen, 3);
580 
581 	crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK);
582 	crypto_aead_set_flags(child, crypto_aead_get_flags(parent) &
583 				     CRYPTO_TFM_REQ_MASK);
584 	return crypto_aead_setkey(child, key, keylen);
585 }
586 
587 static int crypto_rfc4309_setauthsize(struct crypto_aead *parent,
588 				      unsigned int authsize)
589 {
590 	struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(parent);
591 
592 	switch (authsize) {
593 	case 8:
594 	case 12:
595 	case 16:
596 		break;
597 	default:
598 		return -EINVAL;
599 	}
600 
601 	return crypto_aead_setauthsize(ctx->child, authsize);
602 }
603 
604 static struct aead_request *crypto_rfc4309_crypt(struct aead_request *req)
605 {
606 	struct crypto_rfc4309_req_ctx *rctx = aead_request_ctx(req);
607 	struct aead_request *subreq = &rctx->subreq;
608 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
609 	struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(aead);
610 	struct crypto_aead *child = ctx->child;
611 	struct scatterlist *sg;
612 	u8 *iv = PTR_ALIGN((u8 *)(subreq + 1) + crypto_aead_reqsize(child),
613 			   crypto_aead_alignmask(child) + 1);
614 
615 	/* L' */
616 	iv[0] = 3;
617 
618 	memcpy(iv + 1, ctx->nonce, 3);
619 	memcpy(iv + 4, req->iv, 8);
620 
621 	scatterwalk_map_and_copy(iv + 16, req->src, 0, req->assoclen - 8, 0);
622 
623 	sg_init_table(rctx->src, 3);
624 	sg_set_buf(rctx->src, iv + 16, req->assoclen - 8);
625 	sg = scatterwalk_ffwd(rctx->src + 1, req->src, req->assoclen);
626 	if (sg != rctx->src + 1)
627 		sg_chain(rctx->src, 2, sg);
628 
629 	if (req->src != req->dst) {
630 		sg_init_table(rctx->dst, 3);
631 		sg_set_buf(rctx->dst, iv + 16, req->assoclen - 8);
632 		sg = scatterwalk_ffwd(rctx->dst + 1, req->dst, req->assoclen);
633 		if (sg != rctx->dst + 1)
634 			sg_chain(rctx->dst, 2, sg);
635 	}
636 
637 	aead_request_set_tfm(subreq, child);
638 	aead_request_set_callback(subreq, req->base.flags, req->base.complete,
639 				  req->base.data);
640 	aead_request_set_crypt(subreq, rctx->src,
641 			       req->src == req->dst ? rctx->src : rctx->dst,
642 			       req->cryptlen, iv);
643 	aead_request_set_ad(subreq, req->assoclen - 8);
644 
645 	return subreq;
646 }
647 
648 static int crypto_rfc4309_encrypt(struct aead_request *req)
649 {
650 	if (req->assoclen != 16 && req->assoclen != 20)
651 		return -EINVAL;
652 
653 	req = crypto_rfc4309_crypt(req);
654 
655 	return crypto_aead_encrypt(req);
656 }
657 
658 static int crypto_rfc4309_decrypt(struct aead_request *req)
659 {
660 	if (req->assoclen != 16 && req->assoclen != 20)
661 		return -EINVAL;
662 
663 	req = crypto_rfc4309_crypt(req);
664 
665 	return crypto_aead_decrypt(req);
666 }
667 
668 static int crypto_rfc4309_init_tfm(struct crypto_aead *tfm)
669 {
670 	struct aead_instance *inst = aead_alg_instance(tfm);
671 	struct crypto_aead_spawn *spawn = aead_instance_ctx(inst);
672 	struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(tfm);
673 	struct crypto_aead *aead;
674 	unsigned long align;
675 
676 	aead = crypto_spawn_aead(spawn);
677 	if (IS_ERR(aead))
678 		return PTR_ERR(aead);
679 
680 	ctx->child = aead;
681 
682 	align = crypto_aead_alignmask(aead);
683 	align &= ~(crypto_tfm_ctx_alignment() - 1);
684 	crypto_aead_set_reqsize(
685 		tfm,
686 		sizeof(struct crypto_rfc4309_req_ctx) +
687 		ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) +
688 		align + 32);
689 
690 	return 0;
691 }
692 
693 static void crypto_rfc4309_exit_tfm(struct crypto_aead *tfm)
694 {
695 	struct crypto_rfc4309_ctx *ctx = crypto_aead_ctx(tfm);
696 
697 	crypto_free_aead(ctx->child);
698 }
699 
700 static void crypto_rfc4309_free(struct aead_instance *inst)
701 {
702 	crypto_drop_aead(aead_instance_ctx(inst));
703 	kfree(inst);
704 }
705 
706 static int crypto_rfc4309_create(struct crypto_template *tmpl,
707 				 struct rtattr **tb)
708 {
709 	u32 mask;
710 	struct aead_instance *inst;
711 	struct crypto_aead_spawn *spawn;
712 	struct aead_alg *alg;
713 	int err;
714 
715 	err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AEAD, &mask);
716 	if (err)
717 		return err;
718 
719 	inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
720 	if (!inst)
721 		return -ENOMEM;
722 
723 	spawn = aead_instance_ctx(inst);
724 	err = crypto_grab_aead(spawn, aead_crypto_instance(inst),
725 			       crypto_attr_alg_name(tb[1]), 0, mask);
726 	if (err)
727 		goto err_free_inst;
728 
729 	alg = crypto_spawn_aead_alg(spawn);
730 
731 	err = -EINVAL;
732 
733 	/* We only support 16-byte blocks. */
734 	if (crypto_aead_alg_ivsize(alg) != 16)
735 		goto err_free_inst;
736 
737 	/* Not a stream cipher? */
738 	if (alg->base.cra_blocksize != 1)
739 		goto err_free_inst;
740 
741 	err = -ENAMETOOLONG;
742 	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
743 		     "rfc4309(%s)", alg->base.cra_name) >=
744 	    CRYPTO_MAX_ALG_NAME ||
745 	    snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
746 		     "rfc4309(%s)", alg->base.cra_driver_name) >=
747 	    CRYPTO_MAX_ALG_NAME)
748 		goto err_free_inst;
749 
750 	inst->alg.base.cra_priority = alg->base.cra_priority;
751 	inst->alg.base.cra_blocksize = 1;
752 	inst->alg.base.cra_alignmask = alg->base.cra_alignmask;
753 
754 	inst->alg.ivsize = 8;
755 	inst->alg.chunksize = crypto_aead_alg_chunksize(alg);
756 	inst->alg.maxauthsize = 16;
757 
758 	inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4309_ctx);
759 
760 	inst->alg.init = crypto_rfc4309_init_tfm;
761 	inst->alg.exit = crypto_rfc4309_exit_tfm;
762 
763 	inst->alg.setkey = crypto_rfc4309_setkey;
764 	inst->alg.setauthsize = crypto_rfc4309_setauthsize;
765 	inst->alg.encrypt = crypto_rfc4309_encrypt;
766 	inst->alg.decrypt = crypto_rfc4309_decrypt;
767 
768 	inst->free = crypto_rfc4309_free;
769 
770 	err = aead_register_instance(tmpl, inst);
771 	if (err) {
772 err_free_inst:
773 		crypto_rfc4309_free(inst);
774 	}
775 	return err;
776 }
777 
778 static int crypto_cbcmac_digest_setkey(struct crypto_shash *parent,
779 				     const u8 *inkey, unsigned int keylen)
780 {
781 	struct cbcmac_tfm_ctx *ctx = crypto_shash_ctx(parent);
782 
783 	return crypto_cipher_setkey(ctx->child, inkey, keylen);
784 }
785 
786 static int crypto_cbcmac_digest_init(struct shash_desc *pdesc)
787 {
788 	struct cbcmac_desc_ctx *ctx = shash_desc_ctx(pdesc);
789 	int bs = crypto_shash_digestsize(pdesc->tfm);
790 	u8 *dg = (u8 *)ctx + crypto_shash_descsize(pdesc->tfm) - bs;
791 
792 	ctx->len = 0;
793 	memset(dg, 0, bs);
794 
795 	return 0;
796 }
797 
798 static int crypto_cbcmac_digest_update(struct shash_desc *pdesc, const u8 *p,
799 				       unsigned int len)
800 {
801 	struct crypto_shash *parent = pdesc->tfm;
802 	struct cbcmac_tfm_ctx *tctx = crypto_shash_ctx(parent);
803 	struct cbcmac_desc_ctx *ctx = shash_desc_ctx(pdesc);
804 	struct crypto_cipher *tfm = tctx->child;
805 	int bs = crypto_shash_digestsize(parent);
806 	u8 *dg = (u8 *)ctx + crypto_shash_descsize(parent) - bs;
807 
808 	while (len > 0) {
809 		unsigned int l = min(len, bs - ctx->len);
810 
811 		crypto_xor(dg + ctx->len, p, l);
812 		ctx->len +=l;
813 		len -= l;
814 		p += l;
815 
816 		if (ctx->len == bs) {
817 			crypto_cipher_encrypt_one(tfm, dg, dg);
818 			ctx->len = 0;
819 		}
820 	}
821 
822 	return 0;
823 }
824 
825 static int crypto_cbcmac_digest_final(struct shash_desc *pdesc, u8 *out)
826 {
827 	struct crypto_shash *parent = pdesc->tfm;
828 	struct cbcmac_tfm_ctx *tctx = crypto_shash_ctx(parent);
829 	struct cbcmac_desc_ctx *ctx = shash_desc_ctx(pdesc);
830 	struct crypto_cipher *tfm = tctx->child;
831 	int bs = crypto_shash_digestsize(parent);
832 	u8 *dg = (u8 *)ctx + crypto_shash_descsize(parent) - bs;
833 
834 	if (ctx->len)
835 		crypto_cipher_encrypt_one(tfm, dg, dg);
836 
837 	memcpy(out, dg, bs);
838 	return 0;
839 }
840 
841 static int cbcmac_init_tfm(struct crypto_tfm *tfm)
842 {
843 	struct crypto_cipher *cipher;
844 	struct crypto_instance *inst = (void *)tfm->__crt_alg;
845 	struct crypto_cipher_spawn *spawn = crypto_instance_ctx(inst);
846 	struct cbcmac_tfm_ctx *ctx = crypto_tfm_ctx(tfm);
847 
848 	cipher = crypto_spawn_cipher(spawn);
849 	if (IS_ERR(cipher))
850 		return PTR_ERR(cipher);
851 
852 	ctx->child = cipher;
853 
854 	return 0;
855 };
856 
857 static void cbcmac_exit_tfm(struct crypto_tfm *tfm)
858 {
859 	struct cbcmac_tfm_ctx *ctx = crypto_tfm_ctx(tfm);
860 	crypto_free_cipher(ctx->child);
861 }
862 
863 static int cbcmac_create(struct crypto_template *tmpl, struct rtattr **tb)
864 {
865 	struct shash_instance *inst;
866 	struct crypto_cipher_spawn *spawn;
867 	struct crypto_alg *alg;
868 	u32 mask;
869 	int err;
870 
871 	err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_SHASH, &mask);
872 	if (err)
873 		return err;
874 
875 	inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
876 	if (!inst)
877 		return -ENOMEM;
878 	spawn = shash_instance_ctx(inst);
879 
880 	err = crypto_grab_cipher(spawn, shash_crypto_instance(inst),
881 				 crypto_attr_alg_name(tb[1]), 0, mask);
882 	if (err)
883 		goto err_free_inst;
884 	alg = crypto_spawn_cipher_alg(spawn);
885 
886 	err = crypto_inst_setname(shash_crypto_instance(inst), tmpl->name, alg);
887 	if (err)
888 		goto err_free_inst;
889 
890 	inst->alg.base.cra_priority = alg->cra_priority;
891 	inst->alg.base.cra_blocksize = 1;
892 
893 	inst->alg.digestsize = alg->cra_blocksize;
894 	inst->alg.descsize = ALIGN(sizeof(struct cbcmac_desc_ctx),
895 				   alg->cra_alignmask + 1) +
896 			     alg->cra_blocksize;
897 
898 	inst->alg.base.cra_ctxsize = sizeof(struct cbcmac_tfm_ctx);
899 	inst->alg.base.cra_init = cbcmac_init_tfm;
900 	inst->alg.base.cra_exit = cbcmac_exit_tfm;
901 
902 	inst->alg.init = crypto_cbcmac_digest_init;
903 	inst->alg.update = crypto_cbcmac_digest_update;
904 	inst->alg.final = crypto_cbcmac_digest_final;
905 	inst->alg.setkey = crypto_cbcmac_digest_setkey;
906 
907 	inst->free = shash_free_singlespawn_instance;
908 
909 	err = shash_register_instance(tmpl, inst);
910 	if (err) {
911 err_free_inst:
912 		shash_free_singlespawn_instance(inst);
913 	}
914 	return err;
915 }
916 
917 static struct crypto_template crypto_ccm_tmpls[] = {
918 	{
919 		.name = "cbcmac",
920 		.create = cbcmac_create,
921 		.module = THIS_MODULE,
922 	}, {
923 		.name = "ccm_base",
924 		.create = crypto_ccm_base_create,
925 		.module = THIS_MODULE,
926 	}, {
927 		.name = "ccm",
928 		.create = crypto_ccm_create,
929 		.module = THIS_MODULE,
930 	}, {
931 		.name = "rfc4309",
932 		.create = crypto_rfc4309_create,
933 		.module = THIS_MODULE,
934 	},
935 };
936 
937 static int __init crypto_ccm_module_init(void)
938 {
939 	return crypto_register_templates(crypto_ccm_tmpls,
940 					 ARRAY_SIZE(crypto_ccm_tmpls));
941 }
942 
943 static void __exit crypto_ccm_module_exit(void)
944 {
945 	crypto_unregister_templates(crypto_ccm_tmpls,
946 				    ARRAY_SIZE(crypto_ccm_tmpls));
947 }
948 
949 subsys_initcall(crypto_ccm_module_init);
950 module_exit(crypto_ccm_module_exit);
951 
952 MODULE_LICENSE("GPL");
953 MODULE_DESCRIPTION("Counter with CBC MAC");
954 MODULE_ALIAS_CRYPTO("ccm_base");
955 MODULE_ALIAS_CRYPTO("rfc4309");
956 MODULE_ALIAS_CRYPTO("ccm");
957 MODULE_ALIAS_CRYPTO("cbcmac");
958 MODULE_IMPORT_NS(CRYPTO_INTERNAL);
959