~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/arch/arm64/crypto/aes-ce-ccm-glue.c

Version: ~ [ linux-5.18-rc6 ] ~ [ linux-5.17.6 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.38 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.114 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.192 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.241 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.277 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.312 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.302 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.9 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * aes-ccm-glue.c - AES-CCM transform for ARMv8 with Crypto Extensions
  3  *
  4  * Copyright (C) 2013 - 2014 Linaro Ltd <ard.biesheuvel@linaro.org>
  5  *
  6  * This program is free software; you can redistribute it and/or modify
  7  * it under the terms of the GNU General Public License version 2 as
  8  * published by the Free Software Foundation.
  9  */
 10 
 11 #include <asm/neon.h>
 12 #include <asm/unaligned.h>
 13 #include <crypto/aes.h>
 14 #include <crypto/algapi.h>
 15 #include <crypto/scatterwalk.h>
 16 #include <linux/crypto.h>
 17 #include <linux/module.h>
 18 
 19 #include "aes-ce-setkey.h"
 20 
 21 static int num_rounds(struct crypto_aes_ctx *ctx)
 22 {
 23         /*
 24          * # of rounds specified by AES:
 25          * 128 bit key          10 rounds
 26          * 192 bit key          12 rounds
 27          * 256 bit key          14 rounds
 28          * => n byte key        => 6 + (n/4) rounds
 29          */
 30         return 6 + ctx->key_length / 4;
 31 }
 32 
 33 asmlinkage void ce_aes_ccm_auth_data(u8 mac[], u8 const in[], u32 abytes,
 34                                      u32 *macp, u32 const rk[], u32 rounds);
 35 
 36 asmlinkage void ce_aes_ccm_encrypt(u8 out[], u8 const in[], u32 cbytes,
 37                                    u32 const rk[], u32 rounds, u8 mac[],
 38                                    u8 ctr[]);
 39 
 40 asmlinkage void ce_aes_ccm_decrypt(u8 out[], u8 const in[], u32 cbytes,
 41                                    u32 const rk[], u32 rounds, u8 mac[],
 42                                    u8 ctr[]);
 43 
 44 asmlinkage void ce_aes_ccm_final(u8 mac[], u8 const ctr[], u32 const rk[],
 45                                  u32 rounds);
 46 
 47 static int ccm_setkey(struct crypto_aead *tfm, const u8 *in_key,
 48                       unsigned int key_len)
 49 {
 50         struct crypto_aes_ctx *ctx = crypto_aead_ctx(tfm);
 51         int ret;
 52 
 53         ret = ce_aes_expandkey(ctx, in_key, key_len);
 54         if (!ret)
 55                 return 0;
 56 
 57         tfm->base.crt_flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
 58         return -EINVAL;
 59 }
 60 
 61 static int ccm_setauthsize(struct crypto_aead *tfm, unsigned int authsize)
 62 {
 63         if ((authsize & 1) || authsize < 4)
 64                 return -EINVAL;
 65         return 0;
 66 }
 67 
 68 static int ccm_init_mac(struct aead_request *req, u8 maciv[], u32 msglen)
 69 {
 70         struct crypto_aead *aead = crypto_aead_reqtfm(req);
 71         __be32 *n = (__be32 *)&maciv[AES_BLOCK_SIZE - 8];
 72         u32 l = req->iv[0] + 1;
 73 
 74         /* verify that CCM dimension 'L' is set correctly in the IV */
 75         if (l < 2 || l > 8)
 76                 return -EINVAL;
 77 
 78         /* verify that msglen can in fact be represented in L bytes */
 79         if (l < 4 && msglen >> (8 * l))
 80                 return -EOVERFLOW;
 81 
 82         /*
 83          * Even if the CCM spec allows L values of up to 8, the Linux cryptoapi
 84          * uses a u32 type to represent msglen so the top 4 bytes are always 0.
 85          */
 86         n[0] = 0;
 87         n[1] = cpu_to_be32(msglen);
 88 
 89         memcpy(maciv, req->iv, AES_BLOCK_SIZE - l);
 90 
 91         /*
 92          * Meaning of byte 0 according to CCM spec (RFC 3610/NIST 800-38C)
 93          * - bits 0..2  : max # of bytes required to represent msglen, minus 1
 94          *                (already set by caller)
 95          * - bits 3..5  : size of auth tag (1 => 4 bytes, 2 => 6 bytes, etc)
 96          * - bit 6      : indicates presence of authenticate-only data
 97          */
 98         maciv[0] |= (crypto_aead_authsize(aead) - 2) << 2;
 99         if (req->assoclen)
100                 maciv[0] |= 0x40;
101 
102         memset(&req->iv[AES_BLOCK_SIZE - l], 0, l);
103         return 0;
104 }
105 
106 static void ccm_calculate_auth_mac(struct aead_request *req, u8 mac[])
107 {
108         struct crypto_aead *aead = crypto_aead_reqtfm(req);
109         struct crypto_aes_ctx *ctx = crypto_aead_ctx(aead);
110         struct __packed { __be16 l; __be32 h; u16 len; } ltag;
111         struct scatter_walk walk;
112         u32 len = req->assoclen;
113         u32 macp = 0;
114 
115         /* prepend the AAD with a length tag */
116         if (len < 0xff00) {
117                 ltag.l = cpu_to_be16(len);
118                 ltag.len = 2;
119         } else  {
120                 ltag.l = cpu_to_be16(0xfffe);
121                 put_unaligned_be32(len, &ltag.h);
122                 ltag.len = 6;
123         }
124 
125         ce_aes_ccm_auth_data(mac, (u8 *)&ltag, ltag.len, &macp, ctx->key_enc,
126                              num_rounds(ctx));
127         scatterwalk_start(&walk, req->assoc);
128 
129         do {
130                 u32 n = scatterwalk_clamp(&walk, len);
131                 u8 *p;
132 
133                 if (!n) {
134                         scatterwalk_start(&walk, sg_next(walk.sg));
135                         n = scatterwalk_clamp(&walk, len);
136                 }
137                 p = scatterwalk_map(&walk);
138                 ce_aes_ccm_auth_data(mac, p, n, &macp, ctx->key_enc,
139                                      num_rounds(ctx));
140                 len -= n;
141 
142                 scatterwalk_unmap(p);
143                 scatterwalk_advance(&walk, n);
144                 scatterwalk_done(&walk, 0, len);
145         } while (len);
146 }
147 
148 static int ccm_encrypt(struct aead_request *req)
149 {
150         struct crypto_aead *aead = crypto_aead_reqtfm(req);
151         struct crypto_aes_ctx *ctx = crypto_aead_ctx(aead);
152         struct blkcipher_desc desc = { .info = req->iv };
153         struct blkcipher_walk walk;
154         u8 __aligned(8) mac[AES_BLOCK_SIZE];
155         u8 buf[AES_BLOCK_SIZE];
156         u32 len = req->cryptlen;
157         int err;
158 
159         err = ccm_init_mac(req, mac, len);
160         if (err)
161                 return err;
162 
163         kernel_neon_begin_partial(6);
164 
165         if (req->assoclen)
166                 ccm_calculate_auth_mac(req, mac);
167 
168         /* preserve the original iv for the final round */
169         memcpy(buf, req->iv, AES_BLOCK_SIZE);
170 
171         blkcipher_walk_init(&walk, req->dst, req->src, len);
172         err = blkcipher_aead_walk_virt_block(&desc, &walk, aead,
173                                              AES_BLOCK_SIZE);
174 
175         while (walk.nbytes) {
176                 u32 tail = walk.nbytes % AES_BLOCK_SIZE;
177 
178                 if (walk.nbytes == len)
179                         tail = 0;
180 
181                 ce_aes_ccm_encrypt(walk.dst.virt.addr, walk.src.virt.addr,
182                                    walk.nbytes - tail, ctx->key_enc,
183                                    num_rounds(ctx), mac, walk.iv);
184 
185                 len -= walk.nbytes - tail;
186                 err = blkcipher_walk_done(&desc, &walk, tail);
187         }
188         if (!err)
189                 ce_aes_ccm_final(mac, buf, ctx->key_enc, num_rounds(ctx));
190 
191         kernel_neon_end();
192 
193         if (err)
194                 return err;
195 
196         /* copy authtag to end of dst */
197         scatterwalk_map_and_copy(mac, req->dst, req->cryptlen,
198                                  crypto_aead_authsize(aead), 1);
199 
200         return 0;
201 }
202 
203 static int ccm_decrypt(struct aead_request *req)
204 {
205         struct crypto_aead *aead = crypto_aead_reqtfm(req);
206         struct crypto_aes_ctx *ctx = crypto_aead_ctx(aead);
207         unsigned int authsize = crypto_aead_authsize(aead);
208         struct blkcipher_desc desc = { .info = req->iv };
209         struct blkcipher_walk walk;
210         u8 __aligned(8) mac[AES_BLOCK_SIZE];
211         u8 buf[AES_BLOCK_SIZE];
212         u32 len = req->cryptlen - authsize;
213         int err;
214 
215         err = ccm_init_mac(req, mac, len);
216         if (err)
217                 return err;
218 
219         kernel_neon_begin_partial(6);
220 
221         if (req->assoclen)
222                 ccm_calculate_auth_mac(req, mac);
223 
224         /* preserve the original iv for the final round */
225         memcpy(buf, req->iv, AES_BLOCK_SIZE);
226 
227         blkcipher_walk_init(&walk, req->dst, req->src, len);
228         err = blkcipher_aead_walk_virt_block(&desc, &walk, aead,
229                                              AES_BLOCK_SIZE);
230 
231         while (walk.nbytes) {
232                 u32 tail = walk.nbytes % AES_BLOCK_SIZE;
233 
234                 if (walk.nbytes == len)
235                         tail = 0;
236 
237                 ce_aes_ccm_decrypt(walk.dst.virt.addr, walk.src.virt.addr,
238                                    walk.nbytes - tail, ctx->key_enc,
239                                    num_rounds(ctx), mac, walk.iv);
240 
241                 len -= walk.nbytes - tail;
242                 err = blkcipher_walk_done(&desc, &walk, tail);
243         }
244         if (!err)
245                 ce_aes_ccm_final(mac, buf, ctx->key_enc, num_rounds(ctx));
246 
247         kernel_neon_end();
248 
249         if (err)
250                 return err;
251 
252         /* compare calculated auth tag with the stored one */
253         scatterwalk_map_and_copy(buf, req->src, req->cryptlen - authsize,
254                                  authsize, 0);
255 
256         if (memcmp(mac, buf, authsize))
257                 return -EBADMSG;
258         return 0;
259 }
260 
261 static struct crypto_alg ccm_aes_alg = {
262         .cra_name               = "ccm(aes)",
263         .cra_driver_name        = "ccm-aes-ce",
264         .cra_priority           = 300,
265         .cra_flags              = CRYPTO_ALG_TYPE_AEAD,
266         .cra_blocksize          = 1,
267         .cra_ctxsize            = sizeof(struct crypto_aes_ctx),
268         .cra_alignmask          = 7,
269         .cra_type               = &crypto_aead_type,
270         .cra_module             = THIS_MODULE,
271         .cra_aead = {
272                 .ivsize         = AES_BLOCK_SIZE,
273                 .maxauthsize    = AES_BLOCK_SIZE,
274                 .setkey         = ccm_setkey,
275                 .setauthsize    = ccm_setauthsize,
276                 .encrypt        = ccm_encrypt,
277                 .decrypt        = ccm_decrypt,
278         }
279 };
280 
281 static int __init aes_mod_init(void)
282 {
283         if (!(elf_hwcap & HWCAP_AES))
284                 return -ENODEV;
285         return crypto_register_alg(&ccm_aes_alg);
286 }
287 
288 static void __exit aes_mod_exit(void)
289 {
290         crypto_unregister_alg(&ccm_aes_alg);
291 }
292 
293 module_init(aes_mod_init);
294 module_exit(aes_mod_exit);
295 
296 MODULE_DESCRIPTION("Synchronous AES in CCM mode using ARMv8 Crypto Extensions");
297 MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>");
298 MODULE_LICENSE("GPL v2");
299 MODULE_ALIAS_CRYPTO("ccm(aes)");
300 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp