Commit | Line | Data |
---|---|---|
a3fd8210 AB |
1 | /* |
2 | * aes-ccm-glue.c - AES-CCM transform for ARMv8 with Crypto Extensions | |
3 | * | |
4 | * Copyright (C) 2013 - 2014 Linaro Ltd <ard.biesheuvel@linaro.org> | |
5 | * | |
6 | * This program is free software; you can redistribute it and/or modify | |
7 | * it under the terms of the GNU General Public License version 2 as | |
8 | * published by the Free Software Foundation. | |
9 | */ | |
10 | ||
11 | #include <asm/neon.h> | |
12 | #include <asm/unaligned.h> | |
13 | #include <crypto/aes.h> | |
14 | #include <crypto/algapi.h> | |
15 | #include <crypto/scatterwalk.h> | |
34ed9a35 | 16 | #include <crypto/internal/aead.h> |
a3fd8210 AB |
17 | #include <linux/module.h> |
18 | ||
12ac3efe AB |
19 | #include "aes-ce-setkey.h" |
20 | ||
a3fd8210 AB |
21 | static int num_rounds(struct crypto_aes_ctx *ctx) |
22 | { | |
23 | /* | |
24 | * # of rounds specified by AES: | |
25 | * 128 bit key 10 rounds | |
26 | * 192 bit key 12 rounds | |
27 | * 256 bit key 14 rounds | |
28 | * => n byte key => 6 + (n/4) rounds | |
29 | */ | |
30 | return 6 + ctx->key_length / 4; | |
31 | } | |
32 | ||
33 | asmlinkage void ce_aes_ccm_auth_data(u8 mac[], u8 const in[], u32 abytes, | |
34 | u32 *macp, u32 const rk[], u32 rounds); | |
35 | ||
36 | asmlinkage void ce_aes_ccm_encrypt(u8 out[], u8 const in[], u32 cbytes, | |
37 | u32 const rk[], u32 rounds, u8 mac[], | |
38 | u8 ctr[]); | |
39 | ||
40 | asmlinkage void ce_aes_ccm_decrypt(u8 out[], u8 const in[], u32 cbytes, | |
41 | u32 const rk[], u32 rounds, u8 mac[], | |
42 | u8 ctr[]); | |
43 | ||
44 | asmlinkage void ce_aes_ccm_final(u8 mac[], u8 const ctr[], u32 const rk[], | |
45 | u32 rounds); | |
46 | ||
47 | static int ccm_setkey(struct crypto_aead *tfm, const u8 *in_key, | |
48 | unsigned int key_len) | |
49 | { | |
50 | struct crypto_aes_ctx *ctx = crypto_aead_ctx(tfm); | |
51 | int ret; | |
52 | ||
12ac3efe | 53 | ret = ce_aes_expandkey(ctx, in_key, key_len); |
a3fd8210 AB |
54 | if (!ret) |
55 | return 0; | |
56 | ||
57 | tfm->base.crt_flags |= CRYPTO_TFM_RES_BAD_KEY_LEN; | |
58 | return -EINVAL; | |
59 | } | |
60 | ||
61 | static int ccm_setauthsize(struct crypto_aead *tfm, unsigned int authsize) | |
62 | { | |
63 | if ((authsize & 1) || authsize < 4) | |
64 | return -EINVAL; | |
65 | return 0; | |
66 | } | |
67 | ||
68 | static int ccm_init_mac(struct aead_request *req, u8 maciv[], u32 msglen) | |
69 | { | |
70 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
71 | __be32 *n = (__be32 *)&maciv[AES_BLOCK_SIZE - 8]; | |
72 | u32 l = req->iv[0] + 1; | |
73 | ||
74 | /* verify that CCM dimension 'L' is set correctly in the IV */ | |
75 | if (l < 2 || l > 8) | |
76 | return -EINVAL; | |
77 | ||
78 | /* verify that msglen can in fact be represented in L bytes */ | |
79 | if (l < 4 && msglen >> (8 * l)) | |
80 | return -EOVERFLOW; | |
81 | ||
82 | /* | |
83 | * Even if the CCM spec allows L values of up to 8, the Linux cryptoapi | |
84 | * uses a u32 type to represent msglen so the top 4 bytes are always 0. | |
85 | */ | |
86 | n[0] = 0; | |
87 | n[1] = cpu_to_be32(msglen); | |
88 | ||
89 | memcpy(maciv, req->iv, AES_BLOCK_SIZE - l); | |
90 | ||
91 | /* | |
92 | * Meaning of byte 0 according to CCM spec (RFC 3610/NIST 800-38C) | |
93 | * - bits 0..2 : max # of bytes required to represent msglen, minus 1 | |
94 | * (already set by caller) | |
95 | * - bits 3..5 : size of auth tag (1 => 4 bytes, 2 => 6 bytes, etc) | |
96 | * - bit 6 : indicates presence of authenticate-only data | |
97 | */ | |
98 | maciv[0] |= (crypto_aead_authsize(aead) - 2) << 2; | |
99 | if (req->assoclen) | |
100 | maciv[0] |= 0x40; | |
101 | ||
102 | memset(&req->iv[AES_BLOCK_SIZE - l], 0, l); | |
103 | return 0; | |
104 | } | |
105 | ||
106 | static void ccm_calculate_auth_mac(struct aead_request *req, u8 mac[]) | |
107 | { | |
108 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
109 | struct crypto_aes_ctx *ctx = crypto_aead_ctx(aead); | |
110 | struct __packed { __be16 l; __be32 h; u16 len; } ltag; | |
111 | struct scatter_walk walk; | |
112 | u32 len = req->assoclen; | |
113 | u32 macp = 0; | |
114 | ||
115 | /* prepend the AAD with a length tag */ | |
116 | if (len < 0xff00) { | |
117 | ltag.l = cpu_to_be16(len); | |
118 | ltag.len = 2; | |
119 | } else { | |
120 | ltag.l = cpu_to_be16(0xfffe); | |
121 | put_unaligned_be32(len, <ag.h); | |
122 | ltag.len = 6; | |
123 | } | |
124 | ||
125 | ce_aes_ccm_auth_data(mac, (u8 *)<ag, ltag.len, &macp, ctx->key_enc, | |
126 | num_rounds(ctx)); | |
127 | scatterwalk_start(&walk, req->assoc); | |
128 | ||
129 | do { | |
130 | u32 n = scatterwalk_clamp(&walk, len); | |
131 | u8 *p; | |
132 | ||
133 | if (!n) { | |
134 | scatterwalk_start(&walk, sg_next(walk.sg)); | |
135 | n = scatterwalk_clamp(&walk, len); | |
136 | } | |
137 | p = scatterwalk_map(&walk); | |
138 | ce_aes_ccm_auth_data(mac, p, n, &macp, ctx->key_enc, | |
139 | num_rounds(ctx)); | |
140 | len -= n; | |
141 | ||
142 | scatterwalk_unmap(p); | |
143 | scatterwalk_advance(&walk, n); | |
144 | scatterwalk_done(&walk, 0, len); | |
145 | } while (len); | |
146 | } | |
147 | ||
148 | static int ccm_encrypt(struct aead_request *req) | |
149 | { | |
150 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
151 | struct crypto_aes_ctx *ctx = crypto_aead_ctx(aead); | |
152 | struct blkcipher_desc desc = { .info = req->iv }; | |
153 | struct blkcipher_walk walk; | |
154 | u8 __aligned(8) mac[AES_BLOCK_SIZE]; | |
155 | u8 buf[AES_BLOCK_SIZE]; | |
156 | u32 len = req->cryptlen; | |
157 | int err; | |
158 | ||
159 | err = ccm_init_mac(req, mac, len); | |
160 | if (err) | |
161 | return err; | |
162 | ||
163 | kernel_neon_begin_partial(6); | |
164 | ||
165 | if (req->assoclen) | |
166 | ccm_calculate_auth_mac(req, mac); | |
167 | ||
168 | /* preserve the original iv for the final round */ | |
169 | memcpy(buf, req->iv, AES_BLOCK_SIZE); | |
170 | ||
171 | blkcipher_walk_init(&walk, req->dst, req->src, len); | |
172 | err = blkcipher_aead_walk_virt_block(&desc, &walk, aead, | |
173 | AES_BLOCK_SIZE); | |
174 | ||
175 | while (walk.nbytes) { | |
176 | u32 tail = walk.nbytes % AES_BLOCK_SIZE; | |
177 | ||
178 | if (walk.nbytes == len) | |
179 | tail = 0; | |
180 | ||
181 | ce_aes_ccm_encrypt(walk.dst.virt.addr, walk.src.virt.addr, | |
182 | walk.nbytes - tail, ctx->key_enc, | |
183 | num_rounds(ctx), mac, walk.iv); | |
184 | ||
185 | len -= walk.nbytes - tail; | |
186 | err = blkcipher_walk_done(&desc, &walk, tail); | |
187 | } | |
188 | if (!err) | |
189 | ce_aes_ccm_final(mac, buf, ctx->key_enc, num_rounds(ctx)); | |
190 | ||
191 | kernel_neon_end(); | |
192 | ||
193 | if (err) | |
194 | return err; | |
195 | ||
196 | /* copy authtag to end of dst */ | |
197 | scatterwalk_map_and_copy(mac, req->dst, req->cryptlen, | |
198 | crypto_aead_authsize(aead), 1); | |
199 | ||
200 | return 0; | |
201 | } | |
202 | ||
203 | static int ccm_decrypt(struct aead_request *req) | |
204 | { | |
205 | struct crypto_aead *aead = crypto_aead_reqtfm(req); | |
206 | struct crypto_aes_ctx *ctx = crypto_aead_ctx(aead); | |
207 | unsigned int authsize = crypto_aead_authsize(aead); | |
208 | struct blkcipher_desc desc = { .info = req->iv }; | |
209 | struct blkcipher_walk walk; | |
210 | u8 __aligned(8) mac[AES_BLOCK_SIZE]; | |
211 | u8 buf[AES_BLOCK_SIZE]; | |
212 | u32 len = req->cryptlen - authsize; | |
213 | int err; | |
214 | ||
215 | err = ccm_init_mac(req, mac, len); | |
216 | if (err) | |
217 | return err; | |
218 | ||
219 | kernel_neon_begin_partial(6); | |
220 | ||
221 | if (req->assoclen) | |
222 | ccm_calculate_auth_mac(req, mac); | |
223 | ||
224 | /* preserve the original iv for the final round */ | |
225 | memcpy(buf, req->iv, AES_BLOCK_SIZE); | |
226 | ||
227 | blkcipher_walk_init(&walk, req->dst, req->src, len); | |
228 | err = blkcipher_aead_walk_virt_block(&desc, &walk, aead, | |
229 | AES_BLOCK_SIZE); | |
230 | ||
231 | while (walk.nbytes) { | |
232 | u32 tail = walk.nbytes % AES_BLOCK_SIZE; | |
233 | ||
234 | if (walk.nbytes == len) | |
235 | tail = 0; | |
236 | ||
237 | ce_aes_ccm_decrypt(walk.dst.virt.addr, walk.src.virt.addr, | |
238 | walk.nbytes - tail, ctx->key_enc, | |
239 | num_rounds(ctx), mac, walk.iv); | |
240 | ||
241 | len -= walk.nbytes - tail; | |
242 | err = blkcipher_walk_done(&desc, &walk, tail); | |
243 | } | |
244 | if (!err) | |
245 | ce_aes_ccm_final(mac, buf, ctx->key_enc, num_rounds(ctx)); | |
246 | ||
247 | kernel_neon_end(); | |
248 | ||
249 | if (err) | |
250 | return err; | |
251 | ||
252 | /* compare calculated auth tag with the stored one */ | |
253 | scatterwalk_map_and_copy(buf, req->src, req->cryptlen - authsize, | |
254 | authsize, 0); | |
255 | ||
256 | if (memcmp(mac, buf, authsize)) | |
257 | return -EBADMSG; | |
258 | return 0; | |
259 | } | |
260 | ||
261 | static struct crypto_alg ccm_aes_alg = { | |
262 | .cra_name = "ccm(aes)", | |
263 | .cra_driver_name = "ccm-aes-ce", | |
264 | .cra_priority = 300, | |
265 | .cra_flags = CRYPTO_ALG_TYPE_AEAD, | |
266 | .cra_blocksize = 1, | |
267 | .cra_ctxsize = sizeof(struct crypto_aes_ctx), | |
268 | .cra_alignmask = 7, | |
269 | .cra_type = &crypto_aead_type, | |
270 | .cra_module = THIS_MODULE, | |
271 | .cra_aead = { | |
272 | .ivsize = AES_BLOCK_SIZE, | |
273 | .maxauthsize = AES_BLOCK_SIZE, | |
274 | .setkey = ccm_setkey, | |
275 | .setauthsize = ccm_setauthsize, | |
276 | .encrypt = ccm_encrypt, | |
277 | .decrypt = ccm_decrypt, | |
278 | } | |
279 | }; | |
280 | ||
281 | static int __init aes_mod_init(void) | |
282 | { | |
283 | if (!(elf_hwcap & HWCAP_AES)) | |
284 | return -ENODEV; | |
285 | return crypto_register_alg(&ccm_aes_alg); | |
286 | } | |
287 | ||
288 | static void __exit aes_mod_exit(void) | |
289 | { | |
290 | crypto_unregister_alg(&ccm_aes_alg); | |
291 | } | |
292 | ||
293 | module_init(aes_mod_init); | |
294 | module_exit(aes_mod_exit); | |
295 | ||
296 | MODULE_DESCRIPTION("Synchronous AES in CCM mode using ARMv8 Crypto Extensions"); | |
297 | MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>"); | |
298 | MODULE_LICENSE("GPL v2"); | |
5d26a105 | 299 | MODULE_ALIAS_CRYPTO("ccm(aes)"); |