2019-06-04 16:11:33 +08:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
2014-03-27 03:53:05 +08:00
|
|
|
/*
|
|
|
|
* Accelerated GHASH implementation with ARMv8 PMULL instructions.
|
|
|
|
*
|
2018-07-31 05:06:42 +08:00
|
|
|
* Copyright (C) 2014 - 2018 Linaro Ltd. <ard.biesheuvel@linaro.org>
|
2014-03-27 03:53:05 +08:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include <asm/neon.h>
|
2017-07-24 18:28:05 +08:00
|
|
|
#include <asm/simd.h>
|
2014-03-27 03:53:05 +08:00
|
|
|
#include <asm/unaligned.h>
|
2017-07-24 18:28:16 +08:00
|
|
|
#include <crypto/aes.h>
|
2022-12-15 01:19:55 +08:00
|
|
|
#include <crypto/gcm.h>
|
2017-07-24 18:28:16 +08:00
|
|
|
#include <crypto/algapi.h>
|
|
|
|
#include <crypto/b128ops.h>
|
2017-07-24 18:28:05 +08:00
|
|
|
#include <crypto/gf128mul.h>
|
2017-07-24 18:28:16 +08:00
|
|
|
#include <crypto/internal/aead.h>
|
2014-03-27 03:53:05 +08:00
|
|
|
#include <crypto/internal/hash.h>
|
2019-03-13 13:12:50 +08:00
|
|
|
#include <crypto/internal/simd.h>
|
2017-07-24 18:28:16 +08:00
|
|
|
#include <crypto/internal/skcipher.h>
|
|
|
|
#include <crypto/scatterwalk.h>
|
2014-03-27 03:53:05 +08:00
|
|
|
#include <linux/cpufeature.h>
|
|
|
|
#include <linux/crypto.h>
|
|
|
|
#include <linux/module.h>
|
|
|
|
|
2017-07-24 18:28:16 +08:00
|
|
|
MODULE_DESCRIPTION("GHASH and AES-GCM using ARMv8 Crypto Extensions");
|
2014-03-27 03:53:05 +08:00
|
|
|
MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>");
|
|
|
|
MODULE_LICENSE("GPL v2");
|
2017-07-24 18:28:18 +08:00
|
|
|
MODULE_ALIAS_CRYPTO("ghash");
|
2014-03-27 03:53:05 +08:00
|
|
|
|
|
|
|
#define GHASH_BLOCK_SIZE 16
|
|
|
|
#define GHASH_DIGEST_SIZE 16
|
2022-12-15 01:19:55 +08:00
|
|
|
|
|
|
|
#define RFC4106_NONCE_SIZE 4
|
2014-03-27 03:53:05 +08:00
|
|
|
|
|
|
|
struct ghash_key {
|
2018-08-05 02:46:25 +08:00
|
|
|
be128 k;
|
2020-06-29 15:39:23 +08:00
|
|
|
u64 h[][2];
|
2014-03-27 03:53:05 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
struct ghash_desc_ctx {
|
|
|
|
u64 digest[GHASH_DIGEST_SIZE/sizeof(u64)];
|
|
|
|
u8 buf[GHASH_BLOCK_SIZE];
|
|
|
|
u32 count;
|
|
|
|
};
|
|
|
|
|
2017-07-24 18:28:16 +08:00
|
|
|
struct gcm_aes_ctx {
|
|
|
|
struct crypto_aes_ctx aes_key;
|
2022-12-15 01:19:55 +08:00
|
|
|
u8 nonce[RFC4106_NONCE_SIZE];
|
2017-07-24 18:28:16 +08:00
|
|
|
struct ghash_key ghash_key;
|
|
|
|
};
|
|
|
|
|
2017-07-24 18:28:18 +08:00
|
|
|
asmlinkage void pmull_ghash_update_p64(int blocks, u64 dg[], const char *src,
|
2020-06-29 15:39:23 +08:00
|
|
|
u64 const h[][2], const char *head);
|
2017-07-24 18:28:18 +08:00
|
|
|
|
|
|
|
asmlinkage void pmull_ghash_update_p8(int blocks, u64 dg[], const char *src,
|
2020-06-29 15:39:23 +08:00
|
|
|
u64 const h[][2], const char *head);
|
2017-07-24 18:28:18 +08:00
|
|
|
|
2019-09-11 07:19:00 +08:00
|
|
|
asmlinkage void pmull_gcm_encrypt(int bytes, u8 dst[], const u8 src[],
|
2020-06-29 15:39:23 +08:00
|
|
|
u64 const h[][2], u64 dg[], u8 ctr[],
|
|
|
|
u32 const rk[], int rounds, u8 tag[]);
|
2020-11-10 17:10:42 +08:00
|
|
|
asmlinkage int pmull_gcm_decrypt(int bytes, u8 dst[], const u8 src[],
|
|
|
|
u64 const h[][2], u64 dg[], u8 ctr[],
|
|
|
|
u32 const rk[], int rounds, const u8 l[],
|
|
|
|
const u8 tag[], u64 authsize);
|
2017-07-24 18:28:16 +08:00
|
|
|
|
2014-03-27 03:53:05 +08:00
|
|
|
static int ghash_init(struct shash_desc *desc)
|
|
|
|
{
|
|
|
|
struct ghash_desc_ctx *ctx = shash_desc_ctx(desc);
|
|
|
|
|
|
|
|
*ctx = (struct ghash_desc_ctx){};
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-07-24 18:28:05 +08:00
|
|
|
static void ghash_do_update(int blocks, u64 dg[], const char *src,
|
2020-06-29 15:39:24 +08:00
|
|
|
struct ghash_key *key, const char *head)
|
2017-07-24 18:28:05 +08:00
|
|
|
{
|
2020-06-29 15:39:24 +08:00
|
|
|
be128 dst = { cpu_to_be64(dg[1]), cpu_to_be64(dg[0]) };
|
|
|
|
|
|
|
|
do {
|
|
|
|
const u8 *in = src;
|
|
|
|
|
|
|
|
if (head) {
|
|
|
|
in = head;
|
|
|
|
blocks++;
|
|
|
|
head = NULL;
|
|
|
|
} else {
|
|
|
|
src += GHASH_BLOCK_SIZE;
|
|
|
|
}
|
|
|
|
|
|
|
|
crypto_xor((u8 *)&dst, in, GHASH_BLOCK_SIZE);
|
|
|
|
gf128mul_lle(&dst, &key->k);
|
|
|
|
} while (--blocks);
|
|
|
|
|
|
|
|
dg[0] = be64_to_cpu(dst.b);
|
|
|
|
dg[1] = be64_to_cpu(dst.a);
|
|
|
|
}
|
|
|
|
|
|
|
|
static __always_inline
|
|
|
|
void ghash_do_simd_update(int blocks, u64 dg[], const char *src,
|
|
|
|
struct ghash_key *key, const char *head,
|
|
|
|
void (*simd_update)(int blocks, u64 dg[],
|
|
|
|
const char *src,
|
|
|
|
u64 const h[][2],
|
|
|
|
const char *head))
|
|
|
|
{
|
|
|
|
if (likely(crypto_simd_usable())) {
|
2017-07-24 18:28:05 +08:00
|
|
|
kernel_neon_begin();
|
2020-06-29 15:39:23 +08:00
|
|
|
simd_update(blocks, dg, src, key->h, head);
|
2017-07-24 18:28:05 +08:00
|
|
|
kernel_neon_end();
|
|
|
|
} else {
|
2020-06-29 15:39:24 +08:00
|
|
|
ghash_do_update(blocks, dg, src, key, head);
|
2017-07-24 18:28:05 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-08-05 02:46:24 +08:00
|
|
|
/* avoid hogging the CPU for too long */
|
|
|
|
#define MAX_BLOCKS (SZ_64K / GHASH_BLOCK_SIZE)
|
|
|
|
|
2020-06-29 15:39:21 +08:00
|
|
|
static int ghash_update(struct shash_desc *desc, const u8 *src,
|
|
|
|
unsigned int len)
|
2014-03-27 03:53:05 +08:00
|
|
|
{
|
|
|
|
struct ghash_desc_ctx *ctx = shash_desc_ctx(desc);
|
|
|
|
unsigned int partial = ctx->count % GHASH_BLOCK_SIZE;
|
|
|
|
|
|
|
|
ctx->count += len;
|
|
|
|
|
|
|
|
if ((partial + len) >= GHASH_BLOCK_SIZE) {
|
|
|
|
struct ghash_key *key = crypto_shash_ctx(desc->tfm);
|
|
|
|
int blocks;
|
|
|
|
|
|
|
|
if (partial) {
|
|
|
|
int p = GHASH_BLOCK_SIZE - partial;
|
|
|
|
|
|
|
|
memcpy(ctx->buf + partial, src, p);
|
|
|
|
src += p;
|
|
|
|
len -= p;
|
|
|
|
}
|
|
|
|
|
|
|
|
blocks = len / GHASH_BLOCK_SIZE;
|
|
|
|
len %= GHASH_BLOCK_SIZE;
|
|
|
|
|
2018-08-05 02:46:24 +08:00
|
|
|
do {
|
|
|
|
int chunk = min(blocks, MAX_BLOCKS);
|
|
|
|
|
2020-06-29 15:39:24 +08:00
|
|
|
ghash_do_simd_update(chunk, ctx->digest, src, key,
|
|
|
|
partial ? ctx->buf : NULL,
|
|
|
|
pmull_ghash_update_p8);
|
2017-07-24 18:28:05 +08:00
|
|
|
|
2018-08-05 02:46:24 +08:00
|
|
|
blocks -= chunk;
|
|
|
|
src += chunk * GHASH_BLOCK_SIZE;
|
|
|
|
partial = 0;
|
|
|
|
} while (unlikely(blocks > 0));
|
2014-03-27 03:53:05 +08:00
|
|
|
}
|
|
|
|
if (len)
|
|
|
|
memcpy(ctx->buf + partial, src, len);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2020-06-29 15:39:21 +08:00
|
|
|
static int ghash_final(struct shash_desc *desc, u8 *dst)
|
2014-03-27 03:53:05 +08:00
|
|
|
{
|
|
|
|
struct ghash_desc_ctx *ctx = shash_desc_ctx(desc);
|
|
|
|
unsigned int partial = ctx->count % GHASH_BLOCK_SIZE;
|
|
|
|
|
|
|
|
if (partial) {
|
|
|
|
struct ghash_key *key = crypto_shash_ctx(desc->tfm);
|
|
|
|
|
|
|
|
memset(ctx->buf + partial, 0, GHASH_BLOCK_SIZE - partial);
|
|
|
|
|
2020-06-29 15:39:24 +08:00
|
|
|
ghash_do_simd_update(1, ctx->digest, ctx->buf, key, NULL,
|
|
|
|
pmull_ghash_update_p8);
|
2019-01-25 17:36:27 +08:00
|
|
|
}
|
|
|
|
put_unaligned_be64(ctx->digest[1], dst);
|
|
|
|
put_unaligned_be64(ctx->digest[0], dst + 8);
|
|
|
|
|
2020-10-25 22:31:15 +08:00
|
|
|
memzero_explicit(ctx, sizeof(*ctx));
|
2019-01-25 17:36:27 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2018-08-05 02:46:25 +08:00
|
|
|
static void ghash_reflect(u64 h[], const be128 *k)
|
|
|
|
{
|
|
|
|
u64 carry = be64_to_cpu(k->a) & BIT(63) ? 1 : 0;
|
|
|
|
|
|
|
|
h[0] = (be64_to_cpu(k->b) << 1) | carry;
|
|
|
|
h[1] = (be64_to_cpu(k->a) << 1) | (be64_to_cpu(k->b) >> 63);
|
|
|
|
|
|
|
|
if (carry)
|
|
|
|
h[1] ^= 0xc200000000000000UL;
|
|
|
|
}
|
|
|
|
|
2017-07-24 18:28:16 +08:00
|
|
|
static int ghash_setkey(struct crypto_shash *tfm,
|
|
|
|
const u8 *inkey, unsigned int keylen)
|
|
|
|
{
|
|
|
|
struct ghash_key *key = crypto_shash_ctx(tfm);
|
|
|
|
|
crypto: remove CRYPTO_TFM_RES_BAD_KEY_LEN
The CRYPTO_TFM_RES_BAD_KEY_LEN flag was apparently meant as a way to
make the ->setkey() functions provide more information about errors.
However, no one actually checks for this flag, which makes it pointless.
Also, many algorithms fail to set this flag when given a bad length key.
Reviewing just the generic implementations, this is the case for
aes-fixed-time, cbcmac, echainiv, nhpoly1305, pcrypt, rfc3686, rfc4309,
rfc7539, rfc7539esp, salsa20, seqiv, and xcbc. But there are probably
many more in arch/*/crypto/ and drivers/crypto/.
Some algorithms can even set this flag when the key is the correct
length. For example, authenc and authencesn set it when the key payload
is malformed in any way (not just a bad length), the atmel-sha and ccree
drivers can set it if a memory allocation fails, and the chelsio driver
sets it for bad auth tag lengths, not just bad key lengths.
So even if someone actually wanted to start checking this flag (which
seems unlikely, since it's been unused for a long time), there would be
a lot of work needed to get it working correctly. But it would probably
be much better to go back to the drawing board and just define different
return values, like -EINVAL if the key is invalid for the algorithm vs.
-EKEYREJECTED if the key was rejected by a policy like "no weak keys".
That would be much simpler, less error-prone, and easier to test.
So just remove this flag.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2019-12-31 11:19:36 +08:00
|
|
|
if (keylen != GHASH_BLOCK_SIZE)
|
2017-07-24 18:28:16 +08:00
|
|
|
return -EINVAL;
|
|
|
|
|
2020-06-29 15:39:22 +08:00
|
|
|
/* needed for the fallback */
|
|
|
|
memcpy(&key->k, inkey, GHASH_BLOCK_SIZE);
|
|
|
|
|
2020-06-29 15:39:23 +08:00
|
|
|
ghash_reflect(key->h[0], &key->k);
|
2020-06-29 15:39:22 +08:00
|
|
|
return 0;
|
2017-07-24 18:28:16 +08:00
|
|
|
}
|
|
|
|
|
2020-06-29 15:39:21 +08:00
|
|
|
static struct shash_alg ghash_alg = {
|
2019-01-25 17:36:27 +08:00
|
|
|
.base.cra_name = "ghash",
|
|
|
|
.base.cra_driver_name = "ghash-neon",
|
2019-11-28 20:55:31 +08:00
|
|
|
.base.cra_priority = 150,
|
2019-01-25 17:36:27 +08:00
|
|
|
.base.cra_blocksize = GHASH_BLOCK_SIZE,
|
2020-06-29 15:39:23 +08:00
|
|
|
.base.cra_ctxsize = sizeof(struct ghash_key) + sizeof(u64[2]),
|
2019-01-25 17:36:27 +08:00
|
|
|
.base.cra_module = THIS_MODULE,
|
|
|
|
|
|
|
|
.digestsize = GHASH_DIGEST_SIZE,
|
|
|
|
.init = ghash_init,
|
2020-06-29 15:39:21 +08:00
|
|
|
.update = ghash_update,
|
|
|
|
.final = ghash_final,
|
2017-07-24 18:28:16 +08:00
|
|
|
.setkey = ghash_setkey,
|
|
|
|
.descsize = sizeof(struct ghash_desc_ctx),
|
2020-06-29 15:39:21 +08:00
|
|
|
};
|
2017-07-24 18:28:16 +08:00
|
|
|
|
|
|
|
static int num_rounds(struct crypto_aes_ctx *ctx)
|
|
|
|
{
|
|
|
|
/*
|
|
|
|
* # of rounds specified by AES:
|
|
|
|
* 128 bit key 10 rounds
|
|
|
|
* 192 bit key 12 rounds
|
|
|
|
* 256 bit key 14 rounds
|
|
|
|
* => n byte key => 6 + (n/4) rounds
|
|
|
|
*/
|
|
|
|
return 6 + ctx->key_length / 4;
|
|
|
|
}
|
|
|
|
|
2022-12-15 01:19:55 +08:00
|
|
|
static int gcm_aes_setkey(struct crypto_aead *tfm, const u8 *inkey,
|
|
|
|
unsigned int keylen)
|
2017-07-24 18:28:16 +08:00
|
|
|
{
|
|
|
|
struct gcm_aes_ctx *ctx = crypto_aead_ctx(tfm);
|
2018-08-05 02:46:25 +08:00
|
|
|
u8 key[GHASH_BLOCK_SIZE];
|
2020-06-29 15:39:22 +08:00
|
|
|
be128 h;
|
2017-07-24 18:28:16 +08:00
|
|
|
int ret;
|
|
|
|
|
2019-07-03 03:41:28 +08:00
|
|
|
ret = aes_expandkey(&ctx->aes_key, inkey, keylen);
|
crypto: remove CRYPTO_TFM_RES_BAD_KEY_LEN
The CRYPTO_TFM_RES_BAD_KEY_LEN flag was apparently meant as a way to
make the ->setkey() functions provide more information about errors.
However, no one actually checks for this flag, which makes it pointless.
Also, many algorithms fail to set this flag when given a bad length key.
Reviewing just the generic implementations, this is the case for
aes-fixed-time, cbcmac, echainiv, nhpoly1305, pcrypt, rfc3686, rfc4309,
rfc7539, rfc7539esp, salsa20, seqiv, and xcbc. But there are probably
many more in arch/*/crypto/ and drivers/crypto/.
Some algorithms can even set this flag when the key is the correct
length. For example, authenc and authencesn set it when the key payload
is malformed in any way (not just a bad length), the atmel-sha and ccree
drivers can set it if a memory allocation fails, and the chelsio driver
sets it for bad auth tag lengths, not just bad key lengths.
So even if someone actually wanted to start checking this flag (which
seems unlikely, since it's been unused for a long time), there would be
a lot of work needed to get it working correctly. But it would probably
be much better to go back to the drawing board and just define different
return values, like -EINVAL if the key is invalid for the algorithm vs.
-EKEYREJECTED if the key was rejected by a policy like "no weak keys".
That would be much simpler, less error-prone, and easier to test.
So just remove this flag.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2019-12-31 11:19:36 +08:00
|
|
|
if (ret)
|
2017-07-24 18:28:16 +08:00
|
|
|
return -EINVAL;
|
|
|
|
|
2019-07-03 03:41:28 +08:00
|
|
|
aes_encrypt(&ctx->aes_key, key, (u8[AES_BLOCK_SIZE]){});
|
2017-07-24 18:28:16 +08:00
|
|
|
|
2020-06-29 15:39:22 +08:00
|
|
|
/* needed for the fallback */
|
|
|
|
memcpy(&ctx->ghash_key.k, key, GHASH_BLOCK_SIZE);
|
|
|
|
|
2020-06-29 15:39:23 +08:00
|
|
|
ghash_reflect(ctx->ghash_key.h[0], &ctx->ghash_key.k);
|
2020-06-29 15:39:22 +08:00
|
|
|
|
|
|
|
h = ctx->ghash_key.k;
|
|
|
|
gf128mul_lle(&h, &ctx->ghash_key.k);
|
2020-06-29 15:39:23 +08:00
|
|
|
ghash_reflect(ctx->ghash_key.h[1], &h);
|
2020-06-29 15:39:22 +08:00
|
|
|
|
|
|
|
gf128mul_lle(&h, &ctx->ghash_key.k);
|
2020-06-29 15:39:23 +08:00
|
|
|
ghash_reflect(ctx->ghash_key.h[2], &h);
|
2020-06-29 15:39:22 +08:00
|
|
|
|
|
|
|
gf128mul_lle(&h, &ctx->ghash_key.k);
|
2020-06-29 15:39:23 +08:00
|
|
|
ghash_reflect(ctx->ghash_key.h[3], &h);
|
2020-06-29 15:39:22 +08:00
|
|
|
|
|
|
|
return 0;
|
2017-07-24 18:28:16 +08:00
|
|
|
}
|
|
|
|
|
2022-12-15 01:19:55 +08:00
|
|
|
static int gcm_aes_setauthsize(struct crypto_aead *tfm, unsigned int authsize)
|
2017-07-24 18:28:16 +08:00
|
|
|
{
|
2022-12-15 01:19:55 +08:00
|
|
|
return crypto_gcm_check_authsize(authsize);
|
2017-07-24 18:28:16 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static void gcm_update_mac(u64 dg[], const u8 *src, int count, u8 buf[],
|
|
|
|
int *buf_count, struct gcm_aes_ctx *ctx)
|
|
|
|
{
|
|
|
|
if (*buf_count > 0) {
|
|
|
|
int buf_added = min(count, GHASH_BLOCK_SIZE - *buf_count);
|
|
|
|
|
|
|
|
memcpy(&buf[*buf_count], src, buf_added);
|
|
|
|
|
|
|
|
*buf_count += buf_added;
|
|
|
|
src += buf_added;
|
|
|
|
count -= buf_added;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (count >= GHASH_BLOCK_SIZE || *buf_count == GHASH_BLOCK_SIZE) {
|
|
|
|
int blocks = count / GHASH_BLOCK_SIZE;
|
|
|
|
|
2020-06-29 15:39:24 +08:00
|
|
|
ghash_do_simd_update(blocks, dg, src, &ctx->ghash_key,
|
|
|
|
*buf_count ? buf : NULL,
|
|
|
|
pmull_ghash_update_p64);
|
2017-07-24 18:28:16 +08:00
|
|
|
|
|
|
|
src += blocks * GHASH_BLOCK_SIZE;
|
|
|
|
count %= GHASH_BLOCK_SIZE;
|
|
|
|
*buf_count = 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (count > 0) {
|
|
|
|
memcpy(buf, src, count);
|
|
|
|
*buf_count = count;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-12-15 01:19:55 +08:00
|
|
|
static void gcm_calculate_auth_mac(struct aead_request *req, u64 dg[], u32 len)
|
2017-07-24 18:28:16 +08:00
|
|
|
{
|
|
|
|
struct crypto_aead *aead = crypto_aead_reqtfm(req);
|
|
|
|
struct gcm_aes_ctx *ctx = crypto_aead_ctx(aead);
|
|
|
|
u8 buf[GHASH_BLOCK_SIZE];
|
|
|
|
struct scatter_walk walk;
|
|
|
|
int buf_count = 0;
|
|
|
|
|
|
|
|
scatterwalk_start(&walk, req->src);
|
|
|
|
|
|
|
|
do {
|
|
|
|
u32 n = scatterwalk_clamp(&walk, len);
|
|
|
|
u8 *p;
|
|
|
|
|
|
|
|
if (!n) {
|
|
|
|
scatterwalk_start(&walk, sg_next(walk.sg));
|
|
|
|
n = scatterwalk_clamp(&walk, len);
|
|
|
|
}
|
|
|
|
p = scatterwalk_map(&walk);
|
|
|
|
|
|
|
|
gcm_update_mac(dg, p, n, buf, &buf_count, ctx);
|
|
|
|
len -= n;
|
|
|
|
|
|
|
|
scatterwalk_unmap(p);
|
|
|
|
scatterwalk_advance(&walk, n);
|
|
|
|
scatterwalk_done(&walk, 0, len);
|
|
|
|
} while (len);
|
|
|
|
|
|
|
|
if (buf_count) {
|
|
|
|
memset(&buf[buf_count], 0, GHASH_BLOCK_SIZE - buf_count);
|
2020-06-29 15:39:24 +08:00
|
|
|
ghash_do_simd_update(1, dg, buf, &ctx->ghash_key, NULL,
|
|
|
|
pmull_ghash_update_p64);
|
2017-07-24 18:28:16 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-12-15 01:19:55 +08:00
|
|
|
static int gcm_encrypt(struct aead_request *req, char *iv, int assoclen)
|
2017-07-24 18:28:16 +08:00
|
|
|
{
|
|
|
|
struct crypto_aead *aead = crypto_aead_reqtfm(req);
|
|
|
|
struct gcm_aes_ctx *ctx = crypto_aead_ctx(aead);
|
2019-09-11 07:19:00 +08:00
|
|
|
int nrounds = num_rounds(&ctx->aes_key);
|
2017-07-24 18:28:16 +08:00
|
|
|
struct skcipher_walk walk;
|
2019-09-11 07:19:00 +08:00
|
|
|
u8 buf[AES_BLOCK_SIZE];
|
2017-07-24 18:28:16 +08:00
|
|
|
u64 dg[2] = {};
|
2020-08-25 09:38:01 +08:00
|
|
|
be128 lengths;
|
2019-09-11 07:19:00 +08:00
|
|
|
u8 *tag;
|
2017-07-24 18:28:16 +08:00
|
|
|
int err;
|
|
|
|
|
2022-12-15 01:19:55 +08:00
|
|
|
lengths.a = cpu_to_be64(assoclen * 8);
|
2019-09-11 07:19:00 +08:00
|
|
|
lengths.b = cpu_to_be64(req->cryptlen * 8);
|
|
|
|
|
2022-12-15 01:19:55 +08:00
|
|
|
if (assoclen)
|
|
|
|
gcm_calculate_auth_mac(req, dg, assoclen);
|
2017-07-24 18:28:16 +08:00
|
|
|
|
2022-12-15 01:19:55 +08:00
|
|
|
put_unaligned_be32(2, iv + GCM_AES_IV_SIZE);
|
2017-07-24 18:28:16 +08:00
|
|
|
|
2018-07-31 05:06:42 +08:00
|
|
|
err = skcipher_walk_aead_encrypt(&walk, req, false);
|
2017-07-24 18:28:16 +08:00
|
|
|
|
2021-08-27 15:03:36 +08:00
|
|
|
do {
|
|
|
|
const u8 *src = walk.src.virt.addr;
|
|
|
|
u8 *dst = walk.dst.virt.addr;
|
|
|
|
int nbytes = walk.nbytes;
|
2017-07-24 18:28:16 +08:00
|
|
|
|
2021-08-27 15:03:36 +08:00
|
|
|
tag = (u8 *)&lengths;
|
2017-07-24 18:28:16 +08:00
|
|
|
|
2021-08-27 15:03:36 +08:00
|
|
|
if (unlikely(nbytes > 0 && nbytes < AES_BLOCK_SIZE)) {
|
|
|
|
src = dst = memcpy(buf + sizeof(buf) - nbytes,
|
|
|
|
src, nbytes);
|
|
|
|
} else if (nbytes < walk.total) {
|
|
|
|
nbytes &= ~(AES_BLOCK_SIZE - 1);
|
|
|
|
tag = NULL;
|
2018-07-31 05:06:40 +08:00
|
|
|
}
|
|
|
|
|
2021-08-27 15:03:36 +08:00
|
|
|
kernel_neon_begin();
|
|
|
|
pmull_gcm_encrypt(nbytes, dst, src, ctx->ghash_key.h,
|
|
|
|
dg, iv, ctx->aes_key.key_enc, nrounds,
|
|
|
|
tag);
|
|
|
|
kernel_neon_end();
|
2017-07-24 18:28:16 +08:00
|
|
|
|
2021-08-27 15:03:36 +08:00
|
|
|
if (unlikely(!nbytes))
|
|
|
|
break;
|
2019-09-11 07:19:00 +08:00
|
|
|
|
2021-08-27 15:03:36 +08:00
|
|
|
if (unlikely(nbytes > 0 && nbytes < AES_BLOCK_SIZE))
|
|
|
|
memcpy(walk.dst.virt.addr,
|
|
|
|
buf + sizeof(buf) - nbytes, nbytes);
|
|
|
|
|
|
|
|
err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
|
|
|
|
} while (walk.nbytes);
|
2017-07-24 18:28:16 +08:00
|
|
|
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
/* copy authtag to end of dst */
|
|
|
|
scatterwalk_map_and_copy(tag, req->dst, req->assoclen + req->cryptlen,
|
|
|
|
crypto_aead_authsize(aead), 1);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2022-12-15 01:19:55 +08:00
|
|
|
static int gcm_decrypt(struct aead_request *req, char *iv, int assoclen)
|
2017-07-24 18:28:16 +08:00
|
|
|
{
|
|
|
|
struct crypto_aead *aead = crypto_aead_reqtfm(req);
|
|
|
|
struct gcm_aes_ctx *ctx = crypto_aead_ctx(aead);
|
|
|
|
unsigned int authsize = crypto_aead_authsize(aead);
|
2019-09-11 07:19:00 +08:00
|
|
|
int nrounds = num_rounds(&ctx->aes_key);
|
2017-07-24 18:28:16 +08:00
|
|
|
struct skcipher_walk walk;
|
2020-11-10 17:10:42 +08:00
|
|
|
u8 otag[AES_BLOCK_SIZE];
|
2019-09-11 07:19:00 +08:00
|
|
|
u8 buf[AES_BLOCK_SIZE];
|
2017-07-24 18:28:16 +08:00
|
|
|
u64 dg[2] = {};
|
2020-08-25 09:38:01 +08:00
|
|
|
be128 lengths;
|
2019-09-11 07:19:00 +08:00
|
|
|
u8 *tag;
|
2021-08-27 15:03:36 +08:00
|
|
|
int ret;
|
2017-07-24 18:28:16 +08:00
|
|
|
int err;
|
|
|
|
|
2022-12-15 01:19:55 +08:00
|
|
|
lengths.a = cpu_to_be64(assoclen * 8);
|
2019-09-11 07:19:00 +08:00
|
|
|
lengths.b = cpu_to_be64((req->cryptlen - authsize) * 8);
|
|
|
|
|
2022-12-15 01:19:55 +08:00
|
|
|
if (assoclen)
|
|
|
|
gcm_calculate_auth_mac(req, dg, assoclen);
|
2017-07-24 18:28:16 +08:00
|
|
|
|
2022-12-15 01:19:55 +08:00
|
|
|
put_unaligned_be32(2, iv + GCM_AES_IV_SIZE);
|
2017-07-24 18:28:16 +08:00
|
|
|
|
2020-11-10 17:10:42 +08:00
|
|
|
scatterwalk_map_and_copy(otag, req->src,
|
|
|
|
req->assoclen + req->cryptlen - authsize,
|
|
|
|
authsize, 0);
|
|
|
|
|
2018-07-31 05:06:42 +08:00
|
|
|
err = skcipher_walk_aead_decrypt(&walk, req, false);
|
|
|
|
|
2021-08-27 15:03:36 +08:00
|
|
|
do {
|
|
|
|
const u8 *src = walk.src.virt.addr;
|
|
|
|
u8 *dst = walk.dst.virt.addr;
|
|
|
|
int nbytes = walk.nbytes;
|
2017-07-24 18:28:16 +08:00
|
|
|
|
2021-08-27 15:03:36 +08:00
|
|
|
tag = (u8 *)&lengths;
|
2018-08-20 22:58:34 +08:00
|
|
|
|
2021-08-27 15:03:36 +08:00
|
|
|
if (unlikely(nbytes > 0 && nbytes < AES_BLOCK_SIZE)) {
|
|
|
|
src = dst = memcpy(buf + sizeof(buf) - nbytes,
|
|
|
|
src, nbytes);
|
|
|
|
} else if (nbytes < walk.total) {
|
|
|
|
nbytes &= ~(AES_BLOCK_SIZE - 1);
|
|
|
|
tag = NULL;
|
2018-08-20 22:58:34 +08:00
|
|
|
}
|
2017-07-24 18:28:16 +08:00
|
|
|
|
2021-08-27 15:03:36 +08:00
|
|
|
kernel_neon_begin();
|
|
|
|
ret = pmull_gcm_decrypt(nbytes, dst, src, ctx->ghash_key.h,
|
|
|
|
dg, iv, ctx->aes_key.key_enc,
|
|
|
|
nrounds, tag, otag, authsize);
|
|
|
|
kernel_neon_end();
|
2018-07-31 05:06:40 +08:00
|
|
|
|
2021-08-27 15:03:36 +08:00
|
|
|
if (unlikely(!nbytes))
|
|
|
|
break;
|
2017-07-24 18:28:16 +08:00
|
|
|
|
2021-08-27 15:03:36 +08:00
|
|
|
if (unlikely(nbytes > 0 && nbytes < AES_BLOCK_SIZE))
|
|
|
|
memcpy(walk.dst.virt.addr,
|
|
|
|
buf + sizeof(buf) - nbytes, nbytes);
|
2017-07-24 18:28:16 +08:00
|
|
|
|
2021-08-27 15:03:36 +08:00
|
|
|
err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
|
|
|
|
} while (walk.nbytes);
|
2020-11-10 17:10:42 +08:00
|
|
|
|
2021-08-27 15:03:36 +08:00
|
|
|
if (err)
|
|
|
|
return err;
|
2017-07-24 18:28:16 +08:00
|
|
|
|
2021-08-27 15:03:36 +08:00
|
|
|
return ret ? -EBADMSG : 0;
|
2017-07-24 18:28:16 +08:00
|
|
|
}
|
|
|
|
|
2022-12-15 01:19:55 +08:00
|
|
|
static int gcm_aes_encrypt(struct aead_request *req)
|
|
|
|
{
|
|
|
|
u8 iv[AES_BLOCK_SIZE];
|
|
|
|
|
|
|
|
memcpy(iv, req->iv, GCM_AES_IV_SIZE);
|
|
|
|
return gcm_encrypt(req, iv, req->assoclen);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int gcm_aes_decrypt(struct aead_request *req)
|
|
|
|
{
|
|
|
|
u8 iv[AES_BLOCK_SIZE];
|
|
|
|
|
|
|
|
memcpy(iv, req->iv, GCM_AES_IV_SIZE);
|
|
|
|
return gcm_decrypt(req, iv, req->assoclen);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int rfc4106_setkey(struct crypto_aead *tfm, const u8 *inkey,
|
|
|
|
unsigned int keylen)
|
|
|
|
{
|
|
|
|
struct gcm_aes_ctx *ctx = crypto_aead_ctx(tfm);
|
|
|
|
int err;
|
|
|
|
|
|
|
|
keylen -= RFC4106_NONCE_SIZE;
|
|
|
|
err = gcm_aes_setkey(tfm, inkey, keylen);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
memcpy(ctx->nonce, inkey + keylen, RFC4106_NONCE_SIZE);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int rfc4106_setauthsize(struct crypto_aead *tfm, unsigned int authsize)
|
|
|
|
{
|
|
|
|
return crypto_rfc4106_check_authsize(authsize);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int rfc4106_encrypt(struct aead_request *req)
|
|
|
|
{
|
|
|
|
struct crypto_aead *aead = crypto_aead_reqtfm(req);
|
|
|
|
struct gcm_aes_ctx *ctx = crypto_aead_ctx(aead);
|
|
|
|
u8 iv[AES_BLOCK_SIZE];
|
|
|
|
|
|
|
|
memcpy(iv, ctx->nonce, RFC4106_NONCE_SIZE);
|
|
|
|
memcpy(iv + RFC4106_NONCE_SIZE, req->iv, GCM_RFC4106_IV_SIZE);
|
|
|
|
|
|
|
|
return crypto_ipsec_check_assoclen(req->assoclen) ?:
|
|
|
|
gcm_encrypt(req, iv, req->assoclen - GCM_RFC4106_IV_SIZE);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int rfc4106_decrypt(struct aead_request *req)
|
|
|
|
{
|
|
|
|
struct crypto_aead *aead = crypto_aead_reqtfm(req);
|
|
|
|
struct gcm_aes_ctx *ctx = crypto_aead_ctx(aead);
|
|
|
|
u8 iv[AES_BLOCK_SIZE];
|
|
|
|
|
|
|
|
memcpy(iv, ctx->nonce, RFC4106_NONCE_SIZE);
|
|
|
|
memcpy(iv + RFC4106_NONCE_SIZE, req->iv, GCM_RFC4106_IV_SIZE);
|
|
|
|
|
|
|
|
return crypto_ipsec_check_assoclen(req->assoclen) ?:
|
|
|
|
gcm_decrypt(req, iv, req->assoclen - GCM_RFC4106_IV_SIZE);
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct aead_alg gcm_aes_algs[] = {{
|
|
|
|
.ivsize = GCM_AES_IV_SIZE,
|
2019-09-11 07:19:00 +08:00
|
|
|
.chunksize = AES_BLOCK_SIZE,
|
2017-07-24 18:28:16 +08:00
|
|
|
.maxauthsize = AES_BLOCK_SIZE,
|
2022-12-15 01:19:55 +08:00
|
|
|
.setkey = gcm_aes_setkey,
|
|
|
|
.setauthsize = gcm_aes_setauthsize,
|
|
|
|
.encrypt = gcm_aes_encrypt,
|
|
|
|
.decrypt = gcm_aes_decrypt,
|
2017-07-24 18:28:16 +08:00
|
|
|
|
|
|
|
.base.cra_name = "gcm(aes)",
|
|
|
|
.base.cra_driver_name = "gcm-aes-ce",
|
|
|
|
.base.cra_priority = 300,
|
|
|
|
.base.cra_blocksize = 1,
|
2020-06-29 15:39:23 +08:00
|
|
|
.base.cra_ctxsize = sizeof(struct gcm_aes_ctx) +
|
|
|
|
4 * sizeof(u64[2]),
|
2017-07-24 18:28:16 +08:00
|
|
|
.base.cra_module = THIS_MODULE,
|
2022-12-15 01:19:55 +08:00
|
|
|
}, {
|
|
|
|
.ivsize = GCM_RFC4106_IV_SIZE,
|
|
|
|
.chunksize = AES_BLOCK_SIZE,
|
|
|
|
.maxauthsize = AES_BLOCK_SIZE,
|
|
|
|
.setkey = rfc4106_setkey,
|
|
|
|
.setauthsize = rfc4106_setauthsize,
|
|
|
|
.encrypt = rfc4106_encrypt,
|
|
|
|
.decrypt = rfc4106_decrypt,
|
|
|
|
|
|
|
|
.base.cra_name = "rfc4106(gcm(aes))",
|
|
|
|
.base.cra_driver_name = "rfc4106-gcm-aes-ce",
|
|
|
|
.base.cra_priority = 300,
|
|
|
|
.base.cra_blocksize = 1,
|
|
|
|
.base.cra_ctxsize = sizeof(struct gcm_aes_ctx) +
|
|
|
|
4 * sizeof(u64[2]),
|
|
|
|
.base.cra_module = THIS_MODULE,
|
|
|
|
}};
|
2014-03-27 03:53:05 +08:00
|
|
|
|
|
|
|
static int __init ghash_ce_mod_init(void)
|
|
|
|
{
|
2019-04-09 17:52:40 +08:00
|
|
|
if (!cpu_have_named_feature(ASIMD))
|
2017-07-24 18:28:18 +08:00
|
|
|
return -ENODEV;
|
|
|
|
|
2019-04-09 17:52:40 +08:00
|
|
|
if (cpu_have_named_feature(PMULL))
|
2022-12-15 01:19:55 +08:00
|
|
|
return crypto_register_aeads(gcm_aes_algs,
|
|
|
|
ARRAY_SIZE(gcm_aes_algs));
|
2017-07-24 18:28:16 +08:00
|
|
|
|
2020-06-29 15:39:21 +08:00
|
|
|
return crypto_register_shash(&ghash_alg);
|
2014-03-27 03:53:05 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static void __exit ghash_ce_mod_exit(void)
|
|
|
|
{
|
2019-04-09 17:52:40 +08:00
|
|
|
if (cpu_have_named_feature(PMULL))
|
2022-12-15 01:19:55 +08:00
|
|
|
crypto_unregister_aeads(gcm_aes_algs, ARRAY_SIZE(gcm_aes_algs));
|
2019-01-25 17:36:27 +08:00
|
|
|
else
|
2020-06-29 15:39:21 +08:00
|
|
|
crypto_unregister_shash(&ghash_alg);
|
2014-03-27 03:53:05 +08:00
|
|
|
}
|
|
|
|
|
2022-11-10 18:42:04 +08:00
|
|
|
static const struct cpu_feature __maybe_unused ghash_cpu_feature[] = {
|
2017-07-24 18:28:18 +08:00
|
|
|
{ cpu_feature(PMULL) }, { }
|
|
|
|
};
|
|
|
|
MODULE_DEVICE_TABLE(cpu, ghash_cpu_feature);
|
|
|
|
|
|
|
|
module_init(ghash_ce_mod_init);
|
2014-03-27 03:53:05 +08:00
|
|
|
module_exit(ghash_ce_mod_exit);
|