linux/crypto/gcm.c
<<
>>
Prefs
   1/*
   2 * GCM: Galois/Counter Mode.
   3 *
   4 * Copyright (c) 2007 Nokia Siemens Networks - Mikko Herranen <mh1@iki.fi>
   5 *
   6 * This program is free software; you can redistribute it and/or modify it
   7 * under the terms of the GNU General Public License version 2 as published
   8 * by the Free Software Foundation.
   9 */
  10
  11#include <crypto/gf128mul.h>
  12#include <crypto/internal/aead.h>
  13#include <crypto/internal/skcipher.h>
  14#include <crypto/internal/hash.h>
  15#include <crypto/null.h>
  16#include <crypto/scatterwalk.h>
  17#include <crypto/hash.h>
  18#include "internal.h"
  19#include <linux/completion.h>
  20#include <linux/err.h>
  21#include <linux/init.h>
  22#include <linux/kernel.h>
  23#include <linux/module.h>
  24#include <linux/slab.h>
  25
  26struct gcm_instance_ctx {
  27        struct crypto_skcipher_spawn ctr;
  28        struct crypto_ahash_spawn ghash;
  29};
  30
  31struct crypto_gcm_ctx {
  32        struct crypto_ablkcipher *ctr;
  33        struct crypto_ahash *ghash;
  34};
  35
  36struct crypto_rfc4106_ctx {
  37        struct crypto_aead *child;
  38        u8 nonce[4];
  39};
  40
  41struct crypto_rfc4106_req_ctx {
  42        struct scatterlist src[3];
  43        struct scatterlist dst[3];
  44        struct aead_request subreq;
  45};
  46
  47struct crypto_rfc4543_instance_ctx {
  48        struct crypto_aead_spawn aead;
  49};
  50
  51struct crypto_rfc4543_ctx {
  52        struct crypto_aead *child;
  53        struct crypto_blkcipher *null;
  54        u8 nonce[4];
  55};
  56
  57struct crypto_rfc4543_req_ctx {
  58        struct aead_request subreq;
  59};
  60
  61struct crypto_gcm_ghash_ctx {
  62        unsigned int cryptlen;
  63        struct scatterlist *src;
  64        int (*complete)(struct aead_request *req, u32 flags);
  65};
  66
  67struct crypto_gcm_req_priv_ctx {
  68        u8 iv[16];
  69        u8 auth_tag[16];
  70        u8 iauth_tag[16];
  71        struct scatterlist src[3];
  72        struct scatterlist dst[3];
  73        struct scatterlist sg;
  74        struct crypto_gcm_ghash_ctx ghash_ctx;
  75        union {
  76                struct ahash_request ahreq;
  77                struct ablkcipher_request abreq;
  78        } u;
  79};
  80
  81struct crypto_gcm_setkey_result {
  82        int err;
  83        struct completion completion;
  84};
  85
  86static struct {
  87        u8 buf[16];
  88        struct scatterlist sg;
  89} *gcm_zeroes;
  90
  91static int crypto_rfc4543_copy_src_to_dst(struct aead_request *req, bool enc);
  92
  93static inline struct crypto_gcm_req_priv_ctx *crypto_gcm_reqctx(
  94        struct aead_request *req)
  95{
  96        unsigned long align = crypto_aead_alignmask(crypto_aead_reqtfm(req));
  97
  98        return (void *)PTR_ALIGN((u8 *)aead_request_ctx(req), align + 1);
  99}
 100
 101static void crypto_gcm_setkey_done(struct crypto_async_request *req, int err)
 102{
 103        struct crypto_gcm_setkey_result *result = req->data;
 104
 105        if (err == -EINPROGRESS)
 106                return;
 107
 108        result->err = err;
 109        complete(&result->completion);
 110}
 111
 112static int crypto_gcm_setkey(struct crypto_aead *aead, const u8 *key,
 113                             unsigned int keylen)
 114{
 115        struct crypto_gcm_ctx *ctx = crypto_aead_ctx(aead);
 116        struct crypto_ahash *ghash = ctx->ghash;
 117        struct crypto_ablkcipher *ctr = ctx->ctr;
 118        struct {
 119                be128 hash;
 120                u8 iv[8];
 121
 122                struct crypto_gcm_setkey_result result;
 123
 124                struct scatterlist sg[1];
 125                struct ablkcipher_request req;
 126        } *data;
 127        int err;
 128
 129        crypto_ablkcipher_clear_flags(ctr, CRYPTO_TFM_REQ_MASK);
 130        crypto_ablkcipher_set_flags(ctr, crypto_aead_get_flags(aead) &
 131                                         CRYPTO_TFM_REQ_MASK);
 132        err = crypto_ablkcipher_setkey(ctr, key, keylen);
 133        crypto_aead_set_flags(aead, crypto_ablkcipher_get_flags(ctr) &
 134                                    CRYPTO_TFM_RES_MASK);
 135        if (err)
 136                return err;
 137
 138        data = kzalloc(sizeof(*data) + crypto_ablkcipher_reqsize(ctr),
 139                       GFP_KERNEL);
 140        if (!data)
 141                return -ENOMEM;
 142
 143        init_completion(&data->result.completion);
 144        sg_init_one(data->sg, &data->hash, sizeof(data->hash));
 145        ablkcipher_request_set_tfm(&data->req, ctr);
 146        ablkcipher_request_set_callback(&data->req, CRYPTO_TFM_REQ_MAY_SLEEP |
 147                                                    CRYPTO_TFM_REQ_MAY_BACKLOG,
 148                                        crypto_gcm_setkey_done,
 149                                        &data->result);
 150        ablkcipher_request_set_crypt(&data->req, data->sg, data->sg,
 151                                     sizeof(data->hash), data->iv);
 152
 153        err = crypto_ablkcipher_encrypt(&data->req);
 154        if (err == -EINPROGRESS || err == -EBUSY) {
 155                err = wait_for_completion_interruptible(
 156                        &data->result.completion);
 157                if (!err)
 158                        err = data->result.err;
 159        }
 160
 161        if (err)
 162                goto out;
 163
 164        crypto_ahash_clear_flags(ghash, CRYPTO_TFM_REQ_MASK);
 165        crypto_ahash_set_flags(ghash, crypto_aead_get_flags(aead) &
 166                               CRYPTO_TFM_REQ_MASK);
 167        err = crypto_ahash_setkey(ghash, (u8 *)&data->hash, sizeof(be128));
 168        crypto_aead_set_flags(aead, crypto_ahash_get_flags(ghash) &
 169                              CRYPTO_TFM_RES_MASK);
 170
 171out:
 172        kzfree(data);
 173        return err;
 174}
 175
 176static int crypto_gcm_setauthsize(struct crypto_aead *tfm,
 177                                  unsigned int authsize)
 178{
 179        switch (authsize) {
 180        case 4:
 181        case 8:
 182        case 12:
 183        case 13:
 184        case 14:
 185        case 15:
 186        case 16:
 187                break;
 188        default:
 189                return -EINVAL;
 190        }
 191
 192        return 0;
 193}
 194
 195static void crypto_gcm_init_common(struct aead_request *req)
 196{
 197        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 198        __be32 counter = cpu_to_be32(1);
 199        struct scatterlist *sg;
 200
 201        memset(pctx->auth_tag, 0, sizeof(pctx->auth_tag));
 202        memcpy(pctx->iv, req->iv, 12);
 203        memcpy(pctx->iv + 12, &counter, 4);
 204
 205        sg_init_table(pctx->src, 3);
 206        sg_set_buf(pctx->src, pctx->auth_tag, sizeof(pctx->auth_tag));
 207        sg = scatterwalk_ffwd(pctx->src + 1, req->src, req->assoclen);
 208        if (sg != pctx->src + 1)
 209                sg_chain(pctx->src, 2, sg);
 210
 211        if (req->src != req->dst) {
 212                sg_init_table(pctx->dst, 3);
 213                sg_set_buf(pctx->dst, pctx->auth_tag, sizeof(pctx->auth_tag));
 214                sg = scatterwalk_ffwd(pctx->dst + 1, req->dst, req->assoclen);
 215                if (sg != pctx->dst + 1)
 216                        sg_chain(pctx->dst, 2, sg);
 217        }
 218}
 219
 220static void crypto_gcm_init_crypt(struct aead_request *req,
 221                                  unsigned int cryptlen)
 222{
 223        struct crypto_aead *aead = crypto_aead_reqtfm(req);
 224        struct crypto_gcm_ctx *ctx = crypto_aead_ctx(aead);
 225        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 226        struct ablkcipher_request *ablk_req = &pctx->u.abreq;
 227        struct scatterlist *dst;
 228
 229        dst = req->src == req->dst ? pctx->src : pctx->dst;
 230
 231        ablkcipher_request_set_tfm(ablk_req, ctx->ctr);
 232        ablkcipher_request_set_crypt(ablk_req, pctx->src, dst,
 233                                     cryptlen + sizeof(pctx->auth_tag),
 234                                     pctx->iv);
 235}
 236
 237static inline unsigned int gcm_remain(unsigned int len)
 238{
 239        len &= 0xfU;
 240        return len ? 16 - len : 0;
 241}
 242
 243static void gcm_hash_len_done(struct crypto_async_request *areq, int err);
 244
 245static int gcm_hash_update(struct aead_request *req,
 246                           crypto_completion_t compl,
 247                           struct scatterlist *src,
 248                           unsigned int len, u32 flags)
 249{
 250        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 251        struct ahash_request *ahreq = &pctx->u.ahreq;
 252
 253        ahash_request_set_callback(ahreq, flags, compl, req);
 254        ahash_request_set_crypt(ahreq, src, NULL, len);
 255
 256        return crypto_ahash_update(ahreq);
 257}
 258
 259static int gcm_hash_remain(struct aead_request *req,
 260                           unsigned int remain,
 261                           crypto_completion_t compl, u32 flags)
 262{
 263        return gcm_hash_update(req, compl, &gcm_zeroes->sg, remain, flags);
 264}
 265
 266static int gcm_hash_len(struct aead_request *req, u32 flags)
 267{
 268        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 269        struct ahash_request *ahreq = &pctx->u.ahreq;
 270        struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
 271        u128 lengths;
 272
 273        lengths.a = cpu_to_be64(req->assoclen * 8);
 274        lengths.b = cpu_to_be64(gctx->cryptlen * 8);
 275        memcpy(pctx->iauth_tag, &lengths, 16);
 276        sg_init_one(&pctx->sg, pctx->iauth_tag, 16);
 277        ahash_request_set_callback(ahreq, flags, gcm_hash_len_done, req);
 278        ahash_request_set_crypt(ahreq, &pctx->sg,
 279                                pctx->iauth_tag, sizeof(lengths));
 280
 281        return crypto_ahash_finup(ahreq);
 282}
 283
 284static int gcm_hash_len_continue(struct aead_request *req, u32 flags)
 285{
 286        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 287        struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
 288
 289        return gctx->complete(req, flags);
 290}
 291
 292static void gcm_hash_len_done(struct crypto_async_request *areq, int err)
 293{
 294        struct aead_request *req = areq->data;
 295
 296        if (err)
 297                goto out;
 298
 299        err = gcm_hash_len_continue(req, 0);
 300        if (err == -EINPROGRESS)
 301                return;
 302
 303out:
 304        aead_request_complete(req, err);
 305}
 306
 307static int gcm_hash_crypt_remain_continue(struct aead_request *req, u32 flags)
 308{
 309        return gcm_hash_len(req, flags) ?:
 310               gcm_hash_len_continue(req, flags);
 311}
 312
 313static void gcm_hash_crypt_remain_done(struct crypto_async_request *areq,
 314                                       int err)
 315{
 316        struct aead_request *req = areq->data;
 317
 318        if (err)
 319                goto out;
 320
 321        err = gcm_hash_crypt_remain_continue(req, 0);
 322        if (err == -EINPROGRESS)
 323                return;
 324
 325out:
 326        aead_request_complete(req, err);
 327}
 328
 329static int gcm_hash_crypt_continue(struct aead_request *req, u32 flags)
 330{
 331        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 332        struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
 333        unsigned int remain;
 334
 335        remain = gcm_remain(gctx->cryptlen);
 336        if (remain)
 337                return gcm_hash_remain(req, remain,
 338                                       gcm_hash_crypt_remain_done, flags) ?:
 339                       gcm_hash_crypt_remain_continue(req, flags);
 340
 341        return gcm_hash_crypt_remain_continue(req, flags);
 342}
 343
 344static void gcm_hash_crypt_done(struct crypto_async_request *areq, int err)
 345{
 346        struct aead_request *req = areq->data;
 347
 348        if (err)
 349                goto out;
 350
 351        err = gcm_hash_crypt_continue(req, 0);
 352        if (err == -EINPROGRESS)
 353                return;
 354
 355out:
 356        aead_request_complete(req, err);
 357}
 358
 359static int gcm_hash_assoc_remain_continue(struct aead_request *req, u32 flags)
 360{
 361        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 362        struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
 363
 364        if (gctx->cryptlen)
 365                return gcm_hash_update(req, gcm_hash_crypt_done,
 366                                       gctx->src, gctx->cryptlen, flags) ?:
 367                       gcm_hash_crypt_continue(req, flags);
 368
 369        return gcm_hash_crypt_remain_continue(req, flags);
 370}
 371
 372static void gcm_hash_assoc_remain_done(struct crypto_async_request *areq,
 373                                       int err)
 374{
 375        struct aead_request *req = areq->data;
 376
 377        if (err)
 378                goto out;
 379
 380        err = gcm_hash_assoc_remain_continue(req, 0);
 381        if (err == -EINPROGRESS)
 382                return;
 383
 384out:
 385        aead_request_complete(req, err);
 386}
 387
 388static int gcm_hash_assoc_continue(struct aead_request *req, u32 flags)
 389{
 390        unsigned int remain;
 391
 392        remain = gcm_remain(req->assoclen);
 393        if (remain)
 394                return gcm_hash_remain(req, remain,
 395                                       gcm_hash_assoc_remain_done, flags) ?:
 396                       gcm_hash_assoc_remain_continue(req, flags);
 397
 398        return gcm_hash_assoc_remain_continue(req, flags);
 399}
 400
 401static void gcm_hash_assoc_done(struct crypto_async_request *areq, int err)
 402{
 403        struct aead_request *req = areq->data;
 404
 405        if (err)
 406                goto out;
 407
 408        err = gcm_hash_assoc_continue(req, 0);
 409        if (err == -EINPROGRESS)
 410                return;
 411
 412out:
 413        aead_request_complete(req, err);
 414}
 415
 416static int gcm_hash_init_continue(struct aead_request *req, u32 flags)
 417{
 418        if (req->assoclen)
 419                return gcm_hash_update(req, gcm_hash_assoc_done,
 420                                       req->src, req->assoclen, flags) ?:
 421                       gcm_hash_assoc_continue(req, flags);
 422
 423        return gcm_hash_assoc_remain_continue(req, flags);
 424}
 425
 426static void gcm_hash_init_done(struct crypto_async_request *areq, int err)
 427{
 428        struct aead_request *req = areq->data;
 429
 430        if (err)
 431                goto out;
 432
 433        err = gcm_hash_init_continue(req, 0);
 434        if (err == -EINPROGRESS)
 435                return;
 436
 437out:
 438        aead_request_complete(req, err);
 439}
 440
 441static int gcm_hash(struct aead_request *req, u32 flags)
 442{
 443        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 444        struct ahash_request *ahreq = &pctx->u.ahreq;
 445        struct crypto_gcm_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
 446
 447        ahash_request_set_tfm(ahreq, ctx->ghash);
 448
 449        ahash_request_set_callback(ahreq, flags, gcm_hash_init_done, req);
 450        return crypto_ahash_init(ahreq) ?:
 451               gcm_hash_init_continue(req, flags);
 452}
 453
 454static int gcm_enc_copy_hash(struct aead_request *req, u32 flags)
 455{
 456        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 457        struct crypto_aead *aead = crypto_aead_reqtfm(req);
 458        u8 *auth_tag = pctx->auth_tag;
 459
 460        crypto_xor(auth_tag, pctx->iauth_tag, 16);
 461        scatterwalk_map_and_copy(auth_tag, req->dst,
 462                                 req->assoclen + req->cryptlen,
 463                                 crypto_aead_authsize(aead), 1);
 464        return 0;
 465}
 466
 467static int gcm_encrypt_continue(struct aead_request *req, u32 flags)
 468{
 469        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 470        struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
 471
 472        gctx->src = sg_next(req->src == req->dst ? pctx->src : pctx->dst);
 473        gctx->cryptlen = req->cryptlen;
 474        gctx->complete = gcm_enc_copy_hash;
 475
 476        return gcm_hash(req, flags);
 477}
 478
 479static void gcm_encrypt_done(struct crypto_async_request *areq, int err)
 480{
 481        struct aead_request *req = areq->data;
 482
 483        if (err)
 484                goto out;
 485
 486        err = gcm_encrypt_continue(req, 0);
 487        if (err == -EINPROGRESS)
 488                return;
 489
 490out:
 491        aead_request_complete(req, err);
 492}
 493
 494static int crypto_gcm_encrypt(struct aead_request *req)
 495{
 496        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 497        struct ablkcipher_request *abreq = &pctx->u.abreq;
 498        u32 flags = aead_request_flags(req);
 499
 500        crypto_gcm_init_common(req);
 501        crypto_gcm_init_crypt(req, req->cryptlen);
 502        ablkcipher_request_set_callback(abreq, flags, gcm_encrypt_done, req);
 503
 504        return crypto_ablkcipher_encrypt(abreq) ?:
 505               gcm_encrypt_continue(req, flags);
 506}
 507
 508static int crypto_gcm_verify(struct aead_request *req)
 509{
 510        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 511        struct crypto_aead *aead = crypto_aead_reqtfm(req);
 512        u8 *auth_tag = pctx->auth_tag;
 513        u8 *iauth_tag = pctx->iauth_tag;
 514        unsigned int authsize = crypto_aead_authsize(aead);
 515        unsigned int cryptlen = req->cryptlen - authsize;
 516
 517        crypto_xor(auth_tag, iauth_tag, 16);
 518        scatterwalk_map_and_copy(iauth_tag, req->src,
 519                                 req->assoclen + cryptlen, authsize, 0);
 520        return crypto_memneq(iauth_tag, auth_tag, authsize) ? -EBADMSG : 0;
 521}
 522
 523static void gcm_decrypt_done(struct crypto_async_request *areq, int err)
 524{
 525        struct aead_request *req = areq->data;
 526
 527        if (!err)
 528                err = crypto_gcm_verify(req);
 529
 530        aead_request_complete(req, err);
 531}
 532
 533static int gcm_dec_hash_continue(struct aead_request *req, u32 flags)
 534{
 535        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 536        struct ablkcipher_request *abreq = &pctx->u.abreq;
 537        struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
 538
 539        crypto_gcm_init_crypt(req, gctx->cryptlen);
 540        ablkcipher_request_set_callback(abreq, flags, gcm_decrypt_done, req);
 541        return crypto_ablkcipher_decrypt(abreq) ?: crypto_gcm_verify(req);
 542}
 543
 544static int crypto_gcm_decrypt(struct aead_request *req)
 545{
 546        struct crypto_aead *aead = crypto_aead_reqtfm(req);
 547        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 548        struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
 549        unsigned int authsize = crypto_aead_authsize(aead);
 550        unsigned int cryptlen = req->cryptlen;
 551        u32 flags = aead_request_flags(req);
 552
 553        cryptlen -= authsize;
 554
 555        crypto_gcm_init_common(req);
 556
 557        gctx->src = sg_next(pctx->src);
 558        gctx->cryptlen = cryptlen;
 559        gctx->complete = gcm_dec_hash_continue;
 560
 561        return gcm_hash(req, flags);
 562}
 563
 564static int crypto_gcm_init_tfm(struct crypto_aead *tfm)
 565{
 566        struct aead_instance *inst = aead_alg_instance(tfm);
 567        struct gcm_instance_ctx *ictx = aead_instance_ctx(inst);
 568        struct crypto_gcm_ctx *ctx = crypto_aead_ctx(tfm);
 569        struct crypto_ablkcipher *ctr;
 570        struct crypto_ahash *ghash;
 571        unsigned long align;
 572        int err;
 573
 574        ghash = crypto_spawn_ahash(&ictx->ghash);
 575        if (IS_ERR(ghash))
 576                return PTR_ERR(ghash);
 577
 578        ctr = crypto_spawn_skcipher(&ictx->ctr);
 579        err = PTR_ERR(ctr);
 580        if (IS_ERR(ctr))
 581                goto err_free_hash;
 582
 583        ctx->ctr = ctr;
 584        ctx->ghash = ghash;
 585
 586        align = crypto_aead_alignmask(tfm);
 587        align &= ~(crypto_tfm_ctx_alignment() - 1);
 588        crypto_aead_set_reqsize(tfm,
 589                align + offsetof(struct crypto_gcm_req_priv_ctx, u) +
 590                max(sizeof(struct ablkcipher_request) +
 591                    crypto_ablkcipher_reqsize(ctr),
 592                    sizeof(struct ahash_request) +
 593                    crypto_ahash_reqsize(ghash)));
 594
 595        return 0;
 596
 597err_free_hash:
 598        crypto_free_ahash(ghash);
 599        return err;
 600}
 601
 602static void crypto_gcm_exit_tfm(struct crypto_aead *tfm)
 603{
 604        struct crypto_gcm_ctx *ctx = crypto_aead_ctx(tfm);
 605
 606        crypto_free_ahash(ctx->ghash);
 607        crypto_free_ablkcipher(ctx->ctr);
 608}
 609
 610static void crypto_gcm_free(struct aead_instance *inst)
 611{
 612        struct gcm_instance_ctx *ctx = aead_instance_ctx(inst);
 613
 614        crypto_drop_skcipher(&ctx->ctr);
 615        crypto_drop_ahash(&ctx->ghash);
 616        kfree(inst);
 617}
 618
 619static int crypto_gcm_create_common(struct crypto_template *tmpl,
 620                                    struct rtattr **tb,
 621                                    const char *full_name,
 622                                    const char *ctr_name,
 623                                    const char *ghash_name)
 624{
 625        struct crypto_attr_type *algt;
 626        struct aead_instance *inst;
 627        struct crypto_alg *ctr;
 628        struct crypto_alg *ghash_alg;
 629        struct hash_alg_common *ghash;
 630        struct gcm_instance_ctx *ctx;
 631        int err;
 632
 633        algt = crypto_get_attr_type(tb);
 634        if (IS_ERR(algt))
 635                return PTR_ERR(algt);
 636
 637        if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
 638                return -EINVAL;
 639
 640        ghash_alg = crypto_find_alg(ghash_name, &crypto_ahash_type,
 641                                    CRYPTO_ALG_TYPE_HASH,
 642                                    CRYPTO_ALG_TYPE_AHASH_MASK);
 643        if (IS_ERR(ghash_alg))
 644                return PTR_ERR(ghash_alg);
 645
 646        ghash = __crypto_hash_alg_common(ghash_alg);
 647
 648        err = -ENOMEM;
 649        inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
 650        if (!inst)
 651                goto out_put_ghash;
 652
 653        ctx = aead_instance_ctx(inst);
 654        err = crypto_init_ahash_spawn(&ctx->ghash, ghash,
 655                                      aead_crypto_instance(inst));
 656        if (err)
 657                goto err_free_inst;
 658
 659        err = -EINVAL;
 660        if (ghash->digestsize != 16)
 661                goto err_drop_ghash;
 662
 663        crypto_set_skcipher_spawn(&ctx->ctr, aead_crypto_instance(inst));
 664        err = crypto_grab_skcipher(&ctx->ctr, ctr_name, 0,
 665                                   crypto_requires_sync(algt->type,
 666                                                        algt->mask));
 667        if (err)
 668                goto err_drop_ghash;
 669
 670        ctr = crypto_skcipher_spawn_alg(&ctx->ctr);
 671
 672        /* We only support 16-byte blocks. */
 673        if (ctr->cra_ablkcipher.ivsize != 16)
 674                goto out_put_ctr;
 675
 676        /* Not a stream cipher? */
 677        err = -EINVAL;
 678        if (ctr->cra_blocksize != 1)
 679                goto out_put_ctr;
 680
 681        err = -ENAMETOOLONG;
 682        if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
 683                     "gcm_base(%s,%s)", ctr->cra_driver_name,
 684                     ghash_alg->cra_driver_name) >=
 685            CRYPTO_MAX_ALG_NAME)
 686                goto out_put_ctr;
 687
 688        memcpy(inst->alg.base.cra_name, full_name, CRYPTO_MAX_ALG_NAME);
 689
 690        inst->alg.base.cra_flags = (ghash->base.cra_flags | ctr->cra_flags) &
 691                                   CRYPTO_ALG_ASYNC;
 692        inst->alg.base.cra_priority = (ghash->base.cra_priority +
 693                                       ctr->cra_priority) / 2;
 694        inst->alg.base.cra_blocksize = 1;
 695        inst->alg.base.cra_alignmask = ghash->base.cra_alignmask |
 696                                       ctr->cra_alignmask;
 697        inst->alg.base.cra_ctxsize = sizeof(struct crypto_gcm_ctx);
 698        inst->alg.ivsize = 12;
 699        inst->alg.maxauthsize = 16;
 700        inst->alg.init = crypto_gcm_init_tfm;
 701        inst->alg.exit = crypto_gcm_exit_tfm;
 702        inst->alg.setkey = crypto_gcm_setkey;
 703        inst->alg.setauthsize = crypto_gcm_setauthsize;
 704        inst->alg.encrypt = crypto_gcm_encrypt;
 705        inst->alg.decrypt = crypto_gcm_decrypt;
 706
 707        inst->free = crypto_gcm_free;
 708
 709        err = aead_register_instance(tmpl, inst);
 710        if (err)
 711                goto out_put_ctr;
 712
 713out_put_ghash:
 714        crypto_mod_put(ghash_alg);
 715        return err;
 716
 717out_put_ctr:
 718        crypto_drop_skcipher(&ctx->ctr);
 719err_drop_ghash:
 720        crypto_drop_ahash(&ctx->ghash);
 721err_free_inst:
 722        kfree(inst);
 723        goto out_put_ghash;
 724}
 725
 726static int crypto_gcm_create(struct crypto_template *tmpl, struct rtattr **tb)
 727{
 728        const char *cipher_name;
 729        char ctr_name[CRYPTO_MAX_ALG_NAME];
 730        char full_name[CRYPTO_MAX_ALG_NAME];
 731
 732        cipher_name = crypto_attr_alg_name(tb[1]);
 733        if (IS_ERR(cipher_name))
 734                return PTR_ERR(cipher_name);
 735
 736        if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", cipher_name) >=
 737            CRYPTO_MAX_ALG_NAME)
 738                return -ENAMETOOLONG;
 739
 740        if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm(%s)", cipher_name) >=
 741            CRYPTO_MAX_ALG_NAME)
 742                return -ENAMETOOLONG;
 743
 744        return crypto_gcm_create_common(tmpl, tb, full_name,
 745                                        ctr_name, "ghash");
 746}
 747
 748static struct crypto_template crypto_gcm_tmpl = {
 749        .name = "gcm",
 750        .create = crypto_gcm_create,
 751        .module = THIS_MODULE,
 752};
 753
 754static int crypto_gcm_base_create(struct crypto_template *tmpl,
 755                                  struct rtattr **tb)
 756{
 757        const char *ctr_name;
 758        const char *ghash_name;
 759        char full_name[CRYPTO_MAX_ALG_NAME];
 760
 761        ctr_name = crypto_attr_alg_name(tb[1]);
 762        if (IS_ERR(ctr_name))
 763                return PTR_ERR(ctr_name);
 764
 765        ghash_name = crypto_attr_alg_name(tb[2]);
 766        if (IS_ERR(ghash_name))
 767                return PTR_ERR(ghash_name);
 768
 769        if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm_base(%s,%s)",
 770                     ctr_name, ghash_name) >= CRYPTO_MAX_ALG_NAME)
 771                return -ENAMETOOLONG;
 772
 773        return crypto_gcm_create_common(tmpl, tb, full_name,
 774                                        ctr_name, ghash_name);
 775}
 776
 777static struct crypto_template crypto_gcm_base_tmpl = {
 778        .name = "gcm_base",
 779        .create = crypto_gcm_base_create,
 780        .module = THIS_MODULE,
 781};
 782
 783static int crypto_rfc4106_setkey(struct crypto_aead *parent, const u8 *key,
 784                                 unsigned int keylen)
 785{
 786        struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(parent);
 787        struct crypto_aead *child = ctx->child;
 788        int err;
 789
 790        if (keylen < 4)
 791                return -EINVAL;
 792
 793        keylen -= 4;
 794        memcpy(ctx->nonce, key + keylen, 4);
 795
 796        crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK);
 797        crypto_aead_set_flags(child, crypto_aead_get_flags(parent) &
 798                                     CRYPTO_TFM_REQ_MASK);
 799        err = crypto_aead_setkey(child, key, keylen);
 800        crypto_aead_set_flags(parent, crypto_aead_get_flags(child) &
 801                                      CRYPTO_TFM_RES_MASK);
 802
 803        return err;
 804}
 805
 806static int crypto_rfc4106_setauthsize(struct crypto_aead *parent,
 807                                      unsigned int authsize)
 808{
 809        struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(parent);
 810
 811        switch (authsize) {
 812        case 8:
 813        case 12:
 814        case 16:
 815                break;
 816        default:
 817                return -EINVAL;
 818        }
 819
 820        return crypto_aead_setauthsize(ctx->child, authsize);
 821}
 822
 823static struct aead_request *crypto_rfc4106_crypt(struct aead_request *req)
 824{
 825        struct crypto_rfc4106_req_ctx *rctx = aead_request_ctx(req);
 826        struct crypto_aead *aead = crypto_aead_reqtfm(req);
 827        struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(aead);
 828        struct aead_request *subreq = &rctx->subreq;
 829        struct crypto_aead *child = ctx->child;
 830        struct scatterlist *sg;
 831        u8 *iv = PTR_ALIGN((u8 *)(subreq + 1) + crypto_aead_reqsize(child),
 832                           crypto_aead_alignmask(child) + 1);
 833
 834        scatterwalk_map_and_copy(iv + 12, req->src, 0, req->assoclen - 8, 0);
 835
 836        memcpy(iv, ctx->nonce, 4);
 837        memcpy(iv + 4, req->iv, 8);
 838
 839        sg_init_table(rctx->src, 3);
 840        sg_set_buf(rctx->src, iv + 12, req->assoclen - 8);
 841        sg = scatterwalk_ffwd(rctx->src + 1, req->src, req->assoclen);
 842        if (sg != rctx->src + 1)
 843                sg_chain(rctx->src, 2, sg);
 844
 845        if (req->src != req->dst) {
 846                sg_init_table(rctx->dst, 3);
 847                sg_set_buf(rctx->dst, iv + 12, req->assoclen - 8);
 848                sg = scatterwalk_ffwd(rctx->dst + 1, req->dst, req->assoclen);
 849                if (sg != rctx->dst + 1)
 850                        sg_chain(rctx->dst, 2, sg);
 851        }
 852
 853        aead_request_set_tfm(subreq, child);
 854        aead_request_set_callback(subreq, req->base.flags, req->base.complete,
 855                                  req->base.data);
 856        aead_request_set_crypt(subreq, rctx->src,
 857                               req->src == req->dst ? rctx->src : rctx->dst,
 858                               req->cryptlen, iv);
 859        aead_request_set_ad(subreq, req->assoclen - 8);
 860
 861        return subreq;
 862}
 863
 864static int crypto_rfc4106_encrypt(struct aead_request *req)
 865{
 866        if (req->assoclen != 16 && req->assoclen != 20)
 867                return -EINVAL;
 868
 869        req = crypto_rfc4106_crypt(req);
 870
 871        return crypto_aead_encrypt(req);
 872}
 873
 874static int crypto_rfc4106_decrypt(struct aead_request *req)
 875{
 876        if (req->assoclen != 16 && req->assoclen != 20)
 877                return -EINVAL;
 878
 879        req = crypto_rfc4106_crypt(req);
 880
 881        return crypto_aead_decrypt(req);
 882}
 883
 884static int crypto_rfc4106_init_tfm(struct crypto_aead *tfm)
 885{
 886        struct aead_instance *inst = aead_alg_instance(tfm);
 887        struct crypto_aead_spawn *spawn = aead_instance_ctx(inst);
 888        struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(tfm);
 889        struct crypto_aead *aead;
 890        unsigned long align;
 891
 892        aead = crypto_spawn_aead(spawn);
 893        if (IS_ERR(aead))
 894                return PTR_ERR(aead);
 895
 896        ctx->child = aead;
 897
 898        align = crypto_aead_alignmask(aead);
 899        align &= ~(crypto_tfm_ctx_alignment() - 1);
 900        crypto_aead_set_reqsize(
 901                tfm,
 902                sizeof(struct crypto_rfc4106_req_ctx) +
 903                ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) +
 904                align + 24);
 905
 906        return 0;
 907}
 908
 909static void crypto_rfc4106_exit_tfm(struct crypto_aead *tfm)
 910{
 911        struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(tfm);
 912
 913        crypto_free_aead(ctx->child);
 914}
 915
 916static void crypto_rfc4106_free(struct aead_instance *inst)
 917{
 918        crypto_drop_aead(aead_instance_ctx(inst));
 919        kfree(inst);
 920}
 921
 922static int crypto_rfc4106_create(struct crypto_template *tmpl,
 923                                 struct rtattr **tb)
 924{
 925        struct crypto_attr_type *algt;
 926        struct aead_instance *inst;
 927        struct crypto_aead_spawn *spawn;
 928        struct aead_alg *alg;
 929        const char *ccm_name;
 930        int err;
 931
 932        algt = crypto_get_attr_type(tb);
 933        if (IS_ERR(algt))
 934                return PTR_ERR(algt);
 935
 936        if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
 937                return -EINVAL;
 938
 939        ccm_name = crypto_attr_alg_name(tb[1]);
 940        if (IS_ERR(ccm_name))
 941                return PTR_ERR(ccm_name);
 942
 943        inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
 944        if (!inst)
 945                return -ENOMEM;
 946
 947        spawn = aead_instance_ctx(inst);
 948        crypto_set_aead_spawn(spawn, aead_crypto_instance(inst));
 949        err = crypto_grab_aead(spawn, ccm_name, 0,
 950                               crypto_requires_sync(algt->type, algt->mask));
 951        if (err)
 952                goto out_free_inst;
 953
 954        alg = crypto_spawn_aead_alg(spawn);
 955
 956        err = -EINVAL;
 957
 958        /* Underlying IV size must be 12. */
 959        if (crypto_aead_alg_ivsize(alg) != 12)
 960                goto out_drop_alg;
 961
 962        /* Not a stream cipher? */
 963        if (alg->base.cra_blocksize != 1)
 964                goto out_drop_alg;
 965
 966        err = -ENAMETOOLONG;
 967        if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
 968                     "rfc4106(%s)", alg->base.cra_name) >=
 969            CRYPTO_MAX_ALG_NAME ||
 970            snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
 971                     "rfc4106(%s)", alg->base.cra_driver_name) >=
 972            CRYPTO_MAX_ALG_NAME)
 973                goto out_drop_alg;
 974
 975        inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC;
 976        inst->alg.base.cra_priority = alg->base.cra_priority;
 977        inst->alg.base.cra_blocksize = 1;
 978        inst->alg.base.cra_alignmask = alg->base.cra_alignmask;
 979
 980        inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4106_ctx);
 981
 982        inst->alg.ivsize = 8;
 983        inst->alg.maxauthsize = crypto_aead_alg_maxauthsize(alg);
 984
 985        inst->alg.init = crypto_rfc4106_init_tfm;
 986        inst->alg.exit = crypto_rfc4106_exit_tfm;
 987
 988        inst->alg.setkey = crypto_rfc4106_setkey;
 989        inst->alg.setauthsize = crypto_rfc4106_setauthsize;
 990        inst->alg.encrypt = crypto_rfc4106_encrypt;
 991        inst->alg.decrypt = crypto_rfc4106_decrypt;
 992
 993        inst->free = crypto_rfc4106_free;
 994
 995        err = aead_register_instance(tmpl, inst);
 996        if (err)
 997                goto out_drop_alg;
 998
 999out:
1000        return err;
1001
1002out_drop_alg:
1003        crypto_drop_aead(spawn);
1004out_free_inst:
1005        kfree(inst);
1006        goto out;
1007}
1008
1009static struct crypto_template crypto_rfc4106_tmpl = {
1010        .name = "rfc4106",
1011        .create = crypto_rfc4106_create,
1012        .module = THIS_MODULE,
1013};
1014
1015static int crypto_rfc4543_setkey(struct crypto_aead *parent, const u8 *key,
1016                                 unsigned int keylen)
1017{
1018        struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(parent);
1019        struct crypto_aead *child = ctx->child;
1020        int err;
1021
1022        if (keylen < 4)
1023                return -EINVAL;
1024
1025        keylen -= 4;
1026        memcpy(ctx->nonce, key + keylen, 4);
1027
1028        crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK);
1029        crypto_aead_set_flags(child, crypto_aead_get_flags(parent) &
1030                                     CRYPTO_TFM_REQ_MASK);
1031        err = crypto_aead_setkey(child, key, keylen);
1032        crypto_aead_set_flags(parent, crypto_aead_get_flags(child) &
1033                                      CRYPTO_TFM_RES_MASK);
1034
1035        return err;
1036}
1037
1038static int crypto_rfc4543_setauthsize(struct crypto_aead *parent,
1039                                      unsigned int authsize)
1040{
1041        struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(parent);
1042
1043        if (authsize != 16)
1044                return -EINVAL;
1045
1046        return crypto_aead_setauthsize(ctx->child, authsize);
1047}
1048
1049static int crypto_rfc4543_crypt(struct aead_request *req, bool enc)
1050{
1051        struct crypto_aead *aead = crypto_aead_reqtfm(req);
1052        struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(aead);
1053        struct crypto_rfc4543_req_ctx *rctx = aead_request_ctx(req);
1054        struct aead_request *subreq = &rctx->subreq;
1055        unsigned int authsize = crypto_aead_authsize(aead);
1056        u8 *iv = PTR_ALIGN((u8 *)(rctx + 1) + crypto_aead_reqsize(ctx->child),
1057                           crypto_aead_alignmask(ctx->child) + 1);
1058        int err;
1059
1060        if (req->src != req->dst) {
1061                err = crypto_rfc4543_copy_src_to_dst(req, enc);
1062                if (err)
1063                        return err;
1064        }
1065
1066        memcpy(iv, ctx->nonce, 4);
1067        memcpy(iv + 4, req->iv, 8);
1068
1069        aead_request_set_tfm(subreq, ctx->child);
1070        aead_request_set_callback(subreq, req->base.flags,
1071                                  req->base.complete, req->base.data);
1072        aead_request_set_crypt(subreq, req->src, req->dst,
1073                               enc ? 0 : authsize, iv);
1074        aead_request_set_ad(subreq, req->assoclen + req->cryptlen -
1075                                    subreq->cryptlen);
1076
1077        return enc ? crypto_aead_encrypt(subreq) : crypto_aead_decrypt(subreq);
1078}
1079
1080static int crypto_rfc4543_copy_src_to_dst(struct aead_request *req, bool enc)
1081{
1082        struct crypto_aead *aead = crypto_aead_reqtfm(req);
1083        struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(aead);
1084        unsigned int authsize = crypto_aead_authsize(aead);
1085        unsigned int nbytes = req->assoclen + req->cryptlen -
1086                              (enc ? 0 : authsize);
1087        struct blkcipher_desc desc = {
1088                .tfm = ctx->null,
1089        };
1090
1091        return crypto_blkcipher_encrypt(&desc, req->dst, req->src, nbytes);
1092}
1093
1094static int crypto_rfc4543_encrypt(struct aead_request *req)
1095{
1096        return crypto_rfc4543_crypt(req, true);
1097}
1098
1099static int crypto_rfc4543_decrypt(struct aead_request *req)
1100{
1101        return crypto_rfc4543_crypt(req, false);
1102}
1103
1104static int crypto_rfc4543_init_tfm(struct crypto_aead *tfm)
1105{
1106        struct aead_instance *inst = aead_alg_instance(tfm);
1107        struct crypto_rfc4543_instance_ctx *ictx = aead_instance_ctx(inst);
1108        struct crypto_aead_spawn *spawn = &ictx->aead;
1109        struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(tfm);
1110        struct crypto_aead *aead;
1111        struct crypto_blkcipher *null;
1112        unsigned long align;
1113        int err = 0;
1114
1115        aead = crypto_spawn_aead(spawn);
1116        if (IS_ERR(aead))
1117                return PTR_ERR(aead);
1118
1119        null = crypto_get_default_null_skcipher();
1120        err = PTR_ERR(null);
1121        if (IS_ERR(null))
1122                goto err_free_aead;
1123
1124        ctx->child = aead;
1125        ctx->null = null;
1126
1127        align = crypto_aead_alignmask(aead);
1128        align &= ~(crypto_tfm_ctx_alignment() - 1);
1129        crypto_aead_set_reqsize(
1130                tfm,
1131                sizeof(struct crypto_rfc4543_req_ctx) +
1132                ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) +
1133                align + 12);
1134
1135        return 0;
1136
1137err_free_aead:
1138        crypto_free_aead(aead);
1139        return err;
1140}
1141
1142static void crypto_rfc4543_exit_tfm(struct crypto_aead *tfm)
1143{
1144        struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(tfm);
1145
1146        crypto_free_aead(ctx->child);
1147        crypto_put_default_null_skcipher();
1148}
1149
1150static void crypto_rfc4543_free(struct aead_instance *inst)
1151{
1152        struct crypto_rfc4543_instance_ctx *ctx = aead_instance_ctx(inst);
1153
1154        crypto_drop_aead(&ctx->aead);
1155
1156        kfree(inst);
1157}
1158
1159static int crypto_rfc4543_create(struct crypto_template *tmpl,
1160                                struct rtattr **tb)
1161{
1162        struct crypto_attr_type *algt;
1163        struct aead_instance *inst;
1164        struct crypto_aead_spawn *spawn;
1165        struct aead_alg *alg;
1166        struct crypto_rfc4543_instance_ctx *ctx;
1167        const char *ccm_name;
1168        int err;
1169
1170        algt = crypto_get_attr_type(tb);
1171        if (IS_ERR(algt))
1172                return PTR_ERR(algt);
1173
1174        if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
1175                return -EINVAL;
1176
1177        ccm_name = crypto_attr_alg_name(tb[1]);
1178        if (IS_ERR(ccm_name))
1179                return PTR_ERR(ccm_name);
1180
1181        inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
1182        if (!inst)
1183                return -ENOMEM;
1184
1185        ctx = aead_instance_ctx(inst);
1186        spawn = &ctx->aead;
1187        crypto_set_aead_spawn(spawn, aead_crypto_instance(inst));
1188        err = crypto_grab_aead(spawn, ccm_name, 0,
1189                               crypto_requires_sync(algt->type, algt->mask));
1190        if (err)
1191                goto out_free_inst;
1192
1193        alg = crypto_spawn_aead_alg(spawn);
1194
1195        err = -EINVAL;
1196
1197        /* Underlying IV size must be 12. */
1198        if (crypto_aead_alg_ivsize(alg) != 12)
1199                goto out_drop_alg;
1200
1201        /* Not a stream cipher? */
1202        if (alg->base.cra_blocksize != 1)
1203                goto out_drop_alg;
1204
1205        err = -ENAMETOOLONG;
1206        if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
1207                     "rfc4543(%s)", alg->base.cra_name) >=
1208            CRYPTO_MAX_ALG_NAME ||
1209            snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
1210                     "rfc4543(%s)", alg->base.cra_driver_name) >=
1211            CRYPTO_MAX_ALG_NAME)
1212                goto out_drop_alg;
1213
1214        inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC;
1215        inst->alg.base.cra_priority = alg->base.cra_priority;
1216        inst->alg.base.cra_blocksize = 1;
1217        inst->alg.base.cra_alignmask = alg->base.cra_alignmask;
1218
1219        inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4543_ctx);
1220
1221        inst->alg.ivsize = 8;
1222        inst->alg.maxauthsize = crypto_aead_alg_maxauthsize(alg);
1223
1224        inst->alg.init = crypto_rfc4543_init_tfm;
1225        inst->alg.exit = crypto_rfc4543_exit_tfm;
1226
1227        inst->alg.setkey = crypto_rfc4543_setkey;
1228        inst->alg.setauthsize = crypto_rfc4543_setauthsize;
1229        inst->alg.encrypt = crypto_rfc4543_encrypt;
1230        inst->alg.decrypt = crypto_rfc4543_decrypt;
1231
1232        inst->free = crypto_rfc4543_free,
1233
1234        err = aead_register_instance(tmpl, inst);
1235        if (err)
1236                goto out_drop_alg;
1237
1238out:
1239        return err;
1240
1241out_drop_alg:
1242        crypto_drop_aead(spawn);
1243out_free_inst:
1244        kfree(inst);
1245        goto out;
1246}
1247
1248static struct crypto_template crypto_rfc4543_tmpl = {
1249        .name = "rfc4543",
1250        .create = crypto_rfc4543_create,
1251        .module = THIS_MODULE,
1252};
1253
1254static int __init crypto_gcm_module_init(void)
1255{
1256        int err;
1257
1258        gcm_zeroes = kzalloc(sizeof(*gcm_zeroes), GFP_KERNEL);
1259        if (!gcm_zeroes)
1260                return -ENOMEM;
1261
1262        sg_init_one(&gcm_zeroes->sg, gcm_zeroes->buf, sizeof(gcm_zeroes->buf));
1263
1264        err = crypto_register_template(&crypto_gcm_base_tmpl);
1265        if (err)
1266                goto out;
1267
1268        err = crypto_register_template(&crypto_gcm_tmpl);
1269        if (err)
1270                goto out_undo_base;
1271
1272        err = crypto_register_template(&crypto_rfc4106_tmpl);
1273        if (err)
1274                goto out_undo_gcm;
1275
1276        err = crypto_register_template(&crypto_rfc4543_tmpl);
1277        if (err)
1278                goto out_undo_rfc4106;
1279
1280        return 0;
1281
1282out_undo_rfc4106:
1283        crypto_unregister_template(&crypto_rfc4106_tmpl);
1284out_undo_gcm:
1285        crypto_unregister_template(&crypto_gcm_tmpl);
1286out_undo_base:
1287        crypto_unregister_template(&crypto_gcm_base_tmpl);
1288out:
1289        kfree(gcm_zeroes);
1290        return err;
1291}
1292
1293static void __exit crypto_gcm_module_exit(void)
1294{
1295        kfree(gcm_zeroes);
1296        crypto_unregister_template(&crypto_rfc4543_tmpl);
1297        crypto_unregister_template(&crypto_rfc4106_tmpl);
1298        crypto_unregister_template(&crypto_gcm_tmpl);
1299        crypto_unregister_template(&crypto_gcm_base_tmpl);
1300}
1301
1302module_init(crypto_gcm_module_init);
1303module_exit(crypto_gcm_module_exit);
1304
1305MODULE_LICENSE("GPL");
1306MODULE_DESCRIPTION("Galois/Counter Mode");
1307MODULE_AUTHOR("Mikko Herranen <mh1@iki.fi>");
1308MODULE_ALIAS_CRYPTO("gcm_base");
1309MODULE_ALIAS_CRYPTO("rfc4106");
1310MODULE_ALIAS_CRYPTO("rfc4543");
1311MODULE_ALIAS_CRYPTO("gcm");
1312