linux/crypto/gcm.c
<<
>>
Prefs
   1/*
   2 * GCM: Galois/Counter Mode.
   3 *
   4 * Copyright (c) 2007 Nokia Siemens Networks - Mikko Herranen <mh1@iki.fi>
   5 *
   6 * This program is free software; you can redistribute it and/or modify it
   7 * under the terms of the GNU General Public License version 2 as published
   8 * by the Free Software Foundation.
   9 */
  10
  11#include <crypto/gf128mul.h>
  12#include <crypto/internal/aead.h>
  13#include <crypto/internal/skcipher.h>
  14#include <crypto/internal/hash.h>
  15#include <crypto/null.h>
  16#include <crypto/scatterwalk.h>
  17#include <crypto/gcm.h>
  18#include <crypto/hash.h>
  19#include "internal.h"
  20#include <linux/err.h>
  21#include <linux/init.h>
  22#include <linux/kernel.h>
  23#include <linux/module.h>
  24#include <linux/slab.h>
  25
  26struct gcm_instance_ctx {
  27        struct crypto_skcipher_spawn ctr;
  28        struct crypto_ahash_spawn ghash;
  29};
  30
  31struct crypto_gcm_ctx {
  32        struct crypto_skcipher *ctr;
  33        struct crypto_ahash *ghash;
  34};
  35
  36struct crypto_rfc4106_ctx {
  37        struct crypto_aead *child;
  38        u8 nonce[4];
  39};
  40
  41struct crypto_rfc4106_req_ctx {
  42        struct scatterlist src[3];
  43        struct scatterlist dst[3];
  44        struct aead_request subreq;
  45};
  46
  47struct crypto_rfc4543_instance_ctx {
  48        struct crypto_aead_spawn aead;
  49};
  50
  51struct crypto_rfc4543_ctx {
  52        struct crypto_aead *child;
  53        struct crypto_skcipher *null;
  54        u8 nonce[4];
  55};
  56
  57struct crypto_rfc4543_req_ctx {
  58        struct aead_request subreq;
  59};
  60
  61struct crypto_gcm_ghash_ctx {
  62        unsigned int cryptlen;
  63        struct scatterlist *src;
  64        int (*complete)(struct aead_request *req, u32 flags);
  65};
  66
  67struct crypto_gcm_req_priv_ctx {
  68        u8 iv[16];
  69        u8 auth_tag[16];
  70        u8 iauth_tag[16];
  71        struct scatterlist src[3];
  72        struct scatterlist dst[3];
  73        struct scatterlist sg;
  74        struct crypto_gcm_ghash_ctx ghash_ctx;
  75        union {
  76                struct ahash_request ahreq;
  77                struct skcipher_request skreq;
  78        } u;
  79};
  80
  81static struct {
  82        u8 buf[16];
  83        struct scatterlist sg;
  84} *gcm_zeroes;
  85
  86static int crypto_rfc4543_copy_src_to_dst(struct aead_request *req, bool enc);
  87
  88static inline struct crypto_gcm_req_priv_ctx *crypto_gcm_reqctx(
  89        struct aead_request *req)
  90{
  91        unsigned long align = crypto_aead_alignmask(crypto_aead_reqtfm(req));
  92
  93        return (void *)PTR_ALIGN((u8 *)aead_request_ctx(req), align + 1);
  94}
  95
  96static int crypto_gcm_setkey(struct crypto_aead *aead, const u8 *key,
  97                             unsigned int keylen)
  98{
  99        struct crypto_gcm_ctx *ctx = crypto_aead_ctx(aead);
 100        struct crypto_ahash *ghash = ctx->ghash;
 101        struct crypto_skcipher *ctr = ctx->ctr;
 102        struct {
 103                be128 hash;
 104                u8 iv[16];
 105
 106                struct crypto_wait wait;
 107
 108                struct scatterlist sg[1];
 109                struct skcipher_request req;
 110        } *data;
 111        int err;
 112
 113        crypto_skcipher_clear_flags(ctr, CRYPTO_TFM_REQ_MASK);
 114        crypto_skcipher_set_flags(ctr, crypto_aead_get_flags(aead) &
 115                                       CRYPTO_TFM_REQ_MASK);
 116        err = crypto_skcipher_setkey(ctr, key, keylen);
 117        crypto_aead_set_flags(aead, crypto_skcipher_get_flags(ctr) &
 118                                    CRYPTO_TFM_RES_MASK);
 119        if (err)
 120                return err;
 121
 122        data = kzalloc(sizeof(*data) + crypto_skcipher_reqsize(ctr),
 123                       GFP_KERNEL);
 124        if (!data)
 125                return -ENOMEM;
 126
 127        crypto_init_wait(&data->wait);
 128        sg_init_one(data->sg, &data->hash, sizeof(data->hash));
 129        skcipher_request_set_tfm(&data->req, ctr);
 130        skcipher_request_set_callback(&data->req, CRYPTO_TFM_REQ_MAY_SLEEP |
 131                                                  CRYPTO_TFM_REQ_MAY_BACKLOG,
 132                                      crypto_req_done,
 133                                      &data->wait);
 134        skcipher_request_set_crypt(&data->req, data->sg, data->sg,
 135                                   sizeof(data->hash), data->iv);
 136
 137        err = crypto_wait_req(crypto_skcipher_encrypt(&data->req),
 138                                                        &data->wait);
 139
 140        if (err)
 141                goto out;
 142
 143        crypto_ahash_clear_flags(ghash, CRYPTO_TFM_REQ_MASK);
 144        crypto_ahash_set_flags(ghash, crypto_aead_get_flags(aead) &
 145                               CRYPTO_TFM_REQ_MASK);
 146        err = crypto_ahash_setkey(ghash, (u8 *)&data->hash, sizeof(be128));
 147        crypto_aead_set_flags(aead, crypto_ahash_get_flags(ghash) &
 148                              CRYPTO_TFM_RES_MASK);
 149
 150out:
 151        kzfree(data);
 152        return err;
 153}
 154
 155static int crypto_gcm_setauthsize(struct crypto_aead *tfm,
 156                                  unsigned int authsize)
 157{
 158        switch (authsize) {
 159        case 4:
 160        case 8:
 161        case 12:
 162        case 13:
 163        case 14:
 164        case 15:
 165        case 16:
 166                break;
 167        default:
 168                return -EINVAL;
 169        }
 170
 171        return 0;
 172}
 173
 174static void crypto_gcm_init_common(struct aead_request *req)
 175{
 176        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 177        __be32 counter = cpu_to_be32(1);
 178        struct scatterlist *sg;
 179
 180        memset(pctx->auth_tag, 0, sizeof(pctx->auth_tag));
 181        memcpy(pctx->iv, req->iv, GCM_AES_IV_SIZE);
 182        memcpy(pctx->iv + GCM_AES_IV_SIZE, &counter, 4);
 183
 184        sg_init_table(pctx->src, 3);
 185        sg_set_buf(pctx->src, pctx->auth_tag, sizeof(pctx->auth_tag));
 186        sg = scatterwalk_ffwd(pctx->src + 1, req->src, req->assoclen);
 187        if (sg != pctx->src + 1)
 188                sg_chain(pctx->src, 2, sg);
 189
 190        if (req->src != req->dst) {
 191                sg_init_table(pctx->dst, 3);
 192                sg_set_buf(pctx->dst, pctx->auth_tag, sizeof(pctx->auth_tag));
 193                sg = scatterwalk_ffwd(pctx->dst + 1, req->dst, req->assoclen);
 194                if (sg != pctx->dst + 1)
 195                        sg_chain(pctx->dst, 2, sg);
 196        }
 197}
 198
 199static void crypto_gcm_init_crypt(struct aead_request *req,
 200                                  unsigned int cryptlen)
 201{
 202        struct crypto_aead *aead = crypto_aead_reqtfm(req);
 203        struct crypto_gcm_ctx *ctx = crypto_aead_ctx(aead);
 204        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 205        struct skcipher_request *skreq = &pctx->u.skreq;
 206        struct scatterlist *dst;
 207
 208        dst = req->src == req->dst ? pctx->src : pctx->dst;
 209
 210        skcipher_request_set_tfm(skreq, ctx->ctr);
 211        skcipher_request_set_crypt(skreq, pctx->src, dst,
 212                                     cryptlen + sizeof(pctx->auth_tag),
 213                                     pctx->iv);
 214}
 215
 216static inline unsigned int gcm_remain(unsigned int len)
 217{
 218        len &= 0xfU;
 219        return len ? 16 - len : 0;
 220}
 221
 222static void gcm_hash_len_done(struct crypto_async_request *areq, int err);
 223
 224static int gcm_hash_update(struct aead_request *req,
 225                           crypto_completion_t compl,
 226                           struct scatterlist *src,
 227                           unsigned int len, u32 flags)
 228{
 229        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 230        struct ahash_request *ahreq = &pctx->u.ahreq;
 231
 232        ahash_request_set_callback(ahreq, flags, compl, req);
 233        ahash_request_set_crypt(ahreq, src, NULL, len);
 234
 235        return crypto_ahash_update(ahreq);
 236}
 237
 238static int gcm_hash_remain(struct aead_request *req,
 239                           unsigned int remain,
 240                           crypto_completion_t compl, u32 flags)
 241{
 242        return gcm_hash_update(req, compl, &gcm_zeroes->sg, remain, flags);
 243}
 244
 245static int gcm_hash_len(struct aead_request *req, u32 flags)
 246{
 247        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 248        struct ahash_request *ahreq = &pctx->u.ahreq;
 249        struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
 250        u128 lengths;
 251
 252        lengths.a = cpu_to_be64(req->assoclen * 8);
 253        lengths.b = cpu_to_be64(gctx->cryptlen * 8);
 254        memcpy(pctx->iauth_tag, &lengths, 16);
 255        sg_init_one(&pctx->sg, pctx->iauth_tag, 16);
 256        ahash_request_set_callback(ahreq, flags, gcm_hash_len_done, req);
 257        ahash_request_set_crypt(ahreq, &pctx->sg,
 258                                pctx->iauth_tag, sizeof(lengths));
 259
 260        return crypto_ahash_finup(ahreq);
 261}
 262
 263static int gcm_hash_len_continue(struct aead_request *req, u32 flags)
 264{
 265        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 266        struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
 267
 268        return gctx->complete(req, flags);
 269}
 270
 271static void gcm_hash_len_done(struct crypto_async_request *areq, int err)
 272{
 273        struct aead_request *req = areq->data;
 274
 275        if (err)
 276                goto out;
 277
 278        err = gcm_hash_len_continue(req, 0);
 279        if (err == -EINPROGRESS)
 280                return;
 281
 282out:
 283        aead_request_complete(req, err);
 284}
 285
 286static int gcm_hash_crypt_remain_continue(struct aead_request *req, u32 flags)
 287{
 288        return gcm_hash_len(req, flags) ?:
 289               gcm_hash_len_continue(req, flags);
 290}
 291
 292static void gcm_hash_crypt_remain_done(struct crypto_async_request *areq,
 293                                       int err)
 294{
 295        struct aead_request *req = areq->data;
 296
 297        if (err)
 298                goto out;
 299
 300        err = gcm_hash_crypt_remain_continue(req, 0);
 301        if (err == -EINPROGRESS)
 302                return;
 303
 304out:
 305        aead_request_complete(req, err);
 306}
 307
 308static int gcm_hash_crypt_continue(struct aead_request *req, u32 flags)
 309{
 310        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 311        struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
 312        unsigned int remain;
 313
 314        remain = gcm_remain(gctx->cryptlen);
 315        if (remain)
 316                return gcm_hash_remain(req, remain,
 317                                       gcm_hash_crypt_remain_done, flags) ?:
 318                       gcm_hash_crypt_remain_continue(req, flags);
 319
 320        return gcm_hash_crypt_remain_continue(req, flags);
 321}
 322
 323static void gcm_hash_crypt_done(struct crypto_async_request *areq, int err)
 324{
 325        struct aead_request *req = areq->data;
 326
 327        if (err)
 328                goto out;
 329
 330        err = gcm_hash_crypt_continue(req, 0);
 331        if (err == -EINPROGRESS)
 332                return;
 333
 334out:
 335        aead_request_complete(req, err);
 336}
 337
 338static int gcm_hash_assoc_remain_continue(struct aead_request *req, u32 flags)
 339{
 340        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 341        struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
 342
 343        if (gctx->cryptlen)
 344                return gcm_hash_update(req, gcm_hash_crypt_done,
 345                                       gctx->src, gctx->cryptlen, flags) ?:
 346                       gcm_hash_crypt_continue(req, flags);
 347
 348        return gcm_hash_crypt_remain_continue(req, flags);
 349}
 350
 351static void gcm_hash_assoc_remain_done(struct crypto_async_request *areq,
 352                                       int err)
 353{
 354        struct aead_request *req = areq->data;
 355
 356        if (err)
 357                goto out;
 358
 359        err = gcm_hash_assoc_remain_continue(req, 0);
 360        if (err == -EINPROGRESS)
 361                return;
 362
 363out:
 364        aead_request_complete(req, err);
 365}
 366
 367static int gcm_hash_assoc_continue(struct aead_request *req, u32 flags)
 368{
 369        unsigned int remain;
 370
 371        remain = gcm_remain(req->assoclen);
 372        if (remain)
 373                return gcm_hash_remain(req, remain,
 374                                       gcm_hash_assoc_remain_done, flags) ?:
 375                       gcm_hash_assoc_remain_continue(req, flags);
 376
 377        return gcm_hash_assoc_remain_continue(req, flags);
 378}
 379
 380static void gcm_hash_assoc_done(struct crypto_async_request *areq, int err)
 381{
 382        struct aead_request *req = areq->data;
 383
 384        if (err)
 385                goto out;
 386
 387        err = gcm_hash_assoc_continue(req, 0);
 388        if (err == -EINPROGRESS)
 389                return;
 390
 391out:
 392        aead_request_complete(req, err);
 393}
 394
 395static int gcm_hash_init_continue(struct aead_request *req, u32 flags)
 396{
 397        if (req->assoclen)
 398                return gcm_hash_update(req, gcm_hash_assoc_done,
 399                                       req->src, req->assoclen, flags) ?:
 400                       gcm_hash_assoc_continue(req, flags);
 401
 402        return gcm_hash_assoc_remain_continue(req, flags);
 403}
 404
 405static void gcm_hash_init_done(struct crypto_async_request *areq, int err)
 406{
 407        struct aead_request *req = areq->data;
 408
 409        if (err)
 410                goto out;
 411
 412        err = gcm_hash_init_continue(req, 0);
 413        if (err == -EINPROGRESS)
 414                return;
 415
 416out:
 417        aead_request_complete(req, err);
 418}
 419
 420static int gcm_hash(struct aead_request *req, u32 flags)
 421{
 422        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 423        struct ahash_request *ahreq = &pctx->u.ahreq;
 424        struct crypto_gcm_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
 425
 426        ahash_request_set_tfm(ahreq, ctx->ghash);
 427
 428        ahash_request_set_callback(ahreq, flags, gcm_hash_init_done, req);
 429        return crypto_ahash_init(ahreq) ?:
 430               gcm_hash_init_continue(req, flags);
 431}
 432
 433static int gcm_enc_copy_hash(struct aead_request *req, u32 flags)
 434{
 435        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 436        struct crypto_aead *aead = crypto_aead_reqtfm(req);
 437        u8 *auth_tag = pctx->auth_tag;
 438
 439        crypto_xor(auth_tag, pctx->iauth_tag, 16);
 440        scatterwalk_map_and_copy(auth_tag, req->dst,
 441                                 req->assoclen + req->cryptlen,
 442                                 crypto_aead_authsize(aead), 1);
 443        return 0;
 444}
 445
 446static int gcm_encrypt_continue(struct aead_request *req, u32 flags)
 447{
 448        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 449        struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
 450
 451        gctx->src = sg_next(req->src == req->dst ? pctx->src : pctx->dst);
 452        gctx->cryptlen = req->cryptlen;
 453        gctx->complete = gcm_enc_copy_hash;
 454
 455        return gcm_hash(req, flags);
 456}
 457
 458static void gcm_encrypt_done(struct crypto_async_request *areq, int err)
 459{
 460        struct aead_request *req = areq->data;
 461
 462        if (err)
 463                goto out;
 464
 465        err = gcm_encrypt_continue(req, 0);
 466        if (err == -EINPROGRESS)
 467                return;
 468
 469out:
 470        aead_request_complete(req, err);
 471}
 472
 473static int crypto_gcm_encrypt(struct aead_request *req)
 474{
 475        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 476        struct skcipher_request *skreq = &pctx->u.skreq;
 477        u32 flags = aead_request_flags(req);
 478
 479        crypto_gcm_init_common(req);
 480        crypto_gcm_init_crypt(req, req->cryptlen);
 481        skcipher_request_set_callback(skreq, flags, gcm_encrypt_done, req);
 482
 483        return crypto_skcipher_encrypt(skreq) ?:
 484               gcm_encrypt_continue(req, flags);
 485}
 486
 487static int crypto_gcm_verify(struct aead_request *req)
 488{
 489        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 490        struct crypto_aead *aead = crypto_aead_reqtfm(req);
 491        u8 *auth_tag = pctx->auth_tag;
 492        u8 *iauth_tag = pctx->iauth_tag;
 493        unsigned int authsize = crypto_aead_authsize(aead);
 494        unsigned int cryptlen = req->cryptlen - authsize;
 495
 496        crypto_xor(auth_tag, iauth_tag, 16);
 497        scatterwalk_map_and_copy(iauth_tag, req->src,
 498                                 req->assoclen + cryptlen, authsize, 0);
 499        return crypto_memneq(iauth_tag, auth_tag, authsize) ? -EBADMSG : 0;
 500}
 501
 502static void gcm_decrypt_done(struct crypto_async_request *areq, int err)
 503{
 504        struct aead_request *req = areq->data;
 505
 506        if (!err)
 507                err = crypto_gcm_verify(req);
 508
 509        aead_request_complete(req, err);
 510}
 511
 512static int gcm_dec_hash_continue(struct aead_request *req, u32 flags)
 513{
 514        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 515        struct skcipher_request *skreq = &pctx->u.skreq;
 516        struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
 517
 518        crypto_gcm_init_crypt(req, gctx->cryptlen);
 519        skcipher_request_set_callback(skreq, flags, gcm_decrypt_done, req);
 520        return crypto_skcipher_decrypt(skreq) ?: crypto_gcm_verify(req);
 521}
 522
 523static int crypto_gcm_decrypt(struct aead_request *req)
 524{
 525        struct crypto_aead *aead = crypto_aead_reqtfm(req);
 526        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 527        struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
 528        unsigned int authsize = crypto_aead_authsize(aead);
 529        unsigned int cryptlen = req->cryptlen;
 530        u32 flags = aead_request_flags(req);
 531
 532        cryptlen -= authsize;
 533
 534        crypto_gcm_init_common(req);
 535
 536        gctx->src = sg_next(pctx->src);
 537        gctx->cryptlen = cryptlen;
 538        gctx->complete = gcm_dec_hash_continue;
 539
 540        return gcm_hash(req, flags);
 541}
 542
 543static int crypto_gcm_init_tfm(struct crypto_aead *tfm)
 544{
 545        struct aead_instance *inst = aead_alg_instance(tfm);
 546        struct gcm_instance_ctx *ictx = aead_instance_ctx(inst);
 547        struct crypto_gcm_ctx *ctx = crypto_aead_ctx(tfm);
 548        struct crypto_skcipher *ctr;
 549        struct crypto_ahash *ghash;
 550        unsigned long align;
 551        int err;
 552
 553        ghash = crypto_spawn_ahash(&ictx->ghash);
 554        if (IS_ERR(ghash))
 555                return PTR_ERR(ghash);
 556
 557        ctr = crypto_spawn_skcipher(&ictx->ctr);
 558        err = PTR_ERR(ctr);
 559        if (IS_ERR(ctr))
 560                goto err_free_hash;
 561
 562        ctx->ctr = ctr;
 563        ctx->ghash = ghash;
 564
 565        align = crypto_aead_alignmask(tfm);
 566        align &= ~(crypto_tfm_ctx_alignment() - 1);
 567        crypto_aead_set_reqsize(tfm,
 568                align + offsetof(struct crypto_gcm_req_priv_ctx, u) +
 569                max(sizeof(struct skcipher_request) +
 570                    crypto_skcipher_reqsize(ctr),
 571                    sizeof(struct ahash_request) +
 572                    crypto_ahash_reqsize(ghash)));
 573
 574        return 0;
 575
 576err_free_hash:
 577        crypto_free_ahash(ghash);
 578        return err;
 579}
 580
 581static void crypto_gcm_exit_tfm(struct crypto_aead *tfm)
 582{
 583        struct crypto_gcm_ctx *ctx = crypto_aead_ctx(tfm);
 584
 585        crypto_free_ahash(ctx->ghash);
 586        crypto_free_skcipher(ctx->ctr);
 587}
 588
 589static void crypto_gcm_free(struct aead_instance *inst)
 590{
 591        struct gcm_instance_ctx *ctx = aead_instance_ctx(inst);
 592
 593        crypto_drop_skcipher(&ctx->ctr);
 594        crypto_drop_ahash(&ctx->ghash);
 595        kfree(inst);
 596}
 597
 598static int crypto_gcm_create_common(struct crypto_template *tmpl,
 599                                    struct rtattr **tb,
 600                                    const char *full_name,
 601                                    const char *ctr_name,
 602                                    const char *ghash_name)
 603{
 604        struct crypto_attr_type *algt;
 605        struct aead_instance *inst;
 606        struct skcipher_alg *ctr;
 607        struct crypto_alg *ghash_alg;
 608        struct hash_alg_common *ghash;
 609        struct gcm_instance_ctx *ctx;
 610        int err;
 611
 612        algt = crypto_get_attr_type(tb);
 613        if (IS_ERR(algt))
 614                return PTR_ERR(algt);
 615
 616        if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
 617                return -EINVAL;
 618
 619        ghash_alg = crypto_find_alg(ghash_name, &crypto_ahash_type,
 620                                    CRYPTO_ALG_TYPE_HASH,
 621                                    CRYPTO_ALG_TYPE_AHASH_MASK |
 622                                    crypto_requires_sync(algt->type,
 623                                                         algt->mask));
 624        if (IS_ERR(ghash_alg))
 625                return PTR_ERR(ghash_alg);
 626
 627        ghash = __crypto_hash_alg_common(ghash_alg);
 628
 629        err = -ENOMEM;
 630        inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
 631        if (!inst)
 632                goto out_put_ghash;
 633
 634        ctx = aead_instance_ctx(inst);
 635        err = crypto_init_ahash_spawn(&ctx->ghash, ghash,
 636                                      aead_crypto_instance(inst));
 637        if (err)
 638                goto err_free_inst;
 639
 640        err = -EINVAL;
 641        if (ghash->digestsize != 16)
 642                goto err_drop_ghash;
 643
 644        crypto_set_skcipher_spawn(&ctx->ctr, aead_crypto_instance(inst));
 645        err = crypto_grab_skcipher(&ctx->ctr, ctr_name, 0,
 646                                   crypto_requires_sync(algt->type,
 647                                                        algt->mask));
 648        if (err)
 649                goto err_drop_ghash;
 650
 651        ctr = crypto_spawn_skcipher_alg(&ctx->ctr);
 652
 653        /* We only support 16-byte blocks. */
 654        err = -EINVAL;
 655        if (crypto_skcipher_alg_ivsize(ctr) != 16)
 656                goto out_put_ctr;
 657
 658        /* Not a stream cipher? */
 659        if (ctr->base.cra_blocksize != 1)
 660                goto out_put_ctr;
 661
 662        err = -ENAMETOOLONG;
 663        if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
 664                     "gcm_base(%s,%s)", ctr->base.cra_driver_name,
 665                     ghash_alg->cra_driver_name) >=
 666            CRYPTO_MAX_ALG_NAME)
 667                goto out_put_ctr;
 668
 669        memcpy(inst->alg.base.cra_name, full_name, CRYPTO_MAX_ALG_NAME);
 670
 671        inst->alg.base.cra_flags = (ghash->base.cra_flags |
 672                                    ctr->base.cra_flags) & CRYPTO_ALG_ASYNC;
 673        inst->alg.base.cra_priority = (ghash->base.cra_priority +
 674                                       ctr->base.cra_priority) / 2;
 675        inst->alg.base.cra_blocksize = 1;
 676        inst->alg.base.cra_alignmask = ghash->base.cra_alignmask |
 677                                       ctr->base.cra_alignmask;
 678        inst->alg.base.cra_ctxsize = sizeof(struct crypto_gcm_ctx);
 679        inst->alg.ivsize = GCM_AES_IV_SIZE;
 680        inst->alg.chunksize = crypto_skcipher_alg_chunksize(ctr);
 681        inst->alg.maxauthsize = 16;
 682        inst->alg.init = crypto_gcm_init_tfm;
 683        inst->alg.exit = crypto_gcm_exit_tfm;
 684        inst->alg.setkey = crypto_gcm_setkey;
 685        inst->alg.setauthsize = crypto_gcm_setauthsize;
 686        inst->alg.encrypt = crypto_gcm_encrypt;
 687        inst->alg.decrypt = crypto_gcm_decrypt;
 688
 689        inst->free = crypto_gcm_free;
 690
 691        err = aead_register_instance(tmpl, inst);
 692        if (err)
 693                goto out_put_ctr;
 694
 695out_put_ghash:
 696        crypto_mod_put(ghash_alg);
 697        return err;
 698
 699out_put_ctr:
 700        crypto_drop_skcipher(&ctx->ctr);
 701err_drop_ghash:
 702        crypto_drop_ahash(&ctx->ghash);
 703err_free_inst:
 704        kfree(inst);
 705        goto out_put_ghash;
 706}
 707
 708static int crypto_gcm_create(struct crypto_template *tmpl, struct rtattr **tb)
 709{
 710        const char *cipher_name;
 711        char ctr_name[CRYPTO_MAX_ALG_NAME];
 712        char full_name[CRYPTO_MAX_ALG_NAME];
 713
 714        cipher_name = crypto_attr_alg_name(tb[1]);
 715        if (IS_ERR(cipher_name))
 716                return PTR_ERR(cipher_name);
 717
 718        if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", cipher_name) >=
 719            CRYPTO_MAX_ALG_NAME)
 720                return -ENAMETOOLONG;
 721
 722        if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm(%s)", cipher_name) >=
 723            CRYPTO_MAX_ALG_NAME)
 724                return -ENAMETOOLONG;
 725
 726        return crypto_gcm_create_common(tmpl, tb, full_name,
 727                                        ctr_name, "ghash");
 728}
 729
 730static struct crypto_template crypto_gcm_tmpl = {
 731        .name = "gcm",
 732        .create = crypto_gcm_create,
 733        .module = THIS_MODULE,
 734};
 735
 736static int crypto_gcm_base_create(struct crypto_template *tmpl,
 737                                  struct rtattr **tb)
 738{
 739        const char *ctr_name;
 740        const char *ghash_name;
 741        char full_name[CRYPTO_MAX_ALG_NAME];
 742
 743        ctr_name = crypto_attr_alg_name(tb[1]);
 744        if (IS_ERR(ctr_name))
 745                return PTR_ERR(ctr_name);
 746
 747        ghash_name = crypto_attr_alg_name(tb[2]);
 748        if (IS_ERR(ghash_name))
 749                return PTR_ERR(ghash_name);
 750
 751        if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm_base(%s,%s)",
 752                     ctr_name, ghash_name) >= CRYPTO_MAX_ALG_NAME)
 753                return -ENAMETOOLONG;
 754
 755        return crypto_gcm_create_common(tmpl, tb, full_name,
 756                                        ctr_name, ghash_name);
 757}
 758
 759static struct crypto_template crypto_gcm_base_tmpl = {
 760        .name = "gcm_base",
 761        .create = crypto_gcm_base_create,
 762        .module = THIS_MODULE,
 763};
 764
 765static int crypto_rfc4106_setkey(struct crypto_aead *parent, const u8 *key,
 766                                 unsigned int keylen)
 767{
 768        struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(parent);
 769        struct crypto_aead *child = ctx->child;
 770        int err;
 771
 772        if (keylen < 4)
 773                return -EINVAL;
 774
 775        keylen -= 4;
 776        memcpy(ctx->nonce, key + keylen, 4);
 777
 778        crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK);
 779        crypto_aead_set_flags(child, crypto_aead_get_flags(parent) &
 780                                     CRYPTO_TFM_REQ_MASK);
 781        err = crypto_aead_setkey(child, key, keylen);
 782        crypto_aead_set_flags(parent, crypto_aead_get_flags(child) &
 783                                      CRYPTO_TFM_RES_MASK);
 784
 785        return err;
 786}
 787
 788static int crypto_rfc4106_setauthsize(struct crypto_aead *parent,
 789                                      unsigned int authsize)
 790{
 791        struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(parent);
 792
 793        switch (authsize) {
 794        case 8:
 795        case 12:
 796        case 16:
 797                break;
 798        default:
 799                return -EINVAL;
 800        }
 801
 802        return crypto_aead_setauthsize(ctx->child, authsize);
 803}
 804
 805static struct aead_request *crypto_rfc4106_crypt(struct aead_request *req)
 806{
 807        struct crypto_rfc4106_req_ctx *rctx = aead_request_ctx(req);
 808        struct crypto_aead *aead = crypto_aead_reqtfm(req);
 809        struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(aead);
 810        struct aead_request *subreq = &rctx->subreq;
 811        struct crypto_aead *child = ctx->child;
 812        struct scatterlist *sg;
 813        u8 *iv = PTR_ALIGN((u8 *)(subreq + 1) + crypto_aead_reqsize(child),
 814                           crypto_aead_alignmask(child) + 1);
 815
 816        scatterwalk_map_and_copy(iv + GCM_AES_IV_SIZE, req->src, 0, req->assoclen - 8, 0);
 817
 818        memcpy(iv, ctx->nonce, 4);
 819        memcpy(iv + 4, req->iv, 8);
 820
 821        sg_init_table(rctx->src, 3);
 822        sg_set_buf(rctx->src, iv + GCM_AES_IV_SIZE, req->assoclen - 8);
 823        sg = scatterwalk_ffwd(rctx->src + 1, req->src, req->assoclen);
 824        if (sg != rctx->src + 1)
 825                sg_chain(rctx->src, 2, sg);
 826
 827        if (req->src != req->dst) {
 828                sg_init_table(rctx->dst, 3);
 829                sg_set_buf(rctx->dst, iv + GCM_AES_IV_SIZE, req->assoclen - 8);
 830                sg = scatterwalk_ffwd(rctx->dst + 1, req->dst, req->assoclen);
 831                if (sg != rctx->dst + 1)
 832                        sg_chain(rctx->dst, 2, sg);
 833        }
 834
 835        aead_request_set_tfm(subreq, child);
 836        aead_request_set_callback(subreq, req->base.flags, req->base.complete,
 837                                  req->base.data);
 838        aead_request_set_crypt(subreq, rctx->src,
 839                               req->src == req->dst ? rctx->src : rctx->dst,
 840                               req->cryptlen, iv);
 841        aead_request_set_ad(subreq, req->assoclen - 8);
 842
 843        return subreq;
 844}
 845
 846static int crypto_rfc4106_encrypt(struct aead_request *req)
 847{
 848        if (req->assoclen != 16 && req->assoclen != 20)
 849                return -EINVAL;
 850
 851        req = crypto_rfc4106_crypt(req);
 852
 853        return crypto_aead_encrypt(req);
 854}
 855
 856static int crypto_rfc4106_decrypt(struct aead_request *req)
 857{
 858        if (req->assoclen != 16 && req->assoclen != 20)
 859                return -EINVAL;
 860
 861        req = crypto_rfc4106_crypt(req);
 862
 863        return crypto_aead_decrypt(req);
 864}
 865
 866static int crypto_rfc4106_init_tfm(struct crypto_aead *tfm)
 867{
 868        struct aead_instance *inst = aead_alg_instance(tfm);
 869        struct crypto_aead_spawn *spawn = aead_instance_ctx(inst);
 870        struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(tfm);
 871        struct crypto_aead *aead;
 872        unsigned long align;
 873
 874        aead = crypto_spawn_aead(spawn);
 875        if (IS_ERR(aead))
 876                return PTR_ERR(aead);
 877
 878        ctx->child = aead;
 879
 880        align = crypto_aead_alignmask(aead);
 881        align &= ~(crypto_tfm_ctx_alignment() - 1);
 882        crypto_aead_set_reqsize(
 883                tfm,
 884                sizeof(struct crypto_rfc4106_req_ctx) +
 885                ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) +
 886                align + 24);
 887
 888        return 0;
 889}
 890
 891static void crypto_rfc4106_exit_tfm(struct crypto_aead *tfm)
 892{
 893        struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(tfm);
 894
 895        crypto_free_aead(ctx->child);
 896}
 897
 898static void crypto_rfc4106_free(struct aead_instance *inst)
 899{
 900        crypto_drop_aead(aead_instance_ctx(inst));
 901        kfree(inst);
 902}
 903
 904static int crypto_rfc4106_create(struct crypto_template *tmpl,
 905                                 struct rtattr **tb)
 906{
 907        struct crypto_attr_type *algt;
 908        struct aead_instance *inst;
 909        struct crypto_aead_spawn *spawn;
 910        struct aead_alg *alg;
 911        const char *ccm_name;
 912        int err;
 913
 914        algt = crypto_get_attr_type(tb);
 915        if (IS_ERR(algt))
 916                return PTR_ERR(algt);
 917
 918        if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
 919                return -EINVAL;
 920
 921        ccm_name = crypto_attr_alg_name(tb[1]);
 922        if (IS_ERR(ccm_name))
 923                return PTR_ERR(ccm_name);
 924
 925        inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
 926        if (!inst)
 927                return -ENOMEM;
 928
 929        spawn = aead_instance_ctx(inst);
 930        crypto_set_aead_spawn(spawn, aead_crypto_instance(inst));
 931        err = crypto_grab_aead(spawn, ccm_name, 0,
 932                               crypto_requires_sync(algt->type, algt->mask));
 933        if (err)
 934                goto out_free_inst;
 935
 936        alg = crypto_spawn_aead_alg(spawn);
 937
 938        err = -EINVAL;
 939
 940        /* Underlying IV size must be 12. */
 941        if (crypto_aead_alg_ivsize(alg) != GCM_AES_IV_SIZE)
 942                goto out_drop_alg;
 943
 944        /* Not a stream cipher? */
 945        if (alg->base.cra_blocksize != 1)
 946                goto out_drop_alg;
 947
 948        err = -ENAMETOOLONG;
 949        if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
 950                     "rfc4106(%s)", alg->base.cra_name) >=
 951            CRYPTO_MAX_ALG_NAME ||
 952            snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
 953                     "rfc4106(%s)", alg->base.cra_driver_name) >=
 954            CRYPTO_MAX_ALG_NAME)
 955                goto out_drop_alg;
 956
 957        inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC;
 958        inst->alg.base.cra_priority = alg->base.cra_priority;
 959        inst->alg.base.cra_blocksize = 1;
 960        inst->alg.base.cra_alignmask = alg->base.cra_alignmask;
 961
 962        inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4106_ctx);
 963
 964        inst->alg.ivsize = GCM_RFC4106_IV_SIZE;
 965        inst->alg.chunksize = crypto_aead_alg_chunksize(alg);
 966        inst->alg.maxauthsize = crypto_aead_alg_maxauthsize(alg);
 967
 968        inst->alg.init = crypto_rfc4106_init_tfm;
 969        inst->alg.exit = crypto_rfc4106_exit_tfm;
 970
 971        inst->alg.setkey = crypto_rfc4106_setkey;
 972        inst->alg.setauthsize = crypto_rfc4106_setauthsize;
 973        inst->alg.encrypt = crypto_rfc4106_encrypt;
 974        inst->alg.decrypt = crypto_rfc4106_decrypt;
 975
 976        inst->free = crypto_rfc4106_free;
 977
 978        err = aead_register_instance(tmpl, inst);
 979        if (err)
 980                goto out_drop_alg;
 981
 982out:
 983        return err;
 984
 985out_drop_alg:
 986        crypto_drop_aead(spawn);
 987out_free_inst:
 988        kfree(inst);
 989        goto out;
 990}
 991
 992static struct crypto_template crypto_rfc4106_tmpl = {
 993        .name = "rfc4106",
 994        .create = crypto_rfc4106_create,
 995        .module = THIS_MODULE,
 996};
 997
 998static int crypto_rfc4543_setkey(struct crypto_aead *parent, const u8 *key,
 999                                 unsigned int keylen)
1000{
1001        struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(parent);
1002        struct crypto_aead *child = ctx->child;
1003        int err;
1004
1005        if (keylen < 4)
1006                return -EINVAL;
1007
1008        keylen -= 4;
1009        memcpy(ctx->nonce, key + keylen, 4);
1010
1011        crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK);
1012        crypto_aead_set_flags(child, crypto_aead_get_flags(parent) &
1013                                     CRYPTO_TFM_REQ_MASK);
1014        err = crypto_aead_setkey(child, key, keylen);
1015        crypto_aead_set_flags(parent, crypto_aead_get_flags(child) &
1016                                      CRYPTO_TFM_RES_MASK);
1017
1018        return err;
1019}
1020
1021static int crypto_rfc4543_setauthsize(struct crypto_aead *parent,
1022                                      unsigned int authsize)
1023{
1024        struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(parent);
1025
1026        if (authsize != 16)
1027                return -EINVAL;
1028
1029        return crypto_aead_setauthsize(ctx->child, authsize);
1030}
1031
1032static int crypto_rfc4543_crypt(struct aead_request *req, bool enc)
1033{
1034        struct crypto_aead *aead = crypto_aead_reqtfm(req);
1035        struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(aead);
1036        struct crypto_rfc4543_req_ctx *rctx = aead_request_ctx(req);
1037        struct aead_request *subreq = &rctx->subreq;
1038        unsigned int authsize = crypto_aead_authsize(aead);
1039        u8 *iv = PTR_ALIGN((u8 *)(rctx + 1) + crypto_aead_reqsize(ctx->child),
1040                           crypto_aead_alignmask(ctx->child) + 1);
1041        int err;
1042
1043        if (req->src != req->dst) {
1044                err = crypto_rfc4543_copy_src_to_dst(req, enc);
1045                if (err)
1046                        return err;
1047        }
1048
1049        memcpy(iv, ctx->nonce, 4);
1050        memcpy(iv + 4, req->iv, 8);
1051
1052        aead_request_set_tfm(subreq, ctx->child);
1053        aead_request_set_callback(subreq, req->base.flags,
1054                                  req->base.complete, req->base.data);
1055        aead_request_set_crypt(subreq, req->src, req->dst,
1056                               enc ? 0 : authsize, iv);
1057        aead_request_set_ad(subreq, req->assoclen + req->cryptlen -
1058                                    subreq->cryptlen);
1059
1060        return enc ? crypto_aead_encrypt(subreq) : crypto_aead_decrypt(subreq);
1061}
1062
1063static int crypto_rfc4543_copy_src_to_dst(struct aead_request *req, bool enc)
1064{
1065        struct crypto_aead *aead = crypto_aead_reqtfm(req);
1066        struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(aead);
1067        unsigned int authsize = crypto_aead_authsize(aead);
1068        unsigned int nbytes = req->assoclen + req->cryptlen -
1069                              (enc ? 0 : authsize);
1070        SKCIPHER_REQUEST_ON_STACK(nreq, ctx->null);
1071
1072        skcipher_request_set_tfm(nreq, ctx->null);
1073        skcipher_request_set_callback(nreq, req->base.flags, NULL, NULL);
1074        skcipher_request_set_crypt(nreq, req->src, req->dst, nbytes, NULL);
1075
1076        return crypto_skcipher_encrypt(nreq);
1077}
1078
1079static int crypto_rfc4543_encrypt(struct aead_request *req)
1080{
1081        return crypto_rfc4543_crypt(req, true);
1082}
1083
1084static int crypto_rfc4543_decrypt(struct aead_request *req)
1085{
1086        return crypto_rfc4543_crypt(req, false);
1087}
1088
1089static int crypto_rfc4543_init_tfm(struct crypto_aead *tfm)
1090{
1091        struct aead_instance *inst = aead_alg_instance(tfm);
1092        struct crypto_rfc4543_instance_ctx *ictx = aead_instance_ctx(inst);
1093        struct crypto_aead_spawn *spawn = &ictx->aead;
1094        struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(tfm);
1095        struct crypto_aead *aead;
1096        struct crypto_skcipher *null;
1097        unsigned long align;
1098        int err = 0;
1099
1100        aead = crypto_spawn_aead(spawn);
1101        if (IS_ERR(aead))
1102                return PTR_ERR(aead);
1103
1104        null = crypto_get_default_null_skcipher();
1105        err = PTR_ERR(null);
1106        if (IS_ERR(null))
1107                goto err_free_aead;
1108
1109        ctx->child = aead;
1110        ctx->null = null;
1111
1112        align = crypto_aead_alignmask(aead);
1113        align &= ~(crypto_tfm_ctx_alignment() - 1);
1114        crypto_aead_set_reqsize(
1115                tfm,
1116                sizeof(struct crypto_rfc4543_req_ctx) +
1117                ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) +
1118                align + GCM_AES_IV_SIZE);
1119
1120        return 0;
1121
1122err_free_aead:
1123        crypto_free_aead(aead);
1124        return err;
1125}
1126
1127static void crypto_rfc4543_exit_tfm(struct crypto_aead *tfm)
1128{
1129        struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(tfm);
1130
1131        crypto_free_aead(ctx->child);
1132        crypto_put_default_null_skcipher();
1133}
1134
1135static void crypto_rfc4543_free(struct aead_instance *inst)
1136{
1137        struct crypto_rfc4543_instance_ctx *ctx = aead_instance_ctx(inst);
1138
1139        crypto_drop_aead(&ctx->aead);
1140
1141        kfree(inst);
1142}
1143
1144static int crypto_rfc4543_create(struct crypto_template *tmpl,
1145                                struct rtattr **tb)
1146{
1147        struct crypto_attr_type *algt;
1148        struct aead_instance *inst;
1149        struct crypto_aead_spawn *spawn;
1150        struct aead_alg *alg;
1151        struct crypto_rfc4543_instance_ctx *ctx;
1152        const char *ccm_name;
1153        int err;
1154
1155        algt = crypto_get_attr_type(tb);
1156        if (IS_ERR(algt))
1157                return PTR_ERR(algt);
1158
1159        if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
1160                return -EINVAL;
1161
1162        ccm_name = crypto_attr_alg_name(tb[1]);
1163        if (IS_ERR(ccm_name))
1164                return PTR_ERR(ccm_name);
1165
1166        inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
1167        if (!inst)
1168                return -ENOMEM;
1169
1170        ctx = aead_instance_ctx(inst);
1171        spawn = &ctx->aead;
1172        crypto_set_aead_spawn(spawn, aead_crypto_instance(inst));
1173        err = crypto_grab_aead(spawn, ccm_name, 0,
1174                               crypto_requires_sync(algt->type, algt->mask));
1175        if (err)
1176                goto out_free_inst;
1177
1178        alg = crypto_spawn_aead_alg(spawn);
1179
1180        err = -EINVAL;
1181
1182        /* Underlying IV size must be 12. */
1183        if (crypto_aead_alg_ivsize(alg) != GCM_AES_IV_SIZE)
1184                goto out_drop_alg;
1185
1186        /* Not a stream cipher? */
1187        if (alg->base.cra_blocksize != 1)
1188                goto out_drop_alg;
1189
1190        err = -ENAMETOOLONG;
1191        if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
1192                     "rfc4543(%s)", alg->base.cra_name) >=
1193            CRYPTO_MAX_ALG_NAME ||
1194            snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
1195                     "rfc4543(%s)", alg->base.cra_driver_name) >=
1196            CRYPTO_MAX_ALG_NAME)
1197                goto out_drop_alg;
1198
1199        inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC;
1200        inst->alg.base.cra_priority = alg->base.cra_priority;
1201        inst->alg.base.cra_blocksize = 1;
1202        inst->alg.base.cra_alignmask = alg->base.cra_alignmask;
1203
1204        inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4543_ctx);
1205
1206        inst->alg.ivsize = GCM_RFC4543_IV_SIZE;
1207        inst->alg.chunksize = crypto_aead_alg_chunksize(alg);
1208        inst->alg.maxauthsize = crypto_aead_alg_maxauthsize(alg);
1209
1210        inst->alg.init = crypto_rfc4543_init_tfm;
1211        inst->alg.exit = crypto_rfc4543_exit_tfm;
1212
1213        inst->alg.setkey = crypto_rfc4543_setkey;
1214        inst->alg.setauthsize = crypto_rfc4543_setauthsize;
1215        inst->alg.encrypt = crypto_rfc4543_encrypt;
1216        inst->alg.decrypt = crypto_rfc4543_decrypt;
1217
1218        inst->free = crypto_rfc4543_free,
1219
1220        err = aead_register_instance(tmpl, inst);
1221        if (err)
1222                goto out_drop_alg;
1223
1224out:
1225        return err;
1226
1227out_drop_alg:
1228        crypto_drop_aead(spawn);
1229out_free_inst:
1230        kfree(inst);
1231        goto out;
1232}
1233
1234static struct crypto_template crypto_rfc4543_tmpl = {
1235        .name = "rfc4543",
1236        .create = crypto_rfc4543_create,
1237        .module = THIS_MODULE,
1238};
1239
1240static int __init crypto_gcm_module_init(void)
1241{
1242        int err;
1243
1244        gcm_zeroes = kzalloc(sizeof(*gcm_zeroes), GFP_KERNEL);
1245        if (!gcm_zeroes)
1246                return -ENOMEM;
1247
1248        sg_init_one(&gcm_zeroes->sg, gcm_zeroes->buf, sizeof(gcm_zeroes->buf));
1249
1250        err = crypto_register_template(&crypto_gcm_base_tmpl);
1251        if (err)
1252                goto out;
1253
1254        err = crypto_register_template(&crypto_gcm_tmpl);
1255        if (err)
1256                goto out_undo_base;
1257
1258        err = crypto_register_template(&crypto_rfc4106_tmpl);
1259        if (err)
1260                goto out_undo_gcm;
1261
1262        err = crypto_register_template(&crypto_rfc4543_tmpl);
1263        if (err)
1264                goto out_undo_rfc4106;
1265
1266        return 0;
1267
1268out_undo_rfc4106:
1269        crypto_unregister_template(&crypto_rfc4106_tmpl);
1270out_undo_gcm:
1271        crypto_unregister_template(&crypto_gcm_tmpl);
1272out_undo_base:
1273        crypto_unregister_template(&crypto_gcm_base_tmpl);
1274out:
1275        kfree(gcm_zeroes);
1276        return err;
1277}
1278
1279static void __exit crypto_gcm_module_exit(void)
1280{
1281        kfree(gcm_zeroes);
1282        crypto_unregister_template(&crypto_rfc4543_tmpl);
1283        crypto_unregister_template(&crypto_rfc4106_tmpl);
1284        crypto_unregister_template(&crypto_gcm_tmpl);
1285        crypto_unregister_template(&crypto_gcm_base_tmpl);
1286}
1287
1288module_init(crypto_gcm_module_init);
1289module_exit(crypto_gcm_module_exit);
1290
1291MODULE_LICENSE("GPL");
1292MODULE_DESCRIPTION("Galois/Counter Mode");
1293MODULE_AUTHOR("Mikko Herranen <mh1@iki.fi>");
1294MODULE_ALIAS_CRYPTO("gcm_base");
1295MODULE_ALIAS_CRYPTO("rfc4106");
1296MODULE_ALIAS_CRYPTO("rfc4543");
1297MODULE_ALIAS_CRYPTO("gcm");
1298