LXR linux/arch/arm64/crypto/aes-ce-ccm-glue.c

   1// SPDX-License-Identifier: GPL-2.0-only
   2/*
   3 * aes-ccm-glue.c - AES-CCM transform for ARMv8 with Crypto Extensions
   4 *
   5 * Copyright (C) 2013 - 2017 Linaro Ltd <ard.biesheuvel@linaro.org>
   6 */
   7
   8#include <asm/neon.h>
   9#include <asm/simd.h>
  10#include <asm/unaligned.h>
  11#include <crypto/aes.h>
  12#include <crypto/scatterwalk.h>
  13#include <crypto/internal/aead.h>
  14#include <crypto/internal/simd.h>
  15#include <crypto/internal/skcipher.h>
  16#include <linux/module.h>
  17
  18#include "aes-ce-setkey.h"
  19
  20static int num_rounds(struct crypto_aes_ctx *ctx)
  21{
  22        /*
  23         * # of rounds specified by AES:
  24         * 128 bit key          10 rounds
  25         * 192 bit key          12 rounds
  26         * 256 bit key          14 rounds
  27         * => n byte key        => 6 + (n/4) rounds
  28         */
  29        return 6 + ctx->key_length / 4;
  30}
  31
  32asmlinkage void ce_aes_ccm_auth_data(u8 mac[], u8 const in[], u32 abytes,
  33                                     u32 *macp, u32 const rk[], u32 rounds);
  34
  35asmlinkage void ce_aes_ccm_encrypt(u8 out[], u8 const in[], u32 cbytes,
  36                                   u32 const rk[], u32 rounds, u8 mac[],
  37                                   u8 ctr[]);
  38
  39asmlinkage void ce_aes_ccm_decrypt(u8 out[], u8 const in[], u32 cbytes,
  40                                   u32 const rk[], u32 rounds, u8 mac[],
  41                                   u8 ctr[]);
  42
  43asmlinkage void ce_aes_ccm_final(u8 mac[], u8 const ctr[], u32 const rk[],
  44                                 u32 rounds);
  45
  46static int ccm_setkey(struct crypto_aead *tfm, const u8 *in_key,
  47                      unsigned int key_len)
  48{
  49        struct crypto_aes_ctx *ctx = crypto_aead_ctx(tfm);
  50
  51        return ce_aes_expandkey(ctx, in_key, key_len);
  52}
  53
  54static int ccm_setauthsize(struct crypto_aead *tfm, unsigned int authsize)
  55{
  56        if ((authsize & 1) || authsize < 4)
  57                return -EINVAL;
  58        return 0;
  59}
  60
  61static int ccm_init_mac(struct aead_request *req, u8 maciv[], u32 msglen)
  62{
  63        struct crypto_aead *aead = crypto_aead_reqtfm(req);
  64        __be32 *n = (__be32 *)&maciv[AES_BLOCK_SIZE - 8];
  65        u32 l = req->iv[0] + 1;
  66
  67        /* verify that CCM dimension 'L' is set correctly in the IV */
  68        if (l < 2 || l > 8)
  69                return -EINVAL;
  70
  71        /* verify that msglen can in fact be represented in L bytes */
  72        if (l < 4 && msglen >> (8 * l))
  73                return -EOVERFLOW;
  74
  75        /*
  76         * Even if the CCM spec allows L values of up to 8, the Linux cryptoapi
  77         * uses a u32 type to represent msglen so the top 4 bytes are always 0.
  78         */
  79        n[0] = 0;
  80        n[1] = cpu_to_be32(msglen);
  81
  82        memcpy(maciv, req->iv, AES_BLOCK_SIZE - l);
  83
  84        /*
  85         * Meaning of byte 0 according to CCM spec (RFC 3610/NIST 800-38C)
  86         * - bits 0..2  : max # of bytes required to represent msglen, minus 1
  87         *                (already set by caller)
  88         * - bits 3..5  : size of auth tag (1 => 4 bytes, 2 => 6 bytes, etc)
  89         * - bit 6      : indicates presence of authenticate-only data
  90         */
  91        maciv[0] |= (crypto_aead_authsize(aead) - 2) << 2;
  92        if (req->assoclen)
  93                maciv[0] |= 0x40;
  94
  95        memset(&req->iv[AES_BLOCK_SIZE - l], 0, l);
  96        return 0;
  97}
  98
  99static void ccm_update_mac(struct crypto_aes_ctx *key, u8 mac[], u8 const in[],
 100                           u32 abytes, u32 *macp)
 101{
 102        if (crypto_simd_usable()) {
 103                kernel_neon_begin();
 104                ce_aes_ccm_auth_data(mac, in, abytes, macp, key->key_enc,
 105                                     num_rounds(key));
 106                kernel_neon_end();
 107        } else {
 108                if (*macp > 0 && *macp < AES_BLOCK_SIZE) {
 109                        int added = min(abytes, AES_BLOCK_SIZE - *macp);
 110
 111                        crypto_xor(&mac[*macp], in, added);
 112
 113                        *macp += added;
 114                        in += added;
 115                        abytes -= added;
 116                }
 117
 118                while (abytes >= AES_BLOCK_SIZE) {
 119                        aes_encrypt(key, mac, mac);
 120                        crypto_xor(mac, in, AES_BLOCK_SIZE);
 121
 122                        in += AES_BLOCK_SIZE;
 123                        abytes -= AES_BLOCK_SIZE;
 124                }
 125
 126                if (abytes > 0) {
 127                        aes_encrypt(key, mac, mac);
 128                        crypto_xor(mac, in, abytes);
 129                        *macp = abytes;
 130                }
 131        }
 132}
 133
 134static void ccm_calculate_auth_mac(struct aead_request *req, u8 mac[])
 135{
 136        struct crypto_aead *aead = crypto_aead_reqtfm(req);
 137        struct crypto_aes_ctx *ctx = crypto_aead_ctx(aead);
 138        struct __packed { __be16 l; __be32 h; u16 len; } ltag;
 139        struct scatter_walk walk;
 140        u32 len = req->assoclen;
 141        u32 macp = 0;
 142
 143        /* prepend the AAD with a length tag */
 144        if (len < 0xff00) {
 145                ltag.l = cpu_to_be16(len);
 146                ltag.len = 2;
 147        } else  {
 148                ltag.l = cpu_to_be16(0xfffe);
 149                put_unaligned_be32(len, &ltag.h);
 150                ltag.len = 6;
 151        }
 152
 153        ccm_update_mac(ctx, mac, (u8 *)&ltag, ltag.len, &macp);
 154        scatterwalk_start(&walk, req->src);
 155
 156        do {
 157                u32 n = scatterwalk_clamp(&walk, len);
 158                u8 *p;
 159
 160                if (!n) {
 161                        scatterwalk_start(&walk, sg_next(walk.sg));
 162                        n = scatterwalk_clamp(&walk, len);
 163                }
 164                p = scatterwalk_map(&walk);
 165                ccm_update_mac(ctx, mac, p, n, &macp);
 166                len -= n;
 167
 168                scatterwalk_unmap(p);
 169                scatterwalk_advance(&walk, n);
 170                scatterwalk_done(&walk, 0, len);
 171        } while (len);
 172}
 173
 174static int ccm_crypt_fallback(struct skcipher_walk *walk, u8 mac[], u8 iv0[],
 175                              struct crypto_aes_ctx *ctx, bool enc)
 176{
 177        u8 buf[AES_BLOCK_SIZE];
 178        int err = 0;
 179
 180        while (walk->nbytes) {
 181                int blocks = walk->nbytes / AES_BLOCK_SIZE;
 182                u32 tail = walk->nbytes % AES_BLOCK_SIZE;
 183                u8 *dst = walk->dst.virt.addr;
 184                u8 *src = walk->src.virt.addr;
 185                u32 nbytes = walk->nbytes;
 186
 187                if (nbytes == walk->total && tail > 0) {
 188                        blocks++;
 189                        tail = 0;
 190                }
 191
 192                do {
 193                        u32 bsize = AES_BLOCK_SIZE;
 194
 195                        if (nbytes < AES_BLOCK_SIZE)
 196                                bsize = nbytes;
 197
 198                        crypto_inc(walk->iv, AES_BLOCK_SIZE);
 199                        aes_encrypt(ctx, buf, walk->iv);
 200                        aes_encrypt(ctx, mac, mac);
 201                        if (enc)
 202                                crypto_xor(mac, src, bsize);
 203                        crypto_xor_cpy(dst, src, buf, bsize);
 204                        if (!enc)
 205                                crypto_xor(mac, dst, bsize);
 206                        dst += bsize;
 207                        src += bsize;
 208                        nbytes -= bsize;
 209                } while (--blocks);
 210
 211                err = skcipher_walk_done(walk, tail);
 212        }
 213
 214        if (!err) {
 215                aes_encrypt(ctx, buf, iv0);
 216                aes_encrypt(ctx, mac, mac);
 217                crypto_xor(mac, buf, AES_BLOCK_SIZE);
 218        }
 219        return err;
 220}
 221
 222static int ccm_encrypt(struct aead_request *req)
 223{
 224        struct crypto_aead *aead = crypto_aead_reqtfm(req);
 225        struct crypto_aes_ctx *ctx = crypto_aead_ctx(aead);
 226        struct skcipher_walk walk;
 227        u8 __aligned(8) mac[AES_BLOCK_SIZE];
 228        u8 buf[AES_BLOCK_SIZE];
 229        u32 len = req->cryptlen;
 230        int err;
 231
 232        err = ccm_init_mac(req, mac, len);
 233        if (err)
 234                return err;
 235
 236        if (req->assoclen)
 237                ccm_calculate_auth_mac(req, mac);
 238
 239        /* preserve the original iv for the final round */
 240        memcpy(buf, req->iv, AES_BLOCK_SIZE);
 241
 242        err = skcipher_walk_aead_encrypt(&walk, req, false);
 243
 244        if (crypto_simd_usable()) {
 245                while (walk.nbytes) {
 246                        u32 tail = walk.nbytes % AES_BLOCK_SIZE;
 247
 248                        if (walk.nbytes == walk.total)
 249                                tail = 0;
 250
 251                        kernel_neon_begin();
 252                        ce_aes_ccm_encrypt(walk.dst.virt.addr,
 253                                           walk.src.virt.addr,
 254                                           walk.nbytes - tail, ctx->key_enc,
 255                                           num_rounds(ctx), mac, walk.iv);
 256                        kernel_neon_end();
 257
 258                        err = skcipher_walk_done(&walk, tail);
 259                }
 260                if (!err) {
 261                        kernel_neon_begin();
 262                        ce_aes_ccm_final(mac, buf, ctx->key_enc,
 263                                         num_rounds(ctx));
 264                        kernel_neon_end();
 265                }
 266        } else {
 267                err = ccm_crypt_fallback(&walk, mac, buf, ctx, true);
 268        }
 269        if (err)
 270                return err;
 271
 272        /* copy authtag to end of dst */
 273        scatterwalk_map_and_copy(mac, req->dst, req->assoclen + req->cryptlen,
 274                                 crypto_aead_authsize(aead), 1);
 275
 276        return 0;
 277}
 278
 279static int ccm_decrypt(struct aead_request *req)
 280{
 281        struct crypto_aead *aead = crypto_aead_reqtfm(req);
 282        struct crypto_aes_ctx *ctx = crypto_aead_ctx(aead);
 283        unsigned int authsize = crypto_aead_authsize(aead);
 284        struct skcipher_walk walk;
 285        u8 __aligned(8) mac[AES_BLOCK_SIZE];
 286        u8 buf[AES_BLOCK_SIZE];
 287        u32 len = req->cryptlen - authsize;
 288        int err;
 289
 290        err = ccm_init_mac(req, mac, len);
 291        if (err)
 292                return err;
 293
 294        if (req->assoclen)
 295                ccm_calculate_auth_mac(req, mac);
 296
 297        /* preserve the original iv for the final round */
 298        memcpy(buf, req->iv, AES_BLOCK_SIZE);
 299
 300        err = skcipher_walk_aead_decrypt(&walk, req, false);
 301
 302        if (crypto_simd_usable()) {
 303                while (walk.nbytes) {
 304                        u32 tail = walk.nbytes % AES_BLOCK_SIZE;
 305
 306                        if (walk.nbytes == walk.total)
 307                                tail = 0;
 308
 309                        kernel_neon_begin();
 310                        ce_aes_ccm_decrypt(walk.dst.virt.addr,
 311                                           walk.src.virt.addr,
 312                                           walk.nbytes - tail, ctx->key_enc,
 313                                           num_rounds(ctx), mac, walk.iv);
 314                        kernel_neon_end();
 315
 316                        err = skcipher_walk_done(&walk, tail);
 317                }
 318                if (!err) {
 319                        kernel_neon_begin();
 320                        ce_aes_ccm_final(mac, buf, ctx->key_enc,
 321                                         num_rounds(ctx));
 322                        kernel_neon_end();
 323                }
 324        } else {
 325                err = ccm_crypt_fallback(&walk, mac, buf, ctx, false);
 326        }
 327
 328        if (err)
 329                return err;
 330
 331        /* compare calculated auth tag with the stored one */
 332        scatterwalk_map_and_copy(buf, req->src,
 333                                 req->assoclen + req->cryptlen - authsize,
 334                                 authsize, 0);
 335
 336        if (crypto_memneq(mac, buf, authsize))
 337                return -EBADMSG;
 338        return 0;
 339}
 340
 341static struct aead_alg ccm_aes_alg = {
 342        .base = {
 343                .cra_name               = "ccm(aes)",
 344                .cra_driver_name        = "ccm-aes-ce",
 345                .cra_priority           = 300,
 346                .cra_blocksize          = 1,
 347                .cra_ctxsize            = sizeof(struct crypto_aes_ctx),
 348                .cra_module             = THIS_MODULE,
 349        },
 350        .ivsize         = AES_BLOCK_SIZE,
 351        .chunksize      = AES_BLOCK_SIZE,
 352        .maxauthsize    = AES_BLOCK_SIZE,
 353        .setkey         = ccm_setkey,
 354        .setauthsize    = ccm_setauthsize,
 355        .encrypt        = ccm_encrypt,
 356        .decrypt        = ccm_decrypt,
 357};
 358
 359static int __init aes_mod_init(void)
 360{
 361        if (!cpu_have_named_feature(AES))
 362                return -ENODEV;
 363        return crypto_register_aead(&ccm_aes_alg);
 364}
 365
 366static void __exit aes_mod_exit(void)
 367{
 368        crypto_unregister_aead(&ccm_aes_alg);
 369}
 370
 371module_init(aes_mod_init);
 372module_exit(aes_mod_exit);
 373
 374MODULE_DESCRIPTION("Synchronous AES in CCM mode using ARMv8 Crypto Extensions");
 375MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>");
 376MODULE_LICENSE("GPL v2");
 377MODULE_ALIAS_CRYPTO("ccm(aes)");
 378