1
2
3
4
5
6
7
8#include <crypto/internal/aead.h>
9#include <crypto/internal/hash.h>
10#include <crypto/internal/skcipher.h>
11#include <crypto/scatterwalk.h>
12#include <crypto/chacha.h>
13#include <crypto/poly1305.h>
14#include <linux/err.h>
15#include <linux/init.h>
16#include <linux/kernel.h>
17#include <linux/module.h>
18
19struct chachapoly_instance_ctx {
20 struct crypto_skcipher_spawn chacha;
21 struct crypto_ahash_spawn poly;
22 unsigned int saltlen;
23};
24
25struct chachapoly_ctx {
26 struct crypto_skcipher *chacha;
27 struct crypto_ahash *poly;
28
29 unsigned int saltlen;
30 u8 salt[];
31};
32
33struct poly_req {
34
35 u8 pad[POLY1305_BLOCK_SIZE];
36
37 struct {
38 __le64 assoclen;
39 __le64 cryptlen;
40 } tail;
41 struct scatterlist src[1];
42 struct ahash_request req;
43};
44
45struct chacha_req {
46 u8 iv[CHACHA_IV_SIZE];
47 struct scatterlist src[1];
48 struct skcipher_request req;
49};
50
51struct chachapoly_req_ctx {
52 struct scatterlist src[2];
53 struct scatterlist dst[2];
54
55 u8 key[POLY1305_KEY_SIZE];
56
57 u8 tag[POLY1305_DIGEST_SIZE];
58
59 unsigned int cryptlen;
60
61 unsigned int assoclen;
62
63 u32 flags;
64 union {
65 struct poly_req poly;
66 struct chacha_req chacha;
67 } u;
68};
69
70static inline void async_done_continue(struct aead_request *req, int err,
71 int (*cont)(struct aead_request *))
72{
73 if (!err) {
74 struct chachapoly_req_ctx *rctx = aead_request_ctx(req);
75
76 rctx->flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
77 err = cont(req);
78 }
79
80 if (err != -EINPROGRESS && err != -EBUSY)
81 aead_request_complete(req, err);
82}
83
84static void chacha_iv(u8 *iv, struct aead_request *req, u32 icb)
85{
86 struct chachapoly_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
87 __le32 leicb = cpu_to_le32(icb);
88
89 memcpy(iv, &leicb, sizeof(leicb));
90 memcpy(iv + sizeof(leicb), ctx->salt, ctx->saltlen);
91 memcpy(iv + sizeof(leicb) + ctx->saltlen, req->iv,
92 CHACHA_IV_SIZE - sizeof(leicb) - ctx->saltlen);
93}
94
95static int poly_verify_tag(struct aead_request *req)
96{
97 struct chachapoly_req_ctx *rctx = aead_request_ctx(req);
98 u8 tag[sizeof(rctx->tag)];
99
100 scatterwalk_map_and_copy(tag, req->src,
101 req->assoclen + rctx->cryptlen,
102 sizeof(tag), 0);
103 if (crypto_memneq(tag, rctx->tag, sizeof(tag)))
104 return -EBADMSG;
105 return 0;
106}
107
108static int poly_copy_tag(struct aead_request *req)
109{
110 struct chachapoly_req_ctx *rctx = aead_request_ctx(req);
111
112 scatterwalk_map_and_copy(rctx->tag, req->dst,
113 req->assoclen + rctx->cryptlen,
114 sizeof(rctx->tag), 1);
115 return 0;
116}
117
118static void chacha_decrypt_done(struct crypto_async_request *areq, int err)
119{
120 async_done_continue(areq->data, err, poly_verify_tag);
121}
122
123static int chacha_decrypt(struct aead_request *req)
124{
125 struct chachapoly_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
126 struct chachapoly_req_ctx *rctx = aead_request_ctx(req);
127 struct chacha_req *creq = &rctx->u.chacha;
128 struct scatterlist *src, *dst;
129 int err;
130
131 if (rctx->cryptlen == 0)
132 goto skip;
133
134 chacha_iv(creq->iv, req, 1);
135
136 src = scatterwalk_ffwd(rctx->src, req->src, req->assoclen);
137 dst = src;
138 if (req->src != req->dst)
139 dst = scatterwalk_ffwd(rctx->dst, req->dst, req->assoclen);
140
141 skcipher_request_set_callback(&creq->req, rctx->flags,
142 chacha_decrypt_done, req);
143 skcipher_request_set_tfm(&creq->req, ctx->chacha);
144 skcipher_request_set_crypt(&creq->req, src, dst,
145 rctx->cryptlen, creq->iv);
146 err = crypto_skcipher_decrypt(&creq->req);
147 if (err)
148 return err;
149
150skip:
151 return poly_verify_tag(req);
152}
153
154static int poly_tail_continue(struct aead_request *req)
155{
156 struct chachapoly_req_ctx *rctx = aead_request_ctx(req);
157
158 if (rctx->cryptlen == req->cryptlen)
159 return poly_copy_tag(req);
160
161 return chacha_decrypt(req);
162}
163
164static void poly_tail_done(struct crypto_async_request *areq, int err)
165{
166 async_done_continue(areq->data, err, poly_tail_continue);
167}
168
169static int poly_tail(struct aead_request *req)
170{
171 struct crypto_aead *tfm = crypto_aead_reqtfm(req);
172 struct chachapoly_ctx *ctx = crypto_aead_ctx(tfm);
173 struct chachapoly_req_ctx *rctx = aead_request_ctx(req);
174 struct poly_req *preq = &rctx->u.poly;
175 int err;
176
177 preq->tail.assoclen = cpu_to_le64(rctx->assoclen);
178 preq->tail.cryptlen = cpu_to_le64(rctx->cryptlen);
179 sg_init_one(preq->src, &preq->tail, sizeof(preq->tail));
180
181 ahash_request_set_callback(&preq->req, rctx->flags,
182 poly_tail_done, req);
183 ahash_request_set_tfm(&preq->req, ctx->poly);
184 ahash_request_set_crypt(&preq->req, preq->src,
185 rctx->tag, sizeof(preq->tail));
186
187 err = crypto_ahash_finup(&preq->req);
188 if (err)
189 return err;
190
191 return poly_tail_continue(req);
192}
193
194static void poly_cipherpad_done(struct crypto_async_request *areq, int err)
195{
196 async_done_continue(areq->data, err, poly_tail);
197}
198
199static int poly_cipherpad(struct aead_request *req)
200{
201 struct chachapoly_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
202 struct chachapoly_req_ctx *rctx = aead_request_ctx(req);
203 struct poly_req *preq = &rctx->u.poly;
204 unsigned int padlen;
205 int err;
206
207 padlen = -rctx->cryptlen % POLY1305_BLOCK_SIZE;
208 memset(preq->pad, 0, sizeof(preq->pad));
209 sg_init_one(preq->src, preq->pad, padlen);
210
211 ahash_request_set_callback(&preq->req, rctx->flags,
212 poly_cipherpad_done, req);
213 ahash_request_set_tfm(&preq->req, ctx->poly);
214 ahash_request_set_crypt(&preq->req, preq->src, NULL, padlen);
215
216 err = crypto_ahash_update(&preq->req);
217 if (err)
218 return err;
219
220 return poly_tail(req);
221}
222
223static void poly_cipher_done(struct crypto_async_request *areq, int err)
224{
225 async_done_continue(areq->data, err, poly_cipherpad);
226}
227
228static int poly_cipher(struct aead_request *req)
229{
230 struct chachapoly_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
231 struct chachapoly_req_ctx *rctx = aead_request_ctx(req);
232 struct poly_req *preq = &rctx->u.poly;
233 struct scatterlist *crypt = req->src;
234 int err;
235
236 if (rctx->cryptlen == req->cryptlen)
237 crypt = req->dst;
238
239 crypt = scatterwalk_ffwd(rctx->src, crypt, req->assoclen);
240
241 ahash_request_set_callback(&preq->req, rctx->flags,
242 poly_cipher_done, req);
243 ahash_request_set_tfm(&preq->req, ctx->poly);
244 ahash_request_set_crypt(&preq->req, crypt, NULL, rctx->cryptlen);
245
246 err = crypto_ahash_update(&preq->req);
247 if (err)
248 return err;
249
250 return poly_cipherpad(req);
251}
252
253static void poly_adpad_done(struct crypto_async_request *areq, int err)
254{
255 async_done_continue(areq->data, err, poly_cipher);
256}
257
258static int poly_adpad(struct aead_request *req)
259{
260 struct chachapoly_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
261 struct chachapoly_req_ctx *rctx = aead_request_ctx(req);
262 struct poly_req *preq = &rctx->u.poly;
263 unsigned int padlen;
264 int err;
265
266 padlen = -rctx->assoclen % POLY1305_BLOCK_SIZE;
267 memset(preq->pad, 0, sizeof(preq->pad));
268 sg_init_one(preq->src, preq->pad, padlen);
269
270 ahash_request_set_callback(&preq->req, rctx->flags,
271 poly_adpad_done, req);
272 ahash_request_set_tfm(&preq->req, ctx->poly);
273 ahash_request_set_crypt(&preq->req, preq->src, NULL, padlen);
274
275 err = crypto_ahash_update(&preq->req);
276 if (err)
277 return err;
278
279 return poly_cipher(req);
280}
281
282static void poly_ad_done(struct crypto_async_request *areq, int err)
283{
284 async_done_continue(areq->data, err, poly_adpad);
285}
286
287static int poly_ad(struct aead_request *req)
288{
289 struct chachapoly_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
290 struct chachapoly_req_ctx *rctx = aead_request_ctx(req);
291 struct poly_req *preq = &rctx->u.poly;
292 int err;
293
294 ahash_request_set_callback(&preq->req, rctx->flags,
295 poly_ad_done, req);
296 ahash_request_set_tfm(&preq->req, ctx->poly);
297 ahash_request_set_crypt(&preq->req, req->src, NULL, rctx->assoclen);
298
299 err = crypto_ahash_update(&preq->req);
300 if (err)
301 return err;
302
303 return poly_adpad(req);
304}
305
306static void poly_setkey_done(struct crypto_async_request *areq, int err)
307{
308 async_done_continue(areq->data, err, poly_ad);
309}
310
311static int poly_setkey(struct aead_request *req)
312{
313 struct chachapoly_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
314 struct chachapoly_req_ctx *rctx = aead_request_ctx(req);
315 struct poly_req *preq = &rctx->u.poly;
316 int err;
317
318 sg_init_one(preq->src, rctx->key, sizeof(rctx->key));
319
320 ahash_request_set_callback(&preq->req, rctx->flags,
321 poly_setkey_done, req);
322 ahash_request_set_tfm(&preq->req, ctx->poly);
323 ahash_request_set_crypt(&preq->req, preq->src, NULL, sizeof(rctx->key));
324
325 err = crypto_ahash_update(&preq->req);
326 if (err)
327 return err;
328
329 return poly_ad(req);
330}
331
332static void poly_init_done(struct crypto_async_request *areq, int err)
333{
334 async_done_continue(areq->data, err, poly_setkey);
335}
336
337static int poly_init(struct aead_request *req)
338{
339 struct chachapoly_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
340 struct chachapoly_req_ctx *rctx = aead_request_ctx(req);
341 struct poly_req *preq = &rctx->u.poly;
342 int err;
343
344 ahash_request_set_callback(&preq->req, rctx->flags,
345 poly_init_done, req);
346 ahash_request_set_tfm(&preq->req, ctx->poly);
347
348 err = crypto_ahash_init(&preq->req);
349 if (err)
350 return err;
351
352 return poly_setkey(req);
353}
354
355static void poly_genkey_done(struct crypto_async_request *areq, int err)
356{
357 async_done_continue(areq->data, err, poly_init);
358}
359
360static int poly_genkey(struct aead_request *req)
361{
362 struct crypto_aead *tfm = crypto_aead_reqtfm(req);
363 struct chachapoly_ctx *ctx = crypto_aead_ctx(tfm);
364 struct chachapoly_req_ctx *rctx = aead_request_ctx(req);
365 struct chacha_req *creq = &rctx->u.chacha;
366 int err;
367
368 rctx->assoclen = req->assoclen;
369
370 if (crypto_aead_ivsize(tfm) == 8) {
371 if (rctx->assoclen < 8)
372 return -EINVAL;
373 rctx->assoclen -= 8;
374 }
375
376 memset(rctx->key, 0, sizeof(rctx->key));
377 sg_init_one(creq->src, rctx->key, sizeof(rctx->key));
378
379 chacha_iv(creq->iv, req, 0);
380
381 skcipher_request_set_callback(&creq->req, rctx->flags,
382 poly_genkey_done, req);
383 skcipher_request_set_tfm(&creq->req, ctx->chacha);
384 skcipher_request_set_crypt(&creq->req, creq->src, creq->src,
385 POLY1305_KEY_SIZE, creq->iv);
386
387 err = crypto_skcipher_decrypt(&creq->req);
388 if (err)
389 return err;
390
391 return poly_init(req);
392}
393
394static void chacha_encrypt_done(struct crypto_async_request *areq, int err)
395{
396 async_done_continue(areq->data, err, poly_genkey);
397}
398
399static int chacha_encrypt(struct aead_request *req)
400{
401 struct chachapoly_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
402 struct chachapoly_req_ctx *rctx = aead_request_ctx(req);
403 struct chacha_req *creq = &rctx->u.chacha;
404 struct scatterlist *src, *dst;
405 int err;
406
407 if (req->cryptlen == 0)
408 goto skip;
409
410 chacha_iv(creq->iv, req, 1);
411
412 src = scatterwalk_ffwd(rctx->src, req->src, req->assoclen);
413 dst = src;
414 if (req->src != req->dst)
415 dst = scatterwalk_ffwd(rctx->dst, req->dst, req->assoclen);
416
417 skcipher_request_set_callback(&creq->req, rctx->flags,
418 chacha_encrypt_done, req);
419 skcipher_request_set_tfm(&creq->req, ctx->chacha);
420 skcipher_request_set_crypt(&creq->req, src, dst,
421 req->cryptlen, creq->iv);
422 err = crypto_skcipher_encrypt(&creq->req);
423 if (err)
424 return err;
425
426skip:
427 return poly_genkey(req);
428}
429
430static int chachapoly_encrypt(struct aead_request *req)
431{
432 struct chachapoly_req_ctx *rctx = aead_request_ctx(req);
433
434 rctx->cryptlen = req->cryptlen;
435 rctx->flags = aead_request_flags(req);
436
437
438
439
440
441
442
443
444
445
446
447
448
449 return chacha_encrypt(req);
450}
451
452static int chachapoly_decrypt(struct aead_request *req)
453{
454 struct chachapoly_req_ctx *rctx = aead_request_ctx(req);
455
456 rctx->cryptlen = req->cryptlen - POLY1305_DIGEST_SIZE;
457 rctx->flags = aead_request_flags(req);
458
459
460
461
462
463
464
465
466
467
468
469
470
471 return poly_genkey(req);
472}
473
474static int chachapoly_setkey(struct crypto_aead *aead, const u8 *key,
475 unsigned int keylen)
476{
477 struct chachapoly_ctx *ctx = crypto_aead_ctx(aead);
478
479 if (keylen != ctx->saltlen + CHACHA_KEY_SIZE)
480 return -EINVAL;
481
482 keylen -= ctx->saltlen;
483 memcpy(ctx->salt, key + keylen, ctx->saltlen);
484
485 crypto_skcipher_clear_flags(ctx->chacha, CRYPTO_TFM_REQ_MASK);
486 crypto_skcipher_set_flags(ctx->chacha, crypto_aead_get_flags(aead) &
487 CRYPTO_TFM_REQ_MASK);
488 return crypto_skcipher_setkey(ctx->chacha, key, keylen);
489}
490
491static int chachapoly_setauthsize(struct crypto_aead *tfm,
492 unsigned int authsize)
493{
494 if (authsize != POLY1305_DIGEST_SIZE)
495 return -EINVAL;
496
497 return 0;
498}
499
500static int chachapoly_init(struct crypto_aead *tfm)
501{
502 struct aead_instance *inst = aead_alg_instance(tfm);
503 struct chachapoly_instance_ctx *ictx = aead_instance_ctx(inst);
504 struct chachapoly_ctx *ctx = crypto_aead_ctx(tfm);
505 struct crypto_skcipher *chacha;
506 struct crypto_ahash *poly;
507 unsigned long align;
508
509 poly = crypto_spawn_ahash(&ictx->poly);
510 if (IS_ERR(poly))
511 return PTR_ERR(poly);
512
513 chacha = crypto_spawn_skcipher(&ictx->chacha);
514 if (IS_ERR(chacha)) {
515 crypto_free_ahash(poly);
516 return PTR_ERR(chacha);
517 }
518
519 ctx->chacha = chacha;
520 ctx->poly = poly;
521 ctx->saltlen = ictx->saltlen;
522
523 align = crypto_aead_alignmask(tfm);
524 align &= ~(crypto_tfm_ctx_alignment() - 1);
525 crypto_aead_set_reqsize(
526 tfm,
527 align + offsetof(struct chachapoly_req_ctx, u) +
528 max(offsetof(struct chacha_req, req) +
529 sizeof(struct skcipher_request) +
530 crypto_skcipher_reqsize(chacha),
531 offsetof(struct poly_req, req) +
532 sizeof(struct ahash_request) +
533 crypto_ahash_reqsize(poly)));
534
535 return 0;
536}
537
538static void chachapoly_exit(struct crypto_aead *tfm)
539{
540 struct chachapoly_ctx *ctx = crypto_aead_ctx(tfm);
541
542 crypto_free_ahash(ctx->poly);
543 crypto_free_skcipher(ctx->chacha);
544}
545
546static void chachapoly_free(struct aead_instance *inst)
547{
548 struct chachapoly_instance_ctx *ctx = aead_instance_ctx(inst);
549
550 crypto_drop_skcipher(&ctx->chacha);
551 crypto_drop_ahash(&ctx->poly);
552 kfree(inst);
553}
554
555static int chachapoly_create(struct crypto_template *tmpl, struct rtattr **tb,
556 const char *name, unsigned int ivsize)
557{
558 u32 mask;
559 struct aead_instance *inst;
560 struct chachapoly_instance_ctx *ctx;
561 struct skcipher_alg *chacha;
562 struct hash_alg_common *poly;
563 int err;
564
565 if (ivsize > CHACHAPOLY_IV_SIZE)
566 return -EINVAL;
567
568 err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AEAD, &mask);
569 if (err)
570 return err;
571
572 inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
573 if (!inst)
574 return -ENOMEM;
575 ctx = aead_instance_ctx(inst);
576 ctx->saltlen = CHACHAPOLY_IV_SIZE - ivsize;
577
578 err = crypto_grab_skcipher(&ctx->chacha, aead_crypto_instance(inst),
579 crypto_attr_alg_name(tb[1]), 0, mask);
580 if (err)
581 goto err_free_inst;
582 chacha = crypto_spawn_skcipher_alg(&ctx->chacha);
583
584 err = crypto_grab_ahash(&ctx->poly, aead_crypto_instance(inst),
585 crypto_attr_alg_name(tb[2]), 0, mask);
586 if (err)
587 goto err_free_inst;
588 poly = crypto_spawn_ahash_alg(&ctx->poly);
589
590 err = -EINVAL;
591 if (poly->digestsize != POLY1305_DIGEST_SIZE)
592 goto err_free_inst;
593
594 if (crypto_skcipher_alg_ivsize(chacha) != CHACHA_IV_SIZE)
595 goto err_free_inst;
596
597 if (chacha->base.cra_blocksize != 1)
598 goto err_free_inst;
599
600 err = -ENAMETOOLONG;
601 if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
602 "%s(%s,%s)", name, chacha->base.cra_name,
603 poly->base.cra_name) >= CRYPTO_MAX_ALG_NAME)
604 goto err_free_inst;
605 if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
606 "%s(%s,%s)", name, chacha->base.cra_driver_name,
607 poly->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
608 goto err_free_inst;
609
610 inst->alg.base.cra_priority = (chacha->base.cra_priority +
611 poly->base.cra_priority) / 2;
612 inst->alg.base.cra_blocksize = 1;
613 inst->alg.base.cra_alignmask = chacha->base.cra_alignmask |
614 poly->base.cra_alignmask;
615 inst->alg.base.cra_ctxsize = sizeof(struct chachapoly_ctx) +
616 ctx->saltlen;
617 inst->alg.ivsize = ivsize;
618 inst->alg.chunksize = crypto_skcipher_alg_chunksize(chacha);
619 inst->alg.maxauthsize = POLY1305_DIGEST_SIZE;
620 inst->alg.init = chachapoly_init;
621 inst->alg.exit = chachapoly_exit;
622 inst->alg.encrypt = chachapoly_encrypt;
623 inst->alg.decrypt = chachapoly_decrypt;
624 inst->alg.setkey = chachapoly_setkey;
625 inst->alg.setauthsize = chachapoly_setauthsize;
626
627 inst->free = chachapoly_free;
628
629 err = aead_register_instance(tmpl, inst);
630 if (err) {
631err_free_inst:
632 chachapoly_free(inst);
633 }
634 return err;
635}
636
637static int rfc7539_create(struct crypto_template *tmpl, struct rtattr **tb)
638{
639 return chachapoly_create(tmpl, tb, "rfc7539", 12);
640}
641
642static int rfc7539esp_create(struct crypto_template *tmpl, struct rtattr **tb)
643{
644 return chachapoly_create(tmpl, tb, "rfc7539esp", 8);
645}
646
647static struct crypto_template rfc7539_tmpls[] = {
648 {
649 .name = "rfc7539",
650 .create = rfc7539_create,
651 .module = THIS_MODULE,
652 }, {
653 .name = "rfc7539esp",
654 .create = rfc7539esp_create,
655 .module = THIS_MODULE,
656 },
657};
658
659static int __init chacha20poly1305_module_init(void)
660{
661 return crypto_register_templates(rfc7539_tmpls,
662 ARRAY_SIZE(rfc7539_tmpls));
663}
664
665static void __exit chacha20poly1305_module_exit(void)
666{
667 crypto_unregister_templates(rfc7539_tmpls,
668 ARRAY_SIZE(rfc7539_tmpls));
669}
670
671subsys_initcall(chacha20poly1305_module_init);
672module_exit(chacha20poly1305_module_exit);
673
674MODULE_LICENSE("GPL");
675MODULE_AUTHOR("Martin Willi <martin@strongswan.org>");
676MODULE_DESCRIPTION("ChaCha20-Poly1305 AEAD");
677MODULE_ALIAS_CRYPTO("rfc7539");
678MODULE_ALIAS_CRYPTO("rfc7539esp");
679
