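Lines matching +full:mac +full:- +full:only (non-contiguous search hits from aes-ccm-glue.c; each hit starts with its line number in that file and, where shown, ends with the enclosing function)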

1 // SPDX-License-Identifier: GPL-2.0-only
3 * aes-ccm-glue.c - AES-CCM transform for ARMv8 with Crypto Extensions
5 * Copyright (C) 2013 - 2017 Linaro Ltd <ard.biesheuvel@linaro.org>
18 #include "aes-ce-setkey.h"
29 return 6 + ctx->key_length / 4; in num_rounds()
32 asmlinkage void ce_aes_ccm_auth_data(u8 mac[], u8 const in[], u32 abytes,
36 u32 const rk[], u32 rounds, u8 mac[],
40 u32 const rk[], u32 rounds, u8 mac[],
43 asmlinkage void ce_aes_ccm_final(u8 mac[], u8 const ctr[], u32 const rk[],
57 return -EINVAL; in ccm_setauthsize()
64 __be32 *n = (__be32 *)&maciv[AES_BLOCK_SIZE - 8]; in ccm_init_mac()
65 u32 l = req->iv[0] + 1; in ccm_init_mac()
69 return -EINVAL; in ccm_init_mac()
73 return -EOVERFLOW; in ccm_init_mac()
82 memcpy(maciv, req->iv, AES_BLOCK_SIZE - l); in ccm_init_mac()
85 * Meaning of byte 0 according to CCM spec (RFC 3610/NIST 800-38C) in ccm_init_mac()
86 * - bits 0..2 : max # of bytes required to represent msglen, minus 1 in ccm_init_mac()
88 * - bits 3..5 : size of auth tag (1 => 4 bytes, 2 => 6 bytes, etc) in ccm_init_mac()
89 * - bit 6 : indicates presence of authenticate-only data in ccm_init_mac()
91 maciv[0] |= (crypto_aead_authsize(aead) - 2) << 2; in ccm_init_mac()
92 if (req->assoclen) in ccm_init_mac()
95 memset(&req->iv[AES_BLOCK_SIZE - l], 0, l); in ccm_init_mac()
99 static void ccm_update_mac(struct crypto_aes_ctx *key, u8 mac[], u8 const in[], in ccm_update_mac() argument
104 ce_aes_ccm_auth_data(mac, in, abytes, macp, key->key_enc, in ccm_update_mac()
109 int added = min(abytes, AES_BLOCK_SIZE - *macp); in ccm_update_mac()
111 crypto_xor(&mac[*macp], in, added); in ccm_update_mac()
115 abytes -= added; in ccm_update_mac()
119 aes_encrypt(key, mac, mac); in ccm_update_mac()
120 crypto_xor(mac, in, AES_BLOCK_SIZE); in ccm_update_mac()
123 abytes -= AES_BLOCK_SIZE; in ccm_update_mac()
127 aes_encrypt(key, mac, mac); in ccm_update_mac()
128 crypto_xor(mac, in, abytes); in ccm_update_mac()
134 static void ccm_calculate_auth_mac(struct aead_request *req, u8 mac[]) in ccm_calculate_auth_mac() argument
140 u32 len = req->assoclen; in ccm_calculate_auth_mac()
153 ccm_update_mac(ctx, mac, (u8 *)&ltag, ltag.len, &macp); in ccm_calculate_auth_mac()
154 scatterwalk_start(&walk, req->src); in ccm_calculate_auth_mac()
165 ccm_update_mac(ctx, mac, p, n, &macp); in ccm_calculate_auth_mac()
166 len -= n; in ccm_calculate_auth_mac()
174 static int ccm_crypt_fallback(struct skcipher_walk *walk, u8 mac[], u8 iv0[], in ccm_crypt_fallback() argument
180 while (walk->nbytes) { in ccm_crypt_fallback()
181 int blocks = walk->nbytes / AES_BLOCK_SIZE; in ccm_crypt_fallback()
182 u32 tail = walk->nbytes % AES_BLOCK_SIZE; in ccm_crypt_fallback()
183 u8 *dst = walk->dst.virt.addr; in ccm_crypt_fallback()
184 u8 *src = walk->src.virt.addr; in ccm_crypt_fallback()
185 u32 nbytes = walk->nbytes; in ccm_crypt_fallback()
187 if (nbytes == walk->total && tail > 0) { in ccm_crypt_fallback()
198 crypto_inc(walk->iv, AES_BLOCK_SIZE); in ccm_crypt_fallback()
199 aes_encrypt(ctx, buf, walk->iv); in ccm_crypt_fallback()
200 aes_encrypt(ctx, mac, mac); in ccm_crypt_fallback()
202 crypto_xor(mac, src, bsize); in ccm_crypt_fallback()
205 crypto_xor(mac, dst, bsize); in ccm_crypt_fallback()
208 nbytes -= bsize; in ccm_crypt_fallback()
209 } while (--blocks); in ccm_crypt_fallback()
216 aes_encrypt(ctx, mac, mac); in ccm_crypt_fallback()
217 crypto_xor(mac, buf, AES_BLOCK_SIZE); in ccm_crypt_fallback()
227 u8 __aligned(8) mac[AES_BLOCK_SIZE]; in ccm_encrypt()
229 u32 len = req->cryptlen; in ccm_encrypt()
232 err = ccm_init_mac(req, mac, len); in ccm_encrypt()
236 if (req->assoclen) in ccm_encrypt()
237 ccm_calculate_auth_mac(req, mac); in ccm_encrypt()
240 memcpy(buf, req->iv, AES_BLOCK_SIZE); in ccm_encrypt()
254 walk.nbytes - tail, ctx->key_enc, in ccm_encrypt()
255 num_rounds(ctx), mac, walk.iv); in ccm_encrypt()
262 ce_aes_ccm_final(mac, buf, ctx->key_enc, in ccm_encrypt()
267 err = ccm_crypt_fallback(&walk, mac, buf, ctx, true); in ccm_encrypt()
273 scatterwalk_map_and_copy(mac, req->dst, req->assoclen + req->cryptlen, in ccm_encrypt()
285 u8 __aligned(8) mac[AES_BLOCK_SIZE]; in ccm_decrypt()
287 u32 len = req->cryptlen - authsize; in ccm_decrypt()
290 err = ccm_init_mac(req, mac, len); in ccm_decrypt()
294 if (req->assoclen) in ccm_decrypt()
295 ccm_calculate_auth_mac(req, mac); in ccm_decrypt()
298 memcpy(buf, req->iv, AES_BLOCK_SIZE); in ccm_decrypt()
312 walk.nbytes - tail, ctx->key_enc, in ccm_decrypt()
313 num_rounds(ctx), mac, walk.iv); in ccm_decrypt()
320 ce_aes_ccm_final(mac, buf, ctx->key_enc, in ccm_decrypt()
325 err = ccm_crypt_fallback(&walk, mac, buf, ctx, false); in ccm_decrypt()
332 scatterwalk_map_and_copy(buf, req->src, in ccm_decrypt()
333 req->assoclen + req->cryptlen - authsize, in ccm_decrypt()
336 if (crypto_memneq(mac, buf, authsize)) in ccm_decrypt()
337 return -EBADMSG; in ccm_decrypt()
344 .cra_driver_name = "ccm-aes-ce",
362 return -ENODEV; in aes_mod_init()