Commit | Line | Data |
---|---|---|
698ffc03 AC |
1 | /* |
2 | * HEH: Hash-Encrypt-Hash mode | |
3 | * | |
4 | * Copyright (c) 2016 Google Inc. | |
5 | * | |
6 | * Authors: | |
7 | * Alex Cope <alexcope@google.com> | |
8 | * Eric Biggers <ebiggers@google.com> | |
9 | */ | |
10 | ||
11 | /* | |
12 | * Hash-Encrypt-Hash (HEH) is a proposed block cipher mode of operation which | |
13 | * extends the strong pseudo-random permutation (SPRP) property of block ciphers | |
14 | * (e.g. AES) to arbitrary length input strings. It uses two keyed invertible | |
15 | * hash functions with a layer of ECB encryption applied in-between. The | |
16 | * algorithm is specified by the following Internet Draft: | |
17 | * | |
18 | * https://tools.ietf.org/html/draft-cope-heh-01 | |
19 | * | |
20 | * Although HEH can be used as either a regular symmetric cipher or as an AEAD, | |
21 | * currently this module only provides it as a symmetric cipher. Additionally, | |
22 | * only 16-byte nonces are supported. | |
23 | */ | |
24 | ||
25 | #include <crypto/gf128mul.h> | |
26 | #include <crypto/internal/hash.h> | |
27 | #include <crypto/internal/skcipher.h> | |
28 | #include <crypto/scatterwalk.h> | |
29 | #include <crypto/skcipher.h> | |
30 | #include "internal.h" | |
31 | ||
32 | /* | |
33 | * The block size is the size of GF(2^128) elements and also the required block | |
34 | * size of the underlying block cipher. | |
35 | */ | |
36 | #define HEH_BLOCK_SIZE 16 | |
37 | ||
38 | struct heh_instance_ctx { | |
39 | struct crypto_shash_spawn cmac; | |
58b9edb0 | 40 | struct crypto_shash_spawn poly_hash; |
698ffc03 AC |
41 | struct crypto_skcipher_spawn ecb; |
42 | }; | |
43 | ||
44 | struct heh_tfm_ctx { | |
45 | struct crypto_shash *cmac; | |
58b9edb0 | 46 | struct crypto_shash *poly_hash; /* keyed with tau_key */ |
698ffc03 | 47 | struct crypto_ablkcipher *ecb; |
698ffc03 AC |
48 | }; |
49 | ||
50 | struct heh_cmac_data { | |
51 | u8 nonce[HEH_BLOCK_SIZE]; | |
52 | __le32 nonce_length; | |
53 | __le32 aad_length; | |
54 | __le32 message_length; | |
55 | __le32 padding; | |
56 | }; | |
57 | ||
58 | struct heh_req_ctx { /* aligned to alignmask */ | |
59 | be128 beta1_key; | |
60 | be128 beta2_key; | |
61 | union { | |
62 | struct { | |
63 | struct heh_cmac_data data; | |
64 | struct shash_desc desc; | |
65 | /* + crypto_shash_descsize(cmac) */ | |
66 | } cmac; | |
58b9edb0 EB |
67 | struct { |
68 | struct shash_desc desc; | |
69 | /* + crypto_shash_descsize(poly_hash) */ | |
70 | } poly_hash; | |
698ffc03 AC |
71 | struct { |
72 | u8 keystream[HEH_BLOCK_SIZE]; | |
73 | u8 tmp[HEH_BLOCK_SIZE]; | |
74 | struct scatterlist tmp_sgl[2]; | |
75 | struct ablkcipher_request req; | |
76 | /* + crypto_ablkcipher_reqsize(ecb) */ | |
77 | } ecb; | |
78 | } u; | |
79 | }; | |
80 | ||
81 | /* | |
82 | * Get the offset in bytes to the last full block, or equivalently the length of | |
83 | * all full blocks excluding the last | |
84 | */ | |
85 | static inline unsigned int get_tail_offset(unsigned int len) | |
86 | { | |
87 | len -= len % HEH_BLOCK_SIZE; | |
88 | return len - HEH_BLOCK_SIZE; | |
89 | } | |
90 | ||
91 | static inline struct heh_req_ctx *heh_req_ctx(struct ablkcipher_request *req) | |
92 | { | |
93 | unsigned int alignmask = crypto_ablkcipher_alignmask( | |
94 | crypto_ablkcipher_reqtfm(req)); | |
95 | ||
96 | return (void *)PTR_ALIGN((u8 *)ablkcipher_request_ctx(req), | |
97 | alignmask + 1); | |
98 | } | |
99 | ||
100 | static inline void async_done(struct crypto_async_request *areq, int err, | |
101 | int (*next_step)(struct ablkcipher_request *, | |
102 | u32)) | |
103 | { | |
104 | struct ablkcipher_request *req = areq->data; | |
105 | ||
106 | if (err) | |
107 | goto out; | |
108 | ||
109 | err = next_step(req, req->base.flags & ~CRYPTO_TFM_REQ_MAY_SLEEP); | |
110 | if (err == -EINPROGRESS || | |
111 | (err == -EBUSY && (req->base.flags & CRYPTO_TFM_REQ_MAY_BACKLOG))) | |
112 | return; | |
113 | out: | |
114 | ablkcipher_request_complete(req, err); | |
115 | } | |
116 | ||
117 | /* | |
118 | * Generate the per-message "beta" keys used by the hashing layers of HEH. The | |
119 | * first beta key is the CMAC of the nonce, the additional authenticated data | |
120 | * (AAD), and the lengths in bytes of the nonce, AAD, and message. The nonce | |
121 | * and AAD are each zero-padded to the next 16-byte block boundary, and the | |
122 | * lengths are serialized as 4-byte little endian integers and zero-padded to | |
123 | * the next 16-byte block boundary. | |
124 | * The second beta key is the first one interpreted as an element in GF(2^128) | |
125 | * and multiplied by x. | |
126 | * | |
127 | * Note that because the nonce and AAD may, in general, be variable-length, the | |
128 | * key generation must be done by a pseudo-random function (PRF) on | |
129 | * variable-length inputs. CBC-MAC does not satisfy this, as it is only a PRF | |
130 | * on fixed-length inputs. CMAC remedies this flaw. Including the lengths of | |
131 | * the nonce, AAD, and message is also critical to avoid collisions. | |
132 | * | |
133 | * That being said, this implementation does not yet operate as an AEAD and | |
134 | * therefore there is never any AAD, nor are variable-length nonces supported. | |
135 | */ | |
136 | static int generate_betas(struct ablkcipher_request *req, | |
137 | be128 *beta1_key, be128 *beta2_key) | |
138 | { | |
139 | struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(req); | |
140 | struct heh_tfm_ctx *ctx = crypto_ablkcipher_ctx(tfm); | |
141 | struct heh_req_ctx *rctx = heh_req_ctx(req); | |
142 | struct heh_cmac_data *data = &rctx->u.cmac.data; | |
143 | struct shash_desc *desc = &rctx->u.cmac.desc; | |
144 | int err; | |
145 | ||
146 | BUILD_BUG_ON(sizeof(*data) != 2 * HEH_BLOCK_SIZE); | |
147 | memcpy(data->nonce, req->info, HEH_BLOCK_SIZE); | |
148 | data->nonce_length = cpu_to_le32(HEH_BLOCK_SIZE); | |
149 | data->aad_length = cpu_to_le32(0); | |
150 | data->message_length = cpu_to_le32(req->nbytes); | |
151 | data->padding = cpu_to_le32(0); | |
152 | ||
153 | desc->tfm = ctx->cmac; | |
154 | desc->flags = req->base.flags; | |
155 | ||
156 | err = crypto_shash_digest(desc, (const u8 *)data, sizeof(*data), | |
157 | (u8 *)beta1_key); | |
158 | if (err) | |
159 | return err; | |
160 | ||
161 | gf128mul_x_ble(beta2_key, beta1_key); | |
162 | return 0; | |
163 | } | |
164 | ||
58b9edb0 EB |
165 | /*****************************************************************************/ |
166 | ||
698ffc03 | 167 | /* |
58b9edb0 EB |
168 | * This is the generic version of poly_hash. It does the GF(2^128) |
169 | * multiplication by 'tau_key' using a precomputed table, without using any | |
170 | * special CPU instructions. On some platforms, an accelerated version (with | |
171 | * higher cra_priority) may be used instead. | |
698ffc03 | 172 | */ |
58b9edb0 EB |
173 | |
174 | struct poly_hash_tfm_ctx { | |
175 | struct gf128mul_4k *tau_key; | |
176 | }; | |
177 | ||
178 | struct poly_hash_desc_ctx { | |
179 | be128 digest; | |
180 | unsigned int count; | |
181 | }; | |
182 | ||
183 | static int poly_hash_setkey(struct crypto_shash *tfm, | |
184 | const u8 *key, unsigned int keylen) | |
698ffc03 | 185 | { |
58b9edb0 EB |
186 | struct poly_hash_tfm_ctx *tctx = crypto_shash_ctx(tfm); |
187 | be128 key128; | |
698ffc03 | 188 | |
58b9edb0 EB |
189 | if (keylen != HEH_BLOCK_SIZE) { |
190 | crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); | |
191 | return -EINVAL; | |
192 | } | |
193 | ||
194 | if (tctx->tau_key) | |
195 | gf128mul_free_4k(tctx->tau_key); | |
196 | memcpy(&key128, key, HEH_BLOCK_SIZE); | |
197 | tctx->tau_key = gf128mul_init_4k_ble(&key128); | |
198 | if (!tctx->tau_key) | |
199 | return -ENOMEM; | |
200 | return 0; | |
201 | } | |
202 | ||
203 | static int poly_hash_init(struct shash_desc *desc) | |
204 | { | |
205 | struct poly_hash_desc_ctx *ctx = shash_desc_ctx(desc); | |
698ffc03 | 206 | |
58b9edb0 EB |
207 | ctx->digest = (be128) { 0 }; |
208 | ctx->count = 0; | |
209 | return 0; | |
210 | } | |
698ffc03 | 211 | |
58b9edb0 EB |
212 | static int poly_hash_update(struct shash_desc *desc, const u8 *src, |
213 | unsigned int len) | |
214 | { | |
215 | struct poly_hash_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm); | |
216 | struct poly_hash_desc_ctx *ctx = shash_desc_ctx(desc); | |
217 | unsigned int partial = ctx->count % HEH_BLOCK_SIZE; | |
218 | u8 *dst = (u8 *)&ctx->digest + partial; | |
698ffc03 | 219 | |
58b9edb0 | 220 | ctx->count += len; |
698ffc03 | 221 | |
58b9edb0 EB |
222 | /* Finishing at least one block? */ |
223 | if (partial + len >= HEH_BLOCK_SIZE) { | |
698ffc03 | 224 | |
58b9edb0 EB |
225 | if (partial) { |
226 | /* Finish the pending block. */ | |
227 | unsigned int n = HEH_BLOCK_SIZE - partial; | |
228 | ||
229 | len -= n; | |
230 | do { | |
231 | *dst++ ^= *src++; | |
232 | } while (--n); | |
233 | ||
234 | gf128mul_4k_ble(&ctx->digest, tctx->tau_key); | |
698ffc03 AC |
235 | } |
236 | ||
58b9edb0 EB |
237 | /* Process zero or more full blocks. */ |
238 | while (len >= HEH_BLOCK_SIZE) { | |
239 | be128 coeff; | |
240 | ||
698ffc03 | 241 | memcpy(&coeff, src, HEH_BLOCK_SIZE); |
58b9edb0 | 242 | be128_xor(&ctx->digest, &ctx->digest, &coeff); |
698ffc03 | 243 | src += HEH_BLOCK_SIZE; |
58b9edb0 EB |
244 | len -= HEH_BLOCK_SIZE; |
245 | gf128mul_4k_ble(&ctx->digest, tctx->tau_key); | |
698ffc03 | 246 | } |
58b9edb0 EB |
247 | dst = (u8 *)&ctx->digest; |
248 | } | |
698ffc03 | 249 | |
58b9edb0 EB |
250 | /* Continue adding the next block to 'digest'. */ |
251 | while (len--) | |
252 | *dst++ ^= *src++; | |
253 | return 0; | |
254 | } | |
255 | ||
256 | static int poly_hash_final(struct shash_desc *desc, u8 *out) | |
257 | { | |
258 | struct poly_hash_desc_ctx *ctx = shash_desc_ctx(desc); | |
259 | ||
260 | /* Finish the last block if needed. */ | |
261 | if (ctx->count % HEH_BLOCK_SIZE) { | |
262 | struct poly_hash_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm); | |
263 | ||
264 | gf128mul_4k_ble(&ctx->digest, tctx->tau_key); | |
698ffc03 | 265 | } |
58b9edb0 EB |
266 | |
267 | memcpy(out, &ctx->digest, HEH_BLOCK_SIZE); | |
268 | return 0; | |
698ffc03 AC |
269 | } |
270 | ||
58b9edb0 EB |
271 | static void poly_hash_exit(struct crypto_tfm *tfm) |
272 | { | |
273 | struct poly_hash_tfm_ctx *tctx = crypto_tfm_ctx(tfm); | |
274 | ||
275 | gf128mul_free_4k(tctx->tau_key); | |
276 | } | |
277 | ||
278 | static struct shash_alg poly_hash_alg = { | |
279 | .digestsize = HEH_BLOCK_SIZE, | |
280 | .init = poly_hash_init, | |
281 | .update = poly_hash_update, | |
282 | .final = poly_hash_final, | |
283 | .setkey = poly_hash_setkey, | |
284 | .descsize = sizeof(struct poly_hash_desc_ctx), | |
285 | .base = { | |
286 | .cra_name = "poly_hash", | |
287 | .cra_driver_name = "poly_hash-generic", | |
288 | .cra_priority = 100, | |
289 | .cra_ctxsize = sizeof(struct poly_hash_tfm_ctx), | |
290 | .cra_exit = poly_hash_exit, | |
291 | .cra_module = THIS_MODULE, | |
292 | }, | |
293 | }; | |
294 | ||
295 | /*****************************************************************************/ | |
296 | ||
698ffc03 AC |
297 | /* |
298 | * Split the message into 16 byte blocks, padding out the last block, and use | |
299 | * the blocks as coefficients in the evaluation of a polynomial over GF(2^128) | |
300 | * at the secret point 'tau_key'. For ease of implementing the higher-level | |
301 | * heh_hash_inv() function, the constant and degree-1 coefficients are swapped | |
302 | * if there is a partial block. | |
303 | * | |
304 | * Mathematically, compute: | |
305 | * if (no partial block) | |
306 | * k^{N-1} * m_0 + ... + k * m_{N-2} + m_{N-1} | |
307 | * else if (partial block) | |
308 | * k^N * m_0 + ... + k^2 * m_{N-2} + k * m_N + m_{N-1} | |
309 | * | |
310 | * where: | |
311 | * t is tau_key | |
312 | * N is the number of full blocks in the message | |
313 | * m_i is the i-th full block in the message for i = 0 to N-1 inclusive | |
314 | * m_N is the partial block of the message zero-padded up to 16 bytes | |
58b9edb0 EB |
315 | * |
316 | * Note that most of this is now separated out into its own keyed hash | |
317 | * algorithm, to allow optimized implementations. However, we still handle the | |
318 | * swapping of the last two coefficients here in the HEH template because this | |
319 | * simplifies the poly_hash algorithms: they don't have to buffer an extra | |
320 | * block, don't have to duplicate as much code, and are more similar to GHASH. | |
698ffc03 | 321 | */ |
58b9edb0 EB |
322 | static int poly_hash(struct ablkcipher_request *req, struct scatterlist *sgl, |
323 | be128 *hash) | |
698ffc03 | 324 | { |
58b9edb0 EB |
325 | struct heh_req_ctx *rctx = heh_req_ctx(req); |
326 | struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(req); | |
698ffc03 | 327 | struct heh_tfm_ctx *ctx = crypto_ablkcipher_ctx(tfm); |
58b9edb0 EB |
328 | struct shash_desc *desc = &rctx->u.poly_hash.desc; |
329 | unsigned int tail_offset = get_tail_offset(req->nbytes); | |
330 | unsigned int tail_len = req->nbytes - tail_offset; | |
698ffc03 | 331 | be128 tail[2]; |
58b9edb0 EB |
332 | unsigned int i, n; |
333 | struct sg_mapping_iter miter; | |
334 | int err; | |
335 | ||
336 | desc->tfm = ctx->poly_hash; | |
337 | desc->flags = req->base.flags; | |
698ffc03 AC |
338 | |
339 | /* Handle all full blocks except the last */ | |
58b9edb0 EB |
340 | err = crypto_shash_init(desc); |
341 | sg_miter_start(&miter, sgl, sg_nents(sgl), | |
342 | SG_MITER_FROM_SG | SG_MITER_ATOMIC); | |
343 | for (i = 0; i < tail_offset && !err; i += n) { | |
344 | sg_miter_next(&miter); | |
345 | n = min_t(unsigned int, miter.length, tail_offset - i); | |
346 | err = crypto_shash_update(desc, miter.addr, n); | |
347 | } | |
348 | sg_miter_stop(&miter); | |
349 | if (err) | |
350 | return err; | |
698ffc03 AC |
351 | |
352 | /* Handle the last full block and the partial block */ | |
353 | scatterwalk_map_and_copy(tail, sgl, tail_offset, tail_len, 0); | |
354 | ||
355 | if (tail_len != HEH_BLOCK_SIZE) { | |
356 | /* handle the partial block */ | |
357 | memset((u8 *)tail + tail_len, 0, sizeof(tail) - tail_len); | |
58b9edb0 EB |
358 | err = crypto_shash_update(desc, (u8 *)&tail[1], HEH_BLOCK_SIZE); |
359 | if (err) | |
360 | return err; | |
698ffc03 | 361 | } |
58b9edb0 EB |
362 | err = crypto_shash_final(desc, (u8 *)hash); |
363 | if (err) | |
364 | return err; | |
365 | be128_xor(hash, hash, &tail[0]); | |
366 | return 0; | |
698ffc03 AC |
367 | } |
368 | ||
369 | /* | |
370 | * Transform all full blocks except the last. | |
371 | * This is used by both the hash and inverse hash phases. | |
372 | */ | |
373 | static int heh_tfm_blocks(struct ablkcipher_request *req, | |
374 | struct scatterlist *src_sgl, | |
375 | struct scatterlist *dst_sgl, unsigned int len, | |
376 | const be128 *hash, const be128 *beta_key) | |
377 | { | |
378 | struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(req); | |
379 | struct blkcipher_desc desc = { .flags = req->base.flags }; | |
380 | struct blkcipher_walk walk; | |
381 | be128 e = *beta_key; | |
382 | int err; | |
383 | unsigned int nbytes; | |
384 | ||
385 | blkcipher_walk_init(&walk, dst_sgl, src_sgl, len); | |
386 | ||
387 | err = blkcipher_ablkcipher_walk_virt(&desc, &walk, tfm); | |
388 | ||
389 | while ((nbytes = walk.nbytes)) { | |
390 | const be128 *src = (be128 *)walk.src.virt.addr; | |
391 | be128 *dst = (be128 *)walk.dst.virt.addr; | |
392 | ||
393 | do { | |
394 | gf128mul_x_ble(&e, &e); | |
395 | be128_xor(dst, src, hash); | |
396 | be128_xor(dst, dst, &e); | |
397 | src++; | |
398 | dst++; | |
399 | } while ((nbytes -= HEH_BLOCK_SIZE) >= HEH_BLOCK_SIZE); | |
400 | err = blkcipher_walk_done(&desc, &walk, nbytes); | |
401 | } | |
402 | return err; | |
403 | } | |
404 | ||
405 | /* | |
406 | * The hash phase of HEH. Given a message, compute: | |
407 | * | |
408 | * (m_0 + H, ..., m_{N-2} + H, H, m_N) + (xb, x^2b, ..., x^{N-1}b, b, 0) | |
409 | * | |
410 | * where: | |
411 | * N is the number of full blocks in the message | |
412 | * m_i is the i-th full block in the message for i = 0 to N-1 inclusive | |
413 | * m_N is the unpadded partial block, possibly empty | |
414 | * H is the poly_hash() of the message, keyed by tau_key | |
415 | * b is beta_key | |
416 | * x is the element x in our representation of GF(2^128) | |
417 | * | |
418 | * Note that the partial block remains unchanged, but it does affect the result | |
419 | * of poly_hash() and therefore the transformation of all the full blocks. | |
420 | */ | |
421 | static int heh_hash(struct ablkcipher_request *req, const be128 *beta_key) | |
422 | { | |
423 | be128 hash; | |
698ffc03 AC |
424 | unsigned int tail_offset = get_tail_offset(req->nbytes); |
425 | unsigned int partial_len = req->nbytes % HEH_BLOCK_SIZE; | |
426 | int err; | |
427 | ||
428 | /* poly_hash() the full message including the partial block */ | |
58b9edb0 EB |
429 | err = poly_hash(req, req->src, &hash); |
430 | if (err) | |
431 | return err; | |
698ffc03 AC |
432 | |
433 | /* Transform all full blocks except the last */ | |
434 | err = heh_tfm_blocks(req, req->src, req->dst, tail_offset, &hash, | |
435 | beta_key); | |
436 | if (err) | |
437 | return err; | |
438 | ||
439 | /* Set the last full block to hash XOR beta_key */ | |
440 | be128_xor(&hash, &hash, beta_key); | |
441 | scatterwalk_map_and_copy(&hash, req->dst, tail_offset, HEH_BLOCK_SIZE, | |
442 | 1); | |
443 | ||
444 | /* Copy the partial block if needed */ | |
445 | if (partial_len != 0 && req->src != req->dst) { | |
446 | unsigned int offs = tail_offset + HEH_BLOCK_SIZE; | |
447 | ||
448 | scatterwalk_map_and_copy(&hash, req->src, offs, partial_len, 0); | |
449 | scatterwalk_map_and_copy(&hash, req->dst, offs, partial_len, 1); | |
450 | } | |
451 | return 0; | |
452 | } | |
453 | ||
454 | /* | |
455 | * The inverse hash phase of HEH. This undoes the result of heh_hash(). | |
456 | */ | |
457 | static int heh_hash_inv(struct ablkcipher_request *req, const be128 *beta_key) | |
458 | { | |
459 | be128 hash; | |
460 | be128 tmp; | |
461 | struct scatterlist tmp_sgl[2]; | |
462 | struct scatterlist *tail_sgl; | |
58b9edb0 | 463 | unsigned int tail_offset = get_tail_offset(req->nbytes); |
698ffc03 | 464 | struct scatterlist *sgl = req->dst; |
698ffc03 AC |
465 | int err; |
466 | ||
467 | /* | |
468 | * The last full block was computed as hash XOR beta_key, so XOR it with | |
469 | * beta_key to recover hash. | |
470 | */ | |
471 | tail_sgl = scatterwalk_ffwd(tmp_sgl, sgl, tail_offset); | |
472 | scatterwalk_map_and_copy(&hash, tail_sgl, 0, HEH_BLOCK_SIZE, 0); | |
473 | be128_xor(&hash, &hash, beta_key); | |
474 | ||
475 | /* Transform all full blocks except the last */ | |
476 | err = heh_tfm_blocks(req, sgl, sgl, tail_offset, &hash, beta_key); | |
477 | if (err) | |
478 | return err; | |
479 | ||
480 | /* | |
481 | * Recover the last full block. We know 'hash', i.e. the poly_hash() of | |
482 | * the the original message. The last full block was the constant term | |
483 | * of the polynomial. To recover the last full block, temporarily zero | |
484 | * it, compute the poly_hash(), and take the difference from 'hash'. | |
485 | */ | |
486 | memset(&tmp, 0, sizeof(tmp)); | |
487 | scatterwalk_map_and_copy(&tmp, tail_sgl, 0, HEH_BLOCK_SIZE, 1); | |
58b9edb0 EB |
488 | err = poly_hash(req, sgl, &tmp); |
489 | if (err) | |
490 | return err; | |
698ffc03 AC |
491 | be128_xor(&tmp, &tmp, &hash); |
492 | scatterwalk_map_and_copy(&tmp, tail_sgl, 0, HEH_BLOCK_SIZE, 1); | |
493 | return 0; | |
494 | } | |
495 | ||
496 | static int heh_hash_inv_step(struct ablkcipher_request *req, u32 flags) | |
497 | { | |
498 | struct heh_req_ctx *rctx = heh_req_ctx(req); | |
499 | ||
500 | return heh_hash_inv(req, &rctx->beta2_key); | |
501 | } | |
502 | ||
503 | static int heh_ecb_step_3(struct ablkcipher_request *req, u32 flags) | |
504 | { | |
505 | struct heh_req_ctx *rctx = heh_req_ctx(req); | |
506 | u8 partial_block[HEH_BLOCK_SIZE] __aligned(__alignof__(u32)); | |
507 | unsigned int tail_offset = get_tail_offset(req->nbytes); | |
508 | unsigned int partial_offset = tail_offset + HEH_BLOCK_SIZE; | |
509 | unsigned int partial_len = req->nbytes - partial_offset; | |
510 | ||
511 | /* | |
512 | * Extract the pad in req->dst at tail_offset, and xor the partial block | |
513 | * with it to create encrypted partial block | |
514 | */ | |
515 | scatterwalk_map_and_copy(rctx->u.ecb.keystream, req->dst, tail_offset, | |
516 | HEH_BLOCK_SIZE, 0); | |
517 | scatterwalk_map_and_copy(partial_block, req->dst, partial_offset, | |
518 | partial_len, 0); | |
519 | crypto_xor(partial_block, rctx->u.ecb.keystream, partial_len); | |
520 | ||
521 | /* | |
522 | * Store the encrypted final block and partial block back in dst_sg | |
523 | */ | |
524 | scatterwalk_map_and_copy(&rctx->u.ecb.tmp, req->dst, tail_offset, | |
525 | HEH_BLOCK_SIZE, 1); | |
526 | scatterwalk_map_and_copy(partial_block, req->dst, partial_offset, | |
527 | partial_len, 1); | |
528 | ||
529 | return heh_hash_inv_step(req, flags); | |
530 | } | |
531 | ||
532 | static void heh_ecb_step_2_done(struct crypto_async_request *areq, int err) | |
533 | { | |
534 | return async_done(areq, err, heh_ecb_step_3); | |
535 | } | |
536 | ||
537 | static int heh_ecb_step_2(struct ablkcipher_request *req, u32 flags) | |
538 | { | |
539 | struct heh_req_ctx *rctx = heh_req_ctx(req); | |
540 | unsigned int partial_len = req->nbytes % HEH_BLOCK_SIZE; | |
541 | struct scatterlist *tmp_sgl; | |
542 | int err; | |
543 | unsigned int tail_offset = get_tail_offset(req->nbytes); | |
544 | ||
545 | if (partial_len == 0) | |
546 | return heh_hash_inv_step(req, flags); | |
547 | ||
548 | /* | |
549 | * Extract the final full block, store it in tmp, and then xor that with | |
550 | * the value saved in u.ecb.keystream | |
551 | */ | |
552 | scatterwalk_map_and_copy(rctx->u.ecb.tmp, req->dst, tail_offset, | |
553 | HEH_BLOCK_SIZE, 0); | |
554 | crypto_xor(rctx->u.ecb.keystream, rctx->u.ecb.tmp, HEH_BLOCK_SIZE); | |
555 | ||
556 | /* | |
557 | * Encrypt the value in rctx->u.ecb.keystream to create the pad for the | |
558 | * partial block. | |
559 | * We cannot encrypt stack buffers, so re-use the dst_sg to do this | |
560 | * encryption to avoid a malloc. The value at tail_offset is stored in | |
561 | * tmp, and will be restored later. | |
562 | */ | |
563 | scatterwalk_map_and_copy(rctx->u.ecb.keystream, req->dst, tail_offset, | |
564 | HEH_BLOCK_SIZE, 1); | |
565 | tmp_sgl = scatterwalk_ffwd(rctx->u.ecb.tmp_sgl, req->dst, tail_offset); | |
566 | ablkcipher_request_set_callback(&rctx->u.ecb.req, flags, | |
567 | heh_ecb_step_2_done, req); | |
568 | ablkcipher_request_set_crypt(&rctx->u.ecb.req, tmp_sgl, tmp_sgl, | |
569 | HEH_BLOCK_SIZE, NULL); | |
570 | err = crypto_ablkcipher_encrypt(&rctx->u.ecb.req); | |
571 | if (err) | |
572 | return err; | |
573 | return heh_ecb_step_3(req, flags); | |
574 | } | |
575 | ||
576 | static void heh_ecb_full_done(struct crypto_async_request *areq, int err) | |
577 | { | |
578 | return async_done(areq, err, heh_ecb_step_2); | |
579 | } | |
580 | ||
581 | /* | |
582 | * The encrypt phase of HEH. This uses ECB encryption, with special handling | |
583 | * for the partial block at the end if any. The source data is already in | |
584 | * req->dst, so the encryption happens in-place. | |
585 | * | |
586 | * After the encrypt phase we continue on to the inverse hash phase. The | |
587 | * functions calls are chained to support asynchronous ECB algorithms. | |
588 | */ | |
589 | static int heh_ecb(struct ablkcipher_request *req, bool decrypt) | |
590 | { | |
591 | struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(req); | |
592 | struct heh_tfm_ctx *ctx = crypto_ablkcipher_ctx(tfm); | |
593 | struct heh_req_ctx *rctx = heh_req_ctx(req); | |
594 | struct ablkcipher_request *ecb_req = &rctx->u.ecb.req; | |
595 | unsigned int tail_offset = get_tail_offset(req->nbytes); | |
596 | unsigned int full_len = tail_offset + HEH_BLOCK_SIZE; | |
597 | int err; | |
598 | ||
599 | /* | |
600 | * Save the last full block before it is encrypted/decrypted. This will | |
601 | * be used later to encrypt/decrypt the partial block | |
602 | */ | |
603 | scatterwalk_map_and_copy(rctx->u.ecb.keystream, req->dst, tail_offset, | |
604 | HEH_BLOCK_SIZE, 0); | |
605 | ||
606 | /* Encrypt/decrypt all full blocks */ | |
607 | ablkcipher_request_set_tfm(ecb_req, ctx->ecb); | |
608 | ablkcipher_request_set_callback(ecb_req, req->base.flags, | |
609 | heh_ecb_full_done, req); | |
610 | ablkcipher_request_set_crypt(ecb_req, req->dst, req->dst, full_len, | |
611 | NULL); | |
612 | if (decrypt) | |
613 | err = crypto_ablkcipher_decrypt(ecb_req); | |
614 | else | |
615 | err = crypto_ablkcipher_encrypt(ecb_req); | |
616 | if (err) | |
617 | return err; | |
618 | ||
619 | return heh_ecb_step_2(req, req->base.flags); | |
620 | } | |
621 | ||
622 | static int heh_crypt(struct ablkcipher_request *req, bool decrypt) | |
623 | { | |
698ffc03 AC |
624 | struct heh_req_ctx *rctx = heh_req_ctx(req); |
625 | int err; | |
626 | ||
627 | /* Inputs must be at least one full block */ | |
628 | if (req->nbytes < HEH_BLOCK_SIZE) | |
629 | return -EINVAL; | |
630 | ||
698ffc03 AC |
631 | err = generate_betas(req, &rctx->beta1_key, &rctx->beta2_key); |
632 | if (err) | |
633 | return err; | |
634 | ||
635 | if (decrypt) | |
636 | swap(rctx->beta1_key, rctx->beta2_key); | |
637 | ||
638 | err = heh_hash(req, &rctx->beta1_key); | |
639 | if (err) | |
640 | return err; | |
641 | ||
642 | return heh_ecb(req, decrypt); | |
643 | } | |
644 | ||
645 | static int heh_encrypt(struct ablkcipher_request *req) | |
646 | { | |
647 | return heh_crypt(req, false); | |
648 | } | |
649 | ||
650 | static int heh_decrypt(struct ablkcipher_request *req) | |
651 | { | |
652 | return heh_crypt(req, true); | |
653 | } | |
654 | ||
655 | static int heh_setkey(struct crypto_ablkcipher *parent, const u8 *key, | |
656 | unsigned int keylen) | |
657 | { | |
658 | struct heh_tfm_ctx *ctx = crypto_ablkcipher_ctx(parent); | |
659 | struct crypto_shash *cmac = ctx->cmac; | |
660 | struct crypto_ablkcipher *ecb = ctx->ecb; | |
661 | SHASH_DESC_ON_STACK(desc, cmac); | |
662 | u8 *derived_keys; | |
663 | u8 digest[HEH_BLOCK_SIZE]; | |
664 | unsigned int i; | |
665 | int err; | |
666 | ||
667 | /* set prf_key = key */ | |
668 | crypto_shash_clear_flags(cmac, CRYPTO_TFM_REQ_MASK); | |
669 | crypto_shash_set_flags(cmac, crypto_ablkcipher_get_flags(parent) & | |
670 | CRYPTO_TFM_REQ_MASK); | |
671 | err = crypto_shash_setkey(cmac, key, keylen); | |
672 | crypto_ablkcipher_set_flags(parent, crypto_shash_get_flags(cmac) & | |
673 | CRYPTO_TFM_RES_MASK); | |
674 | if (err) | |
675 | return err; | |
676 | ||
677 | /* | |
678 | * Generate tau_key and ecb_key as follows: | |
679 | * tau_key = cmac(prf_key, 0x00...01) | |
680 | * ecb_key = cmac(prf_key, 0x00...02) || cmac(prf_key, 0x00...03) || ... | |
681 | * truncated to keylen bytes | |
682 | */ | |
683 | derived_keys = kzalloc(round_up(HEH_BLOCK_SIZE + keylen, | |
684 | HEH_BLOCK_SIZE), GFP_KERNEL); | |
685 | if (!derived_keys) | |
686 | return -ENOMEM; | |
687 | desc->tfm = cmac; | |
688 | desc->flags = (crypto_shash_get_flags(cmac) & CRYPTO_TFM_REQ_MASK); | |
689 | for (i = 0; i < keylen + HEH_BLOCK_SIZE; i += HEH_BLOCK_SIZE) { | |
690 | derived_keys[i + HEH_BLOCK_SIZE - 1] = | |
691 | 0x01 + i / HEH_BLOCK_SIZE; | |
692 | err = crypto_shash_digest(desc, derived_keys + i, | |
693 | HEH_BLOCK_SIZE, digest); | |
694 | if (err) | |
695 | goto out; | |
696 | memcpy(derived_keys + i, digest, HEH_BLOCK_SIZE); | |
697 | } | |
698 | ||
58b9edb0 EB |
699 | err = crypto_shash_setkey(ctx->poly_hash, derived_keys, HEH_BLOCK_SIZE); |
700 | if (err) | |
698ffc03 AC |
701 | goto out; |
702 | ||
703 | crypto_ablkcipher_clear_flags(ecb, CRYPTO_TFM_REQ_MASK); | |
704 | crypto_ablkcipher_set_flags(ecb, crypto_ablkcipher_get_flags(parent) & | |
705 | CRYPTO_TFM_REQ_MASK); | |
706 | err = crypto_ablkcipher_setkey(ecb, derived_keys + HEH_BLOCK_SIZE, | |
707 | keylen); | |
708 | crypto_ablkcipher_set_flags(parent, crypto_ablkcipher_get_flags(ecb) & | |
709 | CRYPTO_TFM_RES_MASK); | |
710 | out: | |
711 | kzfree(derived_keys); | |
712 | return err; | |
713 | } | |
714 | ||
715 | static int heh_init_tfm(struct crypto_tfm *tfm) | |
716 | { | |
717 | struct crypto_instance *inst = crypto_tfm_alg_instance(tfm); | |
718 | struct heh_instance_ctx *ictx = crypto_instance_ctx(inst); | |
719 | struct heh_tfm_ctx *ctx = crypto_tfm_ctx(tfm); | |
720 | struct crypto_shash *cmac; | |
58b9edb0 | 721 | struct crypto_shash *poly_hash; |
698ffc03 AC |
722 | struct crypto_ablkcipher *ecb; |
723 | unsigned int reqsize; | |
724 | int err; | |
725 | ||
726 | cmac = crypto_spawn_shash(&ictx->cmac); | |
727 | if (IS_ERR(cmac)) | |
728 | return PTR_ERR(cmac); | |
729 | ||
58b9edb0 EB |
730 | poly_hash = crypto_spawn_shash(&ictx->poly_hash); |
731 | err = PTR_ERR(poly_hash); | |
732 | if (IS_ERR(poly_hash)) | |
733 | goto err_free_cmac; | |
734 | ||
698ffc03 AC |
735 | ecb = crypto_spawn_skcipher(&ictx->ecb); |
736 | err = PTR_ERR(ecb); | |
737 | if (IS_ERR(ecb)) | |
58b9edb0 | 738 | goto err_free_poly_hash; |
698ffc03 AC |
739 | |
740 | ctx->cmac = cmac; | |
58b9edb0 | 741 | ctx->poly_hash = poly_hash; |
698ffc03 AC |
742 | ctx->ecb = ecb; |
743 | ||
744 | reqsize = crypto_tfm_alg_alignmask(tfm) & | |
745 | ~(crypto_tfm_ctx_alignment() - 1); | |
58b9edb0 EB |
746 | reqsize += max3(offsetof(struct heh_req_ctx, u.cmac.desc) + |
747 | sizeof(struct shash_desc) + | |
748 | crypto_shash_descsize(cmac), | |
749 | offsetof(struct heh_req_ctx, u.poly_hash.desc) + | |
750 | sizeof(struct shash_desc) + | |
751 | crypto_shash_descsize(poly_hash), | |
752 | offsetof(struct heh_req_ctx, u.ecb.req) + | |
753 | sizeof(struct ablkcipher_request) + | |
754 | crypto_ablkcipher_reqsize(ecb)); | |
698ffc03 | 755 | tfm->crt_ablkcipher.reqsize = reqsize; |
58b9edb0 | 756 | |
698ffc03 AC |
757 | return 0; |
758 | ||
58b9edb0 EB |
759 | err_free_poly_hash: |
760 | crypto_free_shash(poly_hash); | |
698ffc03 AC |
761 | err_free_cmac: |
762 | crypto_free_shash(cmac); | |
763 | return err; | |
764 | } | |
765 | ||
766 | static void heh_exit_tfm(struct crypto_tfm *tfm) | |
767 | { | |
768 | struct heh_tfm_ctx *ctx = crypto_tfm_ctx(tfm); | |
769 | ||
698ffc03 | 770 | crypto_free_shash(ctx->cmac); |
58b9edb0 | 771 | crypto_free_shash(ctx->poly_hash); |
698ffc03 AC |
772 | crypto_free_ablkcipher(ctx->ecb); |
773 | } | |
774 | ||
775 | static void heh_free_instance(struct crypto_instance *inst) | |
776 | { | |
777 | struct heh_instance_ctx *ctx = crypto_instance_ctx(inst); | |
778 | ||
779 | crypto_drop_shash(&ctx->cmac); | |
58b9edb0 | 780 | crypto_drop_shash(&ctx->poly_hash); |
698ffc03 AC |
781 | crypto_drop_skcipher(&ctx->ecb); |
782 | kfree(inst); | |
783 | } | |
784 | ||
785 | /* | |
786 | * Create an instance of HEH as a ablkcipher. | |
787 | * | |
788 | * This relies on underlying CMAC and ECB algorithms, usually cmac(aes) and | |
789 | * ecb(aes). For performance reasons we support asynchronous ECB algorithms. | |
790 | * However, we do not yet support asynchronous CMAC algorithms because CMAC is | |
791 | * only used on a small fixed amount of data per request, independent of the | |
792 | * request length. This would change if AEAD or variable-length nonce support | |
793 | * were to be exposed. | |
794 | */ | |
795 | static int heh_create_common(struct crypto_template *tmpl, struct rtattr **tb, | |
796 | const char *full_name, const char *cmac_name, | |
58b9edb0 | 797 | const char *poly_hash_name, const char *ecb_name) |
698ffc03 AC |
798 | { |
799 | struct crypto_attr_type *algt; | |
800 | struct crypto_instance *inst; | |
801 | struct heh_instance_ctx *ctx; | |
802 | struct shash_alg *cmac; | |
58b9edb0 | 803 | struct shash_alg *poly_hash; |
698ffc03 AC |
804 | struct crypto_alg *ecb; |
805 | int err; | |
806 | ||
807 | algt = crypto_get_attr_type(tb); | |
808 | if (IS_ERR(algt)) | |
809 | return PTR_ERR(algt); | |
810 | ||
811 | /* User must be asking for something compatible with ablkcipher */ | |
812 | if ((algt->type ^ CRYPTO_ALG_TYPE_ABLKCIPHER) & algt->mask) | |
813 | return -EINVAL; | |
814 | ||
815 | /* Allocate the ablkcipher instance */ | |
816 | inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL); | |
817 | if (!inst) | |
818 | return -ENOMEM; | |
819 | ||
820 | ctx = crypto_instance_ctx(inst); | |
821 | ||
58b9edb0 | 822 | /* Set up the cmac spawn */ |
698ffc03 | 823 | ctx->cmac.base.inst = inst; |
58b9edb0 | 824 | err = crypto_grab_shash(&ctx->cmac, cmac_name, 0, 0); |
698ffc03 AC |
825 | if (err) |
826 | goto err_free_inst; | |
827 | cmac = crypto_spawn_shash_alg(&ctx->cmac); | |
828 | err = -EINVAL; | |
829 | if (cmac->digestsize != HEH_BLOCK_SIZE) | |
830 | goto err_drop_cmac; | |
831 | ||
58b9edb0 EB |
832 | /* Set up the poly_hash spawn */ |
833 | ctx->poly_hash.base.inst = inst; | |
834 | err = crypto_grab_shash(&ctx->poly_hash, poly_hash_name, 0, 0); | |
835 | if (err) | |
836 | goto err_drop_cmac; | |
837 | poly_hash = crypto_spawn_shash_alg(&ctx->poly_hash); | |
838 | err = -EINVAL; | |
839 | if (poly_hash->digestsize != HEH_BLOCK_SIZE) | |
840 | goto err_drop_poly_hash; | |
841 | ||
842 | /* Set up the ecb spawn */ | |
698ffc03 AC |
843 | ctx->ecb.base.inst = inst; |
844 | err = crypto_grab_skcipher(&ctx->ecb, ecb_name, 0, | |
845 | crypto_requires_sync(algt->type, | |
846 | algt->mask)); | |
847 | if (err) | |
58b9edb0 | 848 | goto err_drop_poly_hash; |
698ffc03 AC |
849 | ecb = crypto_skcipher_spawn_alg(&ctx->ecb); |
850 | ||
851 | /* HEH only supports block ciphers with 16 byte block size */ | |
852 | err = -EINVAL; | |
853 | if (ecb->cra_blocksize != HEH_BLOCK_SIZE) | |
854 | goto err_drop_ecb; | |
855 | ||
856 | /* The underlying "ECB" algorithm must not require an IV */ | |
857 | err = -EINVAL; | |
858 | if ((ecb->cra_flags & CRYPTO_ALG_TYPE_MASK) == CRYPTO_ALG_TYPE_BLKCIPHER) { | |
859 | if (ecb->cra_blkcipher.ivsize != 0) | |
860 | goto err_drop_ecb; | |
861 | } else { | |
862 | if (ecb->cra_ablkcipher.ivsize != 0) | |
863 | goto err_drop_ecb; | |
864 | } | |
865 | ||
866 | /* Set the instance names */ | |
867 | err = -ENAMETOOLONG; | |
868 | if (snprintf(inst->alg.cra_driver_name, CRYPTO_MAX_ALG_NAME, | |
58b9edb0 EB |
869 | "heh_base(%s,%s,%s)", cmac->base.cra_driver_name, |
870 | poly_hash->base.cra_driver_name, | |
698ffc03 AC |
871 | ecb->cra_driver_name) >= CRYPTO_MAX_ALG_NAME) |
872 | goto err_drop_ecb; | |
873 | ||
874 | err = -ENAMETOOLONG; | |
875 | if (snprintf(inst->alg.cra_name, CRYPTO_MAX_ALG_NAME, | |
876 | "%s", full_name) >= CRYPTO_MAX_ALG_NAME) | |
877 | goto err_drop_ecb; | |
878 | ||
879 | /* Finish initializing the instance */ | |
880 | ||
881 | inst->alg.cra_flags = CRYPTO_ALG_TYPE_ABLKCIPHER | | |
58b9edb0 | 882 | (ecb->cra_flags & CRYPTO_ALG_ASYNC); |
698ffc03 AC |
883 | inst->alg.cra_blocksize = HEH_BLOCK_SIZE; |
884 | inst->alg.cra_ctxsize = sizeof(struct heh_tfm_ctx); | |
885 | inst->alg.cra_alignmask = ecb->cra_alignmask | (__alignof__(be128) - 1); | |
886 | inst->alg.cra_priority = ecb->cra_priority; | |
887 | inst->alg.cra_type = &crypto_ablkcipher_type; | |
888 | inst->alg.cra_init = heh_init_tfm; | |
889 | inst->alg.cra_exit = heh_exit_tfm; | |
890 | ||
891 | inst->alg.cra_ablkcipher.setkey = heh_setkey; | |
892 | inst->alg.cra_ablkcipher.encrypt = heh_encrypt; | |
893 | inst->alg.cra_ablkcipher.decrypt = heh_decrypt; | |
894 | if ((ecb->cra_flags & CRYPTO_ALG_TYPE_MASK) == CRYPTO_ALG_TYPE_BLKCIPHER) { | |
895 | inst->alg.cra_ablkcipher.min_keysize = ecb->cra_blkcipher.min_keysize; | |
896 | inst->alg.cra_ablkcipher.max_keysize = ecb->cra_blkcipher.max_keysize; | |
897 | } else { | |
898 | inst->alg.cra_ablkcipher.min_keysize = ecb->cra_ablkcipher.min_keysize; | |
899 | inst->alg.cra_ablkcipher.max_keysize = ecb->cra_ablkcipher.max_keysize; | |
900 | } | |
901 | inst->alg.cra_ablkcipher.ivsize = HEH_BLOCK_SIZE; | |
902 | ||
903 | /* Register the instance */ | |
904 | err = crypto_register_instance(tmpl, inst); | |
905 | if (err) | |
906 | goto err_drop_ecb; | |
907 | return 0; | |
908 | ||
909 | err_drop_ecb: | |
910 | crypto_drop_skcipher(&ctx->ecb); | |
58b9edb0 EB |
911 | err_drop_poly_hash: |
912 | crypto_drop_shash(&ctx->poly_hash); | |
698ffc03 AC |
913 | err_drop_cmac: |
914 | crypto_drop_shash(&ctx->cmac); | |
915 | err_free_inst: | |
916 | kfree(inst); | |
917 | return err; | |
918 | } | |
919 | ||
920 | static int heh_create(struct crypto_template *tmpl, struct rtattr **tb) | |
921 | { | |
922 | const char *cipher_name; | |
923 | char full_name[CRYPTO_MAX_ALG_NAME]; | |
924 | char cmac_name[CRYPTO_MAX_ALG_NAME]; | |
925 | char ecb_name[CRYPTO_MAX_ALG_NAME]; | |
926 | ||
927 | /* Get the name of the requested block cipher (e.g. aes) */ | |
928 | cipher_name = crypto_attr_alg_name(tb[1]); | |
929 | if (IS_ERR(cipher_name)) | |
930 | return PTR_ERR(cipher_name); | |
931 | ||
932 | if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "heh(%s)", cipher_name) >= | |
933 | CRYPTO_MAX_ALG_NAME) | |
934 | return -ENAMETOOLONG; | |
935 | ||
936 | if (snprintf(cmac_name, CRYPTO_MAX_ALG_NAME, "cmac(%s)", cipher_name) >= | |
937 | CRYPTO_MAX_ALG_NAME) | |
938 | return -ENAMETOOLONG; | |
939 | ||
940 | if (snprintf(ecb_name, CRYPTO_MAX_ALG_NAME, "ecb(%s)", cipher_name) >= | |
941 | CRYPTO_MAX_ALG_NAME) | |
942 | return -ENAMETOOLONG; | |
943 | ||
58b9edb0 EB |
944 | return heh_create_common(tmpl, tb, full_name, cmac_name, "poly_hash", |
945 | ecb_name); | |
698ffc03 AC |
946 | } |
947 | ||
948 | static struct crypto_template heh_tmpl = { | |
949 | .name = "heh", | |
950 | .create = heh_create, | |
951 | .free = heh_free_instance, | |
952 | .module = THIS_MODULE, | |
953 | }; | |
954 | ||
955 | static int heh_base_create(struct crypto_template *tmpl, struct rtattr **tb) | |
956 | { | |
957 | char full_name[CRYPTO_MAX_ALG_NAME]; | |
958 | const char *cmac_name; | |
58b9edb0 | 959 | const char *poly_hash_name; |
698ffc03 AC |
960 | const char *ecb_name; |
961 | ||
962 | cmac_name = crypto_attr_alg_name(tb[1]); | |
963 | if (IS_ERR(cmac_name)) | |
964 | return PTR_ERR(cmac_name); | |
965 | ||
58b9edb0 EB |
966 | poly_hash_name = crypto_attr_alg_name(tb[2]); |
967 | if (IS_ERR(poly_hash_name)) | |
968 | return PTR_ERR(poly_hash_name); | |
969 | ||
970 | ecb_name = crypto_attr_alg_name(tb[3]); | |
698ffc03 AC |
971 | if (IS_ERR(ecb_name)) |
972 | return PTR_ERR(ecb_name); | |
973 | ||
58b9edb0 EB |
974 | if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "heh_base(%s,%s,%s)", |
975 | cmac_name, poly_hash_name, ecb_name) >= | |
976 | CRYPTO_MAX_ALG_NAME) | |
698ffc03 AC |
977 | return -ENAMETOOLONG; |
978 | ||
58b9edb0 EB |
979 | return heh_create_common(tmpl, tb, full_name, cmac_name, poly_hash_name, |
980 | ecb_name); | |
698ffc03 AC |
981 | } |
982 | ||
983 | /* | |
984 | * If HEH is instantiated as "heh_base" instead of "heh", then specific | |
58b9edb0 EB |
985 | * implementations of cmac, poly_hash, and ecb can be specified instead of just |
986 | * the cipher. | |
698ffc03 AC |
987 | */ |
988 | static struct crypto_template heh_base_tmpl = { | |
989 | .name = "heh_base", | |
990 | .create = heh_base_create, | |
991 | .free = heh_free_instance, | |
992 | .module = THIS_MODULE, | |
993 | }; | |
994 | ||
995 | static int __init heh_module_init(void) | |
996 | { | |
997 | int err; | |
998 | ||
999 | err = crypto_register_template(&heh_tmpl); | |
1000 | if (err) | |
1001 | return err; | |
1002 | ||
1003 | err = crypto_register_template(&heh_base_tmpl); | |
1004 | if (err) | |
1005 | goto out_undo_heh; | |
1006 | ||
58b9edb0 EB |
1007 | err = crypto_register_shash(&poly_hash_alg); |
1008 | if (err) | |
1009 | goto out_undo_heh_base; | |
1010 | ||
698ffc03 AC |
1011 | return 0; |
1012 | ||
58b9edb0 EB |
1013 | out_undo_heh_base: |
1014 | crypto_unregister_template(&heh_base_tmpl); | |
698ffc03 AC |
1015 | out_undo_heh: |
1016 | crypto_unregister_template(&heh_tmpl); | |
1017 | return err; | |
1018 | } | |
1019 | ||
1020 | static void __exit heh_module_exit(void) | |
1021 | { | |
1022 | crypto_unregister_template(&heh_tmpl); | |
1023 | crypto_unregister_template(&heh_base_tmpl); | |
58b9edb0 | 1024 | crypto_unregister_shash(&poly_hash_alg); |
698ffc03 AC |
1025 | } |
1026 | ||
1027 | module_init(heh_module_init); | |
1028 | module_exit(heh_module_exit); | |
1029 | ||
1030 | MODULE_LICENSE("GPL"); | |
1031 | MODULE_DESCRIPTION("Hash-Encrypt-Hash block cipher mode"); | |
1032 | MODULE_ALIAS_CRYPTO("heh"); | |
1033 | MODULE_ALIAS_CRYPTO("heh_base"); |