/* SPDX-License-Identifier: GPL-2.0-or-later */ /* * SM4-CCM AEAD Algorithm using ARMv8 Crypto Extensions * as specified in rfc8998 * https://datatracker.ietf.org/doc/html/rfc8998 * * Copyright (C) 2022 Tianjia Zhang <tianjia.zhang@linux.alibaba.com> */ #include <linux/module.h> #include <linux/crypto.h> #include <linux/kernel.h> #include <linux/cpufeature.h> #include <asm/neon.h> #include <crypto/scatterwalk.h> #include <crypto/internal/aead.h> #include <crypto/internal/skcipher.h> #include <crypto/sm4.h> #include "sm4-ce.h" asmlinkage void sm4_ce_cbcmac_update(const u32 *rkey_enc, u8 *mac, const u8 *src, unsigned int nblocks); asmlinkage void sm4_ce_ccm_enc(const u32 *rkey_enc, u8 *dst, const u8 *src, u8 *iv, unsigned int nbytes, u8 *mac); asmlinkage void sm4_ce_ccm_dec(const u32 *rkey_enc, u8 *dst, const u8 *src, u8 *iv, unsigned int nbytes, u8 *mac); asmlinkage void sm4_ce_ccm_final(const u32 *rkey_enc, u8 *iv, u8 *mac); static int ccm_setkey(struct crypto_aead *tfm, const u8 *key, unsigned int key_len) { struct sm4_ctx *ctx = crypto_aead_ctx(tfm); if (key_len != SM4_KEY_SIZE) return -EINVAL; kernel_neon_begin(); sm4_ce_expand_key(key, ctx->rkey_enc, ctx->rkey_dec, crypto_sm4_fk, crypto_sm4_ck); kernel_neon_end(); return 0; } static int ccm_setauthsize(struct crypto_aead *tfm, unsigned int authsize) { if ((authsize & 1) || authsize < 4) return -EINVAL; return 0; } static int ccm_format_input(u8 info[], struct aead_request *req, unsigned int msglen) { struct crypto_aead *aead = crypto_aead_reqtfm(req); unsigned int l = req->iv[0] + 1; unsigned int m; __be32 len; /* verify that CCM dimension 'L': 2 <= L <= 8 */ if (l < 2 || l > 8) return -EINVAL; if (l < 4 && msglen >> (8 * l)) return -EOVERFLOW; memset(&req->iv[SM4_BLOCK_SIZE - l], 0, l); memcpy(info, req->iv, SM4_BLOCK_SIZE); m = crypto_aead_authsize(aead); /* format flags field per RFC 3610/NIST 800-38C */ *info |= ((m - 2) / 2) << 3; if (req->assoclen) *info |= (1 << 6); /* * format message length field, * Linux uses a u32 type to represent msglen */ if (l >= 4) l = 4; len = cpu_to_be32(msglen); memcpy(&info[SM4_BLOCK_SIZE - l], (u8 *)&len + 4 - l, l); return 0; } static void ccm_calculate_auth_mac(struct aead_request *req, u8 mac[]) { struct crypto_aead *aead = crypto_aead_reqtfm(req); struct sm4_ctx *ctx = crypto_aead_ctx(aead); struct __packed { __be16 l; __be32 h; } aadlen; u32 assoclen = req->assoclen; struct scatter_walk walk; unsigned int len; if (assoclen < 0xff00) { aadlen.l = cpu_to_be16(assoclen); len = 2; } else { aadlen.l = cpu_to_be16(0xfffe); put_unaligned_be32(assoclen, &aadlen.h); len = 6; } sm4_ce_crypt_block(ctx->rkey_enc, mac, mac); crypto_xor(mac, (const u8 *)&aadlen, len); scatterwalk_start(&walk, req->src); do { u32 n = scatterwalk_clamp(&walk, assoclen); u8 *p, *ptr; if (!n) { scatterwalk_start(&walk, sg_next(walk.sg)); n = scatterwalk_clamp(&walk, assoclen); } p = ptr = scatterwalk_map(&walk); assoclen -= n; scatterwalk_advance(&walk, n); while (n > 0) { unsigned int l, nblocks; if (len == SM4_BLOCK_SIZE) { if (n < SM4_BLOCK_SIZE) { sm4_ce_crypt_block(ctx->rkey_enc, mac, mac); len = 0; } else { nblocks = n / SM4_BLOCK_SIZE; sm4_ce_cbcmac_update(ctx->rkey_enc, mac, ptr, nblocks); ptr += nblocks * SM4_BLOCK_SIZE; n %= SM4_BLOCK_SIZE; continue; } } l = min(n, SM4_BLOCK_SIZE - len); if (l) { crypto_xor(mac + len, ptr, l); len += l; ptr += l; n -= l; } } scatterwalk_unmap(p); scatterwalk_done(&walk, 0, assoclen); } while (assoclen); } static int ccm_crypt(struct aead_request *req, struct skcipher_walk *walk, u32 *rkey_enc, u8 mac[], void (*sm4_ce_ccm_crypt)(const u32 *rkey_enc, u8 *dst, const u8 *src, u8 *iv, unsigned int nbytes, u8 *mac)) { u8 __aligned(8) ctr0[SM4_BLOCK_SIZE]; int err = 0; /* preserve the initial ctr0 for the TAG */ memcpy(ctr0, walk->iv, SM4_BLOCK_SIZE); crypto_inc(walk->iv, SM4_BLOCK_SIZE); kernel_neon_begin(); if (req->assoclen) ccm_calculate_auth_mac(req, mac); while (walk->nbytes && walk->nbytes != walk->total) { unsigned int tail = walk->nbytes % SM4_BLOCK_SIZE; sm4_ce_ccm_crypt(rkey_enc, walk->dst.virt.addr, walk->src.virt.addr, walk->iv, walk->nbytes - tail, mac); kernel_neon_end(); err = skcipher_walk_done(walk, tail); kernel_neon_begin(); } if (walk->nbytes) { sm4_ce_ccm_crypt(rkey_enc, walk->dst.virt.addr, walk->src.virt.addr, walk->iv, walk->nbytes, mac); sm4_ce_ccm_final(rkey_enc, ctr0, mac); kernel_neon_end(); err = skcipher_walk_done(walk, 0); } else { sm4_ce_ccm_final(rkey_enc, ctr0, mac); kernel_neon_end(); } return err; } static int ccm_encrypt(struct aead_request *req) { struct crypto_aead *aead = crypto_aead_reqtfm(req); struct sm4_ctx *ctx = crypto_aead_ctx(aead); u8 __aligned(8) mac[SM4_BLOCK_SIZE]; struct skcipher_walk walk; int err; err = ccm_format_input(mac, req, req->cryptlen); if (err) return err; err = skcipher_walk_aead_encrypt(&walk, req, false); if (err) return err; err = ccm_crypt(req, &walk, ctx->rkey_enc, mac, sm4_ce_ccm_enc); if (err) return err; /* copy authtag to end of dst */ scatterwalk_map_and_copy(mac, req->dst, req->assoclen + req->cryptlen, crypto_aead_authsize(aead), 1); return 0; } static int ccm_decrypt(struct aead_request *req) { struct crypto_aead *aead = crypto_aead_reqtfm(req); unsigned int authsize = crypto_aead_authsize(aead); struct sm4_ctx *ctx = crypto_aead_ctx(aead); u8 __aligned(8) mac[SM4_BLOCK_SIZE]; u8 authtag[SM4_BLOCK_SIZE]; struct skcipher_walk walk; int err; err = ccm_format_input(mac, req, req->cryptlen - authsize); if (err) return err; err = skcipher_walk_aead_decrypt(&walk, req, false); if (err) return err; err = ccm_crypt(req, &walk, ctx->rkey_enc, mac, sm4_ce_ccm_dec); if (err) return err; /* compare calculated auth tag with the stored one */ scatterwalk_map_and_copy(authtag, req->src, req->assoclen + req->cryptlen - authsize, authsize, 0); if (crypto_memneq(authtag, mac, authsize)) return -EBADMSG; return 0; } static struct aead_alg sm4_ccm_alg = { .base = { .cra_name = "ccm(sm4)", .cra_driver_name = "ccm-sm4-ce", .cra_priority = 400, .cra_blocksize = 1, .cra_ctxsize = sizeof(struct sm4_ctx), .cra_module = THIS_MODULE, }, .ivsize = SM4_BLOCK_SIZE, .chunksize = SM4_BLOCK_SIZE, .maxauthsize = SM4_BLOCK_SIZE, .setkey = ccm_setkey, .setauthsize = ccm_setauthsize, .encrypt = ccm_encrypt, .decrypt = ccm_decrypt, }; static int __init sm4_ce_ccm_init(void) { return crypto_register_aead(&sm4_ccm_alg); } static void __exit sm4_ce_ccm_exit(void) { crypto_unregister_aead(&sm4_ccm_alg); } module_cpu_feature_match(SM4, sm4_ce_ccm_init); module_exit(sm4_ce_ccm_exit); MODULE_DESCRIPTION("Synchronous SM4 in CCM mode using ARMv8 Crypto Extensions"); MODULE_ALIAS_CRYPTO("ccm(sm4)"); MODULE_AUTHOR("Tianjia Zhang <tianjia.zhang@linux.alibaba.com>"); MODULE_LICENSE("GPL v2");