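// SPDX-License-Identifier: GPL-2.0-only
/*
 * aes-ccm-glue.c - AES-CCM transform for ARMv8 with Crypto Extensions
 *
 * Copyright (C) 2013 - 2017 Linaro Ltd <ard.biesheuvel@linaro.org>
 */

#include <asm/neon.h>
#include <asm/simd.h>
#include <asm/unaligned.h>
#include <crypto/aes.h>
#include <crypto/scatterwalk.h>
#include <crypto/internal/aead.h>
#include <crypto/internal/simd.h>
#include <crypto/internal/skcipher.h>
#include <linux/module.h>

#include "aes-ce-setkey.h"

/* Return the AES round count that corresponds to the key length in @ctx. */
static int num_rounds(struct crypto_aes_ctx *ctx)
{
	/*
	 * # of rounds specified by AES:
	 * 128 bit key		10 rounds
	 * 192 bit key		12 rounds
	 * 256 bit key		14 rounds
	 * => n byte key	=> 6 + (n/4) rounds
	 */
	return 6 + ctx->key_length / 4;
}

/*
 * Routines defined outside this file (declared asmlinkage); their bodies are
 * not visible here. They are only called between kernel_neon_begin() and
 * kernel_neon_end() below.
 */
asmlinkage void ce_aes_ccm_auth_data(u8 mac[], u8 const in[], u32 abytes,
				     u32 *macp, u32 const rk[], u32 rounds);

asmlinkage void ce_aes_ccm_encrypt(u8 out[], u8 const in[], u32 cbytes,
				   u32 const rk[], u32 rounds, u8 mac[],
				   u8 ctr[]);

asmlinkage void ce_aes_ccm_decrypt(u8 out[], u8 const in[], u32 cbytes,
				   u32 const rk[], u32 rounds, u8 mac[],
				   u8 ctr[]);

asmlinkage void ce_aes_ccm_final(u8 mac[], u8 const ctr[], u32 const rk[],
				 u32 rounds);

/*
 * Expand @in_key into the transform's AES context. Key length validation is
 * left to ce_aes_expandkey(), whose result is returned unchanged.
 */
static int ccm_setkey(struct crypto_aead *tfm, const u8 *in_key,
		      unsigned int key_len)
{
	struct crypto_aes_ctx *ctx = crypto_aead_ctx(tfm);

	return ce_aes_expandkey(ctx, in_key, key_len);
}

/*
 * Accept only even tag sizes of at least 4 bytes; anything else is -EINVAL.
 * No upper bound is checked here -- ccm_aes_alg declares
 * .maxauthsize = AES_BLOCK_SIZE, which presumably is enforced by the AEAD
 * core before this callback runs (confirm against the caller).
 */
static int ccm_setauthsize(struct crypto_aead *tfm, unsigned int authsize)
{
	if ((authsize & 1) || authsize < 4)
		return -EINVAL;
	return 0;
}

/*
 * Build the first CBC-MAC block (B0) in @maciv from req->iv, the tag size,
 * the AAD flag and @msglen, then clear the counter field of req->iv.
 *
 * Returns 0 on success, -EINVAL if the 'L' value encoded in req->iv[0] is
 * outside 2..8, or -EOVERFLOW if @msglen does not fit in L bytes.
 *
 * Note that req->iv is modified in place: its trailing L bytes are zeroed.
 */
static int ccm_init_mac(struct aead_request *req, u8 maciv[], u32 msglen)
{
	struct crypto_aead *aead = crypto_aead_reqtfm(req);
	/*
	 * 32-bit stores into the last 8 bytes of maciv; both callers in this
	 * file pass a buffer declared __aligned(8).
	 */
	__be32 *n = (__be32 *)&maciv[AES_BLOCK_SIZE - 8];
	u32 l = req->iv[0] + 1;

	/* verify that CCM dimension 'L' is set correctly in the IV */
	if (l < 2 || l > 8)
		return -EINVAL;

	/* verify that msglen can in fact be represented in L bytes */
	if (l < 4 && msglen >> (8 * l))
		return -EOVERFLOW;

	/*
	 * Even if the CCM spec allows L values of up to 8, the Linux cryptoapi
	 * uses a u32 type to represent msglen so the top 4 bytes are always 0.
	 */
	n[0] = 0;
	n[1] = cpu_to_be32(msglen);

	/*
	 * Copy flags + nonce over the front of the block; only the last L
	 * bytes of the big-endian length written above survive.
	 */
	memcpy(maciv, req->iv, AES_BLOCK_SIZE - l);

	/*
	 * Meaning of byte 0 according to CCM spec (RFC 3610/NIST 800-38C)
	 * - bits 0..2	: max # of bytes required to represent msglen, minus 1
	 *                (already set by caller)
	 * - bits 3..5	: size of auth tag (1 => 4 bytes, 2 => 6 bytes, etc)
	 * - bit 6	: indicates presence of authenticate-only data
	 */
	maciv[0] |= (crypto_aead_authsize(aead) - 2) << 2;
	if (req->assoclen)
		maciv[0] |= 0x40;

	/* zero the counter field so req->iv can serve as the initial counter */
	memset(&req->iv[AES_BLOCK_SIZE - l], 0, l);
	return 0;
}

/*
 * Fold @abytes bytes from @in into the running CBC-MAC in @mac.
 *
 * @macp carries the number of bytes already XORed into the current,
 * not-yet-encrypted block across calls. The accelerated routine is used when
 * crypto_simd_usable() allows it; otherwise the same update is done with the
 * generic aes_encrypt()/crypto_xor() helpers.
 */
static void ccm_update_mac(struct crypto_aes_ctx *key, u8 mac[], u8 const in[],
			   u32 abytes, u32 *macp)
{
	if (crypto_simd_usable()) {
		kernel_neon_begin();
		ce_aes_ccm_auth_data(mac, in, abytes, macp, key->key_enc,
				     num_rounds(key));
		kernel_neon_end();
	} else {
		/* top up a partially filled block left over from a prior call */
		if (*macp > 0 && *macp < AES_BLOCK_SIZE) {
			int added = min(abytes, AES_BLOCK_SIZE - *macp);

			crypto_xor(&mac[*macp], in, added);

			*macp += added;
			in += added;
			abytes -= added;
		}

		/* whole blocks: encrypt the previous state, then absorb input */
		while (abytes >= AES_BLOCK_SIZE) {
			aes_encrypt(key, mac, mac);
			crypto_xor(mac, in, AES_BLOCK_SIZE);

			in += AES_BLOCK_SIZE;
			abytes -= AES_BLOCK_SIZE;
		}

		/* trailing partial block: remember its fill level in *macp */
		if (abytes > 0) {
			aes_encrypt(key, mac, mac);
			crypto_xor(mac, in, abytes);
			*macp = abytes;
		}
	}
}

/*
 * Authenticate the associated data of @req: feed the encoded AAD length
 * followed by req->assoclen bytes from req->src into the CBC-MAC in @mac.
 *
 * Both callers in this file invoke this only when req->assoclen is non-zero.
 */
static void ccm_calculate_auth_mac(struct aead_request *req, u8 mac[])
{
	struct crypto_aead *aead = crypto_aead_reqtfm(req);
	struct crypto_aes_ctx *ctx = crypto_aead_ctx(aead);
	struct __packed { __be16 l; __be32 h; u16 len; } ltag;
	struct scatter_walk walk;
	u32 len = req->assoclen;
	u32 macp = 0;

	/*
	 * prepend the AAD with a length tag: 2 bytes for lengths below
	 * 0xff00, otherwise the 0xfffe marker followed by a 32-bit length
	 */
	if (len < 0xff00) {
		ltag.l = cpu_to_be16(len);
		ltag.len = 2;
	} else  {
		ltag.l = cpu_to_be16(0xfffe);
		put_unaligned_be32(len, &ltag.h);
		ltag.len = 6;
	}

	ccm_update_mac(ctx, mac, (u8 *)&ltag, ltag.len, &macp);
	scatterwalk_start(&walk, req->src);

	do {
		u32 n = scatterwalk_clamp(&walk, len);
		u8 *p;

		/* current scatterlist entry exhausted: move on to the next */
		if (!n) {
			scatterwalk_start(&walk, sg_next(walk.sg));
			n = scatterwalk_clamp(&walk, len);
		}
		p = scatterwalk_map(&walk);
		ccm_update_mac(ctx, mac, p, n, &macp);
		len -= n;

		scatterwalk_unmap(p);
		scatterwalk_advance(&walk, n);
		scatterwalk_done(&walk, 0, len);
	} while (len);
}

/*
 * Non-SIMD path for the payload: CTR-mode encryption/decryption plus CBC-MAC
 * using the generic aes_encrypt() helper.
 *
 * @walk must already have been started by the caller. The MAC is always
 * taken over the plaintext: @src when @enc is true, @dst (after the XOR with
 * the keystream) when it is false. On success the MAC is finally masked with
 * the encryption of @iv0. Returns the last skcipher_walk_done() result, or 0
 * if the walk had nothing to process.
 */
static int ccm_crypt_fallback(struct skcipher_walk *walk, u8 mac[], u8 iv0[],
			      struct crypto_aes_ctx *ctx, bool enc)
{
	u8 buf[AES_BLOCK_SIZE];
	int err = 0;

	while (walk->nbytes) {
		int blocks = walk->nbytes / AES_BLOCK_SIZE;
		u32 tail = walk->nbytes % AES_BLOCK_SIZE;
		u8 *dst = walk->dst.virt.addr;
		u8 *src = walk->src.virt.addr;
		u32 nbytes = walk->nbytes;

		/* last chunk of the request: handle the short block here too */
		if (nbytes == walk->total && tail > 0) {
			blocks++;
			tail = 0;
		}

		/*
		 * NOTE(review): the do/while assumes blocks >= 1, i.e. that a
		 * non-final chunk is never shorter than one AES block --
		 * presumably guaranteed by .chunksize = AES_BLOCK_SIZE.
		 */
		do {
			u32 bsize = AES_BLOCK_SIZE;

			if (nbytes < AES_BLOCK_SIZE)
				bsize = nbytes;

			crypto_inc(walk->iv, AES_BLOCK_SIZE);
			aes_encrypt(ctx, buf, walk->iv);
			aes_encrypt(ctx, mac, mac);
			if (enc)
				crypto_xor(mac, src, bsize);
			crypto_xor_cpy(dst, src, buf, bsize);
			if (!enc)
				crypto_xor(mac, dst, bsize);
			dst += bsize;
			src += bsize;
			nbytes -= bsize;
		} while (--blocks);

		err = skcipher_walk_done(walk, tail);
	}

	if (!err) {
		aes_encrypt(ctx, buf, iv0);
		aes_encrypt(ctx, mac, mac);
		crypto_xor(mac, buf, AES_BLOCK_SIZE);
	}
	return err;
}

/*
 * AEAD encrypt callback: authenticate the AAD, encrypt req->cryptlen bytes
 * and append the authentication tag to req->dst.
 *
 * Returns 0 on success or a negative errno from ccm_init_mac() or the
 * skcipher walk.
 */
static int ccm_encrypt(struct aead_request *req)
{
	struct crypto_aead *aead = crypto_aead_reqtfm(req);
	struct crypto_aes_ctx *ctx = crypto_aead_ctx(aead);
	struct skcipher_walk walk;
	u8 __aligned(8) mac[AES_BLOCK_SIZE];
	u8 buf[AES_BLOCK_SIZE];
	u32 len = req->cryptlen;
	int err;

	err = ccm_init_mac(req, mac, len);
	if (err)
		return err;

	if (req->assoclen)
		ccm_calculate_auth_mac(req, mac);

	/* preserve the original iv for the final round */
	memcpy(buf, req->iv, AES_BLOCK_SIZE);

	err = skcipher_walk_aead_encrypt(&walk, req, false);
	/*
	 * Stop if the walk could not be set up: ccm_crypt_fallback() starts
	 * from err = 0, so on the non-SIMD path this failure would otherwise
	 * be overwritten and a tag written out for data never processed.
	 */
	if (err)
		return err;

	if (crypto_simd_usable()) {
		while (walk.nbytes) {
			u32 tail = walk.nbytes % AES_BLOCK_SIZE;

			/* final chunk: let the routine consume the short block */
			if (walk.nbytes == walk.total)
				tail = 0;

			kernel_neon_begin();
			ce_aes_ccm_encrypt(walk.dst.virt.addr,
					   walk.src.virt.addr,
					   walk.nbytes - tail, ctx->key_enc,
					   num_rounds(ctx), mac, walk.iv);
			kernel_neon_end();

			err = skcipher_walk_done(&walk, tail);
		}
		if (!err) {
			kernel_neon_begin();
			ce_aes_ccm_final(mac, buf, ctx->key_enc,
					 num_rounds(ctx));
			kernel_neon_end();
		}
	} else {
		err = ccm_crypt_fallback(&walk, mac, buf, ctx, true);
	}
	if (err)
		return err;

	/* copy authtag to end of dst */
	scatterwalk_map_and_copy(mac, req->dst, req->assoclen + req->cryptlen,
				 crypto_aead_authsize(aead), 1);

	return 0;
}

/*
 * AEAD decrypt callback: authenticate the AAD, decrypt the payload and
 * compare the computed tag with the one stored at the end of req->src.
 *
 * Returns 0 on success, -EBADMSG on tag mismatch, or a negative errno from
 * ccm_init_mac() or the skcipher walk.
 *
 * The decrypted bytes are written to req->dst before the tag is compared, so
 * on -EBADMSG the destination holds unauthenticated data that the caller
 * must not use.
 */
static int ccm_decrypt(struct aead_request *req)
{
	struct crypto_aead *aead = crypto_aead_reqtfm(req);
	struct crypto_aes_ctx *ctx = crypto_aead_ctx(aead);
	unsigned int authsize = crypto_aead_authsize(aead);
	struct skcipher_walk walk;
	u8 __aligned(8) mac[AES_BLOCK_SIZE];
	u8 buf[AES_BLOCK_SIZE];
	/*
	 * NOTE(review): assumes req->cryptlen >= authsize; that is not
	 * checked in this function -- presumably the AEAD core rejects
	 * shorter requests before calling in. Confirm against the caller.
	 */
	u32 len = req->cryptlen - authsize;
	int err;

	err = ccm_init_mac(req, mac, len);
	if (err)
		return err;

	if (req->assoclen)
		ccm_calculate_auth_mac(req, mac);

	/* preserve the original iv for the final round */
	memcpy(buf, req->iv, AES_BLOCK_SIZE);

	err = skcipher_walk_aead_decrypt(&walk, req, false);
	/*
	 * Stop if the walk could not be set up: ccm_crypt_fallback() starts
	 * from err = 0, so on the non-SIMD path this failure would otherwise
	 * be overwritten by its return value.
	 */
	if (err)
		return err;

	if (crypto_simd_usable()) {
		while (walk.nbytes) {
			u32 tail = walk.nbytes % AES_BLOCK_SIZE;

			/* final chunk: let the routine consume the short block */
			if (walk.nbytes == walk.total)
				tail = 0;

			kernel_neon_begin();
			ce_aes_ccm_decrypt(walk.dst.virt.addr,
					   walk.src.virt.addr,
					   walk.nbytes - tail, ctx->key_enc,
					   num_rounds(ctx), mac, walk.iv);
			kernel_neon_end();

			err = skcipher_walk_done(&walk, tail);
		}
		if (!err) {
			kernel_neon_begin();
			ce_aes_ccm_final(mac, buf, ctx->key_enc,
					 num_rounds(ctx));
			kernel_neon_end();
		}
	} else {
		err = ccm_crypt_fallback(&walk, mac, buf, ctx, false);
	}

	if (err)
		return err;

	/* compare calculated auth tag with the stored one */
	scatterwalk_map_and_copy(buf, req->src,
				 req->assoclen + req->cryptlen - authsize,
				 authsize, 0);

	/* crypto_memneq() compares in constant time, unlike memcmp() */
	if (crypto_memneq(mac, buf, authsize))
		return -EBADMSG;
	return 0;
}

/* AEAD algorithm descriptor registered as "ccm(aes)" / "ccm-aes-ce". */
static struct aead_alg ccm_aes_alg = {
	.base = {
		.cra_name		= "ccm(aes)",
		.cra_driver_name	= "ccm-aes-ce",
		.cra_priority		= 300,
		.cra_blocksize		= 1,
		.cra_ctxsize		= sizeof(struct crypto_aes_ctx),
		.cra_module		= THIS_MODULE,
	},
	.ivsize		= AES_BLOCK_SIZE,
	.chunksize	= AES_BLOCK_SIZE,
	.maxauthsize	= AES_BLOCK_SIZE,
	.setkey		= ccm_setkey,
	.setauthsize	= ccm_setauthsize,
	.encrypt	= ccm_encrypt,
	.decrypt	= ccm_decrypt,
};

/* Register the algorithm only when the CPU reports the AES feature. */
static int __init aes_mod_init(void)
{
	if (!cpu_have_named_feature(AES))
		return -ENODEV;
	return crypto_register_aead(&ccm_aes_alg);
}

/* Unregister the algorithm on module unload. */
static void __exit aes_mod_exit(void)
{
	crypto_unregister_aead(&ccm_aes_alg);
}

module_init(aes_mod_init);
module_exit(aes_mod_exit);

MODULE_DESCRIPTION("Synchronous AES in CCM mode using ARMv8 Crypto Extensions");
MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>");
MODULE_LICENSE("GPL v2");
MODULE_ALIAS_CRYPTO("ccm(aes)");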