linux/crypto/gcm.c
<<
>>
Prefs
   1/*
   2 * GCM: Galois/Counter Mode.
   3 *
   4 * Copyright (c) 2007 Nokia Siemens Networks - Mikko Herranen <mh1@iki.fi>
   5 *
   6 * This program is free software; you can redistribute it and/or modify it
   7 * under the terms of the GNU General Public License version 2 as published
   8 * by the Free Software Foundation.
   9 */
  10
  11#include <crypto/gf128mul.h>
  12#include <crypto/internal/aead.h>
  13#include <crypto/internal/skcipher.h>
  14#include <crypto/internal/hash.h>
  15#include <crypto/null.h>
  16#include <crypto/scatterwalk.h>
  17#include <crypto/hash.h>
  18#include "internal.h"
  19#include <linux/completion.h>
  20#include <linux/err.h>
  21#include <linux/init.h>
  22#include <linux/kernel.h>
  23#include <linux/module.h>
  24#include <linux/slab.h>
  25
  26struct gcm_instance_ctx {
  27        struct crypto_skcipher_spawn ctr;
  28        struct crypto_ahash_spawn ghash;
  29};
  30
  31struct crypto_gcm_ctx {
  32        struct crypto_skcipher *ctr;
  33        struct crypto_ahash *ghash;
  34};
  35
  36struct crypto_rfc4106_ctx {
  37        struct crypto_aead *child;
  38        u8 nonce[4];
  39};
  40
  41struct crypto_rfc4106_req_ctx {
  42        struct scatterlist src[3];
  43        struct scatterlist dst[3];
  44        struct aead_request subreq;
  45};
  46
  47struct crypto_rfc4543_instance_ctx {
  48        struct crypto_aead_spawn aead;
  49};
  50
  51struct crypto_rfc4543_ctx {
  52        struct crypto_aead *child;
  53        struct crypto_skcipher *null;
  54        u8 nonce[4];
  55};
  56
  57struct crypto_rfc4543_req_ctx {
  58        struct aead_request subreq;
  59};
  60
  61struct crypto_gcm_ghash_ctx {
  62        unsigned int cryptlen;
  63        struct scatterlist *src;
  64        int (*complete)(struct aead_request *req, u32 flags);
  65};
  66
  67struct crypto_gcm_req_priv_ctx {
  68        u8 iv[16];
  69        u8 auth_tag[16];
  70        u8 iauth_tag[16];
  71        struct scatterlist src[3];
  72        struct scatterlist dst[3];
  73        struct scatterlist sg;
  74        struct crypto_gcm_ghash_ctx ghash_ctx;
  75        union {
  76                struct ahash_request ahreq;
  77                struct skcipher_request skreq;
  78        } u;
  79};
  80
  81struct crypto_gcm_setkey_result {
  82        int err;
  83        struct completion completion;
  84};
  85
  86static struct {
  87        u8 buf[16];
  88        struct scatterlist sg;
  89} *gcm_zeroes;
  90
  91static int crypto_rfc4543_copy_src_to_dst(struct aead_request *req, bool enc);
  92
  93static inline struct crypto_gcm_req_priv_ctx *crypto_gcm_reqctx(
  94        struct aead_request *req)
  95{
  96        unsigned long align = crypto_aead_alignmask(crypto_aead_reqtfm(req));
  97
  98        return (void *)PTR_ALIGN((u8 *)aead_request_ctx(req), align + 1);
  99}
 100
 101static void crypto_gcm_setkey_done(struct crypto_async_request *req, int err)
 102{
 103        struct crypto_gcm_setkey_result *result = req->data;
 104
 105        if (err == -EINPROGRESS)
 106                return;
 107
 108        result->err = err;
 109        complete(&result->completion);
 110}
 111
 112static int crypto_gcm_setkey(struct crypto_aead *aead, const u8 *key,
 113                             unsigned int keylen)
 114{
 115        struct crypto_gcm_ctx *ctx = crypto_aead_ctx(aead);
 116        struct crypto_ahash *ghash = ctx->ghash;
 117        struct crypto_skcipher *ctr = ctx->ctr;
 118        struct {
 119                be128 hash;
 120                u8 iv[16];
 121
 122                struct crypto_gcm_setkey_result result;
 123
 124                struct scatterlist sg[1];
 125                struct skcipher_request req;
 126        } *data;
 127        int err;
 128
 129        crypto_skcipher_clear_flags(ctr, CRYPTO_TFM_REQ_MASK);
 130        crypto_skcipher_set_flags(ctr, crypto_aead_get_flags(aead) &
 131                                       CRYPTO_TFM_REQ_MASK);
 132        err = crypto_skcipher_setkey(ctr, key, keylen);
 133        crypto_aead_set_flags(aead, crypto_skcipher_get_flags(ctr) &
 134                                    CRYPTO_TFM_RES_MASK);
 135        if (err)
 136                return err;
 137
 138        data = kzalloc(sizeof(*data) + crypto_skcipher_reqsize(ctr),
 139                       GFP_KERNEL);
 140        if (!data)
 141                return -ENOMEM;
 142
 143        init_completion(&data->result.completion);
 144        sg_init_one(data->sg, &data->hash, sizeof(data->hash));
 145        skcipher_request_set_tfm(&data->req, ctr);
 146        skcipher_request_set_callback(&data->req, CRYPTO_TFM_REQ_MAY_SLEEP |
 147                                                  CRYPTO_TFM_REQ_MAY_BACKLOG,
 148                                      crypto_gcm_setkey_done,
 149                                      &data->result);
 150        skcipher_request_set_crypt(&data->req, data->sg, data->sg,
 151                                   sizeof(data->hash), data->iv);
 152
 153        err = crypto_skcipher_encrypt(&data->req);
 154        if (err == -EINPROGRESS || err == -EBUSY) {
 155                err = wait_for_completion_interruptible(
 156                        &data->result.completion);
 157                if (!err)
 158                        err = data->result.err;
 159        }
 160
 161        if (err)
 162                goto out;
 163
 164        crypto_ahash_clear_flags(ghash, CRYPTO_TFM_REQ_MASK);
 165        crypto_ahash_set_flags(ghash, crypto_aead_get_flags(aead) &
 166                               CRYPTO_TFM_REQ_MASK);
 167        err = crypto_ahash_setkey(ghash, (u8 *)&data->hash, sizeof(be128));
 168        crypto_aead_set_flags(aead, crypto_ahash_get_flags(ghash) &
 169                              CRYPTO_TFM_RES_MASK);
 170
 171out:
 172        kzfree(data);
 173        return err;
 174}
 175
 176static int crypto_gcm_setauthsize(struct crypto_aead *tfm,
 177                                  unsigned int authsize)
 178{
 179        switch (authsize) {
 180        case 4:
 181        case 8:
 182        case 12:
 183        case 13:
 184        case 14:
 185        case 15:
 186        case 16:
 187                break;
 188        default:
 189                return -EINVAL;
 190        }
 191
 192        return 0;
 193}
 194
 195static void crypto_gcm_init_common(struct aead_request *req)
 196{
 197        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 198        __be32 counter = cpu_to_be32(1);
 199        struct scatterlist *sg;
 200
 201        memset(pctx->auth_tag, 0, sizeof(pctx->auth_tag));
 202        memcpy(pctx->iv, req->iv, 12);
 203        memcpy(pctx->iv + 12, &counter, 4);
 204
 205        sg_init_table(pctx->src, 3);
 206        sg_set_buf(pctx->src, pctx->auth_tag, sizeof(pctx->auth_tag));
 207        sg = scatterwalk_ffwd(pctx->src + 1, req->src, req->assoclen);
 208        if (sg != pctx->src + 1)
 209                sg_chain(pctx->src, 2, sg);
 210
 211        if (req->src != req->dst) {
 212                sg_init_table(pctx->dst, 3);
 213                sg_set_buf(pctx->dst, pctx->auth_tag, sizeof(pctx->auth_tag));
 214                sg = scatterwalk_ffwd(pctx->dst + 1, req->dst, req->assoclen);
 215                if (sg != pctx->dst + 1)
 216                        sg_chain(pctx->dst, 2, sg);
 217        }
 218}
 219
 220static void crypto_gcm_init_crypt(struct aead_request *req,
 221                                  unsigned int cryptlen)
 222{
 223        struct crypto_aead *aead = crypto_aead_reqtfm(req);
 224        struct crypto_gcm_ctx *ctx = crypto_aead_ctx(aead);
 225        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 226        struct skcipher_request *skreq = &pctx->u.skreq;
 227        struct scatterlist *dst;
 228
 229        dst = req->src == req->dst ? pctx->src : pctx->dst;
 230
 231        skcipher_request_set_tfm(skreq, ctx->ctr);
 232        skcipher_request_set_crypt(skreq, pctx->src, dst,
 233                                     cryptlen + sizeof(pctx->auth_tag),
 234                                     pctx->iv);
 235}
 236
 237static inline unsigned int gcm_remain(unsigned int len)
 238{
 239        len &= 0xfU;
 240        return len ? 16 - len : 0;
 241}
 242
 243static void gcm_hash_len_done(struct crypto_async_request *areq, int err);
 244
 245static int gcm_hash_update(struct aead_request *req,
 246                           crypto_completion_t compl,
 247                           struct scatterlist *src,
 248                           unsigned int len, u32 flags)
 249{
 250        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 251        struct ahash_request *ahreq = &pctx->u.ahreq;
 252
 253        ahash_request_set_callback(ahreq, flags, compl, req);
 254        ahash_request_set_crypt(ahreq, src, NULL, len);
 255
 256        return crypto_ahash_update(ahreq);
 257}
 258
 259static int gcm_hash_remain(struct aead_request *req,
 260                           unsigned int remain,
 261                           crypto_completion_t compl, u32 flags)
 262{
 263        return gcm_hash_update(req, compl, &gcm_zeroes->sg, remain, flags);
 264}
 265
 266static int gcm_hash_len(struct aead_request *req, u32 flags)
 267{
 268        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 269        struct ahash_request *ahreq = &pctx->u.ahreq;
 270        struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
 271        u128 lengths;
 272
 273        lengths.a = cpu_to_be64(req->assoclen * 8);
 274        lengths.b = cpu_to_be64(gctx->cryptlen * 8);
 275        memcpy(pctx->iauth_tag, &lengths, 16);
 276        sg_init_one(&pctx->sg, pctx->iauth_tag, 16);
 277        ahash_request_set_callback(ahreq, flags, gcm_hash_len_done, req);
 278        ahash_request_set_crypt(ahreq, &pctx->sg,
 279                                pctx->iauth_tag, sizeof(lengths));
 280
 281        return crypto_ahash_finup(ahreq);
 282}
 283
 284static int gcm_hash_len_continue(struct aead_request *req, u32 flags)
 285{
 286        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 287        struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
 288
 289        return gctx->complete(req, flags);
 290}
 291
 292static void gcm_hash_len_done(struct crypto_async_request *areq, int err)
 293{
 294        struct aead_request *req = areq->data;
 295
 296        if (err)
 297                goto out;
 298
 299        err = gcm_hash_len_continue(req, 0);
 300        if (err == -EINPROGRESS)
 301                return;
 302
 303out:
 304        aead_request_complete(req, err);
 305}
 306
 307static int gcm_hash_crypt_remain_continue(struct aead_request *req, u32 flags)
 308{
 309        return gcm_hash_len(req, flags) ?:
 310               gcm_hash_len_continue(req, flags);
 311}
 312
 313static void gcm_hash_crypt_remain_done(struct crypto_async_request *areq,
 314                                       int err)
 315{
 316        struct aead_request *req = areq->data;
 317
 318        if (err)
 319                goto out;
 320
 321        err = gcm_hash_crypt_remain_continue(req, 0);
 322        if (err == -EINPROGRESS)
 323                return;
 324
 325out:
 326        aead_request_complete(req, err);
 327}
 328
 329static int gcm_hash_crypt_continue(struct aead_request *req, u32 flags)
 330{
 331        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 332        struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
 333        unsigned int remain;
 334
 335        remain = gcm_remain(gctx->cryptlen);
 336        if (remain)
 337                return gcm_hash_remain(req, remain,
 338                                       gcm_hash_crypt_remain_done, flags) ?:
 339                       gcm_hash_crypt_remain_continue(req, flags);
 340
 341        return gcm_hash_crypt_remain_continue(req, flags);
 342}
 343
 344static void gcm_hash_crypt_done(struct crypto_async_request *areq, int err)
 345{
 346        struct aead_request *req = areq->data;
 347
 348        if (err)
 349                goto out;
 350
 351        err = gcm_hash_crypt_continue(req, 0);
 352        if (err == -EINPROGRESS)
 353                return;
 354
 355out:
 356        aead_request_complete(req, err);
 357}
 358
 359static int gcm_hash_assoc_remain_continue(struct aead_request *req, u32 flags)
 360{
 361        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 362        struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
 363
 364        if (gctx->cryptlen)
 365                return gcm_hash_update(req, gcm_hash_crypt_done,
 366                                       gctx->src, gctx->cryptlen, flags) ?:
 367                       gcm_hash_crypt_continue(req, flags);
 368
 369        return gcm_hash_crypt_remain_continue(req, flags);
 370}
 371
 372static void gcm_hash_assoc_remain_done(struct crypto_async_request *areq,
 373                                       int err)
 374{
 375        struct aead_request *req = areq->data;
 376
 377        if (err)
 378                goto out;
 379
 380        err = gcm_hash_assoc_remain_continue(req, 0);
 381        if (err == -EINPROGRESS)
 382                return;
 383
 384out:
 385        aead_request_complete(req, err);
 386}
 387
 388static int gcm_hash_assoc_continue(struct aead_request *req, u32 flags)
 389{
 390        unsigned int remain;
 391
 392        remain = gcm_remain(req->assoclen);
 393        if (remain)
 394                return gcm_hash_remain(req, remain,
 395                                       gcm_hash_assoc_remain_done, flags) ?:
 396                       gcm_hash_assoc_remain_continue(req, flags);
 397
 398        return gcm_hash_assoc_remain_continue(req, flags);
 399}
 400
 401static void gcm_hash_assoc_done(struct crypto_async_request *areq, int err)
 402{
 403        struct aead_request *req = areq->data;
 404
 405        if (err)
 406                goto out;
 407
 408        err = gcm_hash_assoc_continue(req, 0);
 409        if (err == -EINPROGRESS)
 410                return;
 411
 412out:
 413        aead_request_complete(req, err);
 414}
 415
 416static int gcm_hash_init_continue(struct aead_request *req, u32 flags)
 417{
 418        if (req->assoclen)
 419                return gcm_hash_update(req, gcm_hash_assoc_done,
 420                                       req->src, req->assoclen, flags) ?:
 421                       gcm_hash_assoc_continue(req, flags);
 422
 423        return gcm_hash_assoc_remain_continue(req, flags);
 424}
 425
 426static void gcm_hash_init_done(struct crypto_async_request *areq, int err)
 427{
 428        struct aead_request *req = areq->data;
 429
 430        if (err)
 431                goto out;
 432
 433        err = gcm_hash_init_continue(req, 0);
 434        if (err == -EINPROGRESS)
 435                return;
 436
 437out:
 438        aead_request_complete(req, err);
 439}
 440
 441static int gcm_hash(struct aead_request *req, u32 flags)
 442{
 443        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 444        struct ahash_request *ahreq = &pctx->u.ahreq;
 445        struct crypto_gcm_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
 446
 447        ahash_request_set_tfm(ahreq, ctx->ghash);
 448
 449        ahash_request_set_callback(ahreq, flags, gcm_hash_init_done, req);
 450        return crypto_ahash_init(ahreq) ?:
 451               gcm_hash_init_continue(req, flags);
 452}
 453
 454static int gcm_enc_copy_hash(struct aead_request *req, u32 flags)
 455{
 456        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 457        struct crypto_aead *aead = crypto_aead_reqtfm(req);
 458        u8 *auth_tag = pctx->auth_tag;
 459
 460        crypto_xor(auth_tag, pctx->iauth_tag, 16);
 461        scatterwalk_map_and_copy(auth_tag, req->dst,
 462                                 req->assoclen + req->cryptlen,
 463                                 crypto_aead_authsize(aead), 1);
 464        return 0;
 465}
 466
 467static int gcm_encrypt_continue(struct aead_request *req, u32 flags)
 468{
 469        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 470        struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
 471
 472        gctx->src = sg_next(req->src == req->dst ? pctx->src : pctx->dst);
 473        gctx->cryptlen = req->cryptlen;
 474        gctx->complete = gcm_enc_copy_hash;
 475
 476        return gcm_hash(req, flags);
 477}
 478
 479static void gcm_encrypt_done(struct crypto_async_request *areq, int err)
 480{
 481        struct aead_request *req = areq->data;
 482
 483        if (err)
 484                goto out;
 485
 486        err = gcm_encrypt_continue(req, 0);
 487        if (err == -EINPROGRESS)
 488                return;
 489
 490out:
 491        aead_request_complete(req, err);
 492}
 493
 494static int crypto_gcm_encrypt(struct aead_request *req)
 495{
 496        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 497        struct skcipher_request *skreq = &pctx->u.skreq;
 498        u32 flags = aead_request_flags(req);
 499
 500        crypto_gcm_init_common(req);
 501        crypto_gcm_init_crypt(req, req->cryptlen);
 502        skcipher_request_set_callback(skreq, flags, gcm_encrypt_done, req);
 503
 504        return crypto_skcipher_encrypt(skreq) ?:
 505               gcm_encrypt_continue(req, flags);
 506}
 507
 508static int crypto_gcm_verify(struct aead_request *req)
 509{
 510        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 511        struct crypto_aead *aead = crypto_aead_reqtfm(req);
 512        u8 *auth_tag = pctx->auth_tag;
 513        u8 *iauth_tag = pctx->iauth_tag;
 514        unsigned int authsize = crypto_aead_authsize(aead);
 515        unsigned int cryptlen = req->cryptlen - authsize;
 516
 517        crypto_xor(auth_tag, iauth_tag, 16);
 518        scatterwalk_map_and_copy(iauth_tag, req->src,
 519                                 req->assoclen + cryptlen, authsize, 0);
 520        return crypto_memneq(iauth_tag, auth_tag, authsize) ? -EBADMSG : 0;
 521}
 522
 523static void gcm_decrypt_done(struct crypto_async_request *areq, int err)
 524{
 525        struct aead_request *req = areq->data;
 526
 527        if (!err)
 528                err = crypto_gcm_verify(req);
 529
 530        aead_request_complete(req, err);
 531}
 532
 533static int gcm_dec_hash_continue(struct aead_request *req, u32 flags)
 534{
 535        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 536        struct skcipher_request *skreq = &pctx->u.skreq;
 537        struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
 538
 539        crypto_gcm_init_crypt(req, gctx->cryptlen);
 540        skcipher_request_set_callback(skreq, flags, gcm_decrypt_done, req);
 541        return crypto_skcipher_decrypt(skreq) ?: crypto_gcm_verify(req);
 542}
 543
 544static int crypto_gcm_decrypt(struct aead_request *req)
 545{
 546        struct crypto_aead *aead = crypto_aead_reqtfm(req);
 547        struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
 548        struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
 549        unsigned int authsize = crypto_aead_authsize(aead);
 550        unsigned int cryptlen = req->cryptlen;
 551        u32 flags = aead_request_flags(req);
 552
 553        cryptlen -= authsize;
 554
 555        crypto_gcm_init_common(req);
 556
 557        gctx->src = sg_next(pctx->src);
 558        gctx->cryptlen = cryptlen;
 559        gctx->complete = gcm_dec_hash_continue;
 560
 561        return gcm_hash(req, flags);
 562}
 563
 564static int crypto_gcm_init_tfm(struct crypto_aead *tfm)
 565{
 566        struct aead_instance *inst = aead_alg_instance(tfm);
 567        struct gcm_instance_ctx *ictx = aead_instance_ctx(inst);
 568        struct crypto_gcm_ctx *ctx = crypto_aead_ctx(tfm);
 569        struct crypto_skcipher *ctr;
 570        struct crypto_ahash *ghash;
 571        unsigned long align;
 572        int err;
 573
 574        ghash = crypto_spawn_ahash(&ictx->ghash);
 575        if (IS_ERR(ghash))
 576                return PTR_ERR(ghash);
 577
 578        ctr = crypto_spawn_skcipher2(&ictx->ctr);
 579        err = PTR_ERR(ctr);
 580        if (IS_ERR(ctr))
 581                goto err_free_hash;
 582
 583        ctx->ctr = ctr;
 584        ctx->ghash = ghash;
 585
 586        align = crypto_aead_alignmask(tfm);
 587        align &= ~(crypto_tfm_ctx_alignment() - 1);
 588        crypto_aead_set_reqsize(tfm,
 589                align + offsetof(struct crypto_gcm_req_priv_ctx, u) +
 590                max(sizeof(struct skcipher_request) +
 591                    crypto_skcipher_reqsize(ctr),
 592                    sizeof(struct ahash_request) +
 593                    crypto_ahash_reqsize(ghash)));
 594
 595        return 0;
 596
 597err_free_hash:
 598        crypto_free_ahash(ghash);
 599        return err;
 600}
 601
 602static void crypto_gcm_exit_tfm(struct crypto_aead *tfm)
 603{
 604        struct crypto_gcm_ctx *ctx = crypto_aead_ctx(tfm);
 605
 606        crypto_free_ahash(ctx->ghash);
 607        crypto_free_skcipher(ctx->ctr);
 608}
 609
 610static void crypto_gcm_free(struct aead_instance *inst)
 611{
 612        struct gcm_instance_ctx *ctx = aead_instance_ctx(inst);
 613
 614        crypto_drop_skcipher(&ctx->ctr);
 615        crypto_drop_ahash(&ctx->ghash);
 616        kfree(inst);
 617}
 618
 619static int crypto_gcm_create_common(struct crypto_template *tmpl,
 620                                    struct rtattr **tb,
 621                                    const char *full_name,
 622                                    const char *ctr_name,
 623                                    const char *ghash_name)
 624{
 625        struct crypto_attr_type *algt;
 626        struct aead_instance *inst;
 627        struct skcipher_alg *ctr;
 628        struct crypto_alg *ghash_alg;
 629        struct hash_alg_common *ghash;
 630        struct gcm_instance_ctx *ctx;
 631        int err;
 632
 633        algt = crypto_get_attr_type(tb);
 634        if (IS_ERR(algt))
 635                return PTR_ERR(algt);
 636
 637        if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
 638                return -EINVAL;
 639
 640        ghash_alg = crypto_find_alg(ghash_name, &crypto_ahash_type,
 641                                    CRYPTO_ALG_TYPE_HASH,
 642                                    CRYPTO_ALG_TYPE_AHASH_MASK |
 643                                    crypto_requires_sync(algt->type,
 644                                                         algt->mask));
 645        if (IS_ERR(ghash_alg))
 646                return PTR_ERR(ghash_alg);
 647
 648        ghash = __crypto_hash_alg_common(ghash_alg);
 649
 650        err = -ENOMEM;
 651        inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
 652        if (!inst)
 653                goto out_put_ghash;
 654
 655        ctx = aead_instance_ctx(inst);
 656        err = crypto_init_ahash_spawn(&ctx->ghash, ghash,
 657                                      aead_crypto_instance(inst));
 658        if (err)
 659                goto err_free_inst;
 660
 661        err = -EINVAL;
 662        if (ghash->digestsize != 16)
 663                goto err_drop_ghash;
 664
 665        crypto_set_skcipher_spawn(&ctx->ctr, aead_crypto_instance(inst));
 666        err = crypto_grab_skcipher2(&ctx->ctr, ctr_name, 0,
 667                                    crypto_requires_sync(algt->type,
 668                                                         algt->mask));
 669        if (err)
 670                goto err_drop_ghash;
 671
 672        ctr = crypto_spawn_skcipher_alg(&ctx->ctr);
 673
 674        /* We only support 16-byte blocks. */
 675        if (crypto_skcipher_alg_ivsize(ctr) != 16)
 676                goto out_put_ctr;
 677
 678        /* Not a stream cipher? */
 679        err = -EINVAL;
 680        if (ctr->base.cra_blocksize != 1)
 681                goto out_put_ctr;
 682
 683        err = -ENAMETOOLONG;
 684        if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
 685                     "gcm_base(%s,%s)", ctr->base.cra_driver_name,
 686                     ghash_alg->cra_driver_name) >=
 687            CRYPTO_MAX_ALG_NAME)
 688                goto out_put_ctr;
 689
 690        memcpy(inst->alg.base.cra_name, full_name, CRYPTO_MAX_ALG_NAME);
 691
 692        inst->alg.base.cra_flags = (ghash->base.cra_flags |
 693                                    ctr->base.cra_flags) & CRYPTO_ALG_ASYNC;
 694        inst->alg.base.cra_priority = (ghash->base.cra_priority +
 695                                       ctr->base.cra_priority) / 2;
 696        inst->alg.base.cra_blocksize = 1;
 697        inst->alg.base.cra_alignmask = ghash->base.cra_alignmask |
 698                                       ctr->base.cra_alignmask;
 699        inst->alg.base.cra_ctxsize = sizeof(struct crypto_gcm_ctx);
 700        inst->alg.ivsize = 12;
 701        inst->alg.chunksize = crypto_skcipher_alg_chunksize(ctr);
 702        inst->alg.maxauthsize = 16;
 703        inst->alg.init = crypto_gcm_init_tfm;
 704        inst->alg.exit = crypto_gcm_exit_tfm;
 705        inst->alg.setkey = crypto_gcm_setkey;
 706        inst->alg.setauthsize = crypto_gcm_setauthsize;
 707        inst->alg.encrypt = crypto_gcm_encrypt;
 708        inst->alg.decrypt = crypto_gcm_decrypt;
 709
 710        inst->free = crypto_gcm_free;
 711
 712        err = aead_register_instance(tmpl, inst);
 713        if (err)
 714                goto out_put_ctr;
 715
 716out_put_ghash:
 717        crypto_mod_put(ghash_alg);
 718        return err;
 719
 720out_put_ctr:
 721        crypto_drop_skcipher(&ctx->ctr);
 722err_drop_ghash:
 723        crypto_drop_ahash(&ctx->ghash);
 724err_free_inst:
 725        kfree(inst);
 726        goto out_put_ghash;
 727}
 728
 729static int crypto_gcm_create(struct crypto_template *tmpl, struct rtattr **tb)
 730{
 731        const char *cipher_name;
 732        char ctr_name[CRYPTO_MAX_ALG_NAME];
 733        char full_name[CRYPTO_MAX_ALG_NAME];
 734
 735        cipher_name = crypto_attr_alg_name(tb[1]);
 736        if (IS_ERR(cipher_name))
 737                return PTR_ERR(cipher_name);
 738
 739        if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", cipher_name) >=
 740            CRYPTO_MAX_ALG_NAME)
 741                return -ENAMETOOLONG;
 742
 743        if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm(%s)", cipher_name) >=
 744            CRYPTO_MAX_ALG_NAME)
 745                return -ENAMETOOLONG;
 746
 747        return crypto_gcm_create_common(tmpl, tb, full_name,
 748                                        ctr_name, "ghash");
 749}
 750
 751static struct crypto_template crypto_gcm_tmpl = {
 752        .name = "gcm",
 753        .create = crypto_gcm_create,
 754        .module = THIS_MODULE,
 755};
 756
 757static int crypto_gcm_base_create(struct crypto_template *tmpl,
 758                                  struct rtattr **tb)
 759{
 760        const char *ctr_name;
 761        const char *ghash_name;
 762        char full_name[CRYPTO_MAX_ALG_NAME];
 763
 764        ctr_name = crypto_attr_alg_name(tb[1]);
 765        if (IS_ERR(ctr_name))
 766                return PTR_ERR(ctr_name);
 767
 768        ghash_name = crypto_attr_alg_name(tb[2]);
 769        if (IS_ERR(ghash_name))
 770                return PTR_ERR(ghash_name);
 771
 772        if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm_base(%s,%s)",
 773                     ctr_name, ghash_name) >= CRYPTO_MAX_ALG_NAME)
 774                return -ENAMETOOLONG;
 775
 776        return crypto_gcm_create_common(tmpl, tb, full_name,
 777                                        ctr_name, ghash_name);
 778}
 779
 780static struct crypto_template crypto_gcm_base_tmpl = {
 781        .name = "gcm_base",
 782        .create = crypto_gcm_base_create,
 783        .module = THIS_MODULE,
 784};
 785
 786static int crypto_rfc4106_setkey(struct crypto_aead *parent, const u8 *key,
 787                                 unsigned int keylen)
 788{
 789        struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(parent);
 790        struct crypto_aead *child = ctx->child;
 791        int err;
 792
 793        if (keylen < 4)
 794                return -EINVAL;
 795
 796        keylen -= 4;
 797        memcpy(ctx->nonce, key + keylen, 4);
 798
 799        crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK);
 800        crypto_aead_set_flags(child, crypto_aead_get_flags(parent) &
 801                                     CRYPTO_TFM_REQ_MASK);
 802        err = crypto_aead_setkey(child, key, keylen);
 803        crypto_aead_set_flags(parent, crypto_aead_get_flags(child) &
 804                                      CRYPTO_TFM_RES_MASK);
 805
 806        return err;
 807}
 808
 809static int crypto_rfc4106_setauthsize(struct crypto_aead *parent,
 810                                      unsigned int authsize)
 811{
 812        struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(parent);
 813
 814        switch (authsize) {
 815        case 8:
 816        case 12:
 817        case 16:
 818                break;
 819        default:
 820                return -EINVAL;
 821        }
 822
 823        return crypto_aead_setauthsize(ctx->child, authsize);
 824}
 825
 826static struct aead_request *crypto_rfc4106_crypt(struct aead_request *req)
 827{
 828        struct crypto_rfc4106_req_ctx *rctx = aead_request_ctx(req);
 829        struct crypto_aead *aead = crypto_aead_reqtfm(req);
 830        struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(aead);
 831        struct aead_request *subreq = &rctx->subreq;
 832        struct crypto_aead *child = ctx->child;
 833        struct scatterlist *sg;
 834        u8 *iv = PTR_ALIGN((u8 *)(subreq + 1) + crypto_aead_reqsize(child),
 835                           crypto_aead_alignmask(child) + 1);
 836
 837        scatterwalk_map_and_copy(iv + 12, req->src, 0, req->assoclen - 8, 0);
 838
 839        memcpy(iv, ctx->nonce, 4);
 840        memcpy(iv + 4, req->iv, 8);
 841
 842        sg_init_table(rctx->src, 3);
 843        sg_set_buf(rctx->src, iv + 12, req->assoclen - 8);
 844        sg = scatterwalk_ffwd(rctx->src + 1, req->src, req->assoclen);
 845        if (sg != rctx->src + 1)
 846                sg_chain(rctx->src, 2, sg);
 847
 848        if (req->src != req->dst) {
 849                sg_init_table(rctx->dst, 3);
 850                sg_set_buf(rctx->dst, iv + 12, req->assoclen - 8);
 851                sg = scatterwalk_ffwd(rctx->dst + 1, req->dst, req->assoclen);
 852                if (sg != rctx->dst + 1)
 853                        sg_chain(rctx->dst, 2, sg);
 854        }
 855
 856        aead_request_set_tfm(subreq, child);
 857        aead_request_set_callback(subreq, req->base.flags, req->base.complete,
 858                                  req->base.data);
 859        aead_request_set_crypt(subreq, rctx->src,
 860                               req->src == req->dst ? rctx->src : rctx->dst,
 861                               req->cryptlen, iv);
 862        aead_request_set_ad(subreq, req->assoclen - 8);
 863
 864        return subreq;
 865}
 866
 867static int crypto_rfc4106_encrypt(struct aead_request *req)
 868{
 869        if (req->assoclen != 16 && req->assoclen != 20)
 870                return -EINVAL;
 871
 872        req = crypto_rfc4106_crypt(req);
 873
 874        return crypto_aead_encrypt(req);
 875}
 876
 877static int crypto_rfc4106_decrypt(struct aead_request *req)
 878{
 879        if (req->assoclen != 16 && req->assoclen != 20)
 880                return -EINVAL;
 881
 882        req = crypto_rfc4106_crypt(req);
 883
 884        return crypto_aead_decrypt(req);
 885}
 886
 887static int crypto_rfc4106_init_tfm(struct crypto_aead *tfm)
 888{
 889        struct aead_instance *inst = aead_alg_instance(tfm);
 890        struct crypto_aead_spawn *spawn = aead_instance_ctx(inst);
 891        struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(tfm);
 892        struct crypto_aead *aead;
 893        unsigned long align;
 894
 895        aead = crypto_spawn_aead(spawn);
 896        if (IS_ERR(aead))
 897                return PTR_ERR(aead);
 898
 899        ctx->child = aead;
 900
 901        align = crypto_aead_alignmask(aead);
 902        align &= ~(crypto_tfm_ctx_alignment() - 1);
 903        crypto_aead_set_reqsize(
 904                tfm,
 905                sizeof(struct crypto_rfc4106_req_ctx) +
 906                ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) +
 907                align + 24);
 908
 909        return 0;
 910}
 911
 912static void crypto_rfc4106_exit_tfm(struct crypto_aead *tfm)
 913{
 914        struct crypto_rfc4106_ctx *ctx = crypto_aead_ctx(tfm);
 915
 916        crypto_free_aead(ctx->child);
 917}
 918
 919static void crypto_rfc4106_free(struct aead_instance *inst)
 920{
 921        crypto_drop_aead(aead_instance_ctx(inst));
 922        kfree(inst);
 923}
 924
 925static int crypto_rfc4106_create(struct crypto_template *tmpl,
 926                                 struct rtattr **tb)
 927{
 928        struct crypto_attr_type *algt;
 929        struct aead_instance *inst;
 930        struct crypto_aead_spawn *spawn;
 931        struct aead_alg *alg;
 932        const char *ccm_name;
 933        int err;
 934
 935        algt = crypto_get_attr_type(tb);
 936        if (IS_ERR(algt))
 937                return PTR_ERR(algt);
 938
 939        if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
 940                return -EINVAL;
 941
 942        ccm_name = crypto_attr_alg_name(tb[1]);
 943        if (IS_ERR(ccm_name))
 944                return PTR_ERR(ccm_name);
 945
 946        inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
 947        if (!inst)
 948                return -ENOMEM;
 949
 950        spawn = aead_instance_ctx(inst);
 951        crypto_set_aead_spawn(spawn, aead_crypto_instance(inst));
 952        err = crypto_grab_aead(spawn, ccm_name, 0,
 953                               crypto_requires_sync(algt->type, algt->mask));
 954        if (err)
 955                goto out_free_inst;
 956
 957        alg = crypto_spawn_aead_alg(spawn);
 958
 959        err = -EINVAL;
 960
 961        /* Underlying IV size must be 12. */
 962        if (crypto_aead_alg_ivsize(alg) != 12)
 963                goto out_drop_alg;
 964
 965        /* Not a stream cipher? */
 966        if (alg->base.cra_blocksize != 1)
 967                goto out_drop_alg;
 968
 969        err = -ENAMETOOLONG;
 970        if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
 971                     "rfc4106(%s)", alg->base.cra_name) >=
 972            CRYPTO_MAX_ALG_NAME ||
 973            snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
 974                     "rfc4106(%s)", alg->base.cra_driver_name) >=
 975            CRYPTO_MAX_ALG_NAME)
 976                goto out_drop_alg;
 977
 978        inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC;
 979        inst->alg.base.cra_priority = alg->base.cra_priority;
 980        inst->alg.base.cra_blocksize = 1;
 981        inst->alg.base.cra_alignmask = alg->base.cra_alignmask;
 982
 983        inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4106_ctx);
 984
 985        inst->alg.ivsize = 8;
 986        inst->alg.chunksize = crypto_aead_alg_chunksize(alg);
 987        inst->alg.maxauthsize = crypto_aead_alg_maxauthsize(alg);
 988
 989        inst->alg.init = crypto_rfc4106_init_tfm;
 990        inst->alg.exit = crypto_rfc4106_exit_tfm;
 991
 992        inst->alg.setkey = crypto_rfc4106_setkey;
 993        inst->alg.setauthsize = crypto_rfc4106_setauthsize;
 994        inst->alg.encrypt = crypto_rfc4106_encrypt;
 995        inst->alg.decrypt = crypto_rfc4106_decrypt;
 996
 997        inst->free = crypto_rfc4106_free;
 998
 999        err = aead_register_instance(tmpl, inst);
1000        if (err)
1001                goto out_drop_alg;
1002
1003out:
1004        return err;
1005
1006out_drop_alg:
1007        crypto_drop_aead(spawn);
1008out_free_inst:
1009        kfree(inst);
1010        goto out;
1011}
1012
1013static struct crypto_template crypto_rfc4106_tmpl = {
1014        .name = "rfc4106",
1015        .create = crypto_rfc4106_create,
1016        .module = THIS_MODULE,
1017};
1018
1019static int crypto_rfc4543_setkey(struct crypto_aead *parent, const u8 *key,
1020                                 unsigned int keylen)
1021{
1022        struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(parent);
1023        struct crypto_aead *child = ctx->child;
1024        int err;
1025
1026        if (keylen < 4)
1027                return -EINVAL;
1028
1029        keylen -= 4;
1030        memcpy(ctx->nonce, key + keylen, 4);
1031
1032        crypto_aead_clear_flags(child, CRYPTO_TFM_REQ_MASK);
1033        crypto_aead_set_flags(child, crypto_aead_get_flags(parent) &
1034                                     CRYPTO_TFM_REQ_MASK);
1035        err = crypto_aead_setkey(child, key, keylen);
1036        crypto_aead_set_flags(parent, crypto_aead_get_flags(child) &
1037                                      CRYPTO_TFM_RES_MASK);
1038
1039        return err;
1040}
1041
1042static int crypto_rfc4543_setauthsize(struct crypto_aead *parent,
1043                                      unsigned int authsize)
1044{
1045        struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(parent);
1046
1047        if (authsize != 16)
1048                return -EINVAL;
1049
1050        return crypto_aead_setauthsize(ctx->child, authsize);
1051}
1052
1053static int crypto_rfc4543_crypt(struct aead_request *req, bool enc)
1054{
1055        struct crypto_aead *aead = crypto_aead_reqtfm(req);
1056        struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(aead);
1057        struct crypto_rfc4543_req_ctx *rctx = aead_request_ctx(req);
1058        struct aead_request *subreq = &rctx->subreq;
1059        unsigned int authsize = crypto_aead_authsize(aead);
1060        u8 *iv = PTR_ALIGN((u8 *)(rctx + 1) + crypto_aead_reqsize(ctx->child),
1061                           crypto_aead_alignmask(ctx->child) + 1);
1062        int err;
1063
1064        if (req->src != req->dst) {
1065                err = crypto_rfc4543_copy_src_to_dst(req, enc);
1066                if (err)
1067                        return err;
1068        }
1069
1070        memcpy(iv, ctx->nonce, 4);
1071        memcpy(iv + 4, req->iv, 8);
1072
1073        aead_request_set_tfm(subreq, ctx->child);
1074        aead_request_set_callback(subreq, req->base.flags,
1075                                  req->base.complete, req->base.data);
1076        aead_request_set_crypt(subreq, req->src, req->dst,
1077                               enc ? 0 : authsize, iv);
1078        aead_request_set_ad(subreq, req->assoclen + req->cryptlen -
1079                                    subreq->cryptlen);
1080
1081        return enc ? crypto_aead_encrypt(subreq) : crypto_aead_decrypt(subreq);
1082}
1083
1084static int crypto_rfc4543_copy_src_to_dst(struct aead_request *req, bool enc)
1085{
1086        struct crypto_aead *aead = crypto_aead_reqtfm(req);
1087        struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(aead);
1088        unsigned int authsize = crypto_aead_authsize(aead);
1089        unsigned int nbytes = req->assoclen + req->cryptlen -
1090                              (enc ? 0 : authsize);
1091        SKCIPHER_REQUEST_ON_STACK(nreq, ctx->null);
1092
1093        skcipher_request_set_tfm(nreq, ctx->null);
1094        skcipher_request_set_callback(nreq, req->base.flags, NULL, NULL);
1095        skcipher_request_set_crypt(nreq, req->src, req->dst, nbytes, NULL);
1096
1097        return crypto_skcipher_encrypt(nreq);
1098}
1099
1100static int crypto_rfc4543_encrypt(struct aead_request *req)
1101{
1102        return crypto_rfc4543_crypt(req, true);
1103}
1104
1105static int crypto_rfc4543_decrypt(struct aead_request *req)
1106{
1107        return crypto_rfc4543_crypt(req, false);
1108}
1109
1110static int crypto_rfc4543_init_tfm(struct crypto_aead *tfm)
1111{
1112        struct aead_instance *inst = aead_alg_instance(tfm);
1113        struct crypto_rfc4543_instance_ctx *ictx = aead_instance_ctx(inst);
1114        struct crypto_aead_spawn *spawn = &ictx->aead;
1115        struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(tfm);
1116        struct crypto_aead *aead;
1117        struct crypto_skcipher *null;
1118        unsigned long align;
1119        int err = 0;
1120
1121        aead = crypto_spawn_aead(spawn);
1122        if (IS_ERR(aead))
1123                return PTR_ERR(aead);
1124
1125        null = crypto_get_default_null_skcipher2();
1126        err = PTR_ERR(null);
1127        if (IS_ERR(null))
1128                goto err_free_aead;
1129
1130        ctx->child = aead;
1131        ctx->null = null;
1132
1133        align = crypto_aead_alignmask(aead);
1134        align &= ~(crypto_tfm_ctx_alignment() - 1);
1135        crypto_aead_set_reqsize(
1136                tfm,
1137                sizeof(struct crypto_rfc4543_req_ctx) +
1138                ALIGN(crypto_aead_reqsize(aead), crypto_tfm_ctx_alignment()) +
1139                align + 12);
1140
1141        return 0;
1142
1143err_free_aead:
1144        crypto_free_aead(aead);
1145        return err;
1146}
1147
1148static void crypto_rfc4543_exit_tfm(struct crypto_aead *tfm)
1149{
1150        struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(tfm);
1151
1152        crypto_free_aead(ctx->child);
1153        crypto_put_default_null_skcipher2();
1154}
1155
1156static void crypto_rfc4543_free(struct aead_instance *inst)
1157{
1158        struct crypto_rfc4543_instance_ctx *ctx = aead_instance_ctx(inst);
1159
1160        crypto_drop_aead(&ctx->aead);
1161
1162        kfree(inst);
1163}
1164
1165static int crypto_rfc4543_create(struct crypto_template *tmpl,
1166                                struct rtattr **tb)
1167{
1168        struct crypto_attr_type *algt;
1169        struct aead_instance *inst;
1170        struct crypto_aead_spawn *spawn;
1171        struct aead_alg *alg;
1172        struct crypto_rfc4543_instance_ctx *ctx;
1173        const char *ccm_name;
1174        int err;
1175
1176        algt = crypto_get_attr_type(tb);
1177        if (IS_ERR(algt))
1178                return PTR_ERR(algt);
1179
1180        if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
1181                return -EINVAL;
1182
1183        ccm_name = crypto_attr_alg_name(tb[1]);
1184        if (IS_ERR(ccm_name))
1185                return PTR_ERR(ccm_name);
1186
1187        inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
1188        if (!inst)
1189                return -ENOMEM;
1190
1191        ctx = aead_instance_ctx(inst);
1192        spawn = &ctx->aead;
1193        crypto_set_aead_spawn(spawn, aead_crypto_instance(inst));
1194        err = crypto_grab_aead(spawn, ccm_name, 0,
1195                               crypto_requires_sync(algt->type, algt->mask));
1196        if (err)
1197                goto out_free_inst;
1198
1199        alg = crypto_spawn_aead_alg(spawn);
1200
1201        err = -EINVAL;
1202
1203        /* Underlying IV size must be 12. */
1204        if (crypto_aead_alg_ivsize(alg) != 12)
1205                goto out_drop_alg;
1206
1207        /* Not a stream cipher? */
1208        if (alg->base.cra_blocksize != 1)
1209                goto out_drop_alg;
1210
1211        err = -ENAMETOOLONG;
1212        if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
1213                     "rfc4543(%s)", alg->base.cra_name) >=
1214            CRYPTO_MAX_ALG_NAME ||
1215            snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
1216                     "rfc4543(%s)", alg->base.cra_driver_name) >=
1217            CRYPTO_MAX_ALG_NAME)
1218                goto out_drop_alg;
1219
1220        inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC;
1221        inst->alg.base.cra_priority = alg->base.cra_priority;
1222        inst->alg.base.cra_blocksize = 1;
1223        inst->alg.base.cra_alignmask = alg->base.cra_alignmask;
1224
1225        inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc4543_ctx);
1226
1227        inst->alg.ivsize = 8;
1228        inst->alg.chunksize = crypto_aead_alg_chunksize(alg);
1229        inst->alg.maxauthsize = crypto_aead_alg_maxauthsize(alg);
1230
1231        inst->alg.init = crypto_rfc4543_init_tfm;
1232        inst->alg.exit = crypto_rfc4543_exit_tfm;
1233
1234        inst->alg.setkey = crypto_rfc4543_setkey;
1235        inst->alg.setauthsize = crypto_rfc4543_setauthsize;
1236        inst->alg.encrypt = crypto_rfc4543_encrypt;
1237        inst->alg.decrypt = crypto_rfc4543_decrypt;
1238
1239        inst->free = crypto_rfc4543_free,
1240
1241        err = aead_register_instance(tmpl, inst);
1242        if (err)
1243                goto out_drop_alg;
1244
1245out:
1246        return err;
1247
1248out_drop_alg:
1249        crypto_drop_aead(spawn);
1250out_free_inst:
1251        kfree(inst);
1252        goto out;
1253}
1254
1255static struct crypto_template crypto_rfc4543_tmpl = {
1256        .name = "rfc4543",
1257        .create = crypto_rfc4543_create,
1258        .module = THIS_MODULE,
1259};
1260
1261static int __init crypto_gcm_module_init(void)
1262{
1263        int err;
1264
1265        gcm_zeroes = kzalloc(sizeof(*gcm_zeroes), GFP_KERNEL);
1266        if (!gcm_zeroes)
1267                return -ENOMEM;
1268
1269        sg_init_one(&gcm_zeroes->sg, gcm_zeroes->buf, sizeof(gcm_zeroes->buf));
1270
1271        err = crypto_register_template(&crypto_gcm_base_tmpl);
1272        if (err)
1273                goto out;
1274
1275        err = crypto_register_template(&crypto_gcm_tmpl);
1276        if (err)
1277                goto out_undo_base;
1278
1279        err = crypto_register_template(&crypto_rfc4106_tmpl);
1280        if (err)
1281                goto out_undo_gcm;
1282
1283        err = crypto_register_template(&crypto_rfc4543_tmpl);
1284        if (err)
1285                goto out_undo_rfc4106;
1286
1287        return 0;
1288
1289out_undo_rfc4106:
1290        crypto_unregister_template(&crypto_rfc4106_tmpl);
1291out_undo_gcm:
1292        crypto_unregister_template(&crypto_gcm_tmpl);
1293out_undo_base:
1294        crypto_unregister_template(&crypto_gcm_base_tmpl);
1295out:
1296        kfree(gcm_zeroes);
1297        return err;
1298}
1299
1300static void __exit crypto_gcm_module_exit(void)
1301{
1302        kfree(gcm_zeroes);
1303        crypto_unregister_template(&crypto_rfc4543_tmpl);
1304        crypto_unregister_template(&crypto_rfc4106_tmpl);
1305        crypto_unregister_template(&crypto_gcm_tmpl);
1306        crypto_unregister_template(&crypto_gcm_base_tmpl);
1307}
1308
1309module_init(crypto_gcm_module_init);
1310module_exit(crypto_gcm_module_exit);
1311
1312MODULE_LICENSE("GPL");
1313MODULE_DESCRIPTION("Galois/Counter Mode");
1314MODULE_AUTHOR("Mikko Herranen <mh1@iki.fi>");
1315MODULE_ALIAS_CRYPTO("gcm_base");
1316MODULE_ALIAS_CRYPTO("rfc4106");
1317MODULE_ALIAS_CRYPTO("rfc4543");
1318MODULE_ALIAS_CRYPTO("gcm");
1319