[linux-2.6-block.git] / crypto / authencesn.c

// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * authencesn.c - AEAD wrapper for IPsec with extended sequence numbers,
 *                 derived from authenc.c
 *
 * Copyright (C) 2010 secunet Security Networks AG
 * Copyright (C) 2010 Steffen Klassert <steffen.klassert@secunet.com>
 * Copyright (c) 2015 Herbert Xu <herbert@gondor.apana.org.au>
 */

#include <crypto/internal/aead.h>
#include <crypto/internal/hash.h>
#include <crypto/internal/skcipher.h>
#include <crypto/authenc.h>
#include <crypto/null.h>
#include <crypto/scatterwalk.h>
#include <linux/err.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/rtnetlink.h>
#include <linux/slab.h>
#include <linux/spinlock.h>

struct authenc_esn_instance_ctx {
	struct crypto_ahash_spawn auth;
	struct crypto_skcipher_spawn enc;
};

struct crypto_authenc_esn_ctx {
	unsigned int reqoff;
	struct crypto_ahash *auth;
	struct crypto_skcipher *enc;
	struct crypto_sync_skcipher *null;
};

struct authenc_esn_request_ctx {
	struct scatterlist src[2];
	struct scatterlist dst[2];
	char tail[];
};

static void authenc_esn_request_complete(struct aead_request *req, int err)
{
	if (err != -EINPROGRESS)
		aead_request_complete(req, err);
}

static int crypto_authenc_esn_setauthsize(struct crypto_aead *authenc_esn,
					  unsigned int authsize)
{
	if (authsize > 0 && authsize < 4)
		return -EINVAL;

	return 0;
}

static int crypto_authenc_esn_setkey(struct crypto_aead *authenc_esn, const u8 *key,
				     unsigned int keylen)
{
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	struct crypto_ahash *auth = ctx->auth;
	struct crypto_skcipher *enc = ctx->enc;
	struct crypto_authenc_keys keys;
	int err = -EINVAL;

	if (crypto_authenc_extractkeys(&keys, key, keylen) != 0)
		goto badkey;

	crypto_ahash_clear_flags(auth, CRYPTO_TFM_REQ_MASK);
	crypto_ahash_set_flags(auth, crypto_aead_get_flags(authenc_esn) &
				     CRYPTO_TFM_REQ_MASK);
	err = crypto_ahash_setkey(auth, keys.authkey, keys.authkeylen);
	crypto_aead_set_flags(authenc_esn, crypto_ahash_get_flags(auth) &
					   CRYPTO_TFM_RES_MASK);

	if (err)
		goto out;

	crypto_skcipher_clear_flags(enc, CRYPTO_TFM_REQ_MASK);
	crypto_skcipher_set_flags(enc, crypto_aead_get_flags(authenc_esn) &
					 CRYPTO_TFM_REQ_MASK);
	err = crypto_skcipher_setkey(enc, keys.enckey, keys.enckeylen);
	crypto_aead_set_flags(authenc_esn, crypto_skcipher_get_flags(enc) &
					   CRYPTO_TFM_RES_MASK);

out:
	memzero_explicit(&keys, sizeof(keys));
	return err;

badkey:
	crypto_aead_set_flags(authenc_esn, CRYPTO_TFM_RES_BAD_KEY_LEN);
	goto out;
}

static int crypto_authenc_esn_genicv_tail(struct aead_request *req,
					  unsigned int flags)
{
	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
	struct crypto_ahash *auth = ctx->auth;
	u8 *hash = PTR_ALIGN((u8 *)areq_ctx->tail,
			     crypto_ahash_alignmask(auth) + 1);
	unsigned int authsize = crypto_aead_authsize(authenc_esn);
	unsigned int assoclen = req->assoclen;
	unsigned int cryptlen = req->cryptlen;
	struct scatterlist *dst = req->dst;
	u32 tmp[2];

	/* Move high-order bits of sequence number back. */
	scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
	scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);

	scatterwalk_map_and_copy(hash, dst, assoclen + cryptlen, authsize, 1);
	return 0;
}

static void authenc_esn_geniv_ahash_done(struct crypto_async_request *areq,
					 int err)
{
	struct aead_request *req = areq->data;

	err = err ?: crypto_authenc_esn_genicv_tail(req, 0);
	aead_request_complete(req, err);
}

static int crypto_authenc_esn_genicv(struct aead_request *req,
				     unsigned int flags)
{
	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	struct crypto_ahash *auth = ctx->auth;
	u8 *hash = PTR_ALIGN((u8 *)areq_ctx->tail,
			     crypto_ahash_alignmask(auth) + 1);
	struct ahash_request *ahreq = (void *)(areq_ctx->tail + ctx->reqoff);
	unsigned int authsize = crypto_aead_authsize(authenc_esn);
	unsigned int assoclen = req->assoclen;
	unsigned int cryptlen = req->cryptlen;
	struct scatterlist *dst = req->dst;
	u32 tmp[2];

	if (!authsize)
		return 0;

	/* Move high-order bits of sequence number to the end. */
	scatterwalk_map_and_copy(tmp, dst, 0, 8, 0);
	scatterwalk_map_and_copy(tmp, dst, 4, 4, 1);
	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 1);

	sg_init_table(areq_ctx->dst, 2);
	dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);

	ahash_request_set_tfm(ahreq, auth);
	ahash_request_set_crypt(ahreq, dst, hash, assoclen + cryptlen);
	ahash_request_set_callback(ahreq, flags,
				   authenc_esn_geniv_ahash_done, req);

	return crypto_ahash_digest(ahreq) ?:
	       crypto_authenc_esn_genicv_tail(req, aead_request_flags(req));
}


static void crypto_authenc_esn_encrypt_done(struct crypto_async_request *req,
					    int err)
{
	struct aead_request *areq = req->data;

	if (!err)
		err = crypto_authenc_esn_genicv(areq, 0);

	authenc_esn_request_complete(areq, err);
}

static int crypto_authenc_esn_copy(struct aead_request *req, unsigned int len)
{
	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	SYNC_SKCIPHER_REQUEST_ON_STACK(skreq, ctx->null);

	skcipher_request_set_sync_tfm(skreq, ctx->null);
	skcipher_request_set_callback(skreq, aead_request_flags(req),
				      NULL, NULL);
	skcipher_request_set_crypt(skreq, req->src, req->dst, len, NULL);

	return crypto_skcipher_encrypt(skreq);
}

static int crypto_authenc_esn_encrypt(struct aead_request *req)
{
	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	struct skcipher_request *skreq = (void *)(areq_ctx->tail +
						  ctx->reqoff);
	struct crypto_skcipher *enc = ctx->enc;
	unsigned int assoclen = req->assoclen;
	unsigned int cryptlen = req->cryptlen;
	struct scatterlist *src, *dst;
	int err;

	sg_init_table(areq_ctx->src, 2);
	src = scatterwalk_ffwd(areq_ctx->src, req->src, assoclen);
	dst = src;

	if (req->src != req->dst) {
		err = crypto_authenc_esn_copy(req, assoclen);
		if (err)
			return err;

		sg_init_table(areq_ctx->dst, 2);
		dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, assoclen);
	}

	skcipher_request_set_tfm(skreq, enc);
	skcipher_request_set_callback(skreq, aead_request_flags(req),
				      crypto_authenc_esn_encrypt_done, req);
	skcipher_request_set_crypt(skreq, src, dst, cryptlen, req->iv);

	err = crypto_skcipher_encrypt(skreq);
	if (err)
		return err;

	return crypto_authenc_esn_genicv(req, aead_request_flags(req));
}

static int crypto_authenc_esn_decrypt_tail(struct aead_request *req,
					   unsigned int flags)
{
	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	unsigned int authsize = crypto_aead_authsize(authenc_esn);
	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	struct skcipher_request *skreq = (void *)(areq_ctx->tail +
						  ctx->reqoff);
	struct crypto_ahash *auth = ctx->auth;
	u8 *ohash = PTR_ALIGN((u8 *)areq_ctx->tail,
			      crypto_ahash_alignmask(auth) + 1);
	unsigned int cryptlen = req->cryptlen - authsize;
	unsigned int assoclen = req->assoclen;
	struct scatterlist *dst = req->dst;
	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
	u32 tmp[2];

	if (!authsize)
		goto decrypt;

	/* Move high-order bits of sequence number back. */
	scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
	scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);

	if (crypto_memneq(ihash, ohash, authsize))
		return -EBADMSG;

decrypt:

	sg_init_table(areq_ctx->dst, 2);
	dst = scatterwalk_ffwd(areq_ctx->dst, dst, assoclen);

	skcipher_request_set_tfm(skreq, ctx->enc);
	skcipher_request_set_callback(skreq, flags,
				      req->base.complete, req->base.data);
	skcipher_request_set_crypt(skreq, dst, dst, cryptlen, req->iv);

	return crypto_skcipher_decrypt(skreq);
}

static void authenc_esn_verify_ahash_done(struct crypto_async_request *areq,
					  int err)
{
	struct aead_request *req = areq->data;

	err = err ?: crypto_authenc_esn_decrypt_tail(req, 0);
	authenc_esn_request_complete(req, err);
}

static int crypto_authenc_esn_decrypt(struct aead_request *req)
{
	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	struct ahash_request *ahreq = (void *)(areq_ctx->tail + ctx->reqoff);
	unsigned int authsize = crypto_aead_authsize(authenc_esn);
	struct crypto_ahash *auth = ctx->auth;
	u8 *ohash = PTR_ALIGN((u8 *)areq_ctx->tail,
			      crypto_ahash_alignmask(auth) + 1);
	unsigned int assoclen = req->assoclen;
	unsigned int cryptlen = req->cryptlen;
	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
	struct scatterlist *dst = req->dst;
	u32 tmp[2];
	int err;

	cryptlen -= authsize;

	if (req->src != dst) {
		err = crypto_authenc_esn_copy(req, assoclen + cryptlen);
		if (err)
			return err;
	}

	scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
				 authsize, 0);

	if (!authsize)
		goto tail;

	/* Move high-order bits of sequence number to the end. */
	scatterwalk_map_and_copy(tmp, dst, 0, 8, 0);
	scatterwalk_map_and_copy(tmp, dst, 4, 4, 1);
	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 1);

	sg_init_table(areq_ctx->dst, 2);
	dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);

	ahash_request_set_tfm(ahreq, auth);
	ahash_request_set_crypt(ahreq, dst, ohash, assoclen + cryptlen);
	ahash_request_set_callback(ahreq, aead_request_flags(req),
				   authenc_esn_verify_ahash_done, req);

	err = crypto_ahash_digest(ahreq);
	if (err)
		return err;

tail:
	return crypto_authenc_esn_decrypt_tail(req, aead_request_flags(req));
}

static int crypto_authenc_esn_init_tfm(struct crypto_aead *tfm)
{
	struct aead_instance *inst = aead_alg_instance(tfm);
	struct authenc_esn_instance_ctx *ictx = aead_instance_ctx(inst);
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(tfm);
	struct crypto_ahash *auth;
	struct crypto_skcipher *enc;
	struct crypto_sync_skcipher *null;
	int err;

	auth = crypto_spawn_ahash(&ictx->auth);
	if (IS_ERR(auth))
		return PTR_ERR(auth);

	enc = crypto_spawn_skcipher(&ictx->enc);
	err = PTR_ERR(enc);
	if (IS_ERR(enc))
		goto err_free_ahash;

	null = crypto_get_default_null_skcipher();
	err = PTR_ERR(null);
	if (IS_ERR(null))
		goto err_free_skcipher;

	ctx->auth = auth;
	ctx->enc = enc;
	ctx->null = null;

	ctx->reqoff = ALIGN(2 * crypto_ahash_digestsize(auth),
			    crypto_ahash_alignmask(auth) + 1);

	crypto_aead_set_reqsize(
		tfm,
		sizeof(struct authenc_esn_request_ctx) +
		ctx->reqoff +
		max_t(unsigned int,
		      crypto_ahash_reqsize(auth) +
		      sizeof(struct ahash_request),
		      sizeof(struct skcipher_request) +
		      crypto_skcipher_reqsize(enc)));

	return 0;

err_free_skcipher:
	crypto_free_skcipher(enc);
err_free_ahash:
	crypto_free_ahash(auth);
	return err;
}

static void crypto_authenc_esn_exit_tfm(struct crypto_aead *tfm)
{
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(tfm);

	crypto_free_ahash(ctx->auth);
	crypto_free_skcipher(ctx->enc);
	crypto_put_default_null_skcipher();
}

static void crypto_authenc_esn_free(struct aead_instance *inst)
{
	struct authenc_esn_instance_ctx *ctx = aead_instance_ctx(inst);

	crypto_drop_skcipher(&ctx->enc);
	crypto_drop_ahash(&ctx->auth);
	kfree(inst);
}

static int crypto_authenc_esn_create(struct crypto_template *tmpl,
				     struct rtattr **tb)
{
	struct crypto_attr_type *algt;
	struct aead_instance *inst;
	struct hash_alg_common *auth;
	struct crypto_alg *auth_base;
	struct skcipher_alg *enc;
	struct authenc_esn_instance_ctx *ctx;
	const char *enc_name;
	int err;

	algt = crypto_get_attr_type(tb);
	if (IS_ERR(algt))
		return PTR_ERR(algt);

	if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
		return -EINVAL;

	auth = ahash_attr_alg(tb[1], CRYPTO_ALG_TYPE_HASH,
			      CRYPTO_ALG_TYPE_AHASH_MASK |
			      crypto_requires_sync(algt->type, algt->mask));
	if (IS_ERR(auth))
		return PTR_ERR(auth);

	auth_base = &auth->base;

	enc_name = crypto_attr_alg_name(tb[2]);
	err = PTR_ERR(enc_name);
	if (IS_ERR(enc_name))
		goto out_put_auth;

	inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
	err = -ENOMEM;
	if (!inst)
		goto out_put_auth;

	ctx = aead_instance_ctx(inst);

	err = crypto_init_ahash_spawn(&ctx->auth, auth,
				      aead_crypto_instance(inst));
	if (err)
		goto err_free_inst;

	crypto_set_skcipher_spawn(&ctx->enc, aead_crypto_instance(inst));
	err = crypto_grab_skcipher(&ctx->enc, enc_name, 0,
				   crypto_requires_sync(algt->type,
							algt->mask));
	if (err)
		goto err_drop_auth;

	enc = crypto_spawn_skcipher_alg(&ctx->enc);

	err = -ENAMETOOLONG;
	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
		     "authencesn(%s,%s)", auth_base->cra_name,
		     enc->base.cra_name) >= CRYPTO_MAX_ALG_NAME)
		goto err_drop_enc;

	if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
		     "authencesn(%s,%s)", auth_base->cra_driver_name,
		     enc->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
		goto err_drop_enc;

	inst->alg.base.cra_flags = (auth_base->cra_flags |
				    enc->base.cra_flags) & CRYPTO_ALG_ASYNC;
	inst->alg.base.cra_priority = enc->base.cra_priority * 10 +
				      auth_base->cra_priority;
	inst->alg.base.cra_blocksize = enc->base.cra_blocksize;
	inst->alg.base.cra_alignmask = auth_base->cra_alignmask |
				       enc->base.cra_alignmask;
	inst->alg.base.cra_ctxsize = sizeof(struct crypto_authenc_esn_ctx);

	inst->alg.ivsize = crypto_skcipher_alg_ivsize(enc);
	inst->alg.chunksize = crypto_skcipher_alg_chunksize(enc);
	inst->alg.maxauthsize = auth->digestsize;

	inst->alg.init = crypto_authenc_esn_init_tfm;
	inst->alg.exit = crypto_authenc_esn_exit_tfm;

	inst->alg.setkey = crypto_authenc_esn_setkey;
	inst->alg.setauthsize = crypto_authenc_esn_setauthsize;
	inst->alg.encrypt = crypto_authenc_esn_encrypt;
	inst->alg.decrypt = crypto_authenc_esn_decrypt;

	inst->free = crypto_authenc_esn_free,

	err = aead_register_instance(tmpl, inst);
	if (err)
		goto err_drop_enc;

out:
	crypto_mod_put(auth_base);
	return err;

err_drop_enc:
	crypto_drop_skcipher(&ctx->enc);
err_drop_auth:
	crypto_drop_ahash(&ctx->auth);
err_free_inst:
	kfree(inst);
out_put_auth:
	goto out;
}

static struct crypto_template crypto_authenc_esn_tmpl = {
	.name = "authencesn",
	.create = crypto_authenc_esn_create,
	.module = THIS_MODULE,
};

static int __init crypto_authenc_esn_module_init(void)
{
	return crypto_register_template(&crypto_authenc_esn_tmpl);
}

static void __exit crypto_authenc_esn_module_exit(void)
{
	crypto_unregister_template(&crypto_authenc_esn_tmpl);
}

subsys_initcall(crypto_authenc_esn_module_init);
module_exit(crypto_authenc_esn_module_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Steffen Klassert <steffen.klassert@secunet.com>");
MODULE_DESCRIPTION("AEAD wrapper for IPsec with extended sequence numbers");
MODULE_ALIAS_CRYPTO("authencesn");
Commit	Line	Data
2874c5fd	1	// SPDX-License-Identifier: GPL-2.0-or-later
a5079d08 SK	2	/*
	3	* authencesn.c - AEAD wrapper for IPsec with extended sequence numbers,
	4	* derived from authenc.c
	5	*
	6	* Copyright (C) 2010 secunet Security Networks AG
	7	* Copyright (C) 2010 Steffen Klassert <steffen.klassert@secunet.com>
104880a6	8	* Copyright (c) 2015 Herbert Xu <herbert@gondor.apana.org.au>
a5079d08 SK	9	*/
a5079d08 SK	10
7fb2a4bd	11	#include <crypto/internal/aead.h>
a5079d08 SK	12	#include <crypto/internal/hash.h>
	13	#include <crypto/internal/skcipher.h>
	14	#include <crypto/authenc.h>
104880a6	15	#include <crypto/null.h>
a5079d08 SK	16	#include <crypto/scatterwalk.h>
	17	#include <linux/err.h>
	18	#include <linux/init.h>
	19	#include <linux/kernel.h>
	20	#include <linux/module.h>
	21	#include <linux/rtnetlink.h>
	22	#include <linux/slab.h>
	23	#include <linux/spinlock.h>
	24
	25	struct authenc_esn_instance_ctx {
	26	struct crypto_ahash_spawn auth;
	27	struct crypto_skcipher_spawn enc;
	28	};
	29
	30	struct crypto_authenc_esn_ctx {
	31	unsigned int reqoff;
	32	struct crypto_ahash *auth;
e75445a8	33	struct crypto_skcipher *enc;
8d605398	34	struct crypto_sync_skcipher *null;
a5079d08 SK	35	};
	36
	37	struct authenc_esn_request_ctx {
104880a6 HX	38	struct scatterlist src[2];
104880a6 HX	39	struct scatterlist dst[2];
a5079d08 SK	40	char tail[];
	41	};
	42
	43	static void authenc_esn_request_complete(struct aead_request *req, int err)
	44	{
	45	if (err != -EINPROGRESS)
	46	aead_request_complete(req, err);
	47	}
	48
104880a6 HX	49	static int crypto_authenc_esn_setauthsize(struct crypto_aead *authenc_esn,
	50	unsigned int authsize)
	51	{
	52	if (authsize > 0 && authsize < 4)
	53	return -EINVAL;
	54
	55	return 0;
	56	}
	57
a5079d08 SK	58	static int crypto_authenc_esn_setkey(struct crypto_aead authenc_esn, const u8 key,
	59	unsigned int keylen)
	60	{
a5079d08 SK	61	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
a5079d08 SK	62	struct crypto_ahash *auth = ctx->auth;
e75445a8	63	struct crypto_skcipher *enc = ctx->enc;
fddc2c43	64	struct crypto_authenc_keys keys;
a5079d08 SK	65	int err = -EINVAL;
a5079d08 SK	66
fddc2c43	67	if (crypto_authenc_extractkeys(&keys, key, keylen) != 0)
a5079d08	68	goto badkey;
a5079d08 SK	69
	70	crypto_ahash_clear_flags(auth, CRYPTO_TFM_REQ_MASK);
	71	crypto_ahash_set_flags(auth, crypto_aead_get_flags(authenc_esn) &
	72	CRYPTO_TFM_REQ_MASK);
fddc2c43	73	err = crypto_ahash_setkey(auth, keys.authkey, keys.authkeylen);
a5079d08 SK	74	crypto_aead_set_flags(authenc_esn, crypto_ahash_get_flags(auth) &
	75	CRYPTO_TFM_RES_MASK);
	76
	77	if (err)
	78	goto out;
	79
e75445a8 HX	80	crypto_skcipher_clear_flags(enc, CRYPTO_TFM_REQ_MASK);
e75445a8 HX	81	crypto_skcipher_set_flags(enc, crypto_aead_get_flags(authenc_esn) &
a5079d08	82	CRYPTO_TFM_REQ_MASK);
e75445a8 HX	83	err = crypto_skcipher_setkey(enc, keys.enckey, keys.enckeylen);
e75445a8 HX	84	crypto_aead_set_flags(authenc_esn, crypto_skcipher_get_flags(enc) &
a5079d08 SK	85	CRYPTO_TFM_RES_MASK);
	86
	87	out:
31545df3	88	memzero_explicit(&keys, sizeof(keys));
a5079d08 SK	89	return err;
	90
	91	badkey:
	92	crypto_aead_set_flags(authenc_esn, CRYPTO_TFM_RES_BAD_KEY_LEN);
	93	goto out;
	94	}
	95
104880a6 HX	96	static int crypto_authenc_esn_genicv_tail(struct aead_request *req,
104880a6 HX	97	unsigned int flags)
a5079d08	98	{
a5079d08 SK	99	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	100	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	101	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
104880a6 HX	102	struct crypto_ahash *auth = ctx->auth;
	103	u8 hash = PTR_ALIGN((u8 )areq_ctx->tail,
	104	crypto_ahash_alignmask(auth) + 1);
	105	unsigned int authsize = crypto_aead_authsize(authenc_esn);
	106	unsigned int assoclen = req->assoclen;
	107	unsigned int cryptlen = req->cryptlen;
	108	struct scatterlist *dst = req->dst;
	109	u32 tmp[2];
a5079d08	110
104880a6 HX	111	/* Move high-order bits of sequence number back. */
	112	scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
	113	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
	114	scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);
a5079d08	115
104880a6 HX	116	scatterwalk_map_and_copy(hash, dst, assoclen + cryptlen, authsize, 1);
104880a6 HX	117	return 0;
a5079d08 SK	118	}
a5079d08 SK	119
a5079d08 SK	120	static void authenc_esn_geniv_ahash_done(struct crypto_async_request *areq,
	121	int err)
	122	{
	123	struct aead_request *req = areq->data;
a5079d08	124
104880a6	125	err = err ?: crypto_authenc_esn_genicv_tail(req, 0);
a5079d08 SK	126	aead_request_complete(req, err);
	127	}
	128
104880a6 HX	129	static int crypto_authenc_esn_genicv(struct aead_request *req,
104880a6 HX	130	unsigned int flags)
a5079d08	131	{
a5079d08	132	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
a5079d08	133	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
a5079d08	134	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
104880a6 HX	135	struct crypto_ahash *auth = ctx->auth;
	136	u8 hash = PTR_ALIGN((u8 )areq_ctx->tail,
	137	crypto_ahash_alignmask(auth) + 1);
a5079d08	138	struct ahash_request ahreq = (void )(areq_ctx->tail + ctx->reqoff);
104880a6 HX	139	unsigned int authsize = crypto_aead_authsize(authenc_esn);
104880a6 HX	140	unsigned int assoclen = req->assoclen;
a5079d08	141	unsigned int cryptlen = req->cryptlen;
104880a6 HX	142	struct scatterlist *dst = req->dst;
104880a6 HX	143	u32 tmp[2];
a5079d08	144
104880a6 HX	145	if (!authsize)
104880a6 HX	146	return 0;
a5079d08	147
104880a6 HX	148	/* Move high-order bits of sequence number to the end. */
	149	scatterwalk_map_and_copy(tmp, dst, 0, 8, 0);
	150	scatterwalk_map_and_copy(tmp, dst, 4, 4, 1);
	151	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 1);
a5079d08	152
104880a6 HX	153	sg_init_table(areq_ctx->dst, 2);
104880a6 HX	154	dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);
a5079d08	155
104880a6 HX	156	ahash_request_set_tfm(ahreq, auth);
	157	ahash_request_set_crypt(ahreq, dst, hash, assoclen + cryptlen);
	158	ahash_request_set_callback(ahreq, flags,
	159	authenc_esn_geniv_ahash_done, req);
a5079d08	160
104880a6 HX	161	return crypto_ahash_digest(ahreq) ?:
104880a6 HX	162	crypto_authenc_esn_genicv_tail(req, aead_request_flags(req));
a5079d08 SK	163	}
	164
	165
104880a6 HX	166	static void crypto_authenc_esn_encrypt_done(struct crypto_async_request *req,
104880a6 HX	167	int err)
a5079d08	168	{
104880a6	169	struct aead_request *areq = req->data;
a5079d08	170
104880a6 HX	171	if (!err)
104880a6 HX	172	err = crypto_authenc_esn_genicv(areq, 0);
a5079d08	173
104880a6	174	authenc_esn_request_complete(areq, err);
a5079d08 SK	175	}
a5079d08 SK	176
104880a6	177	static int crypto_authenc_esn_copy(struct aead_request *req, unsigned int len)
a5079d08 SK	178	{
	179	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	180	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
8d605398	181	SYNC_SKCIPHER_REQUEST_ON_STACK(skreq, ctx->null);
a5079d08	182
8d605398	183	skcipher_request_set_sync_tfm(skreq, ctx->null);
e75445a8 HX	184	skcipher_request_set_callback(skreq, aead_request_flags(req),
	185	NULL, NULL);
	186	skcipher_request_set_crypt(skreq, req->src, req->dst, len, NULL);
	187
	188	return crypto_skcipher_encrypt(skreq);
a5079d08 SK	189	}
a5079d08 SK	190
104880a6	191	static int crypto_authenc_esn_encrypt(struct aead_request *req)
a5079d08 SK	192	{
	193	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	194	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
104880a6	195	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
e75445a8 HX	196	struct skcipher_request skreq = (void )(areq_ctx->tail +
	197	ctx->reqoff);
	198	struct crypto_skcipher *enc = ctx->enc;
104880a6	199	unsigned int assoclen = req->assoclen;
a5079d08	200	unsigned int cryptlen = req->cryptlen;
104880a6 HX	201	struct scatterlist src, dst;
104880a6 HX	202	int err;
a5079d08	203
104880a6 HX	204	sg_init_table(areq_ctx->src, 2);
	205	src = scatterwalk_ffwd(areq_ctx->src, req->src, assoclen);
	206	dst = src;
a5079d08	207
104880a6 HX	208	if (req->src != req->dst) {
	209	err = crypto_authenc_esn_copy(req, assoclen);
	210	if (err)
	211	return err;
a5079d08	212
104880a6 HX	213	sg_init_table(areq_ctx->dst, 2);
104880a6 HX	214	dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, assoclen);
a5079d08 SK	215	}
a5079d08 SK	216
e75445a8 HX	217	skcipher_request_set_tfm(skreq, enc);
	218	skcipher_request_set_callback(skreq, aead_request_flags(req),
	219	crypto_authenc_esn_encrypt_done, req);
	220	skcipher_request_set_crypt(skreq, src, dst, cryptlen, req->iv);
a5079d08	221
e75445a8	222	err = crypto_skcipher_encrypt(skreq);
a5079d08 SK	223	if (err)
	224	return err;
	225
104880a6	226	return crypto_authenc_esn_genicv(req, aead_request_flags(req));
a5079d08 SK	227	}
a5079d08 SK	228
104880a6 HX	229	static int crypto_authenc_esn_decrypt_tail(struct aead_request *req,
104880a6 HX	230	unsigned int flags)
a5079d08	231	{
104880a6 HX	232	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	233	unsigned int authsize = crypto_aead_authsize(authenc_esn);
	234	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
	235	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
e75445a8 HX	236	struct skcipher_request skreq = (void )(areq_ctx->tail +
e75445a8 HX	237	ctx->reqoff);
104880a6 HX	238	struct crypto_ahash *auth = ctx->auth;
	239	u8 ohash = PTR_ALIGN((u8 )areq_ctx->tail,
	240	crypto_ahash_alignmask(auth) + 1);
	241	unsigned int cryptlen = req->cryptlen - authsize;
	242	unsigned int assoclen = req->assoclen;
	243	struct scatterlist *dst = req->dst;
	244	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
	245	u32 tmp[2];
a5079d08	246
41cdf7a4 HX	247	if (!authsize)
	248	goto decrypt;
	249
104880a6 HX	250	/* Move high-order bits of sequence number back. */
	251	scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
	252	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
	253	scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);
a5079d08	254
104880a6 HX	255	if (crypto_memneq(ihash, ohash, authsize))
104880a6 HX	256	return -EBADMSG;
a5079d08	257
41cdf7a4 HX	258	decrypt:
41cdf7a4 HX	259
104880a6 HX	260	sg_init_table(areq_ctx->dst, 2);
104880a6 HX	261	dst = scatterwalk_ffwd(areq_ctx->dst, dst, assoclen);
a5079d08	262
e75445a8 HX	263	skcipher_request_set_tfm(skreq, ctx->enc);
	264	skcipher_request_set_callback(skreq, flags,
	265	req->base.complete, req->base.data);
	266	skcipher_request_set_crypt(skreq, dst, dst, cryptlen, req->iv);
a5079d08	267
e75445a8	268	return crypto_skcipher_decrypt(skreq);
a5079d08 SK	269	}
a5079d08 SK	270
104880a6 HX	271	static void authenc_esn_verify_ahash_done(struct crypto_async_request *areq,
104880a6 HX	272	int err)
a5079d08	273	{
104880a6	274	struct aead_request *req = areq->data;
a5079d08	275
104880a6	276	err = err ?: crypto_authenc_esn_decrypt_tail(req, 0);
a7773363	277	authenc_esn_request_complete(req, err);
a5079d08 SK	278	}
a5079d08 SK	279
104880a6	280	static int crypto_authenc_esn_decrypt(struct aead_request *req)
a5079d08 SK	281	{
	282	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	283	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
104880a6 HX	284	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	285	struct ahash_request ahreq = (void )(areq_ctx->tail + ctx->reqoff);
	286	unsigned int authsize = crypto_aead_authsize(authenc_esn);
	287	struct crypto_ahash *auth = ctx->auth;
	288	u8 ohash = PTR_ALIGN((u8 )areq_ctx->tail,
	289	crypto_ahash_alignmask(auth) + 1);
	290	unsigned int assoclen = req->assoclen;
	291	unsigned int cryptlen = req->cryptlen;
	292	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
	293	struct scatterlist *dst = req->dst;
	294	u32 tmp[2];
	295	int err;
a5079d08	296
104880a6	297	cryptlen -= authsize;
a5079d08	298
104880a6 HX	299	if (req->src != dst) {
	300	err = crypto_authenc_esn_copy(req, assoclen + cryptlen);
	301	if (err)
	302	return err;
	303	}
a5079d08	304
104880a6 HX	305	scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
104880a6 HX	306	authsize, 0);
a5079d08	307
104880a6 HX	308	if (!authsize)
104880a6 HX	309	goto tail;
a5079d08	310
104880a6 HX	311	/* Move high-order bits of sequence number to the end. */
	312	scatterwalk_map_and_copy(tmp, dst, 0, 8, 0);
	313	scatterwalk_map_and_copy(tmp, dst, 4, 4, 1);
	314	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 1);
a5079d08	315
104880a6 HX	316	sg_init_table(areq_ctx->dst, 2);
104880a6 HX	317	dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);
a5079d08	318
104880a6 HX	319	ahash_request_set_tfm(ahreq, auth);
	320	ahash_request_set_crypt(ahreq, dst, ohash, assoclen + cryptlen);
	321	ahash_request_set_callback(ahreq, aead_request_flags(req),
	322	authenc_esn_verify_ahash_done, req);
a5079d08	323
104880a6	324	err = crypto_ahash_digest(ahreq);
a5079d08 SK	325	if (err)
	326	return err;
	327
104880a6 HX	328	tail:
104880a6 HX	329	return crypto_authenc_esn_decrypt_tail(req, aead_request_flags(req));
a5079d08 SK	330	}
a5079d08 SK	331
104880a6	332	static int crypto_authenc_esn_init_tfm(struct crypto_aead *tfm)
a5079d08	333	{
104880a6 HX	334	struct aead_instance *inst = aead_alg_instance(tfm);
	335	struct authenc_esn_instance_ctx *ictx = aead_instance_ctx(inst);
	336	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(tfm);
a5079d08	337	struct crypto_ahash *auth;
e75445a8	338	struct crypto_skcipher *enc;
8d605398	339	struct crypto_sync_skcipher *null;
a5079d08 SK	340	int err;
	341
	342	auth = crypto_spawn_ahash(&ictx->auth);
	343	if (IS_ERR(auth))
	344	return PTR_ERR(auth);
	345
60425a8b	346	enc = crypto_spawn_skcipher(&ictx->enc);
a5079d08 SK	347	err = PTR_ERR(enc);
	348	if (IS_ERR(enc))
	349	goto err_free_ahash;
	350
3a2d4fb5	351	null = crypto_get_default_null_skcipher();
104880a6 HX	352	err = PTR_ERR(null);
	353	if (IS_ERR(null))
	354	goto err_free_skcipher;
	355
a5079d08 SK	356	ctx->auth = auth;
a5079d08 SK	357	ctx->enc = enc;
104880a6	358	ctx->null = null;
a5079d08	359
104880a6 HX	360	ctx->reqoff = ALIGN(2 * crypto_ahash_digestsize(auth),
104880a6 HX	361	crypto_ahash_alignmask(auth) + 1);
a5079d08	362
104880a6 HX	363	crypto_aead_set_reqsize(
104880a6 HX	364	tfm,
6650d09b HX	365	sizeof(struct authenc_esn_request_ctx) +
	366	ctx->reqoff +
	367	max_t(unsigned int,
e75445a8 HX	368	crypto_ahash_reqsize(auth) +
	369	sizeof(struct ahash_request),
	370	sizeof(struct skcipher_request) +
	371	crypto_skcipher_reqsize(enc)));
a5079d08 SK	372
	373	return 0;
	374
104880a6	375	err_free_skcipher:
e75445a8	376	crypto_free_skcipher(enc);
a5079d08 SK	377	err_free_ahash:
	378	crypto_free_ahash(auth);
	379	return err;
	380	}
	381
104880a6	382	static void crypto_authenc_esn_exit_tfm(struct crypto_aead *tfm)
a5079d08	383	{
104880a6	384	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(tfm);
a5079d08 SK	385
a5079d08 SK	386	crypto_free_ahash(ctx->auth);
e75445a8	387	crypto_free_skcipher(ctx->enc);
3a2d4fb5	388	crypto_put_default_null_skcipher();
104880a6 HX	389	}
	390
	391	static void crypto_authenc_esn_free(struct aead_instance *inst)
	392	{
	393	struct authenc_esn_instance_ctx *ctx = aead_instance_ctx(inst);
	394
	395	crypto_drop_skcipher(&ctx->enc);
	396	crypto_drop_ahash(&ctx->auth);
	397	kfree(inst);
a5079d08 SK	398	}
a5079d08 SK	399
104880a6 HX	400	static int crypto_authenc_esn_create(struct crypto_template *tmpl,
104880a6 HX	401	struct rtattr **tb)
a5079d08 SK	402	{
a5079d08 SK	403	struct crypto_attr_type *algt;
104880a6	404	struct aead_instance *inst;
a5079d08 SK	405	struct hash_alg_common *auth;
a5079d08 SK	406	struct crypto_alg *auth_base;
e75445a8	407	struct skcipher_alg *enc;
a5079d08 SK	408	struct authenc_esn_instance_ctx *ctx;
	409	const char *enc_name;
	410	int err;
	411
	412	algt = crypto_get_attr_type(tb);
a5079d08	413	if (IS_ERR(algt))
104880a6	414	return PTR_ERR(algt);
a5079d08	415
5e4b8c1f	416	if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
104880a6	417	return -EINVAL;
a5079d08 SK	418
a5079d08 SK	419	auth = ahash_attr_alg(tb[1], CRYPTO_ALG_TYPE_HASH,
927ef32d HX	420	CRYPTO_ALG_TYPE_AHASH_MASK \|
927ef32d HX	421	crypto_requires_sync(algt->type, algt->mask));
a5079d08	422	if (IS_ERR(auth))
104880a6	423	return PTR_ERR(auth);
a5079d08 SK	424
	425	auth_base = &auth->base;
	426
	427	enc_name = crypto_attr_alg_name(tb[2]);
	428	err = PTR_ERR(enc_name);
	429	if (IS_ERR(enc_name))
	430	goto out_put_auth;
	431
	432	inst = kzalloc(sizeof(inst) + sizeof(ctx), GFP_KERNEL);
	433	err = -ENOMEM;
	434	if (!inst)
	435	goto out_put_auth;
	436
104880a6	437	ctx = aead_instance_ctx(inst);
a5079d08	438
104880a6 HX	439	err = crypto_init_ahash_spawn(&ctx->auth, auth,
104880a6 HX	440	aead_crypto_instance(inst));
a5079d08 SK	441	if (err)
	442	goto err_free_inst;
	443
104880a6	444	crypto_set_skcipher_spawn(&ctx->enc, aead_crypto_instance(inst));
a35528ec EB	445	err = crypto_grab_skcipher(&ctx->enc, enc_name, 0,
	446	crypto_requires_sync(algt->type,
	447	algt->mask));
a5079d08 SK	448	if (err)
	449	goto err_drop_auth;
	450
e75445a8	451	enc = crypto_spawn_skcipher_alg(&ctx->enc);
a5079d08 SK	452
a5079d08 SK	453	err = -ENAMETOOLONG;
104880a6 HX	454	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
104880a6 HX	455	"authencesn(%s,%s)", auth_base->cra_name,
e75445a8	456	enc->base.cra_name) >= CRYPTO_MAX_ALG_NAME)
a5079d08 SK	457	goto err_drop_enc;
a5079d08 SK	458
104880a6	459	if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
a5079d08	460	"authencesn(%s,%s)", auth_base->cra_driver_name,
e75445a8	461	enc->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
a5079d08 SK	462	goto err_drop_enc;
a5079d08 SK	463
e75445a8 HX	464	inst->alg.base.cra_flags = (auth_base->cra_flags \|
	465	enc->base.cra_flags) & CRYPTO_ALG_ASYNC;
	466	inst->alg.base.cra_priority = enc->base.cra_priority * 10 +
104880a6	467	auth_base->cra_priority;
e75445a8	468	inst->alg.base.cra_blocksize = enc->base.cra_blocksize;
104880a6	469	inst->alg.base.cra_alignmask = auth_base->cra_alignmask \|
e75445a8	470	enc->base.cra_alignmask;
104880a6 HX	471	inst->alg.base.cra_ctxsize = sizeof(struct crypto_authenc_esn_ctx);
104880a6 HX	472
e75445a8 HX	473	inst->alg.ivsize = crypto_skcipher_alg_ivsize(enc);
e75445a8 HX	474	inst->alg.chunksize = crypto_skcipher_alg_chunksize(enc);
104880a6	475	inst->alg.maxauthsize = auth->digestsize;
a5079d08	476
104880a6 HX	477	inst->alg.init = crypto_authenc_esn_init_tfm;
104880a6 HX	478	inst->alg.exit = crypto_authenc_esn_exit_tfm;
a5079d08	479
104880a6 HX	480	inst->alg.setkey = crypto_authenc_esn_setkey;
	481	inst->alg.setauthsize = crypto_authenc_esn_setauthsize;
	482	inst->alg.encrypt = crypto_authenc_esn_encrypt;
	483	inst->alg.decrypt = crypto_authenc_esn_decrypt;
a5079d08	484
104880a6	485	inst->free = crypto_authenc_esn_free,
a5079d08	486
104880a6 HX	487	err = aead_register_instance(tmpl, inst);
	488	if (err)
	489	goto err_drop_enc;
a5079d08 SK	490
	491	out:
	492	crypto_mod_put(auth_base);
104880a6	493	return err;
a5079d08 SK	494
	495	err_drop_enc:
	496	crypto_drop_skcipher(&ctx->enc);
	497	err_drop_auth:
	498	crypto_drop_ahash(&ctx->auth);
	499	err_free_inst:
	500	kfree(inst);
	501	out_put_auth:
a5079d08 SK	502	goto out;
	503	}
	504
a5079d08 SK	505	static struct crypto_template crypto_authenc_esn_tmpl = {
a5079d08 SK	506	.name = "authencesn",
104880a6	507	.create = crypto_authenc_esn_create,
a5079d08 SK	508	.module = THIS_MODULE,
	509	};
	510
	511	static int __init crypto_authenc_esn_module_init(void)
	512	{
	513	return crypto_register_template(&crypto_authenc_esn_tmpl);
	514	}
	515
	516	static void __exit crypto_authenc_esn_module_exit(void)
	517	{
	518	crypto_unregister_template(&crypto_authenc_esn_tmpl);
	519	}
	520
c4741b23	521	subsys_initcall(crypto_authenc_esn_module_init);
a5079d08 SK	522	module_exit(crypto_authenc_esn_module_exit);
	523
	524	MODULE_LICENSE("GPL");
	525	MODULE_AUTHOR("Steffen Klassert <steffen.klassert@secunet.com>");
	526	MODULE_DESCRIPTION("AEAD wrapper for IPsec with extended sequence numbers");
4943ba16	527	MODULE_ALIAS_CRYPTO("authencesn");