[GitHub/exynos8895/android_kernel_samsung_universal8895.git] / crypto / authencesn.c

/*
 * authencesn.c - AEAD wrapper for IPsec with extended sequence numbers,
 *                 derived from authenc.c
 *
 * Copyright (C) 2010 secunet Security Networks AG
 * Copyright (C) 2010 Steffen Klassert <steffen.klassert@secunet.com>
 * Copyright (c) 2015 Herbert Xu <herbert@gondor.apana.org.au>
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the Free
 * Software Foundation; either version 2 of the License, or (at your option)
 * any later version.
 *
 */

#include <crypto/internal/aead.h>
#include <crypto/internal/hash.h>
#include <crypto/internal/skcipher.h>
#include <crypto/authenc.h>
#include <crypto/null.h>
#include <crypto/scatterwalk.h>
#include <linux/err.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/rtnetlink.h>
#include <linux/slab.h>
#include <linux/spinlock.h>

struct authenc_esn_instance_ctx {
	struct crypto_ahash_spawn auth;
	struct crypto_skcipher_spawn enc;
};

struct crypto_authenc_esn_ctx {
	unsigned int reqoff;
	struct crypto_ahash *auth;
	struct crypto_ablkcipher *enc;
	struct crypto_blkcipher *null;
};

struct authenc_esn_request_ctx {
	struct scatterlist src[2];
	struct scatterlist dst[2];
	char tail[];
};

static void authenc_esn_request_complete(struct aead_request *req, int err)
{
	if (err != -EINPROGRESS)
		aead_request_complete(req, err);
}

static int crypto_authenc_esn_setauthsize(struct crypto_aead *authenc_esn,
					  unsigned int authsize)
{
	if (authsize > 0 && authsize < 4)
		return -EINVAL;

	return 0;
}

static int crypto_authenc_esn_setkey(struct crypto_aead *authenc_esn, const u8 *key,
				     unsigned int keylen)
{
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	struct crypto_ahash *auth = ctx->auth;
	struct crypto_ablkcipher *enc = ctx->enc;
	struct crypto_authenc_keys keys;
	int err = -EINVAL;

	if (crypto_authenc_extractkeys(&keys, key, keylen) != 0)
		goto badkey;

	crypto_ahash_clear_flags(auth, CRYPTO_TFM_REQ_MASK);
	crypto_ahash_set_flags(auth, crypto_aead_get_flags(authenc_esn) &
				     CRYPTO_TFM_REQ_MASK);
	err = crypto_ahash_setkey(auth, keys.authkey, keys.authkeylen);
	crypto_aead_set_flags(authenc_esn, crypto_ahash_get_flags(auth) &
					   CRYPTO_TFM_RES_MASK);

	if (err)
		goto out;

	crypto_ablkcipher_clear_flags(enc, CRYPTO_TFM_REQ_MASK);
	crypto_ablkcipher_set_flags(enc, crypto_aead_get_flags(authenc_esn) &
					 CRYPTO_TFM_REQ_MASK);
	err = crypto_ablkcipher_setkey(enc, keys.enckey, keys.enckeylen);
	crypto_aead_set_flags(authenc_esn, crypto_ablkcipher_get_flags(enc) &
					   CRYPTO_TFM_RES_MASK);

out:
	return err;

badkey:
	crypto_aead_set_flags(authenc_esn, CRYPTO_TFM_RES_BAD_KEY_LEN);
	goto out;
}

static int crypto_authenc_esn_genicv_tail(struct aead_request *req,
					  unsigned int flags)
{
	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
	struct crypto_ahash *auth = ctx->auth;
	u8 *hash = PTR_ALIGN((u8 *)areq_ctx->tail,
			     crypto_ahash_alignmask(auth) + 1);
	unsigned int authsize = crypto_aead_authsize(authenc_esn);
	unsigned int assoclen = req->assoclen;
	unsigned int cryptlen = req->cryptlen;
	struct scatterlist *dst = req->dst;
	u32 tmp[2];

	/* Move high-order bits of sequence number back. */
	scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
	scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);

	scatterwalk_map_and_copy(hash, dst, assoclen + cryptlen, authsize, 1);
	return 0;
}

static void authenc_esn_geniv_ahash_done(struct crypto_async_request *areq,
					 int err)
{
	struct aead_request *req = areq->data;

	err = err ?: crypto_authenc_esn_genicv_tail(req, 0);
	aead_request_complete(req, err);
}

static int crypto_authenc_esn_genicv(struct aead_request *req,
				     unsigned int flags)
{
	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	struct crypto_ahash *auth = ctx->auth;
	u8 *hash = PTR_ALIGN((u8 *)areq_ctx->tail,
			     crypto_ahash_alignmask(auth) + 1);
	struct ahash_request *ahreq = (void *)(areq_ctx->tail + ctx->reqoff);
	unsigned int authsize = crypto_aead_authsize(authenc_esn);
	unsigned int assoclen = req->assoclen;
	unsigned int cryptlen = req->cryptlen;
	struct scatterlist *dst = req->dst;
	u32 tmp[2];

	if (!authsize)
		return 0;

	/* Move high-order bits of sequence number to the end. */
	scatterwalk_map_and_copy(tmp, dst, 0, 8, 0);
	scatterwalk_map_and_copy(tmp, dst, 4, 4, 1);
	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 1);

	sg_init_table(areq_ctx->dst, 2);
	dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);

	ahash_request_set_tfm(ahreq, auth);
	ahash_request_set_crypt(ahreq, dst, hash, assoclen + cryptlen);
	ahash_request_set_callback(ahreq, flags,
				   authenc_esn_geniv_ahash_done, req);

	return crypto_ahash_digest(ahreq) ?:
	       crypto_authenc_esn_genicv_tail(req, aead_request_flags(req));
}


static void crypto_authenc_esn_encrypt_done(struct crypto_async_request *req,
					    int err)
{
	struct aead_request *areq = req->data;

	if (!err)
		err = crypto_authenc_esn_genicv(areq, 0);

	authenc_esn_request_complete(areq, err);
}

static int crypto_authenc_esn_copy(struct aead_request *req, unsigned int len)
{
	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	struct blkcipher_desc desc = {
		.tfm = ctx->null,
	};

	return crypto_blkcipher_encrypt(&desc, req->dst, req->src, len);
}

static int crypto_authenc_esn_encrypt(struct aead_request *req)
{
	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	struct ablkcipher_request *abreq = (void *)(areq_ctx->tail
						    + ctx->reqoff);
	struct crypto_ablkcipher *enc = ctx->enc;
	unsigned int assoclen = req->assoclen;
	unsigned int cryptlen = req->cryptlen;
	struct scatterlist *src, *dst;
	int err;

	sg_init_table(areq_ctx->src, 2);
	src = scatterwalk_ffwd(areq_ctx->src, req->src, assoclen);
	dst = src;

	if (req->src != req->dst) {
		err = crypto_authenc_esn_copy(req, assoclen);
		if (err)
			return err;

		sg_init_table(areq_ctx->dst, 2);
		dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, assoclen);
	}

	ablkcipher_request_set_tfm(abreq, enc);
	ablkcipher_request_set_callback(abreq, aead_request_flags(req),
					crypto_authenc_esn_encrypt_done, req);
	ablkcipher_request_set_crypt(abreq, src, dst, cryptlen, req->iv);

	err = crypto_ablkcipher_encrypt(abreq);
	if (err)
		return err;

	return crypto_authenc_esn_genicv(req, aead_request_flags(req));
}

static int crypto_authenc_esn_decrypt_tail(struct aead_request *req,
					   unsigned int flags)
{
	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	unsigned int authsize = crypto_aead_authsize(authenc_esn);
	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	struct ablkcipher_request *abreq = (void *)(areq_ctx->tail
						    + ctx->reqoff);
	struct crypto_ahash *auth = ctx->auth;
	u8 *ohash = PTR_ALIGN((u8 *)areq_ctx->tail,
			      crypto_ahash_alignmask(auth) + 1);
	unsigned int cryptlen = req->cryptlen - authsize;
	unsigned int assoclen = req->assoclen;
	struct scatterlist *dst = req->dst;
	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
	u32 tmp[2];

	if (!authsize)
		goto decrypt;

	/* Move high-order bits of sequence number back. */
	scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
	scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);

	if (crypto_memneq(ihash, ohash, authsize))
		return -EBADMSG;

decrypt:

	sg_init_table(areq_ctx->dst, 2);
	dst = scatterwalk_ffwd(areq_ctx->dst, dst, assoclen);

	ablkcipher_request_set_tfm(abreq, ctx->enc);
	ablkcipher_request_set_callback(abreq, flags,
					req->base.complete, req->base.data);
	ablkcipher_request_set_crypt(abreq, dst, dst, cryptlen, req->iv);

	return crypto_ablkcipher_decrypt(abreq);
}

static void authenc_esn_verify_ahash_done(struct crypto_async_request *areq,
					  int err)
{
	struct aead_request *req = areq->data;

	err = err ?: crypto_authenc_esn_decrypt_tail(req, 0);
	aead_request_complete(req, err);
}

static int crypto_authenc_esn_decrypt(struct aead_request *req)
{
	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	struct ahash_request *ahreq = (void *)(areq_ctx->tail + ctx->reqoff);
	unsigned int authsize = crypto_aead_authsize(authenc_esn);
	struct crypto_ahash *auth = ctx->auth;
	u8 *ohash = PTR_ALIGN((u8 *)areq_ctx->tail,
			      crypto_ahash_alignmask(auth) + 1);
	unsigned int assoclen = req->assoclen;
	unsigned int cryptlen = req->cryptlen;
	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
	struct scatterlist *dst = req->dst;
	u32 tmp[2];
	int err;

	cryptlen -= authsize;

	if (req->src != dst) {
		err = crypto_authenc_esn_copy(req, assoclen + cryptlen);
		if (err)
			return err;
	}

	scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
				 authsize, 0);

	if (!authsize)
		goto tail;

	/* Move high-order bits of sequence number to the end. */
	scatterwalk_map_and_copy(tmp, dst, 0, 8, 0);
	scatterwalk_map_and_copy(tmp, dst, 4, 4, 1);
	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 1);

	sg_init_table(areq_ctx->dst, 2);
	dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);

	ahash_request_set_tfm(ahreq, auth);
	ahash_request_set_crypt(ahreq, dst, ohash, assoclen + cryptlen);
	ahash_request_set_callback(ahreq, aead_request_flags(req),
				   authenc_esn_verify_ahash_done, req);

	err = crypto_ahash_digest(ahreq);
	if (err)
		return err;

tail:
	return crypto_authenc_esn_decrypt_tail(req, aead_request_flags(req));
}

static int crypto_authenc_esn_init_tfm(struct crypto_aead *tfm)
{
	struct aead_instance *inst = aead_alg_instance(tfm);
	struct authenc_esn_instance_ctx *ictx = aead_instance_ctx(inst);
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(tfm);
	struct crypto_ahash *auth;
	struct crypto_ablkcipher *enc;
	struct crypto_blkcipher *null;
	int err;

	auth = crypto_spawn_ahash(&ictx->auth);
	if (IS_ERR(auth))
		return PTR_ERR(auth);

	enc = crypto_spawn_skcipher(&ictx->enc);
	err = PTR_ERR(enc);
	if (IS_ERR(enc))
		goto err_free_ahash;

	null = crypto_get_default_null_skcipher();
	err = PTR_ERR(null);
	if (IS_ERR(null))
		goto err_free_skcipher;

	ctx->auth = auth;
	ctx->enc = enc;
	ctx->null = null;

	ctx->reqoff = ALIGN(2 * crypto_ahash_digestsize(auth),
			    crypto_ahash_alignmask(auth) + 1);

	crypto_aead_set_reqsize(
		tfm,
		sizeof(struct authenc_esn_request_ctx) +
		ctx->reqoff +
		max_t(unsigned int,
			crypto_ahash_reqsize(auth) +
			sizeof(struct ahash_request),
			sizeof(struct skcipher_givcrypt_request) +
			crypto_ablkcipher_reqsize(enc)));

	return 0;

err_free_skcipher:
	crypto_free_ablkcipher(enc);
err_free_ahash:
	crypto_free_ahash(auth);
	return err;
}

static void crypto_authenc_esn_exit_tfm(struct crypto_aead *tfm)
{
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(tfm);

	crypto_free_ahash(ctx->auth);
	crypto_free_ablkcipher(ctx->enc);
	crypto_put_default_null_skcipher();
}

static void crypto_authenc_esn_free(struct aead_instance *inst)
{
	struct authenc_esn_instance_ctx *ctx = aead_instance_ctx(inst);

	crypto_drop_skcipher(&ctx->enc);
	crypto_drop_ahash(&ctx->auth);
	kfree(inst);
}

static int crypto_authenc_esn_create(struct crypto_template *tmpl,
				     struct rtattr **tb)
{
	struct crypto_attr_type *algt;
	struct aead_instance *inst;
	struct hash_alg_common *auth;
	struct crypto_alg *auth_base;
	struct crypto_alg *enc;
	struct authenc_esn_instance_ctx *ctx;
	const char *enc_name;
	int err;

	algt = crypto_get_attr_type(tb);
	if (IS_ERR(algt))
		return PTR_ERR(algt);

	if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
		return -EINVAL;

	auth = ahash_attr_alg(tb[1], CRYPTO_ALG_TYPE_HASH,
			       CRYPTO_ALG_TYPE_AHASH_MASK);
	if (IS_ERR(auth))
		return PTR_ERR(auth);

	auth_base = &auth->base;

	enc_name = crypto_attr_alg_name(tb[2]);
	err = PTR_ERR(enc_name);
	if (IS_ERR(enc_name))
		goto out_put_auth;

	inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
	err = -ENOMEM;
	if (!inst)
		goto out_put_auth;

	ctx = aead_instance_ctx(inst);

	err = crypto_init_ahash_spawn(&ctx->auth, auth,
				      aead_crypto_instance(inst));
	if (err)
		goto err_free_inst;

	crypto_set_skcipher_spawn(&ctx->enc, aead_crypto_instance(inst));
	err = crypto_grab_skcipher(&ctx->enc, enc_name, 0,
				   crypto_requires_sync(algt->type,
							algt->mask));
	if (err)
		goto err_drop_auth;

	enc = crypto_skcipher_spawn_alg(&ctx->enc);

	err = -ENAMETOOLONG;
	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
		     "authencesn(%s,%s)", auth_base->cra_name,
		     enc->cra_name) >= CRYPTO_MAX_ALG_NAME)
		goto err_drop_enc;

	if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
		     "authencesn(%s,%s)", auth_base->cra_driver_name,
		     enc->cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
		goto err_drop_enc;

	inst->alg.base.cra_flags = enc->cra_flags & CRYPTO_ALG_ASYNC;
	inst->alg.base.cra_priority = enc->cra_priority * 10 +
				      auth_base->cra_priority;
	inst->alg.base.cra_blocksize = enc->cra_blocksize;
	inst->alg.base.cra_alignmask = auth_base->cra_alignmask |
				       enc->cra_alignmask;
	inst->alg.base.cra_ctxsize = sizeof(struct crypto_authenc_esn_ctx);

	inst->alg.ivsize = enc->cra_ablkcipher.ivsize;
	inst->alg.maxauthsize = auth->digestsize;

	inst->alg.init = crypto_authenc_esn_init_tfm;
	inst->alg.exit = crypto_authenc_esn_exit_tfm;

	inst->alg.setkey = crypto_authenc_esn_setkey;
	inst->alg.setauthsize = crypto_authenc_esn_setauthsize;
	inst->alg.encrypt = crypto_authenc_esn_encrypt;
	inst->alg.decrypt = crypto_authenc_esn_decrypt;

	inst->free = crypto_authenc_esn_free,

	err = aead_register_instance(tmpl, inst);
	if (err)
		goto err_drop_enc;

out:
	crypto_mod_put(auth_base);
	return err;

err_drop_enc:
	crypto_drop_skcipher(&ctx->enc);
err_drop_auth:
	crypto_drop_ahash(&ctx->auth);
err_free_inst:
	kfree(inst);
out_put_auth:
	goto out;
}

static struct crypto_template crypto_authenc_esn_tmpl = {
	.name = "authencesn",
	.create = crypto_authenc_esn_create,
	.module = THIS_MODULE,
};

static int __init crypto_authenc_esn_module_init(void)
{
	return crypto_register_template(&crypto_authenc_esn_tmpl);
}

static void __exit crypto_authenc_esn_module_exit(void)
{
	crypto_unregister_template(&crypto_authenc_esn_tmpl);
}

module_init(crypto_authenc_esn_module_init);
module_exit(crypto_authenc_esn_module_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Steffen Klassert <steffen.klassert@secunet.com>");
MODULE_DESCRIPTION("AEAD wrapper for IPsec with extended sequence numbers");
MODULE_ALIAS_CRYPTO("authencesn");
Commit	Line	Data
a5079d08 SK	1	/*
	2	* authencesn.c - AEAD wrapper for IPsec with extended sequence numbers,
	3	* derived from authenc.c
	4	*
	5	* Copyright (C) 2010 secunet Security Networks AG
	6	* Copyright (C) 2010 Steffen Klassert <steffen.klassert@secunet.com>
104880a6	7	* Copyright (c) 2015 Herbert Xu <herbert@gondor.apana.org.au>
a5079d08 SK	8	*
	9	* This program is free software; you can redistribute it and/or modify it
	10	* under the terms of the GNU General Public License as published by the Free
	11	* Software Foundation; either version 2 of the License, or (at your option)
	12	* any later version.
	13	*
	14	*/
	15
7fb2a4bd	16	#include <crypto/internal/aead.h>
a5079d08 SK	17	#include <crypto/internal/hash.h>
	18	#include <crypto/internal/skcipher.h>
	19	#include <crypto/authenc.h>
104880a6	20	#include <crypto/null.h>
a5079d08 SK	21	#include <crypto/scatterwalk.h>
	22	#include <linux/err.h>
	23	#include <linux/init.h>
	24	#include <linux/kernel.h>
	25	#include <linux/module.h>
	26	#include <linux/rtnetlink.h>
	27	#include <linux/slab.h>
	28	#include <linux/spinlock.h>
	29
	30	struct authenc_esn_instance_ctx {
	31	struct crypto_ahash_spawn auth;
	32	struct crypto_skcipher_spawn enc;
	33	};
	34
	35	struct crypto_authenc_esn_ctx {
	36	unsigned int reqoff;
	37	struct crypto_ahash *auth;
	38	struct crypto_ablkcipher *enc;
104880a6	39	struct crypto_blkcipher *null;
a5079d08 SK	40	};
	41
	42	struct authenc_esn_request_ctx {
104880a6 HX	43	struct scatterlist src[2];
104880a6 HX	44	struct scatterlist dst[2];
a5079d08 SK	45	char tail[];
	46	};
	47
	48	static void authenc_esn_request_complete(struct aead_request *req, int err)
	49	{
	50	if (err != -EINPROGRESS)
	51	aead_request_complete(req, err);
	52	}
	53
104880a6 HX	54	static int crypto_authenc_esn_setauthsize(struct crypto_aead *authenc_esn,
	55	unsigned int authsize)
	56	{
	57	if (authsize > 0 && authsize < 4)
	58	return -EINVAL;
	59
	60	return 0;
	61	}
	62
a5079d08 SK	63	static int crypto_authenc_esn_setkey(struct crypto_aead authenc_esn, const u8 key,
	64	unsigned int keylen)
	65	{
a5079d08 SK	66	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	67	struct crypto_ahash *auth = ctx->auth;
	68	struct crypto_ablkcipher *enc = ctx->enc;
fddc2c43	69	struct crypto_authenc_keys keys;
a5079d08 SK	70	int err = -EINVAL;
a5079d08 SK	71
fddc2c43	72	if (crypto_authenc_extractkeys(&keys, key, keylen) != 0)
a5079d08	73	goto badkey;
a5079d08 SK	74
	75	crypto_ahash_clear_flags(auth, CRYPTO_TFM_REQ_MASK);
	76	crypto_ahash_set_flags(auth, crypto_aead_get_flags(authenc_esn) &
	77	CRYPTO_TFM_REQ_MASK);
fddc2c43	78	err = crypto_ahash_setkey(auth, keys.authkey, keys.authkeylen);
a5079d08 SK	79	crypto_aead_set_flags(authenc_esn, crypto_ahash_get_flags(auth) &
	80	CRYPTO_TFM_RES_MASK);
	81
	82	if (err)
	83	goto out;
	84
	85	crypto_ablkcipher_clear_flags(enc, CRYPTO_TFM_REQ_MASK);
	86	crypto_ablkcipher_set_flags(enc, crypto_aead_get_flags(authenc_esn) &
	87	CRYPTO_TFM_REQ_MASK);
fddc2c43	88	err = crypto_ablkcipher_setkey(enc, keys.enckey, keys.enckeylen);
a5079d08 SK	89	crypto_aead_set_flags(authenc_esn, crypto_ablkcipher_get_flags(enc) &
	90	CRYPTO_TFM_RES_MASK);
	91
	92	out:
	93	return err;
	94
	95	badkey:
	96	crypto_aead_set_flags(authenc_esn, CRYPTO_TFM_RES_BAD_KEY_LEN);
	97	goto out;
	98	}
	99
104880a6 HX	100	static int crypto_authenc_esn_genicv_tail(struct aead_request *req,
104880a6 HX	101	unsigned int flags)
a5079d08	102	{
a5079d08 SK	103	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	104	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	105	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
104880a6 HX	106	struct crypto_ahash *auth = ctx->auth;
	107	u8 hash = PTR_ALIGN((u8 )areq_ctx->tail,
	108	crypto_ahash_alignmask(auth) + 1);
	109	unsigned int authsize = crypto_aead_authsize(authenc_esn);
	110	unsigned int assoclen = req->assoclen;
	111	unsigned int cryptlen = req->cryptlen;
	112	struct scatterlist *dst = req->dst;
	113	u32 tmp[2];
a5079d08	114
104880a6 HX	115	/* Move high-order bits of sequence number back. */
	116	scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
	117	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
	118	scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);
a5079d08	119
104880a6 HX	120	scatterwalk_map_and_copy(hash, dst, assoclen + cryptlen, authsize, 1);
104880a6 HX	121	return 0;
a5079d08 SK	122	}
a5079d08 SK	123
a5079d08 SK	124	static void authenc_esn_geniv_ahash_done(struct crypto_async_request *areq,
	125	int err)
	126	{
	127	struct aead_request *req = areq->data;
a5079d08	128
104880a6	129	err = err ?: crypto_authenc_esn_genicv_tail(req, 0);
a5079d08 SK	130	aead_request_complete(req, err);
	131	}
	132
104880a6 HX	133	static int crypto_authenc_esn_genicv(struct aead_request *req,
104880a6 HX	134	unsigned int flags)
a5079d08	135	{
a5079d08	136	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
a5079d08	137	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
a5079d08	138	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
104880a6 HX	139	struct crypto_ahash *auth = ctx->auth;
	140	u8 hash = PTR_ALIGN((u8 )areq_ctx->tail,
	141	crypto_ahash_alignmask(auth) + 1);
a5079d08	142	struct ahash_request ahreq = (void )(areq_ctx->tail + ctx->reqoff);
104880a6 HX	143	unsigned int authsize = crypto_aead_authsize(authenc_esn);
104880a6 HX	144	unsigned int assoclen = req->assoclen;
a5079d08	145	unsigned int cryptlen = req->cryptlen;
104880a6 HX	146	struct scatterlist *dst = req->dst;
104880a6 HX	147	u32 tmp[2];
a5079d08	148
104880a6 HX	149	if (!authsize)
104880a6 HX	150	return 0;
a5079d08	151
104880a6 HX	152	/* Move high-order bits of sequence number to the end. */
	153	scatterwalk_map_and_copy(tmp, dst, 0, 8, 0);
	154	scatterwalk_map_and_copy(tmp, dst, 4, 4, 1);
	155	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 1);
a5079d08	156
104880a6 HX	157	sg_init_table(areq_ctx->dst, 2);
104880a6 HX	158	dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);
a5079d08	159
104880a6 HX	160	ahash_request_set_tfm(ahreq, auth);
	161	ahash_request_set_crypt(ahreq, dst, hash, assoclen + cryptlen);
	162	ahash_request_set_callback(ahreq, flags,
	163	authenc_esn_geniv_ahash_done, req);
a5079d08	164
104880a6 HX	165	return crypto_ahash_digest(ahreq) ?:
104880a6 HX	166	crypto_authenc_esn_genicv_tail(req, aead_request_flags(req));
a5079d08 SK	167	}
	168
	169
104880a6 HX	170	static void crypto_authenc_esn_encrypt_done(struct crypto_async_request *req,
104880a6 HX	171	int err)
a5079d08	172	{
104880a6	173	struct aead_request *areq = req->data;
a5079d08	174
104880a6 HX	175	if (!err)
104880a6 HX	176	err = crypto_authenc_esn_genicv(areq, 0);
a5079d08	177
104880a6	178	authenc_esn_request_complete(areq, err);
a5079d08 SK	179	}
a5079d08 SK	180
104880a6	181	static int crypto_authenc_esn_copy(struct aead_request *req, unsigned int len)
a5079d08 SK	182	{
	183	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	184	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
104880a6 HX	185	struct blkcipher_desc desc = {
	186	.tfm = ctx->null,
	187	};
a5079d08	188
104880a6	189	return crypto_blkcipher_encrypt(&desc, req->dst, req->src, len);
a5079d08 SK	190	}
a5079d08 SK	191
104880a6	192	static int crypto_authenc_esn_encrypt(struct aead_request *req)
a5079d08 SK	193	{
	194	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	195	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
104880a6 HX	196	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	197	struct ablkcipher_request abreq = (void )(areq_ctx->tail
	198	+ ctx->reqoff);
	199	struct crypto_ablkcipher *enc = ctx->enc;
	200	unsigned int assoclen = req->assoclen;
a5079d08	201	unsigned int cryptlen = req->cryptlen;
104880a6 HX	202	struct scatterlist src, dst;
104880a6 HX	203	int err;
a5079d08	204
104880a6 HX	205	sg_init_table(areq_ctx->src, 2);
	206	src = scatterwalk_ffwd(areq_ctx->src, req->src, assoclen);
	207	dst = src;
a5079d08	208
104880a6 HX	209	if (req->src != req->dst) {
	210	err = crypto_authenc_esn_copy(req, assoclen);
	211	if (err)
	212	return err;
a5079d08	213
104880a6 HX	214	sg_init_table(areq_ctx->dst, 2);
104880a6 HX	215	dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, assoclen);
a5079d08 SK	216	}
a5079d08 SK	217
a5079d08 SK	218	ablkcipher_request_set_tfm(abreq, enc);
	219	ablkcipher_request_set_callback(abreq, aead_request_flags(req),
	220	crypto_authenc_esn_encrypt_done, req);
104880a6	221	ablkcipher_request_set_crypt(abreq, src, dst, cryptlen, req->iv);
a5079d08 SK	222
	223	err = crypto_ablkcipher_encrypt(abreq);
	224	if (err)
	225	return err;
	226
104880a6	227	return crypto_authenc_esn_genicv(req, aead_request_flags(req));
a5079d08 SK	228	}
a5079d08 SK	229
104880a6 HX	230	static int crypto_authenc_esn_decrypt_tail(struct aead_request *req,
104880a6 HX	231	unsigned int flags)
a5079d08	232	{
104880a6 HX	233	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	234	unsigned int authsize = crypto_aead_authsize(authenc_esn);
	235	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
	236	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	237	struct ablkcipher_request abreq = (void )(areq_ctx->tail
	238	+ ctx->reqoff);
	239	struct crypto_ahash *auth = ctx->auth;
	240	u8 ohash = PTR_ALIGN((u8 )areq_ctx->tail,
	241	crypto_ahash_alignmask(auth) + 1);
	242	unsigned int cryptlen = req->cryptlen - authsize;
	243	unsigned int assoclen = req->assoclen;
	244	struct scatterlist *dst = req->dst;
	245	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
	246	u32 tmp[2];
a5079d08	247
2148e9ab HX	248	if (!authsize)
	249	goto decrypt;
	250
104880a6 HX	251	/* Move high-order bits of sequence number back. */
	252	scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
	253	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
	254	scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);
a5079d08	255
104880a6 HX	256	if (crypto_memneq(ihash, ohash, authsize))
104880a6 HX	257	return -EBADMSG;
a5079d08	258
2148e9ab HX	259	decrypt:
2148e9ab HX	260
104880a6 HX	261	sg_init_table(areq_ctx->dst, 2);
104880a6 HX	262	dst = scatterwalk_ffwd(areq_ctx->dst, dst, assoclen);
a5079d08	263
104880a6 HX	264	ablkcipher_request_set_tfm(abreq, ctx->enc);
	265	ablkcipher_request_set_callback(abreq, flags,
	266	req->base.complete, req->base.data);
	267	ablkcipher_request_set_crypt(abreq, dst, dst, cryptlen, req->iv);
a5079d08	268
104880a6	269	return crypto_ablkcipher_decrypt(abreq);
a5079d08 SK	270	}
a5079d08 SK	271
104880a6 HX	272	static void authenc_esn_verify_ahash_done(struct crypto_async_request *areq,
104880a6 HX	273	int err)
a5079d08	274	{
104880a6	275	struct aead_request *req = areq->data;
a5079d08	276
104880a6 HX	277	err = err ?: crypto_authenc_esn_decrypt_tail(req, 0);
104880a6 HX	278	aead_request_complete(req, err);
a5079d08 SK	279	}
a5079d08 SK	280
104880a6	281	static int crypto_authenc_esn_decrypt(struct aead_request *req)
a5079d08 SK	282	{
	283	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	284	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
104880a6 HX	285	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	286	struct ahash_request ahreq = (void )(areq_ctx->tail + ctx->reqoff);
	287	unsigned int authsize = crypto_aead_authsize(authenc_esn);
	288	struct crypto_ahash *auth = ctx->auth;
	289	u8 ohash = PTR_ALIGN((u8 )areq_ctx->tail,
	290	crypto_ahash_alignmask(auth) + 1);
	291	unsigned int assoclen = req->assoclen;
	292	unsigned int cryptlen = req->cryptlen;
	293	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
	294	struct scatterlist *dst = req->dst;
	295	u32 tmp[2];
	296	int err;
a5079d08	297
104880a6	298	cryptlen -= authsize;
a5079d08	299
104880a6 HX	300	if (req->src != dst) {
	301	err = crypto_authenc_esn_copy(req, assoclen + cryptlen);
	302	if (err)
	303	return err;
	304	}
a5079d08	305
104880a6 HX	306	scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
104880a6 HX	307	authsize, 0);
a5079d08	308
104880a6 HX	309	if (!authsize)
104880a6 HX	310	goto tail;
a5079d08	311
104880a6 HX	312	/* Move high-order bits of sequence number to the end. */
	313	scatterwalk_map_and_copy(tmp, dst, 0, 8, 0);
	314	scatterwalk_map_and_copy(tmp, dst, 4, 4, 1);
	315	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 1);
a5079d08	316
104880a6 HX	317	sg_init_table(areq_ctx->dst, 2);
104880a6 HX	318	dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);
a5079d08	319
104880a6 HX	320	ahash_request_set_tfm(ahreq, auth);
	321	ahash_request_set_crypt(ahreq, dst, ohash, assoclen + cryptlen);
	322	ahash_request_set_callback(ahreq, aead_request_flags(req),
	323	authenc_esn_verify_ahash_done, req);
a5079d08	324
104880a6	325	err = crypto_ahash_digest(ahreq);
a5079d08 SK	326	if (err)
	327	return err;
	328
104880a6 HX	329	tail:
104880a6 HX	330	return crypto_authenc_esn_decrypt_tail(req, aead_request_flags(req));
a5079d08 SK	331	}
a5079d08 SK	332
104880a6	333	static int crypto_authenc_esn_init_tfm(struct crypto_aead *tfm)
a5079d08	334	{
104880a6 HX	335	struct aead_instance *inst = aead_alg_instance(tfm);
	336	struct authenc_esn_instance_ctx *ictx = aead_instance_ctx(inst);
	337	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(tfm);
a5079d08 SK	338	struct crypto_ahash *auth;
a5079d08 SK	339	struct crypto_ablkcipher *enc;
104880a6	340	struct crypto_blkcipher *null;
a5079d08 SK	341	int err;
	342
	343	auth = crypto_spawn_ahash(&ictx->auth);
	344	if (IS_ERR(auth))
	345	return PTR_ERR(auth);
	346
	347	enc = crypto_spawn_skcipher(&ictx->enc);
	348	err = PTR_ERR(enc);
	349	if (IS_ERR(enc))
	350	goto err_free_ahash;
	351
104880a6 HX	352	null = crypto_get_default_null_skcipher();
	353	err = PTR_ERR(null);
	354	if (IS_ERR(null))
	355	goto err_free_skcipher;
	356
a5079d08 SK	357	ctx->auth = auth;
a5079d08 SK	358	ctx->enc = enc;
104880a6	359	ctx->null = null;
a5079d08	360
104880a6 HX	361	ctx->reqoff = ALIGN(2 * crypto_ahash_digestsize(auth),
104880a6 HX	362	crypto_ahash_alignmask(auth) + 1);
a5079d08	363
104880a6 HX	364	crypto_aead_set_reqsize(
104880a6 HX	365	tfm,
6650d09b HX	366	sizeof(struct authenc_esn_request_ctx) +
	367	ctx->reqoff +
	368	max_t(unsigned int,
	369	crypto_ahash_reqsize(auth) +
	370	sizeof(struct ahash_request),
	371	sizeof(struct skcipher_givcrypt_request) +
	372	crypto_ablkcipher_reqsize(enc)));
a5079d08 SK	373
	374	return 0;
	375
104880a6 HX	376	err_free_skcipher:
104880a6 HX	377	crypto_free_ablkcipher(enc);
a5079d08 SK	378	err_free_ahash:
	379	crypto_free_ahash(auth);
	380	return err;
	381	}
	382
104880a6	383	static void crypto_authenc_esn_exit_tfm(struct crypto_aead *tfm)
a5079d08	384	{
104880a6	385	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(tfm);
a5079d08 SK	386
	387	crypto_free_ahash(ctx->auth);
	388	crypto_free_ablkcipher(ctx->enc);
104880a6 HX	389	crypto_put_default_null_skcipher();
	390	}
	391
	392	static void crypto_authenc_esn_free(struct aead_instance *inst)
	393	{
	394	struct authenc_esn_instance_ctx *ctx = aead_instance_ctx(inst);
	395
	396	crypto_drop_skcipher(&ctx->enc);
	397	crypto_drop_ahash(&ctx->auth);
	398	kfree(inst);
a5079d08 SK	399	}
a5079d08 SK	400
104880a6 HX	401	static int crypto_authenc_esn_create(struct crypto_template *tmpl,
104880a6 HX	402	struct rtattr **tb)
a5079d08 SK	403	{
a5079d08 SK	404	struct crypto_attr_type *algt;
104880a6	405	struct aead_instance *inst;
a5079d08 SK	406	struct hash_alg_common *auth;
	407	struct crypto_alg *auth_base;
	408	struct crypto_alg *enc;
	409	struct authenc_esn_instance_ctx *ctx;
	410	const char *enc_name;
	411	int err;
	412
	413	algt = crypto_get_attr_type(tb);
a5079d08	414	if (IS_ERR(algt))
104880a6	415	return PTR_ERR(algt);
a5079d08	416
5e4b8c1f	417	if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
104880a6	418	return -EINVAL;
a5079d08 SK	419
	420	auth = ahash_attr_alg(tb[1], CRYPTO_ALG_TYPE_HASH,
	421	CRYPTO_ALG_TYPE_AHASH_MASK);
	422	if (IS_ERR(auth))
104880a6	423	return PTR_ERR(auth);
a5079d08 SK	424
	425	auth_base = &auth->base;
	426
	427	enc_name = crypto_attr_alg_name(tb[2]);
	428	err = PTR_ERR(enc_name);
	429	if (IS_ERR(enc_name))
	430	goto out_put_auth;
	431
	432	inst = kzalloc(sizeof(inst) + sizeof(ctx), GFP_KERNEL);
	433	err = -ENOMEM;
	434	if (!inst)
	435	goto out_put_auth;
	436
104880a6	437	ctx = aead_instance_ctx(inst);
a5079d08	438
104880a6 HX	439	err = crypto_init_ahash_spawn(&ctx->auth, auth,
104880a6 HX	440	aead_crypto_instance(inst));
a5079d08 SK	441	if (err)
	442	goto err_free_inst;
	443
104880a6	444	crypto_set_skcipher_spawn(&ctx->enc, aead_crypto_instance(inst));
a5079d08 SK	445	err = crypto_grab_skcipher(&ctx->enc, enc_name, 0,
	446	crypto_requires_sync(algt->type,
	447	algt->mask));
	448	if (err)
	449	goto err_drop_auth;
	450
	451	enc = crypto_skcipher_spawn_alg(&ctx->enc);
	452
	453	err = -ENAMETOOLONG;
104880a6 HX	454	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
	455	"authencesn(%s,%s)", auth_base->cra_name,
	456	enc->cra_name) >= CRYPTO_MAX_ALG_NAME)
a5079d08 SK	457	goto err_drop_enc;
a5079d08 SK	458
104880a6	459	if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
a5079d08 SK	460	"authencesn(%s,%s)", auth_base->cra_driver_name,
	461	enc->cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
	462	goto err_drop_enc;
	463
104880a6	464	inst->alg.base.cra_flags = enc->cra_flags & CRYPTO_ALG_ASYNC;
104880a6 HX	465	inst->alg.base.cra_priority = enc->cra_priority * 10 +
	466	auth_base->cra_priority;
	467	inst->alg.base.cra_blocksize = enc->cra_blocksize;
	468	inst->alg.base.cra_alignmask = auth_base->cra_alignmask \|
	469	enc->cra_alignmask;
	470	inst->alg.base.cra_ctxsize = sizeof(struct crypto_authenc_esn_ctx);
	471
	472	inst->alg.ivsize = enc->cra_ablkcipher.ivsize;
	473	inst->alg.maxauthsize = auth->digestsize;
a5079d08	474
104880a6 HX	475	inst->alg.init = crypto_authenc_esn_init_tfm;
104880a6 HX	476	inst->alg.exit = crypto_authenc_esn_exit_tfm;
a5079d08	477
104880a6 HX	478	inst->alg.setkey = crypto_authenc_esn_setkey;
	479	inst->alg.setauthsize = crypto_authenc_esn_setauthsize;
	480	inst->alg.encrypt = crypto_authenc_esn_encrypt;
	481	inst->alg.decrypt = crypto_authenc_esn_decrypt;
a5079d08	482
104880a6	483	inst->free = crypto_authenc_esn_free,
a5079d08	484
104880a6 HX	485	err = aead_register_instance(tmpl, inst);
	486	if (err)
	487	goto err_drop_enc;
a5079d08 SK	488
	489	out:
	490	crypto_mod_put(auth_base);
104880a6	491	return err;
a5079d08 SK	492
	493	err_drop_enc:
	494	crypto_drop_skcipher(&ctx->enc);
	495	err_drop_auth:
	496	crypto_drop_ahash(&ctx->auth);
	497	err_free_inst:
	498	kfree(inst);
	499	out_put_auth:
a5079d08 SK	500	goto out;
	501	}
	502
a5079d08 SK	503	static struct crypto_template crypto_authenc_esn_tmpl = {
a5079d08 SK	504	.name = "authencesn",
104880a6	505	.create = crypto_authenc_esn_create,
a5079d08 SK	506	.module = THIS_MODULE,
	507	};
	508
	509	static int __init crypto_authenc_esn_module_init(void)
	510	{
	511	return crypto_register_template(&crypto_authenc_esn_tmpl);
	512	}
	513
	514	static void __exit crypto_authenc_esn_module_exit(void)
	515	{
	516	crypto_unregister_template(&crypto_authenc_esn_tmpl);
	517	}
	518
	519	module_init(crypto_authenc_esn_module_init);
	520	module_exit(crypto_authenc_esn_module_exit);
	521
	522	MODULE_LICENSE("GPL");
	523	MODULE_AUTHOR("Steffen Klassert <steffen.klassert@secunet.com>");
	524	MODULE_DESCRIPTION("AEAD wrapper for IPsec with extended sequence numbers");
4943ba16	525	MODULE_ALIAS_CRYPTO("authencesn");