[thirdparty/kernel/linux.git] / crypto / authencesn.c

// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * authencesn.c - AEAD wrapper for IPsec with extended sequence numbers,
 *                 derived from authenc.c
 *
 * Copyright (C) 2010 secunet Security Networks AG
 * Copyright (C) 2010 Steffen Klassert <steffen.klassert@secunet.com>
 * Copyright (c) 2015 Herbert Xu <herbert@gondor.apana.org.au>
 */

#include <crypto/internal/aead.h>
#include <crypto/internal/hash.h>
#include <crypto/internal/skcipher.h>
#include <crypto/authenc.h>
#include <crypto/null.h>
#include <crypto/scatterwalk.h>
#include <linux/err.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/rtnetlink.h>
#include <linux/slab.h>
#include <linux/spinlock.h>

struct authenc_esn_instance_ctx {
	struct crypto_ahash_spawn auth;
	struct crypto_skcipher_spawn enc;
};

struct crypto_authenc_esn_ctx {
	unsigned int reqoff;
	struct crypto_ahash *auth;
	struct crypto_skcipher *enc;
	struct crypto_sync_skcipher *null;
};

struct authenc_esn_request_ctx {
	struct scatterlist src[2];
	struct scatterlist dst[2];
	char tail[];
};

static void authenc_esn_request_complete(struct aead_request *req, int err)
{
	if (err != -EINPROGRESS)
		aead_request_complete(req, err);
}

static int crypto_authenc_esn_setauthsize(struct crypto_aead *authenc_esn,
					  unsigned int authsize)
{
	if (authsize > 0 && authsize < 4)
		return -EINVAL;

	return 0;
}

static int crypto_authenc_esn_setkey(struct crypto_aead *authenc_esn, const u8 *key,
				     unsigned int keylen)
{
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	struct crypto_ahash *auth = ctx->auth;
	struct crypto_skcipher *enc = ctx->enc;
	struct crypto_authenc_keys keys;
	int err = -EINVAL;

	if (crypto_authenc_extractkeys(&keys, key, keylen) != 0)
		goto out;

	crypto_ahash_clear_flags(auth, CRYPTO_TFM_REQ_MASK);
	crypto_ahash_set_flags(auth, crypto_aead_get_flags(authenc_esn) &
				     CRYPTO_TFM_REQ_MASK);
	err = crypto_ahash_setkey(auth, keys.authkey, keys.authkeylen);
	if (err)
		goto out;

	crypto_skcipher_clear_flags(enc, CRYPTO_TFM_REQ_MASK);
	crypto_skcipher_set_flags(enc, crypto_aead_get_flags(authenc_esn) &
					 CRYPTO_TFM_REQ_MASK);
	err = crypto_skcipher_setkey(enc, keys.enckey, keys.enckeylen);
out:
	memzero_explicit(&keys, sizeof(keys));
	return err;
}

static int crypto_authenc_esn_genicv_tail(struct aead_request *req,
					  unsigned int flags)
{
	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
	u8 *hash = areq_ctx->tail;
	unsigned int authsize = crypto_aead_authsize(authenc_esn);
	unsigned int assoclen = req->assoclen;
	unsigned int cryptlen = req->cryptlen;
	struct scatterlist *dst = req->dst;
	u32 tmp[2];

	/* Move high-order bits of sequence number back. */
	scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
	scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);

	scatterwalk_map_and_copy(hash, dst, assoclen + cryptlen, authsize, 1);
	return 0;
}

static void authenc_esn_geniv_ahash_done(void *data, int err)
{
	struct aead_request *req = data;

	err = err ?: crypto_authenc_esn_genicv_tail(req, 0);
	aead_request_complete(req, err);
}

static int crypto_authenc_esn_genicv(struct aead_request *req,
				     unsigned int flags)
{
	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	struct crypto_ahash *auth = ctx->auth;
	u8 *hash = areq_ctx->tail;
	struct ahash_request *ahreq = (void *)(areq_ctx->tail + ctx->reqoff);
	unsigned int authsize = crypto_aead_authsize(authenc_esn);
	unsigned int assoclen = req->assoclen;
	unsigned int cryptlen = req->cryptlen;
	struct scatterlist *dst = req->dst;
	u32 tmp[2];

	if (!authsize)
		return 0;

	/* Move high-order bits of sequence number to the end. */
	scatterwalk_map_and_copy(tmp, dst, 0, 8, 0);
	scatterwalk_map_and_copy(tmp, dst, 4, 4, 1);
	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 1);

	sg_init_table(areq_ctx->dst, 2);
	dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);

	ahash_request_set_tfm(ahreq, auth);
	ahash_request_set_crypt(ahreq, dst, hash, assoclen + cryptlen);
	ahash_request_set_callback(ahreq, flags,
				   authenc_esn_geniv_ahash_done, req);

	return crypto_ahash_digest(ahreq) ?:
	       crypto_authenc_esn_genicv_tail(req, aead_request_flags(req));
}


static void crypto_authenc_esn_encrypt_done(void *data, int err)
{
	struct aead_request *areq = data;

	if (!err)
		err = crypto_authenc_esn_genicv(areq, 0);

	authenc_esn_request_complete(areq, err);
}

static int crypto_authenc_esn_copy(struct aead_request *req, unsigned int len)
{
	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	SYNC_SKCIPHER_REQUEST_ON_STACK(skreq, ctx->null);

	skcipher_request_set_sync_tfm(skreq, ctx->null);
	skcipher_request_set_callback(skreq, aead_request_flags(req),
				      NULL, NULL);
	skcipher_request_set_crypt(skreq, req->src, req->dst, len, NULL);

	return crypto_skcipher_encrypt(skreq);
}

static int crypto_authenc_esn_encrypt(struct aead_request *req)
{
	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	struct skcipher_request *skreq = (void *)(areq_ctx->tail +
						  ctx->reqoff);
	struct crypto_skcipher *enc = ctx->enc;
	unsigned int assoclen = req->assoclen;
	unsigned int cryptlen = req->cryptlen;
	struct scatterlist *src, *dst;
	int err;

	sg_init_table(areq_ctx->src, 2);
	src = scatterwalk_ffwd(areq_ctx->src, req->src, assoclen);
	dst = src;

	if (req->src != req->dst) {
		err = crypto_authenc_esn_copy(req, assoclen);
		if (err)
			return err;

		sg_init_table(areq_ctx->dst, 2);
		dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, assoclen);
	}

	skcipher_request_set_tfm(skreq, enc);
	skcipher_request_set_callback(skreq, aead_request_flags(req),
				      crypto_authenc_esn_encrypt_done, req);
	skcipher_request_set_crypt(skreq, src, dst, cryptlen, req->iv);

	err = crypto_skcipher_encrypt(skreq);
	if (err)
		return err;

	return crypto_authenc_esn_genicv(req, aead_request_flags(req));
}

static int crypto_authenc_esn_decrypt_tail(struct aead_request *req,
					   unsigned int flags)
{
	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	unsigned int authsize = crypto_aead_authsize(authenc_esn);
	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	struct skcipher_request *skreq = (void *)(areq_ctx->tail +
						  ctx->reqoff);
	struct crypto_ahash *auth = ctx->auth;
	u8 *ohash = areq_ctx->tail;
	unsigned int cryptlen = req->cryptlen - authsize;
	unsigned int assoclen = req->assoclen;
	struct scatterlist *dst = req->dst;
	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
	u32 tmp[2];

	if (!authsize)
		goto decrypt;

	/* Move high-order bits of sequence number back. */
	scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
	scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);

	if (crypto_memneq(ihash, ohash, authsize))
		return -EBADMSG;

decrypt:

	sg_init_table(areq_ctx->dst, 2);
	dst = scatterwalk_ffwd(areq_ctx->dst, dst, assoclen);

	skcipher_request_set_tfm(skreq, ctx->enc);
	skcipher_request_set_callback(skreq, flags,
				      req->base.complete, req->base.data);
	skcipher_request_set_crypt(skreq, dst, dst, cryptlen, req->iv);

	return crypto_skcipher_decrypt(skreq);
}

static void authenc_esn_verify_ahash_done(void *data, int err)
{
	struct aead_request *req = data;

	err = err ?: crypto_authenc_esn_decrypt_tail(req, 0);
	authenc_esn_request_complete(req, err);
}

static int crypto_authenc_esn_decrypt(struct aead_request *req)
{
	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	struct ahash_request *ahreq = (void *)(areq_ctx->tail + ctx->reqoff);
	unsigned int authsize = crypto_aead_authsize(authenc_esn);
	struct crypto_ahash *auth = ctx->auth;
	u8 *ohash = areq_ctx->tail;
	unsigned int assoclen = req->assoclen;
	unsigned int cryptlen = req->cryptlen;
	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
	struct scatterlist *dst = req->dst;
	u32 tmp[2];
	int err;

	cryptlen -= authsize;

	if (req->src != dst) {
		err = crypto_authenc_esn_copy(req, assoclen + cryptlen);
		if (err)
			return err;
	}

	scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
				 authsize, 0);

	if (!authsize)
		goto tail;

	/* Move high-order bits of sequence number to the end. */
	scatterwalk_map_and_copy(tmp, dst, 0, 8, 0);
	scatterwalk_map_and_copy(tmp, dst, 4, 4, 1);
	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 1);

	sg_init_table(areq_ctx->dst, 2);
	dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);

	ahash_request_set_tfm(ahreq, auth);
	ahash_request_set_crypt(ahreq, dst, ohash, assoclen + cryptlen);
	ahash_request_set_callback(ahreq, aead_request_flags(req),
				   authenc_esn_verify_ahash_done, req);

	err = crypto_ahash_digest(ahreq);
	if (err)
		return err;

tail:
	return crypto_authenc_esn_decrypt_tail(req, aead_request_flags(req));
}

static int crypto_authenc_esn_init_tfm(struct crypto_aead *tfm)
{
	struct aead_instance *inst = aead_alg_instance(tfm);
	struct authenc_esn_instance_ctx *ictx = aead_instance_ctx(inst);
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(tfm);
	struct crypto_ahash *auth;
	struct crypto_skcipher *enc;
	struct crypto_sync_skcipher *null;
	int err;

	auth = crypto_spawn_ahash(&ictx->auth);
	if (IS_ERR(auth))
		return PTR_ERR(auth);

	enc = crypto_spawn_skcipher(&ictx->enc);
	err = PTR_ERR(enc);
	if (IS_ERR(enc))
		goto err_free_ahash;

	null = crypto_get_default_null_skcipher();
	err = PTR_ERR(null);
	if (IS_ERR(null))
		goto err_free_skcipher;

	ctx->auth = auth;
	ctx->enc = enc;
	ctx->null = null;

	ctx->reqoff = 2 * crypto_ahash_digestsize(auth);

	crypto_aead_set_reqsize(
		tfm,
		sizeof(struct authenc_esn_request_ctx) +
		ctx->reqoff +
		max_t(unsigned int,
		      crypto_ahash_reqsize(auth) +
		      sizeof(struct ahash_request),
		      sizeof(struct skcipher_request) +
		      crypto_skcipher_reqsize(enc)));

	return 0;

err_free_skcipher:
	crypto_free_skcipher(enc);
err_free_ahash:
	crypto_free_ahash(auth);
	return err;
}

static void crypto_authenc_esn_exit_tfm(struct crypto_aead *tfm)
{
	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(tfm);

	crypto_free_ahash(ctx->auth);
	crypto_free_skcipher(ctx->enc);
	crypto_put_default_null_skcipher();
}

static void crypto_authenc_esn_free(struct aead_instance *inst)
{
	struct authenc_esn_instance_ctx *ctx = aead_instance_ctx(inst);

	crypto_drop_skcipher(&ctx->enc);
	crypto_drop_ahash(&ctx->auth);
	kfree(inst);
}

static int crypto_authenc_esn_create(struct crypto_template *tmpl,
				     struct rtattr **tb)
{
	u32 mask;
	struct aead_instance *inst;
	struct authenc_esn_instance_ctx *ctx;
	struct skcipher_alg_common *enc;
	struct hash_alg_common *auth;
	struct crypto_alg *auth_base;
	int err;

	err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AEAD, &mask);
	if (err)
		return err;

	inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
	if (!inst)
		return -ENOMEM;
	ctx = aead_instance_ctx(inst);

	err = crypto_grab_ahash(&ctx->auth, aead_crypto_instance(inst),
				crypto_attr_alg_name(tb[1]), 0, mask);
	if (err)
		goto err_free_inst;
	auth = crypto_spawn_ahash_alg(&ctx->auth);
	auth_base = &auth->base;

	err = crypto_grab_skcipher(&ctx->enc, aead_crypto_instance(inst),
				   crypto_attr_alg_name(tb[2]), 0, mask);
	if (err)
		goto err_free_inst;
	enc = crypto_spawn_skcipher_alg_common(&ctx->enc);

	err = -ENAMETOOLONG;
	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
		     "authencesn(%s,%s)", auth_base->cra_name,
		     enc->base.cra_name) >= CRYPTO_MAX_ALG_NAME)
		goto err_free_inst;

	if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
		     "authencesn(%s,%s)", auth_base->cra_driver_name,
		     enc->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
		goto err_free_inst;

	inst->alg.base.cra_priority = enc->base.cra_priority * 10 +
				      auth_base->cra_priority;
	inst->alg.base.cra_blocksize = enc->base.cra_blocksize;
	inst->alg.base.cra_alignmask = enc->base.cra_alignmask;
	inst->alg.base.cra_ctxsize = sizeof(struct crypto_authenc_esn_ctx);

	inst->alg.ivsize = enc->ivsize;
	inst->alg.chunksize = enc->chunksize;
	inst->alg.maxauthsize = auth->digestsize;

	inst->alg.init = crypto_authenc_esn_init_tfm;
	inst->alg.exit = crypto_authenc_esn_exit_tfm;

	inst->alg.setkey = crypto_authenc_esn_setkey;
	inst->alg.setauthsize = crypto_authenc_esn_setauthsize;
	inst->alg.encrypt = crypto_authenc_esn_encrypt;
	inst->alg.decrypt = crypto_authenc_esn_decrypt;

	inst->free = crypto_authenc_esn_free;

	err = aead_register_instance(tmpl, inst);
	if (err) {
err_free_inst:
		crypto_authenc_esn_free(inst);
	}
	return err;
}

static struct crypto_template crypto_authenc_esn_tmpl = {
	.name = "authencesn",
	.create = crypto_authenc_esn_create,
	.module = THIS_MODULE,
};

static int __init crypto_authenc_esn_module_init(void)
{
	return crypto_register_template(&crypto_authenc_esn_tmpl);
}

static void __exit crypto_authenc_esn_module_exit(void)
{
	crypto_unregister_template(&crypto_authenc_esn_tmpl);
}

subsys_initcall(crypto_authenc_esn_module_init);
module_exit(crypto_authenc_esn_module_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Steffen Klassert <steffen.klassert@secunet.com>");
MODULE_DESCRIPTION("AEAD wrapper for IPsec with extended sequence numbers");
MODULE_ALIAS_CRYPTO("authencesn");
Commit	Line	Data
2874c5fd	1	// SPDX-License-Identifier: GPL-2.0-or-later
a5079d08 SK	2	/*
	3	* authencesn.c - AEAD wrapper for IPsec with extended sequence numbers,
	4	* derived from authenc.c
	5	*
	6	* Copyright (C) 2010 secunet Security Networks AG
	7	* Copyright (C) 2010 Steffen Klassert <steffen.klassert@secunet.com>
104880a6	8	* Copyright (c) 2015 Herbert Xu <herbert@gondor.apana.org.au>
a5079d08 SK	9	*/
a5079d08 SK	10
7fb2a4bd	11	#include <crypto/internal/aead.h>
a5079d08 SK	12	#include <crypto/internal/hash.h>
	13	#include <crypto/internal/skcipher.h>
	14	#include <crypto/authenc.h>
104880a6	15	#include <crypto/null.h>
a5079d08 SK	16	#include <crypto/scatterwalk.h>
	17	#include <linux/err.h>
	18	#include <linux/init.h>
	19	#include <linux/kernel.h>
	20	#include <linux/module.h>
	21	#include <linux/rtnetlink.h>
	22	#include <linux/slab.h>
	23	#include <linux/spinlock.h>
	24
	25	struct authenc_esn_instance_ctx {
	26	struct crypto_ahash_spawn auth;
	27	struct crypto_skcipher_spawn enc;
	28	};
	29
	30	struct crypto_authenc_esn_ctx {
	31	unsigned int reqoff;
	32	struct crypto_ahash *auth;
e75445a8	33	struct crypto_skcipher *enc;
8d605398	34	struct crypto_sync_skcipher *null;
a5079d08 SK	35	};
	36
	37	struct authenc_esn_request_ctx {
104880a6 HX	38	struct scatterlist src[2];
104880a6 HX	39	struct scatterlist dst[2];
a5079d08 SK	40	char tail[];
	41	};
	42
	43	static void authenc_esn_request_complete(struct aead_request *req, int err)
	44	{
	45	if (err != -EINPROGRESS)
	46	aead_request_complete(req, err);
	47	}
	48
104880a6 HX	49	static int crypto_authenc_esn_setauthsize(struct crypto_aead *authenc_esn,
	50	unsigned int authsize)
	51	{
	52	if (authsize > 0 && authsize < 4)
	53	return -EINVAL;
	54
	55	return 0;
	56	}
	57
a5079d08 SK	58	static int crypto_authenc_esn_setkey(struct crypto_aead authenc_esn, const u8 key,
	59	unsigned int keylen)
	60	{
a5079d08 SK	61	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
a5079d08 SK	62	struct crypto_ahash *auth = ctx->auth;
e75445a8	63	struct crypto_skcipher *enc = ctx->enc;
fddc2c43	64	struct crypto_authenc_keys keys;
a5079d08 SK	65	int err = -EINVAL;
a5079d08 SK	66
fddc2c43	67	if (crypto_authenc_extractkeys(&keys, key, keylen) != 0)
674f368a	68	goto out;
a5079d08 SK	69
	70	crypto_ahash_clear_flags(auth, CRYPTO_TFM_REQ_MASK);
	71	crypto_ahash_set_flags(auth, crypto_aead_get_flags(authenc_esn) &
	72	CRYPTO_TFM_REQ_MASK);
fddc2c43	73	err = crypto_ahash_setkey(auth, keys.authkey, keys.authkeylen);
a5079d08 SK	74	if (err)
	75	goto out;
	76
e75445a8 HX	77	crypto_skcipher_clear_flags(enc, CRYPTO_TFM_REQ_MASK);
e75445a8 HX	78	crypto_skcipher_set_flags(enc, crypto_aead_get_flags(authenc_esn) &
a5079d08	79	CRYPTO_TFM_REQ_MASK);
e75445a8	80	err = crypto_skcipher_setkey(enc, keys.enckey, keys.enckeylen);
a5079d08	81	out:
31545df3	82	memzero_explicit(&keys, sizeof(keys));
a5079d08	83	return err;
a5079d08 SK	84	}
a5079d08 SK	85
104880a6 HX	86	static int crypto_authenc_esn_genicv_tail(struct aead_request *req,
104880a6 HX	87	unsigned int flags)
a5079d08	88	{
a5079d08	89	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
a5079d08	90	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
03be4e45	91	u8 *hash = areq_ctx->tail;
104880a6 HX	92	unsigned int authsize = crypto_aead_authsize(authenc_esn);
	93	unsigned int assoclen = req->assoclen;
	94	unsigned int cryptlen = req->cryptlen;
	95	struct scatterlist *dst = req->dst;
	96	u32 tmp[2];
a5079d08	97
104880a6 HX	98	/* Move high-order bits of sequence number back. */
	99	scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
	100	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
	101	scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);
a5079d08	102
104880a6 HX	103	scatterwalk_map_and_copy(hash, dst, assoclen + cryptlen, authsize, 1);
104880a6 HX	104	return 0;
a5079d08 SK	105	}
a5079d08 SK	106
255e48eb	107	static void authenc_esn_geniv_ahash_done(void *data, int err)
a5079d08	108	{
255e48eb	109	struct aead_request *req = data;
a5079d08	110
104880a6	111	err = err ?: crypto_authenc_esn_genicv_tail(req, 0);
a5079d08 SK	112	aead_request_complete(req, err);
	113	}
	114
104880a6 HX	115	static int crypto_authenc_esn_genicv(struct aead_request *req,
104880a6 HX	116	unsigned int flags)
a5079d08	117	{
a5079d08	118	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
a5079d08	119	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
a5079d08	120	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
104880a6	121	struct crypto_ahash *auth = ctx->auth;
03be4e45	122	u8 *hash = areq_ctx->tail;
a5079d08	123	struct ahash_request ahreq = (void )(areq_ctx->tail + ctx->reqoff);
104880a6 HX	124	unsigned int authsize = crypto_aead_authsize(authenc_esn);
104880a6 HX	125	unsigned int assoclen = req->assoclen;
a5079d08	126	unsigned int cryptlen = req->cryptlen;
104880a6 HX	127	struct scatterlist *dst = req->dst;
104880a6 HX	128	u32 tmp[2];
a5079d08	129
104880a6 HX	130	if (!authsize)
104880a6 HX	131	return 0;
a5079d08	132
104880a6 HX	133	/* Move high-order bits of sequence number to the end. */
	134	scatterwalk_map_and_copy(tmp, dst, 0, 8, 0);
	135	scatterwalk_map_and_copy(tmp, dst, 4, 4, 1);
	136	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 1);
a5079d08	137
104880a6 HX	138	sg_init_table(areq_ctx->dst, 2);
104880a6 HX	139	dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);
a5079d08	140
104880a6 HX	141	ahash_request_set_tfm(ahreq, auth);
	142	ahash_request_set_crypt(ahreq, dst, hash, assoclen + cryptlen);
	143	ahash_request_set_callback(ahreq, flags,
	144	authenc_esn_geniv_ahash_done, req);
a5079d08	145
104880a6 HX	146	return crypto_ahash_digest(ahreq) ?:
104880a6 HX	147	crypto_authenc_esn_genicv_tail(req, aead_request_flags(req));
a5079d08 SK	148	}
	149
	150
255e48eb	151	static void crypto_authenc_esn_encrypt_done(void *data, int err)
a5079d08	152	{
255e48eb	153	struct aead_request *areq = data;
a5079d08	154
104880a6 HX	155	if (!err)
104880a6 HX	156	err = crypto_authenc_esn_genicv(areq, 0);
a5079d08	157
104880a6	158	authenc_esn_request_complete(areq, err);
a5079d08 SK	159	}
a5079d08 SK	160
104880a6	161	static int crypto_authenc_esn_copy(struct aead_request *req, unsigned int len)
a5079d08 SK	162	{
	163	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	164	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
8d605398	165	SYNC_SKCIPHER_REQUEST_ON_STACK(skreq, ctx->null);
a5079d08	166
8d605398	167	skcipher_request_set_sync_tfm(skreq, ctx->null);
e75445a8 HX	168	skcipher_request_set_callback(skreq, aead_request_flags(req),
	169	NULL, NULL);
	170	skcipher_request_set_crypt(skreq, req->src, req->dst, len, NULL);
	171
	172	return crypto_skcipher_encrypt(skreq);
a5079d08 SK	173	}
a5079d08 SK	174
104880a6	175	static int crypto_authenc_esn_encrypt(struct aead_request *req)
a5079d08 SK	176	{
	177	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	178	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
104880a6	179	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
e75445a8 HX	180	struct skcipher_request skreq = (void )(areq_ctx->tail +
	181	ctx->reqoff);
	182	struct crypto_skcipher *enc = ctx->enc;
104880a6	183	unsigned int assoclen = req->assoclen;
a5079d08	184	unsigned int cryptlen = req->cryptlen;
104880a6 HX	185	struct scatterlist src, dst;
104880a6 HX	186	int err;
a5079d08	187
104880a6 HX	188	sg_init_table(areq_ctx->src, 2);
	189	src = scatterwalk_ffwd(areq_ctx->src, req->src, assoclen);
	190	dst = src;
a5079d08	191
104880a6 HX	192	if (req->src != req->dst) {
	193	err = crypto_authenc_esn_copy(req, assoclen);
	194	if (err)
	195	return err;
a5079d08	196
104880a6 HX	197	sg_init_table(areq_ctx->dst, 2);
104880a6 HX	198	dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, assoclen);
a5079d08 SK	199	}
a5079d08 SK	200
e75445a8 HX	201	skcipher_request_set_tfm(skreq, enc);
	202	skcipher_request_set_callback(skreq, aead_request_flags(req),
	203	crypto_authenc_esn_encrypt_done, req);
	204	skcipher_request_set_crypt(skreq, src, dst, cryptlen, req->iv);
a5079d08	205
e75445a8	206	err = crypto_skcipher_encrypt(skreq);
a5079d08 SK	207	if (err)
	208	return err;
	209
104880a6	210	return crypto_authenc_esn_genicv(req, aead_request_flags(req));
a5079d08 SK	211	}
a5079d08 SK	212
104880a6 HX	213	static int crypto_authenc_esn_decrypt_tail(struct aead_request *req,
104880a6 HX	214	unsigned int flags)
a5079d08	215	{
104880a6 HX	216	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	217	unsigned int authsize = crypto_aead_authsize(authenc_esn);
	218	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
	219	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
e75445a8 HX	220	struct skcipher_request skreq = (void )(areq_ctx->tail +
e75445a8 HX	221	ctx->reqoff);
104880a6	222	struct crypto_ahash *auth = ctx->auth;
03be4e45	223	u8 *ohash = areq_ctx->tail;
104880a6 HX	224	unsigned int cryptlen = req->cryptlen - authsize;
	225	unsigned int assoclen = req->assoclen;
	226	struct scatterlist *dst = req->dst;
	227	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
	228	u32 tmp[2];
a5079d08	229
41cdf7a4 HX	230	if (!authsize)
	231	goto decrypt;
	232
104880a6 HX	233	/* Move high-order bits of sequence number back. */
	234	scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
	235	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
	236	scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);
a5079d08	237
104880a6 HX	238	if (crypto_memneq(ihash, ohash, authsize))
104880a6 HX	239	return -EBADMSG;
a5079d08	240
41cdf7a4 HX	241	decrypt:
41cdf7a4 HX	242
104880a6 HX	243	sg_init_table(areq_ctx->dst, 2);
104880a6 HX	244	dst = scatterwalk_ffwd(areq_ctx->dst, dst, assoclen);
a5079d08	245
e75445a8 HX	246	skcipher_request_set_tfm(skreq, ctx->enc);
	247	skcipher_request_set_callback(skreq, flags,
	248	req->base.complete, req->base.data);
	249	skcipher_request_set_crypt(skreq, dst, dst, cryptlen, req->iv);
a5079d08	250
e75445a8	251	return crypto_skcipher_decrypt(skreq);
a5079d08 SK	252	}
a5079d08 SK	253
255e48eb	254	static void authenc_esn_verify_ahash_done(void *data, int err)
a5079d08	255	{
255e48eb	256	struct aead_request *req = data;
a5079d08	257
104880a6	258	err = err ?: crypto_authenc_esn_decrypt_tail(req, 0);
a7773363	259	authenc_esn_request_complete(req, err);
a5079d08 SK	260	}
a5079d08 SK	261
104880a6	262	static int crypto_authenc_esn_decrypt(struct aead_request *req)
a5079d08 SK	263	{
	264	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
	265	struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
104880a6 HX	266	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
	267	struct ahash_request ahreq = (void )(areq_ctx->tail + ctx->reqoff);
	268	unsigned int authsize = crypto_aead_authsize(authenc_esn);
	269	struct crypto_ahash *auth = ctx->auth;
03be4e45	270	u8 *ohash = areq_ctx->tail;
104880a6 HX	271	unsigned int assoclen = req->assoclen;
	272	unsigned int cryptlen = req->cryptlen;
	273	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
	274	struct scatterlist *dst = req->dst;
	275	u32 tmp[2];
	276	int err;
a5079d08	277
104880a6	278	cryptlen -= authsize;
a5079d08	279
104880a6 HX	280	if (req->src != dst) {
	281	err = crypto_authenc_esn_copy(req, assoclen + cryptlen);
	282	if (err)
	283	return err;
	284	}
a5079d08	285
104880a6 HX	286	scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
104880a6 HX	287	authsize, 0);
a5079d08	288
104880a6 HX	289	if (!authsize)
104880a6 HX	290	goto tail;
a5079d08	291
104880a6 HX	292	/* Move high-order bits of sequence number to the end. */
	293	scatterwalk_map_and_copy(tmp, dst, 0, 8, 0);
	294	scatterwalk_map_and_copy(tmp, dst, 4, 4, 1);
	295	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 1);
a5079d08	296
104880a6 HX	297	sg_init_table(areq_ctx->dst, 2);
104880a6 HX	298	dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);
a5079d08	299
104880a6 HX	300	ahash_request_set_tfm(ahreq, auth);
	301	ahash_request_set_crypt(ahreq, dst, ohash, assoclen + cryptlen);
	302	ahash_request_set_callback(ahreq, aead_request_flags(req),
	303	authenc_esn_verify_ahash_done, req);
a5079d08	304
104880a6	305	err = crypto_ahash_digest(ahreq);
a5079d08 SK	306	if (err)
	307	return err;
	308
104880a6 HX	309	tail:
104880a6 HX	310	return crypto_authenc_esn_decrypt_tail(req, aead_request_flags(req));
a5079d08 SK	311	}
a5079d08 SK	312
104880a6	313	static int crypto_authenc_esn_init_tfm(struct crypto_aead *tfm)
a5079d08	314	{
104880a6 HX	315	struct aead_instance *inst = aead_alg_instance(tfm);
	316	struct authenc_esn_instance_ctx *ictx = aead_instance_ctx(inst);
	317	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(tfm);
a5079d08	318	struct crypto_ahash *auth;
e75445a8	319	struct crypto_skcipher *enc;
8d605398	320	struct crypto_sync_skcipher *null;
a5079d08 SK	321	int err;
	322
	323	auth = crypto_spawn_ahash(&ictx->auth);
	324	if (IS_ERR(auth))
	325	return PTR_ERR(auth);
	326
60425a8b	327	enc = crypto_spawn_skcipher(&ictx->enc);
a5079d08 SK	328	err = PTR_ERR(enc);
	329	if (IS_ERR(enc))
	330	goto err_free_ahash;
	331
3a2d4fb5	332	null = crypto_get_default_null_skcipher();
104880a6 HX	333	err = PTR_ERR(null);
	334	if (IS_ERR(null))
	335	goto err_free_skcipher;
	336
a5079d08 SK	337	ctx->auth = auth;
a5079d08 SK	338	ctx->enc = enc;
104880a6	339	ctx->null = null;
a5079d08	340
03be4e45	341	ctx->reqoff = 2 * crypto_ahash_digestsize(auth);
a5079d08	342
104880a6 HX	343	crypto_aead_set_reqsize(
104880a6 HX	344	tfm,
6650d09b HX	345	sizeof(struct authenc_esn_request_ctx) +
	346	ctx->reqoff +
	347	max_t(unsigned int,
e75445a8 HX	348	crypto_ahash_reqsize(auth) +
	349	sizeof(struct ahash_request),
	350	sizeof(struct skcipher_request) +
	351	crypto_skcipher_reqsize(enc)));
a5079d08 SK	352
	353	return 0;
	354
104880a6	355	err_free_skcipher:
e75445a8	356	crypto_free_skcipher(enc);
a5079d08 SK	357	err_free_ahash:
	358	crypto_free_ahash(auth);
	359	return err;
	360	}
	361
104880a6	362	static void crypto_authenc_esn_exit_tfm(struct crypto_aead *tfm)
a5079d08	363	{
104880a6	364	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(tfm);
a5079d08 SK	365
a5079d08 SK	366	crypto_free_ahash(ctx->auth);
e75445a8	367	crypto_free_skcipher(ctx->enc);
3a2d4fb5	368	crypto_put_default_null_skcipher();
104880a6 HX	369	}
	370
	371	static void crypto_authenc_esn_free(struct aead_instance *inst)
	372	{
	373	struct authenc_esn_instance_ctx *ctx = aead_instance_ctx(inst);
	374
	375	crypto_drop_skcipher(&ctx->enc);
	376	crypto_drop_ahash(&ctx->auth);
	377	kfree(inst);
a5079d08 SK	378	}
a5079d08 SK	379
104880a6 HX	380	static int crypto_authenc_esn_create(struct crypto_template *tmpl,
104880a6 HX	381	struct rtattr **tb)
a5079d08	382	{
b9f76ddd	383	u32 mask;
104880a6	384	struct aead_instance *inst;
37073882	385	struct authenc_esn_instance_ctx *ctx;
24a285ce	386	struct skcipher_alg_common *enc;
a5079d08 SK	387	struct hash_alg_common *auth;
a5079d08 SK	388	struct crypto_alg *auth_base;
a5079d08 SK	389	int err;
a5079d08 SK	390
7bcb2c99 EB	391	err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AEAD, &mask);
	392	if (err)
	393	return err;
b9f76ddd	394
a5079d08	395	inst = kzalloc(sizeof(inst) + sizeof(ctx), GFP_KERNEL);
a5079d08	396	if (!inst)
37073882	397	return -ENOMEM;
104880a6	398	ctx = aead_instance_ctx(inst);
a5079d08	399
37073882 EB	400	err = crypto_grab_ahash(&ctx->auth, aead_crypto_instance(inst),
37073882 EB	401	crypto_attr_alg_name(tb[1]), 0, mask);
a5079d08 SK	402	if (err)
a5079d08 SK	403	goto err_free_inst;
37073882 EB	404	auth = crypto_spawn_ahash_alg(&ctx->auth);
37073882 EB	405	auth_base = &auth->base;
a5079d08	406
b9f76ddd	407	err = crypto_grab_skcipher(&ctx->enc, aead_crypto_instance(inst),
37073882	408	crypto_attr_alg_name(tb[2]), 0, mask);
a5079d08	409	if (err)
37073882	410	goto err_free_inst;
24a285ce	411	enc = crypto_spawn_skcipher_alg_common(&ctx->enc);
a5079d08 SK	412
a5079d08 SK	413	err = -ENAMETOOLONG;
104880a6 HX	414	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
104880a6 HX	415	"authencesn(%s,%s)", auth_base->cra_name,
e75445a8	416	enc->base.cra_name) >= CRYPTO_MAX_ALG_NAME)
37073882	417	goto err_free_inst;
a5079d08	418
104880a6	419	if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
a5079d08	420	"authencesn(%s,%s)", auth_base->cra_driver_name,
e75445a8	421	enc->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
37073882	422	goto err_free_inst;
a5079d08	423
e75445a8	424	inst->alg.base.cra_priority = enc->base.cra_priority * 10 +
104880a6	425	auth_base->cra_priority;
e75445a8	426	inst->alg.base.cra_blocksize = enc->base.cra_blocksize;
03be4e45	427	inst->alg.base.cra_alignmask = enc->base.cra_alignmask;
104880a6 HX	428	inst->alg.base.cra_ctxsize = sizeof(struct crypto_authenc_esn_ctx);
104880a6 HX	429
24a285ce HX	430	inst->alg.ivsize = enc->ivsize;
24a285ce HX	431	inst->alg.chunksize = enc->chunksize;
104880a6	432	inst->alg.maxauthsize = auth->digestsize;
a5079d08	433
104880a6 HX	434	inst->alg.init = crypto_authenc_esn_init_tfm;
104880a6 HX	435	inst->alg.exit = crypto_authenc_esn_exit_tfm;
a5079d08	436
104880a6 HX	437	inst->alg.setkey = crypto_authenc_esn_setkey;
	438	inst->alg.setauthsize = crypto_authenc_esn_setauthsize;
	439	inst->alg.encrypt = crypto_authenc_esn_encrypt;
	440	inst->alg.decrypt = crypto_authenc_esn_decrypt;
a5079d08	441
d1dc4df1	442	inst->free = crypto_authenc_esn_free;
a5079d08	443
104880a6	444	err = aead_register_instance(tmpl, inst);
37073882	445	if (err) {
a5079d08	446	err_free_inst:
37073882 EB	447	crypto_authenc_esn_free(inst);
	448	}
	449	return err;
a5079d08 SK	450	}
a5079d08 SK	451
a5079d08 SK	452	static struct crypto_template crypto_authenc_esn_tmpl = {
a5079d08 SK	453	.name = "authencesn",
104880a6	454	.create = crypto_authenc_esn_create,
a5079d08 SK	455	.module = THIS_MODULE,
	456	};
	457
	458	static int __init crypto_authenc_esn_module_init(void)
	459	{
	460	return crypto_register_template(&crypto_authenc_esn_tmpl);
	461	}
	462
	463	static void __exit crypto_authenc_esn_module_exit(void)
	464	{
	465	crypto_unregister_template(&crypto_authenc_esn_tmpl);
	466	}
	467
c4741b23	468	subsys_initcall(crypto_authenc_esn_module_init);
a5079d08 SK	469	module_exit(crypto_authenc_esn_module_exit);
	470
	471	MODULE_LICENSE("GPL");
	472	MODULE_AUTHOR("Steffen Klassert <steffen.klassert@secunet.com>");
	473	MODULE_DESCRIPTION("AEAD wrapper for IPsec with extended sequence numbers");
4943ba16	474	MODULE_ALIAS_CRYPTO("authencesn");