2 * AEAD: Authenticated Encryption with Associated Data
4 * This file provides API support for AEAD algorithms.
6 * Copyright (c) 2007 Herbert Xu <herbert@gondor.apana.org.au>
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the Free
10 * Software Foundation; either version 2 of the License, or (at your option)
15 #include <crypto/internal/aead.h>
16 #include <crypto/scatterwalk.h>
17 #include <linux/err.h>
18 #include <linux/init.h>
19 #include <linux/kernel.h>
20 #include <linux/module.h>
21 #include <linux/rtnetlink.h>
22 #include <linux/sched.h>
23 #include <linux/slab.h>
24 #include <linux/seq_file.h>
25 #include <linux/cryptouser.h>
26 #include <net/netlink.h>
/*
 * Forward declarations: both helpers are defined further down in this file
 * but are referenced earlier, where crypto_aead_init_tfm() fills in a
 * transform's givencrypt/givdecrypt hooks.
 */
static int aead_null_givencrypt(struct aead_givcrypt_request *req);
static int aead_null_givdecrypt(struct aead_givcrypt_request *req);
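/*
 * Set the key through the legacy ->setkey() hook when the caller's key
 * buffer does not satisfy the transform's alignment mask.
 *
 * The key is copied into a temporary heap buffer aligned to alignmask + 1,
 * handed to the algorithm, and the copy is wiped before the buffer is
 * released so that key material does not linger in freed slab memory.
 *
 * Returns the algorithm's ->setkey() result, or -ENOMEM if the bounce
 * buffer cannot be allocated.
 */
static int setkey_unaligned(struct crypto_aead *tfm, const u8 *key,
			    unsigned int keylen)
{
	struct old_aead_alg *aead = crypto_old_aead_alg(tfm);
	unsigned long alignmask = crypto_aead_alignmask(tfm);
	int ret;
	u8 *buffer, *alignbuffer;
	unsigned long absize;

	/* Over-allocate by alignmask so an aligned keylen-byte window fits. */
	absize = keylen + alignmask;
	buffer = kmalloc(absize, GFP_ATOMIC);
	if (!buffer)
		return -ENOMEM;

	alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1);
	memcpy(alignbuffer, key, keylen);
	ret = aead->setkey(tfm, alignbuffer, keylen);

	/*
	 * Wipe the key copy with memzero_explicit() rather than memset():
	 * a plain store to memory that is about to be freed is a dead store
	 * the compiler is allowed to drop.
	 */
	memzero_explicit(alignbuffer, keylen);
	kfree(buffer);
	return ret;
}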
/*
 * crypto_aead_setkey - install a key on an AEAD transform.
 *
 * As far as the visible lines show: the legacy algorithm descriptor and the
 * alignment mask are read from @tfm; a key pointer with any alignmask bit
 * set is routed through setkey_unaligned(), otherwise the algorithm's
 * ->setkey() hook is called on the caller's buffer directly.
 *
 * NOTE(review): this listing drops some source lines (the embedded numbers
 * jump from 59 to 63), so a statement between the declarations and the
 * alignment test may be missing here - check the original file.
 */
55 int crypto_aead_setkey(struct crypto_aead
*tfm
,
56 const u8
*key
, unsigned int keylen
)
58 struct old_aead_alg
*aead
= crypto_old_aead_alg(tfm
);
59 unsigned long alignmask
= crypto_aead_alignmask(tfm
);
63 if ((unsigned long)key
& alignmask
)
64 return setkey_unaligned(tfm
, key
, keylen
);
66 return aead
->setkey(tfm
, key
, keylen
);
68 EXPORT_SYMBOL_GPL(crypto_aead_setkey
);
/*
 * crypto_aead_setauthsize - set the authentication tag length of @tfm.
 *
 * Visible logic: @authsize is compared against the algorithm's maxauthsize;
 * if the algorithm provides a ->setauthsize() hook it is invoked on
 * tfm->child; the value is then recorded on both tfm->child and tfm.
 *
 * As far as the visible lines show, only an upper bound is enforced here;
 * any minimum tag length is left to the algorithm's ->setauthsize() hook,
 * when it has one.
 *
 * NOTE(review): the statements that follow each check (embedded lines 75,
 * 80-82 and 86) are absent from this listing, so the values returned on
 * the oversize and hook-failure paths cannot be read from here.
 */
70 int crypto_aead_setauthsize(struct crypto_aead
*tfm
, unsigned int authsize
)
74 if (authsize
> crypto_old_aead_alg(tfm
)->maxauthsize
)
77 if (crypto_old_aead_alg(tfm
)->setauthsize
) {
78 err
= crypto_old_aead_alg(tfm
)->setauthsize(
79 tfm
->child
, authsize
);
84 tfm
->child
->authsize
= authsize
;
85 tfm
->authsize
= authsize
;
88 EXPORT_SYMBOL_GPL(crypto_aead_setauthsize
);
/*
 * Per-request scratch state for the legacy-algorithm path: old_crypt()
 * obtains it from aead_request_ctx() and crypto_aead_reqsize() accounts
 * for its size.
 */
struct aead_old_request {
	/* Storage handed to scatterwalk_ffwd() for the source list. */
	struct scatterlist srcbuf[2];
	/* Storage handed to scatterwalk_ffwd() for the destination list. */
	struct scatterlist dstbuf[2];
	/* Inner request that is passed to the legacy handler. */
	struct aead_request subreq;
};
/*
 * Report how much per-request context a caller must allocate for @tfm:
 * the transform's own reqsize plus room for the struct aead_old_request
 * used by the legacy path.
 */
unsigned int crypto_aead_reqsize(struct crypto_aead *tfm)
{
	const size_t legacy_ctx = sizeof(struct aead_old_request);

	return tfm->reqsize + legacy_ctx;
}
EXPORT_SYMBOL_GPL(crypto_aead_reqsize);
/*
 * old_crypt - run one request through a legacy AEAD handler.
 *
 * Visible steps: the request context is used as a struct aead_old_request;
 * scatterwalk_ffwd() advances both req->src and req->dst by
 * req->assoclen + req->cryptoff; the inner subreq is bound to the same
 * transform, inherits the caller's flags and completion callback/data, is
 * given the advanced lists together with req->cryptlen, and gets req->src
 * with req->assoclen as its associated data; finally @crypt is called on
 * the inner request.
 *
 * NOTE(review): embedded lines 108-111 and 121 are missing from this
 * listing (121 is the tail of the aead_request_set_crypt() call), so any
 * early-exit path and the last argument of that call are not shown.
 */
102 static int old_crypt(struct aead_request
*req
,
103 int (*crypt
)(struct aead_request
*req
))
105 struct aead_old_request
*nreq
= aead_request_ctx(req
);
106 struct crypto_aead
*aead
= crypto_aead_reqtfm(req
);
107 struct scatterlist
*src
, *dst
;
112 src
= scatterwalk_ffwd(nreq
->srcbuf
, req
->src
,
113 req
->assoclen
+ req
->cryptoff
);
114 dst
= scatterwalk_ffwd(nreq
->dstbuf
, req
->dst
,
115 req
->assoclen
+ req
->cryptoff
);
117 aead_request_set_tfm(&nreq
->subreq
, aead
);
118 aead_request_set_callback(&nreq
->subreq
, aead_request_flags(req
),
119 req
->base
.complete
, req
->base
.data
);
120 aead_request_set_crypt(&nreq
->subreq
, src
, dst
, req
->cryptlen
,
122 aead_request_set_assoc(&nreq
->subreq
, req
->src
, req
->assoclen
);
124 return crypt(&nreq
->subreq
);
/*
 * Encrypt entry point installed on transforms by crypto_aead_init_tfm():
 * looks up the legacy algorithm behind @req's transform and runs its
 * ->encrypt handler through old_crypt().
 */
static int old_encrypt(struct aead_request *req)
{
	struct old_aead_alg *legacy;

	legacy = crypto_old_aead_alg(crypto_aead_reqtfm(req));
	return old_crypt(req, legacy->encrypt);
}
/*
 * Decrypt entry point installed on transforms by crypto_aead_init_tfm():
 * looks up the legacy algorithm behind @req's transform and runs its
 * ->decrypt handler through old_crypt().
 */
static int old_decrypt(struct aead_request *req)
{
	struct old_aead_alg *legacy;

	legacy = crypto_old_aead_alg(crypto_aead_reqtfm(req));
	return old_crypt(req, legacy->decrypt);
}
/*
 * no_givcrypt - fallback that crypto_aead_init_tfm() installs through
 * "alg->givencrypt ?: no_givcrypt" (and the givdecrypt equivalent) when the
 * algorithm leaves the hook unset.
 *
 * NOTE(review): only the signature survives in this listing; the body
 * (embedded lines 144-146) is not shown.
 */
143 static int no_givcrypt(struct aead_givcrypt_request
*req
)
/*
 * crypto_aead_init_tfm - populate an AEAD transform from its legacy
 * algorithm descriptor.
 *
 * Visible steps: the larger of maxauthsize and ivsize is checked against
 * PAGE_SIZE / 8; encrypt/decrypt are pointed at old_encrypt/old_decrypt;
 * givencrypt/givdecrypt are assigned twice - once from the algorithm's own
 * hooks with no_givcrypt as fallback, once to the aead_null_* helpers;
 * child is set to the transform itself; ivsize and authsize are seeded
 * from the algorithm (authsize starts at maxauthsize).
 *
 * NOTE(review): the branch that selects between the two giv* assignments
 * (embedded lines 158 and 161) and the outcome of the size check (line
 * 154) are missing from this listing.
 */
148 static int crypto_aead_init_tfm(struct crypto_tfm
*tfm
)
150 struct old_aead_alg
*alg
= &tfm
->__crt_alg
->cra_aead
;
151 struct crypto_aead
*crt
= __crypto_aead_cast(tfm
);
153 if (max(alg
->maxauthsize
, alg
->ivsize
) > PAGE_SIZE
/ 8)
156 crt
->encrypt
= old_encrypt
;
157 crt
->decrypt
= old_decrypt
;
159 crt
->givencrypt
= alg
->givencrypt
?: no_givcrypt
;
160 crt
->givdecrypt
= alg
->givdecrypt
?: no_givcrypt
;
162 crt
->givencrypt
= aead_null_givencrypt
;
163 crt
->givdecrypt
= aead_null_givdecrypt
;
165 crt
->child
= __crypto_aead_cast(tfm
);
166 crt
->ivsize
= alg
->ivsize
;
167 crt
->authsize
= alg
->maxauthsize
;
/*
 * crypto_aead_report - describe an AEAD algorithm in a netlink message.
 *
 * Visible steps: a struct crypto_report_aead is built on the stack - type
 * and geniv via strncpy() bounded by the field size (geniv falls back to
 * "<built-in>" when the algorithm names none), then blocksize, maxauthsize
 * and ivsize - and the whole struct is appended to @skb with nla_put()
 * under CRYPTOCFGA_REPORT_AEAD.
 *
 * NOTE(review): raead is not zero-initialised and is copied out in full,
 * so every byte must be written before nla_put(). strncpy() pads the rest
 * of each string field with NULs, which covers the two arrays; whether the
 * struct has padding or further members depends on its definition, which
 * is not in this file - confirm. strncpy() also leaves a field without a
 * terminating NUL if the source string fills it.
 *
 * NOTE(review): the same signature appears a second time (embedded line
 * 194) with no body in this listing - presumably the alternative
 * definition under a preprocessor conditional whose lines were dropped.
 * The return statements and the nla_put_failure label are missing too.
 */
173 static int crypto_aead_report(struct sk_buff
*skb
, struct crypto_alg
*alg
)
175 struct crypto_report_aead raead
;
176 struct old_aead_alg
*aead
= &alg
->cra_aead
;
178 strncpy(raead
.type
, "aead", sizeof(raead
.type
));
179 strncpy(raead
.geniv
, aead
->geniv
?: "<built-in>", sizeof(raead
.geniv
));
181 raead
.blocksize
= alg
->cra_blocksize
;
182 raead
.maxauthsize
= aead
->maxauthsize
;
183 raead
.ivsize
= aead
->ivsize
;
185 if (nla_put(skb
, CRYPTOCFGA_REPORT_AEAD
,
186 sizeof(struct crypto_report_aead
), &raead
))
187 goto nla_put_failure
;
194 static int crypto_aead_report(struct sk_buff
*skb
, struct crypto_alg
*alg
)
/*
 * crypto_aead_show - print an AEAD algorithm's properties to a seq_file.
 *
 * The function is first declared with __attribute__((unused)) and then
 * defined. It emits the type, the async flag (derived from
 * CRYPTO_ALG_ASYNC in cra_flags), blocksize, ivsize, maxauthsize and the
 * IV generator name, substituting "<built-in>" when geniv is NULL.
 *
 * NOTE(review): embedded line 208 (the tail of the "async" seq_printf
 * call) is missing from this listing.
 */
200 static void crypto_aead_show(struct seq_file
*m
, struct crypto_alg
*alg
)
201 __attribute__ ((unused
));
202 static void crypto_aead_show(struct seq_file
*m
, struct crypto_alg
*alg
)
204 struct old_aead_alg
*aead
= &alg
->cra_aead
;
206 seq_printf(m
, "type : aead\n");
207 seq_printf(m
, "async : %s\n", alg
->cra_flags
& CRYPTO_ALG_ASYNC
?
209 seq_printf(m
, "blocksize : %u\n", alg
->cra_blocksize
);
210 seq_printf(m
, "ivsize : %u\n", aead
->ivsize
);
211 seq_printf(m
, "maxauthsize : %u\n", aead
->maxauthsize
);
212 seq_printf(m
, "geniv : %s\n", aead
->geniv
?: "<built-in>");
/*
 * Type descriptor for AEAD transforms. crypto_alloc_aead() passes it to
 * crypto_alloc_tfm() and crypto_grab_aead() installs it as the spawn
 * frontend. The .show hook is only wired up when CONFIG_PROC_FS is set.
 */
const struct crypto_type crypto_aead_type = {
	.extsize	= crypto_alg_extsize,
	.init_tfm	= crypto_aead_init_tfm,
#ifdef CONFIG_PROC_FS
	.show		= crypto_aead_show,
#endif
	.report		= crypto_aead_report,
	.lookup		= crypto_lookup_aead,
	.maskclear	= ~(CRYPTO_ALG_TYPE_MASK | CRYPTO_ALG_GENIV),
	.maskset	= CRYPTO_ALG_TYPE_MASK,
	.type		= CRYPTO_ALG_TYPE_AEAD,
	.tfmsize	= offsetof(struct crypto_aead, base),
};
EXPORT_SYMBOL_GPL(crypto_aead_type);
/*
 * givencrypt hook assigned by crypto_aead_init_tfm(): forwards the request
 * embedded in @req straight to crypto_aead_encrypt().
 */
static int aead_null_givencrypt(struct aead_givcrypt_request *req)
{
	return crypto_aead_encrypt(&req->areq);
}
/*
 * givdecrypt hook assigned by crypto_aead_init_tfm(): forwards the request
 * embedded in @req straight to crypto_aead_decrypt().
 */
static int aead_null_givdecrypt(struct aead_givcrypt_request *req)
{
	return crypto_aead_decrypt(&req->areq);
}
/*
 * crypto_nivaead_report - describe a "nivaead" algorithm in a netlink
 * message.
 *
 * Visible steps: a struct crypto_report_aead is built on the stack - type
 * is set to "nivaead" and geniv is copied from the algorithm, both with
 * strncpy() bounded by the field size; blocksize, maxauthsize and ivsize
 * follow - and the struct is appended to @skb with nla_put() under
 * CRYPTOCFGA_REPORT_AEAD.
 *
 * NOTE(review): raead is not zero-initialised and is copied out in full;
 * strncpy()'s NUL padding covers the two arrays, but padding or further
 * members in the struct would not be covered - confirm against its
 * definition, which is not in this file.
 *
 * NOTE(review): unlike crypto_aead_report(), aead->geniv is handed to
 * strncpy() without a NULL fallback; presumably algorithms of this type
 * always name a generator - confirm.
 *
 * NOTE(review): the signature appears a second time (embedded line 262)
 * with no body, and the return statements and the nla_put_failure label
 * are missing from this listing.
 */
241 static int crypto_nivaead_report(struct sk_buff
*skb
, struct crypto_alg
*alg
)
243 struct crypto_report_aead raead
;
244 struct old_aead_alg
*aead
= &alg
->cra_aead
;
246 strncpy(raead
.type
, "nivaead", sizeof(raead
.type
));
247 strncpy(raead
.geniv
, aead
->geniv
, sizeof(raead
.geniv
));
249 raead
.blocksize
= alg
->cra_blocksize
;
250 raead
.maxauthsize
= aead
->maxauthsize
;
251 raead
.ivsize
= aead
->ivsize
;
253 if (nla_put(skb
, CRYPTOCFGA_REPORT_AEAD
,
254 sizeof(struct crypto_report_aead
), &raead
))
255 goto nla_put_failure
;
262 static int crypto_nivaead_report(struct sk_buff
*skb
, struct crypto_alg
*alg
)
/*
 * crypto_nivaead_show - print a "nivaead" algorithm's properties to a
 * seq_file.
 *
 * The function is first declared with __attribute__((unused)) and then
 * defined. It emits the type, the async flag (derived from
 * CRYPTO_ALG_ASYNC in cra_flags), blocksize, ivsize, maxauthsize and the
 * IV generator name.
 *
 * NOTE(review): aead->geniv is printed with %s and no NULL fallback,
 * unlike crypto_aead_show(); presumably it is always set for this type -
 * confirm. Embedded line 277 (the tail of the "async" seq_printf call) is
 * missing from this listing.
 */
269 static void crypto_nivaead_show(struct seq_file
*m
, struct crypto_alg
*alg
)
270 __attribute__ ((unused
));
271 static void crypto_nivaead_show(struct seq_file
*m
, struct crypto_alg
*alg
)
273 struct old_aead_alg
*aead
= &alg
->cra_aead
;
275 seq_printf(m
, "type : nivaead\n");
276 seq_printf(m
, "async : %s\n", alg
->cra_flags
& CRYPTO_ALG_ASYNC
?
278 seq_printf(m
, "blocksize : %u\n", alg
->cra_blocksize
);
279 seq_printf(m
, "ivsize : %u\n", aead
->ivsize
);
280 seq_printf(m
, "maxauthsize : %u\n", aead
->maxauthsize
);
281 seq_printf(m
, "geniv : %s\n", aead
->geniv
);
/*
 * Type descriptor installed as the spawn frontend by crypto_grab_nivaead().
 * Compared with crypto_aead_type, maskset additionally carries
 * CRYPTO_ALG_GENIV, the show/report hooks are the nivaead variants and no
 * .lookup hook is set. The .show hook is only wired up when CONFIG_PROC_FS
 * is set.
 */
const struct crypto_type crypto_nivaead_type = {
	.extsize	= crypto_alg_extsize,
	.init_tfm	= crypto_aead_init_tfm,
#ifdef CONFIG_PROC_FS
	.show		= crypto_nivaead_show,
#endif
	.report		= crypto_nivaead_report,
	.maskclear	= ~(CRYPTO_ALG_TYPE_MASK | CRYPTO_ALG_GENIV),
	.maskset	= CRYPTO_ALG_TYPE_MASK | CRYPTO_ALG_GENIV,
	.type		= CRYPTO_ALG_TYPE_AEAD,
	.tfmsize	= offsetof(struct crypto_aead, base),
};
EXPORT_SYMBOL_GPL(crypto_nivaead_type);
/*
 * Bind @spawn to the algorithm called @name, using crypto_nivaead_type as
 * the frontend. @type and @mask are passed to crypto_grab_spawn()
 * unchanged, and its result is returned.
 */
static int crypto_grab_nivaead(struct crypto_aead_spawn *spawn,
			       const char *name, u32 type, u32 mask)
{
	spawn->base.frontend = &crypto_nivaead_type;

	return crypto_grab_spawn(&spawn->base, name, type, mask);
}
/*
 * aead_geniv_alloc - build a template instance that wraps an underlying
 * AEAD algorithm for an IV-generator template.
 *
 * Visible steps: the type attribute is fetched from @tb and compared
 * against CRYPTO_ALG_TYPE_AEAD | CRYPTO_ALG_GENIV; the algorithm name is
 * taken from tb[1]; instance and spawn are allocated together with
 * kzalloc(); the mask is widened by crypto_requires_sync(); the spawn is
 * grabbed through crypto_grab_nivaead(); the underlying algorithm's ivsize
 * is tested; the instance names are either copied verbatim (when the
 * attribute mask carries CRYPTO_ALG_GENIV, after a strcmp() of the
 * template name against the algorithm's geniv) or built as "tmpl(alg)"
 * with snprintf() and a length comparison; flags, priority, blocksize,
 * alignmask, ivsize, maxauthsize, geniv and the setkey/setauthsize/
 * encrypt/decrypt hooks are then taken over from the underlying algorithm.
 *
 * NOTE(review): a large share of this function is missing from the
 * listing - the rest of the parameter list, the local declarations of
 * name and err, the IS_ERR()-style checks that guard the early returns,
 * the bodies of most conditionals, and the cleanup labels. Of the unwind
 * path only crypto_drop_aead(spawn) is visible. Do not rely on this copy
 * for control flow or error handling.
 */
305 struct crypto_instance
*aead_geniv_alloc(struct crypto_template
*tmpl
,
306 struct rtattr
**tb
, u32 type
,
310 struct crypto_aead_spawn
*spawn
;
311 struct crypto_attr_type
*algt
;
312 struct crypto_instance
*inst
;
313 struct crypto_alg
*alg
;
316 algt
= crypto_get_attr_type(tb
);
318 return ERR_CAST(algt
);
320 if ((algt
->type
^ (CRYPTO_ALG_TYPE_AEAD
| CRYPTO_ALG_GENIV
)) &
322 return ERR_PTR(-EINVAL
);
324 name
= crypto_attr_alg_name(tb
[1]);
326 return ERR_CAST(name
);
328 inst
= kzalloc(sizeof(*inst
) + sizeof(*spawn
), GFP_KERNEL
);
330 return ERR_PTR(-ENOMEM
);
332 spawn
= crypto_instance_ctx(inst
);
334 /* Ignore async algorithms if necessary. */
335 mask
|= crypto_requires_sync(algt
->type
, algt
->mask
);
337 crypto_set_aead_spawn(spawn
, inst
);
338 err
= crypto_grab_nivaead(spawn
, name
, type
, mask
);
342 alg
= crypto_aead_spawn_alg(spawn
);
345 if (!alg
->cra_aead
.ivsize
)
349 * This is only true if we're constructing an algorithm with its
350 * default IV generator. For the default generator we elide the
351 * template name and double-check the IV generator.
353 if (algt
->mask
& CRYPTO_ALG_GENIV
) {
354 if (strcmp(tmpl
->name
, alg
->cra_aead
.geniv
))
357 memcpy(inst
->alg
.cra_name
, alg
->cra_name
, CRYPTO_MAX_ALG_NAME
);
358 memcpy(inst
->alg
.cra_driver_name
, alg
->cra_driver_name
,
359 CRYPTO_MAX_ALG_NAME
);
362 if (snprintf(inst
->alg
.cra_name
, CRYPTO_MAX_ALG_NAME
,
363 "%s(%s)", tmpl
->name
, alg
->cra_name
) >=
366 if (snprintf(inst
->alg
.cra_driver_name
, CRYPTO_MAX_ALG_NAME
,
367 "%s(%s)", tmpl
->name
, alg
->cra_driver_name
) >=
372 inst
->alg
.cra_flags
= CRYPTO_ALG_TYPE_AEAD
| CRYPTO_ALG_GENIV
;
373 inst
->alg
.cra_flags
|= alg
->cra_flags
& CRYPTO_ALG_ASYNC
;
374 inst
->alg
.cra_priority
= alg
->cra_priority
;
375 inst
->alg
.cra_blocksize
= alg
->cra_blocksize
;
376 inst
->alg
.cra_alignmask
= alg
->cra_alignmask
;
377 inst
->alg
.cra_type
= &crypto_aead_type
;
379 inst
->alg
.cra_aead
.ivsize
= alg
->cra_aead
.ivsize
;
380 inst
->alg
.cra_aead
.maxauthsize
= alg
->cra_aead
.maxauthsize
;
381 inst
->alg
.cra_aead
.geniv
= alg
->cra_aead
.geniv
;
383 inst
->alg
.cra_aead
.setkey
= alg
->cra_aead
.setkey
;
384 inst
->alg
.cra_aead
.setauthsize
= alg
->cra_aead
.setauthsize
;
385 inst
->alg
.cra_aead
.encrypt
= alg
->cra_aead
.encrypt
;
386 inst
->alg
.cra_aead
.decrypt
= alg
->cra_aead
.decrypt
;
392 crypto_drop_aead(spawn
);
398 EXPORT_SYMBOL_GPL(aead_geniv_alloc
);
/*
 * aead_geniv_free - release an instance built by an IV-generator template.
 *
 * Visible step: the spawn stored in the instance context is dropped with
 * crypto_drop_aead().
 *
 * NOTE(review): embedded line 403 is missing from this listing, so
 * whatever follows the drop (for example releasing @inst itself) is not
 * shown.
 */
400 void aead_geniv_free(struct crypto_instance
*inst
)
402 crypto_drop_aead(crypto_instance_ctx(inst
));
405 EXPORT_SYMBOL_GPL(aead_geniv_free
);
/*
 * aead_geniv_init - per-transform setup for an IV-generator instance.
 *
 * Visible steps: tfm->__crt_alg is reinterpreted as the crypto_instance;
 * @tfm is cast to its AEAD view; a child transform is created from the
 * spawn in the instance context with crypto_spawn_aead(); PTR_ERR(child)
 * is returned on some path; aead->reqsize is increased by
 * crypto_aead_reqsize(child).
 *
 * NOTE(review): embedded lines 416, 418-419 and 421-423 are missing from
 * this listing - including the check that guards the PTR_ERR() return,
 * the place where child is stored, and the success return.
 */
407 int aead_geniv_init(struct crypto_tfm
*tfm
)
409 struct crypto_instance
*inst
= (void *)tfm
->__crt_alg
;
410 struct crypto_aead
*child
;
411 struct crypto_aead
*aead
;
413 aead
= __crypto_aead_cast(tfm
);
415 child
= crypto_spawn_aead(crypto_instance_ctx(inst
));
417 return PTR_ERR(child
);
420 aead
->reqsize
+= crypto_aead_reqsize(child
);
424 EXPORT_SYMBOL_GPL(aead_geniv_init
);
/*
 * Per-transform teardown for an IV-generator instance: frees the child
 * transform recorded on @tfm's AEAD view.
 */
void aead_geniv_exit(struct crypto_tfm *tfm)
{
	struct crypto_aead *geniv = __crypto_aead_cast(tfm);

	crypto_free_aead(geniv->child);
}
EXPORT_SYMBOL_GPL(aead_geniv_exit);
/*
 * crypto_nivaead_default - instantiate the default IV generator for @alg.
 *
 * Visible steps: a larval is looked up under alg->cra_driver_name with
 * CRYPTO_ALG_TYPE_AEAD | CRYPTO_ALG_GENIV; two rtattr payloads are filled
 * in - ptype (CRYPTOA_TYPE, with CRYPTO_ALG_GENIV or-ed into both type and
 * mask) and palg (CRYPTOA_ALG, carrying CRYPTO_MAX_ALG_NAME bytes of the
 * driver name); the template named by alg->cra_aead.geniv is looked up;
 * tmpl->alloc(tb) creates the instance and crypto_register_instance()
 * registers it; the template reference is put, the larval is killed and
 * its reference is put.
 *
 * NOTE(review): most of the control flow is missing from this listing -
 * the declarations of ptype, palg, geniv and err, the wiring of tb[], all
 * error checks and goto labels, and the return statement. The order of the
 * three cleanup calls is visible, which paths reach them is not.
 */
432 static int crypto_nivaead_default(struct crypto_alg
*alg
, u32 type
, u32 mask
)
434 struct rtattr
*tb
[3];
437 struct crypto_attr_type data
;
441 struct crypto_attr_alg data
;
443 struct crypto_template
*tmpl
;
444 struct crypto_instance
*inst
;
445 struct crypto_alg
*larval
;
449 larval
= crypto_larval_lookup(alg
->cra_driver_name
,
450 CRYPTO_ALG_TYPE_AEAD
| CRYPTO_ALG_GENIV
,
451 CRYPTO_ALG_TYPE_MASK
| CRYPTO_ALG_GENIV
);
452 err
= PTR_ERR(larval
);
457 if (!crypto_is_larval(larval
))
460 ptype
.attr
.rta_len
= sizeof(ptype
);
461 ptype
.attr
.rta_type
= CRYPTOA_TYPE
;
462 ptype
.data
.type
= type
| CRYPTO_ALG_GENIV
;
463 /* GENIV tells the template that we're making a default geniv. */
464 ptype
.data
.mask
= mask
| CRYPTO_ALG_GENIV
;
467 palg
.attr
.rta_len
= sizeof(palg
);
468 palg
.attr
.rta_type
= CRYPTOA_ALG
;
469 /* Must use the exact name to locate ourselves. */
470 memcpy(palg
.data
.name
, alg
->cra_driver_name
, CRYPTO_MAX_ALG_NAME
);
475 geniv
= alg
->cra_aead
.geniv
;
477 tmpl
= crypto_lookup_template(geniv
);
482 inst
= tmpl
->alloc(tb
);
487 err
= crypto_register_instance(tmpl
, inst
);
493 /* Redo the lookup to use the instance we just registered. */
497 crypto_tmpl_put(tmpl
);
499 crypto_larval_kill(larval
);
501 crypto_mod_put(larval
);
/*
 * crypto_lookup_aead - the .lookup hook of crypto_aead_type.
 *
 * Visible steps: a first crypto_alg_mod_lookup() with the caller's
 * type/mask; tests on whether the result already has crypto_aead_type as
 * its cra_type and whether its ivsize is zero; a second lookup with
 * CRYPTO_ALG_TESTED or-ed into type and cleared from mask; a check on a
 * crypto_aead_type result that replaces it with ERR_PTR(-ENOENT) when
 * "~alg->cra_flags & (type ^ ~mask) & CRYPTO_ALG_TESTED" is non-zero; and
 * finally crypto_nivaead_default(), whose return code is wrapped with
 * ERR_PTR().
 *
 * NOTE(review): BUG_ON(!alg->cra_aead.ivsize) halts the kernel if an
 * algorithm reaching that point reports a zero IV size. An earlier ivsize
 * test is visible, but its body is among the dropped lines, so whether it
 * already excludes that case cannot be confirmed from this listing.
 *
 * NOTE(review): the bodies of most conditionals, the IS_ERR()-style
 * checks after each lookup and the reference drops are missing here.
 */
507 struct crypto_alg
*crypto_lookup_aead(const char *name
, u32 type
, u32 mask
)
509 struct crypto_alg
*alg
;
511 alg
= crypto_alg_mod_lookup(name
, type
, mask
);
515 if (alg
->cra_type
== &crypto_aead_type
)
518 if (!alg
->cra_aead
.ivsize
)
522 alg
= crypto_alg_mod_lookup(name
, type
| CRYPTO_ALG_TESTED
,
523 mask
& ~CRYPTO_ALG_TESTED
);
527 if (alg
->cra_type
== &crypto_aead_type
) {
528 if (~alg
->cra_flags
& (type
^ ~mask
) & CRYPTO_ALG_TESTED
) {
530 alg
= ERR_PTR(-ENOENT
);
535 BUG_ON(!alg
->cra_aead
.ivsize
);
537 return ERR_PTR(crypto_nivaead_default(alg
, type
, mask
));
539 EXPORT_SYMBOL_GPL(crypto_lookup_aead
);
/*
 * crypto_grab_aead - bind @spawn to the AEAD algorithm called @name.
 *
 * Visible steps: the spawn's frontend is set to crypto_aead_type and the
 * lookup is delegated to crypto_grab_spawn(), whose result is returned.
 *
 * NOTE(review): embedded line 542 - the rest of the parameter list, which
 * must declare the type and mask used below - is missing from this
 * listing.
 */
541 int crypto_grab_aead(struct crypto_aead_spawn
*spawn
, const char *name
,
544 spawn
->base
.frontend
= &crypto_aead_type
;
545 return crypto_grab_spawn(&spawn
->base
, name
, type
, mask
);
547 EXPORT_SYMBOL_GPL(crypto_grab_aead
);
/*
 * Allocate an AEAD transform for @alg_name through crypto_alloc_tfm(),
 * with crypto_aead_type as the frontend. @type and @mask are passed
 * through unchanged and the result of crypto_alloc_tfm() is returned.
 */
struct crypto_aead *crypto_alloc_aead(const char *alg_name, u32 type, u32 mask)
{
	const struct crypto_type *frontend = &crypto_aead_type;

	return crypto_alloc_tfm(alg_name, frontend, type, mask);
}
EXPORT_SYMBOL_GPL(crypto_alloc_aead);
/* Module metadata. */
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Authenticated Encryption with Associated Data (AEAD)");