/*
 * AEAD: Authenticated Encryption with Associated Data
 *
 * This file provides API support for AEAD algorithms.
 *
 * Copyright (c) 2007 Herbert Xu <herbert@gondor.apana.org.au>
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the Free
 * Software Foundation; either version 2 of the License, or (at your option)
 * any later version.
 */
15 #include <crypto/internal/aead.h>
16 #include <crypto/scatterwalk.h>
17 #include <linux/err.h>
18 #include <linux/init.h>
19 #include <linux/kernel.h>
20 #include <linux/module.h>
21 #include <linux/rtnetlink.h>
22 #include <linux/sched.h>
23 #include <linux/slab.h>
24 #include <linux/seq_file.h>
25 #include <linux/cryptouser.h>
26 #include <net/netlink.h>
/*
 * Forward declarations: crypto_old_aead_init_tfm() installs these two
 * handlers before their definitions appear further down in this file.
 */
static int aead_null_givencrypt(struct aead_givcrypt_request *req);
static int aead_null_givdecrypt(struct aead_givcrypt_request *req);
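/*
 * Set the key through a temporary, suitably aligned bounce buffer.
 *
 * Called by crypto_aead_setkey() when the caller's key pointer does not
 * satisfy the transform's alignment mask.  The key is copied to the first
 * aligned address inside a kmalloc()ed buffer, handed to tfm->setkey(),
 * and the buffer is wiped before it goes back to the allocator.
 *
 * Returns the result of tfm->setkey(), or -ENOMEM if the bounce buffer
 * cannot be allocated.
 */
static int setkey_unaligned(struct crypto_aead *tfm, const u8 *key,
			    unsigned int keylen)
{
	unsigned long alignmask = crypto_aead_alignmask(tfm);
	int ret;
	u8 *buffer, *alignbuffer;
	unsigned long absize;

	/* Up to alignmask bytes may be skipped to reach an aligned address. */
	absize = keylen + alignmask;
	buffer = kmalloc(absize, GFP_ATOMIC);
	if (!buffer)
		return -ENOMEM;

	alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1);
	memcpy(alignbuffer, key, keylen);
	ret = tfm->setkey(tfm, alignbuffer, keylen);

	/*
	 * The buffer held raw key material.  kzfree() clears the whole
	 * allocation and frees it in one step, so the wipe cannot drift
	 * apart from the free or be discarded as a dead store.
	 */
	kzfree(buffer);
	return ret;
}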
/*
 * Install @key (of @keylen bytes) on the AEAD transform.
 *
 * The alignment mask is taken from the outer transform; the key itself is
 * set on tfm->child.  A key pointer that violates the mask is routed
 * through setkey_unaligned(), otherwise the child's setkey hook is called
 * directly on the caller's buffer.
 *
 * Returns whatever the selected path returns.
 */
int crypto_aead_setkey(struct crypto_aead *tfm,
		       const u8 *key, unsigned int keylen)
{
	unsigned long mask = crypto_aead_alignmask(tfm);
	struct crypto_aead *child = tfm->child;
	bool misaligned = (unsigned long)key & mask;

	return misaligned ? setkey_unaligned(child, key, keylen)
			  : child->setkey(child, key, keylen);
}
EXPORT_SYMBOL_GPL(crypto_aead_setkey);
/*
 * Select the authentication tag length for the transform.
 *
 * @authsize is rejected with -EINVAL when it exceeds
 * crypto_aead_maxauthsize(tfm).  No lower bound is enforced here; any
 * further restriction is left to the optional setauthsize hook, which is
 * invoked on tfm->child.  Only after the hook accepts the value is it
 * recorded on both the child and the outer transform.
 *
 * Returns 0 on success, -EINVAL for an oversized tag, or the hook's error.
 */
int crypto_aead_setauthsize(struct crypto_aead *tfm, unsigned int authsize)
{
	if (authsize > crypto_aead_maxauthsize(tfm))
		return -EINVAL;

	if (tfm->setauthsize) {
		int rc = tfm->setauthsize(tfm->child, authsize);

		if (rc)
			return rc;
	}

	tfm->child->authsize = authsize;
	tfm->authsize = authsize;
	return 0;
}
EXPORT_SYMBOL_GPL(crypto_aead_setauthsize);
/*
 * Scratch state old_crypt() keeps in the request context: two short
 * scatterlists that scatterwalk_ffwd() fills in when skipping the
 * associated data, and the sub-request handed to the old-style handler.
 * crypto_aead_reqsize() adds sizeof() this structure to every request.
 */
struct aead_old_request {
	struct scatterlist srcbuf[2];
	struct scatterlist dstbuf[2];
	struct aead_request subreq;
};
/*
 * Request context size for @tfm: the transform's own reqsize plus room
 * for the struct aead_old_request that old_crypt() places there.
 */
unsigned int crypto_aead_reqsize(struct crypto_aead *tfm)
{
	const size_t compat = sizeof(struct aead_old_request);

	return tfm->reqsize + compat;
}
EXPORT_SYMBOL_GPL(crypto_aead_reqsize);
/*
 * Run an old-style AEAD handler on a request.
 *
 * Requests already marked req->old are passed to @crypt untouched.
 * Otherwise a sub-request is built in the request context: the source
 * (and, if distinct, destination) scatterlist is advanced past
 * req->assoclen bytes, and the associated data is attached separately
 * from the start of req->src.  Flags, completion callback and callback
 * data are copied from the original request.
 *
 * Returns the result of @crypt.
 */
static int old_crypt(struct aead_request *req,
		     int (*crypt)(struct aead_request *req))
{
	struct aead_old_request *nreq = aead_request_ctx(req);
	struct crypto_aead *aead = crypto_aead_reqtfm(req);
	struct aead_request *sub = &nreq->subreq;
	struct scatterlist *src, *dst;

	if (req->old)
		return crypt(req);

	src = scatterwalk_ffwd(nreq->srcbuf, req->src, req->assoclen);

	/* In-place operation shares the already fast-forwarded source. */
	if (req->src == req->dst)
		dst = src;
	else
		dst = scatterwalk_ffwd(nreq->dstbuf, req->dst, req->assoclen);

	aead_request_set_tfm(sub, aead);
	aead_request_set_callback(sub, aead_request_flags(req),
				  req->base.complete, req->base.data);
	aead_request_set_crypt(sub, src, dst, req->cryptlen,
			       req->iv);
	aead_request_set_assoc(sub, req->src, req->assoclen);

	return crypt(sub);
}
/* Encrypt entry point for old-style algorithms: wraps alg->encrypt. */
static int old_encrypt(struct aead_request *req)
{
	struct old_aead_alg *old = crypto_old_aead_alg(crypto_aead_reqtfm(req));

	return old_crypt(req, old->encrypt);
}
/* Decrypt entry point for old-style algorithms: wraps alg->decrypt. */
static int old_decrypt(struct aead_request *req)
{
	struct old_aead_alg *old = crypto_old_aead_alg(crypto_aead_reqtfm(req));

	return old_crypt(req, old->decrypt);
}
/*
 * Fallback givencrypt/givdecrypt handler: crypto_old_aead_init_tfm()
 * installs it when an algorithm with a non-zero ivsize supplies no hook
 * of its own.  Always fails with -ENOSYS.
 */
static int no_givcrypt(struct aead_givcrypt_request *req)
{
	return -ENOSYS;
}
/*
 * Initialise a transform backed by an old-style AEAD algorithm.
 *
 * Algorithms whose maxauthsize or ivsize exceeds PAGE_SIZE / 8 are
 * refused with -EINVAL.  encrypt/decrypt are routed through the
 * old_encrypt()/old_decrypt() wrappers; the IV-generating hooks come from
 * the algorithm when it has an IV (falling back to no_givcrypt), and
 * from the aead_null_* helpers when ivsize is zero.  The transform is its
 * own child and starts with the maximum tag length.
 *
 * Returns 0 on success.
 */
static int crypto_old_aead_init_tfm(struct crypto_tfm *tfm)
{
	struct old_aead_alg *alg = &tfm->__crt_alg->cra_aead;
	struct crypto_aead *crt = __crypto_aead_cast(tfm);

	if (max(alg->maxauthsize, alg->ivsize) > PAGE_SIZE / 8)
		return -EINVAL;

	crt->setkey = alg->setkey;
	crt->setauthsize = alg->setauthsize;
	crt->encrypt = old_encrypt;
	crt->decrypt = old_decrypt;

	if (!alg->ivsize) {
		crt->givencrypt = aead_null_givencrypt;
		crt->givdecrypt = aead_null_givdecrypt;
	} else {
		crt->givencrypt = alg->givencrypt ? alg->givencrypt
						  : no_givcrypt;
		crt->givdecrypt = alg->givdecrypt ? alg->givdecrypt
						  : no_givcrypt;
	}

	crt->child = __crypto_aead_cast(tfm);
	crt->authsize = alg->maxauthsize;

	return 0;
}
/*
 * init_tfm hook shared by the AEAD crypto_type tables in this file.
 *
 * An algorithm whose old-style view has an encrypt handler is treated as
 * old-style and delegated to crypto_old_aead_init_tfm().  Otherwise the
 * new-style hooks are copied straight from the algorithm, the transform
 * becomes its own child, and the tag length defaults to maxauthsize.
 *
 * Returns 0, or the old-style initialiser's result.
 */
static int crypto_aead_init_tfm(struct crypto_tfm *tfm)
{
	struct crypto_aead *aead = __crypto_aead_cast(tfm);
	struct aead_alg *alg = crypto_aead_alg(aead);
	bool is_old = crypto_old_aead_alg(aead)->encrypt;

	if (is_old)
		return crypto_old_aead_init_tfm(tfm);

	aead->child = __crypto_aead_cast(tfm);
	aead->authsize = alg->maxauthsize;
	aead->setkey = alg->setkey;
	aead->setauthsize = alg->setauthsize;
	aead->encrypt = alg->encrypt;
	aead->decrypt = alg->decrypt;

	return 0;
}
#ifdef CONFIG_NET
/*
 * Emit a CRYPTOCFGA_REPORT_AEAD netlink attribute describing an
 * old-style AEAD algorithm.
 *
 * strncpy() fills the unused tail of each fixed-size string field with
 * NUL bytes, so those fields carry no stale stack contents; it does not
 * terminate the string if the source fills the whole field.
 * NOTE(review): raead is not cleared first, so this relies on every
 * member being assigned and on the structure having no padding - confirm
 * against the definition of struct crypto_report_aead.
 *
 * Returns 0, or -EMSGSIZE if the attribute does not fit in @skb.
 */
static int crypto_old_aead_report(struct sk_buff *skb, struct crypto_alg *alg)
{
	struct crypto_report_aead raead;
	struct old_aead_alg *aead = &alg->cra_aead;
	const char *geniv = aead->geniv ? aead->geniv : "<built-in>";

	strncpy(raead.type, "aead", sizeof(raead.type));
	strncpy(raead.geniv, geniv, sizeof(raead.geniv));

	raead.blocksize = alg->cra_blocksize;
	raead.maxauthsize = aead->maxauthsize;
	raead.ivsize = aead->ivsize;

	if (nla_put(skb, CRYPTOCFGA_REPORT_AEAD,
		    sizeof(struct crypto_report_aead), &raead))
		return -EMSGSIZE;

	return 0;
}
#else
/* Without CONFIG_NET there is no netlink reporting: always -ENOSYS. */
static int crypto_old_aead_report(struct sk_buff *skb, struct crypto_alg *alg)
{
	return -ENOSYS;
}
#endif
/*
 * Print the properties of an old-style AEAD algorithm to a seq_file.
 * Marked unused because crypto_aead_type only references it under
 * CONFIG_PROC_FS.
 * NOTE(review): the spacing inside these format strings is kept exactly
 * as this listing shows it; any column padding may have been collapsed -
 * confirm against the tree.
 */
static void crypto_old_aead_show(struct seq_file *m, struct crypto_alg *alg)
	__attribute__ ((unused));
static void crypto_old_aead_show(struct seq_file *m, struct crypto_alg *alg)
{
	struct old_aead_alg *aead = &alg->cra_aead;
	const char *async = alg->cra_flags & CRYPTO_ALG_ASYNC ? "yes" : "no";
	const char *geniv = aead->geniv ? aead->geniv : "<built-in>";

	seq_printf(m, "type : aead\n");
	seq_printf(m, "async : %s\n", async);
	seq_printf(m, "blocksize : %u\n", alg->cra_blocksize);
	seq_printf(m, "ivsize : %u\n", aead->ivsize);
	seq_printf(m, "maxauthsize : %u\n", aead->maxauthsize);
	seq_printf(m, "geniv : %s\n", geniv);
}
/*
 * Frontend type used by crypto_alloc_aead() and crypto_grab_aead().
 * It is the only table in this file with a .lookup hook
 * (crypto_lookup_aead); show/report use the old-style helpers, and
 * CRYPTO_ALG_GENIV is cleared from the lookup mask via .maskclear.
 */
const struct crypto_type crypto_aead_type = {
	.extsize	= crypto_alg_extsize,
	.init_tfm	= crypto_aead_init_tfm,
#ifdef CONFIG_PROC_FS
	.show		= crypto_old_aead_show,
#endif
	.report		= crypto_old_aead_report,
	.lookup		= crypto_lookup_aead,
	.maskclear	= ~(CRYPTO_ALG_TYPE_MASK | CRYPTO_ALG_GENIV),
	.maskset	= CRYPTO_ALG_TYPE_MASK,
	.type		= CRYPTO_ALG_TYPE_AEAD,
	.tfmsize	= offsetof(struct crypto_aead, base),
};
EXPORT_SYMBOL_GPL(crypto_aead_type);
#ifdef CONFIG_NET
/*
 * Emit a CRYPTOCFGA_REPORT_AEAD netlink attribute describing a new-style
 * AEAD algorithm; the geniv field is always reported as "<none>".
 *
 * strncpy() fills the unused tail of each fixed-size string field with
 * NUL bytes, so those fields carry no stale stack contents.
 * NOTE(review): raead is not cleared first, so this relies on every
 * member being assigned and on the structure having no padding - confirm
 * against the definition of struct crypto_report_aead.
 *
 * Returns 0, or -EMSGSIZE if the attribute does not fit in @skb.
 */
static int crypto_aead_report(struct sk_buff *skb, struct crypto_alg *alg)
{
	struct crypto_report_aead raead;
	struct aead_alg *aead = container_of(alg, struct aead_alg, base);

	strncpy(raead.type, "aead", sizeof(raead.type));
	strncpy(raead.geniv, "<none>", sizeof(raead.geniv));

	raead.blocksize = alg->cra_blocksize;
	raead.maxauthsize = aead->maxauthsize;
	raead.ivsize = aead->ivsize;

	if (nla_put(skb, CRYPTOCFGA_REPORT_AEAD,
		    sizeof(struct crypto_report_aead), &raead))
		return -EMSGSIZE;

	return 0;
}
#else
/* Without CONFIG_NET there is no netlink reporting: always -ENOSYS. */
static int crypto_aead_report(struct sk_buff *skb, struct crypto_alg *alg)
{
	return -ENOSYS;
}
#endif
/*
 * Print the properties of a new-style AEAD algorithm to a seq_file.
 * Marked unused because crypto_new_aead_type only references it under
 * CONFIG_PROC_FS.
 * NOTE(review): the spacing inside these format strings is kept exactly
 * as this listing shows it; any column padding may have been collapsed -
 * confirm against the tree.
 */
static void crypto_aead_show(struct seq_file *m, struct crypto_alg *alg)
	__attribute__ ((unused));
static void crypto_aead_show(struct seq_file *m, struct crypto_alg *alg)
{
	struct aead_alg *aead = container_of(alg, struct aead_alg, base);
	const char *async = alg->cra_flags & CRYPTO_ALG_ASYNC ? "yes" : "no";

	seq_printf(m, "type : aead\n");
	seq_printf(m, "async : %s\n", async);
	seq_printf(m, "blocksize : %u\n", alg->cra_blocksize);
	seq_printf(m, "ivsize : %u\n", aead->ivsize);
	seq_printf(m, "maxauthsize : %u\n", aead->maxauthsize);
	seq_printf(m, "geniv : <none>\n");
}
/*
 * Type table that aead_prepare_alg() attaches to new-style algorithms at
 * registration.  Unlike crypto_aead_type it has no .lookup hook and its
 * .maskclear leaves CRYPTO_ALG_GENIV alone.
 */
static const struct crypto_type crypto_new_aead_type = {
	.extsize	= crypto_alg_extsize,
	.init_tfm	= crypto_aead_init_tfm,
#ifdef CONFIG_PROC_FS
	.show		= crypto_aead_show,
#endif
	.report		= crypto_aead_report,
	.maskclear	= ~CRYPTO_ALG_TYPE_MASK,
	.maskset	= CRYPTO_ALG_TYPE_MASK,
	.type		= CRYPTO_ALG_TYPE_AEAD,
	.tfmsize	= offsetof(struct crypto_aead, base),
};
/*
 * givencrypt handler installed for old-style algorithms with ivsize == 0:
 * it simply encrypts the embedded plain request.
 */
static int aead_null_givencrypt(struct aead_givcrypt_request *req)
{
	struct aead_request *plain = &req->areq;

	return crypto_aead_encrypt(plain);
}
/*
 * givdecrypt handler installed for old-style algorithms with ivsize == 0:
 * it simply decrypts the embedded plain request.
 */
static int aead_null_givdecrypt(struct aead_givcrypt_request *req)
{
	struct aead_request *plain = &req->areq;

	return crypto_aead_decrypt(plain);
}
#ifdef CONFIG_NET
/*
 * Emit a CRYPTOCFGA_REPORT_AEAD netlink attribute for a "nivaead"
 * algorithm (type string "nivaead", geniv taken from the algorithm).
 *
 * strncpy() fills the unused tail of each fixed-size string field with
 * NUL bytes, so those fields carry no stale stack contents; it does not
 * terminate the string if the source fills the whole field.
 * NOTE(review): aead->geniv is passed to strncpy() without a NULL
 * fallback, unlike crypto_old_aead_report() - presumably every nivaead
 * algorithm names a generator; confirm.  raead is also not cleared
 * first, which relies on the structure having no padding.
 *
 * Returns 0, or -EMSGSIZE if the attribute does not fit in @skb.
 */
static int crypto_nivaead_report(struct sk_buff *skb, struct crypto_alg *alg)
{
	struct crypto_report_aead raead;
	struct old_aead_alg *aead = &alg->cra_aead;

	strncpy(raead.type, "nivaead", sizeof(raead.type));
	strncpy(raead.geniv, aead->geniv, sizeof(raead.geniv));

	raead.blocksize = alg->cra_blocksize;
	raead.maxauthsize = aead->maxauthsize;
	raead.ivsize = aead->ivsize;

	if (nla_put(skb, CRYPTOCFGA_REPORT_AEAD,
		    sizeof(struct crypto_report_aead), &raead))
		return -EMSGSIZE;

	return 0;
}
#else
/* Without CONFIG_NET there is no netlink reporting: always -ENOSYS. */
static int crypto_nivaead_report(struct sk_buff *skb, struct crypto_alg *alg)
{
	return -ENOSYS;
}
#endif
/*
 * Print the properties of a "nivaead" algorithm to a seq_file.
 * Marked unused because crypto_nivaead_type only references it under
 * CONFIG_PROC_FS.
 * NOTE(review): the spacing inside these format strings is kept exactly
 * as this listing shows it; any column padding may have been collapsed -
 * confirm against the tree.
 */
static void crypto_nivaead_show(struct seq_file *m, struct crypto_alg *alg)
	__attribute__ ((unused));
static void crypto_nivaead_show(struct seq_file *m, struct crypto_alg *alg)
{
	struct old_aead_alg *aead = &alg->cra_aead;
	const char *async = alg->cra_flags & CRYPTO_ALG_ASYNC ? "yes" : "no";

	seq_printf(m, "type : nivaead\n");
	seq_printf(m, "async : %s\n", async);
	seq_printf(m, "blocksize : %u\n", alg->cra_blocksize);
	seq_printf(m, "ivsize : %u\n", aead->ivsize);
	seq_printf(m, "maxauthsize : %u\n", aead->maxauthsize);
	seq_printf(m, "geniv : %s\n", aead->geniv);
}
/*
 * Frontend type selected by crypto_grab_nivaead().  In contrast to
 * crypto_aead_type, .maskset includes CRYPTO_ALG_GENIV and there is no
 * .lookup hook.
 */
const struct crypto_type crypto_nivaead_type = {
	.extsize	= crypto_alg_extsize,
	.init_tfm	= crypto_aead_init_tfm,
#ifdef CONFIG_PROC_FS
	.show		= crypto_nivaead_show,
#endif
	.report		= crypto_nivaead_report,
	.maskclear	= ~(CRYPTO_ALG_TYPE_MASK | CRYPTO_ALG_GENIV),
	.maskset	= CRYPTO_ALG_TYPE_MASK | CRYPTO_ALG_GENIV,
	.type		= CRYPTO_ALG_TYPE_AEAD,
	.tfmsize	= offsetof(struct crypto_aead, base),
};
EXPORT_SYMBOL_GPL(crypto_nivaead_type);
/*
 * Bind @spawn to the algorithm called @name, resolved through the
 * crypto_nivaead_type frontend.  Returns crypto_grab_spawn()'s result.
 */
static int crypto_grab_nivaead(struct crypto_aead_spawn *spawn,
			       const char *name, u32 type, u32 mask)
{
	struct crypto_spawn *base = &spawn->base;

	base->frontend = &crypto_nivaead_type;
	return crypto_grab_spawn(base, name, type, mask);
}
/*
 * Allocate and pre-fill an AEAD instance for an IV generator template.
 *
 * @tb carries the type attribute and, in tb[1], the name of the
 * underlying algorithm.  The request must be for an AEAD with
 * CRYPTO_ALG_GENIV set (as far as algt->mask cares), and the underlying
 * algorithm must have a non-zero IV size.
 *
 * When algt->mask contains CRYPTO_ALG_GENIV the instance is the
 * algorithm's default generator: it must be an old-style algorithm whose
 * geniv name equals tmpl->name, and it inherits the algorithm's names and
 * old-style hooks unchanged.  Otherwise the instance is named
 * "tmpl(alg)"; names that do not fit CRYPTO_MAX_ALG_NAME fail with
 * -ENAMETOOLONG instead of being truncated.
 *
 * Returns the instance, or an ERR_PTR().  On failure the spawn is dropped
 * (if it was grabbed) and the instance memory is freed.
 */
struct aead_instance *aead_geniv_alloc(struct crypto_template *tmpl,
				       struct rtattr **tb, u32 type, u32 mask)
{
	struct crypto_attr_type *algt;
	struct crypto_aead_spawn *spawn;
	struct aead_instance *inst;
	struct crypto_alg *ibase;
	struct crypto_alg *base;
	struct aead_alg *alg;
	const char *name;
	unsigned int ivsize;
	unsigned int maxauthsize;
	int err;

	algt = crypto_get_attr_type(tb);
	if (IS_ERR(algt))
		return ERR_CAST(algt);

	if ((algt->type ^ (CRYPTO_ALG_TYPE_AEAD | CRYPTO_ALG_GENIV)) &
	    algt->mask)
		return ERR_PTR(-EINVAL);

	name = crypto_attr_alg_name(tb[1]);
	if (IS_ERR(name))
		return ERR_CAST(name);

	/* The spawn lives directly behind the instance in one allocation. */
	inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
	if (!inst)
		return ERR_PTR(-ENOMEM);

	spawn = aead_instance_ctx(inst);
	ibase = &inst->alg.base;

	/* Ignore async algorithms if necessary. */
	mask |= crypto_requires_sync(algt->type, algt->mask);

	crypto_set_aead_spawn(spawn, aead_crypto_instance(inst));
	err = crypto_grab_nivaead(spawn, name, type, mask);
	if (err)
		goto err_free_inst;

	alg = crypto_spawn_aead_alg(spawn);
	base = &alg->base;

	ivsize = crypto_aead_alg_ivsize(alg);
	maxauthsize = crypto_aead_alg_maxauthsize(alg);

	err = -EINVAL;
	if (!ivsize)
		goto err_drop_alg;

	/*
	 * This is only true if we're constructing an algorithm with its
	 * default IV generator.  For the default generator we elide the
	 * template name and double-check the IV generator.
	 */
	if (algt->mask & CRYPTO_ALG_GENIV) {
		struct old_aead_alg *from = &base->cra_aead;
		struct old_aead_alg *to = &ibase->cra_aead;

		if (!from->encrypt)
			goto err_drop_alg;
		if (strcmp(tmpl->name, from->geniv))
			goto err_drop_alg;

		memcpy(ibase->cra_name, base->cra_name,
		       CRYPTO_MAX_ALG_NAME);
		memcpy(ibase->cra_driver_name,
		       base->cra_driver_name, CRYPTO_MAX_ALG_NAME);

		ibase->cra_flags = CRYPTO_ALG_TYPE_AEAD | CRYPTO_ALG_GENIV |
				   (base->cra_flags & CRYPTO_ALG_ASYNC);
		ibase->cra_priority = base->cra_priority;
		ibase->cra_blocksize = base->cra_blocksize;
		ibase->cra_alignmask = base->cra_alignmask;
		ibase->cra_type = &crypto_aead_type;

		to->ivsize = ivsize;
		to->maxauthsize = maxauthsize;

		to->setkey = from->setkey;
		to->setauthsize = from->setauthsize;
		to->encrypt = from->encrypt;
		to->decrypt = from->decrypt;

		return inst;
	}

	/* snprintf() returns the untruncated length: >= size means overflow. */
	err = -ENAMETOOLONG;
	if (snprintf(ibase->cra_name, CRYPTO_MAX_ALG_NAME,
		     "%s(%s)", tmpl->name, base->cra_name) >=
	    CRYPTO_MAX_ALG_NAME)
		goto err_drop_alg;
	if (snprintf(ibase->cra_driver_name, CRYPTO_MAX_ALG_NAME,
		     "%s(%s)", tmpl->name, base->cra_driver_name) >=
	    CRYPTO_MAX_ALG_NAME)
		goto err_drop_alg;

	ibase->cra_flags = base->cra_flags & CRYPTO_ALG_ASYNC;
	ibase->cra_priority = base->cra_priority;
	ibase->cra_blocksize = base->cra_blocksize;
	ibase->cra_alignmask = base->cra_alignmask;

	inst->alg.ivsize = ivsize;
	inst->alg.maxauthsize = maxauthsize;

	return inst;

err_drop_alg:
	crypto_drop_aead(spawn);
err_free_inst:
	kfree(inst);
	return ERR_PTR(err);
}
EXPORT_SYMBOL_GPL(aead_geniv_alloc);
/*
 * Release an instance built by aead_geniv_alloc(): drop the spawn stored
 * in the instance context, then free the instance memory.
 */
void aead_geniv_free(struct aead_instance *inst)
{
	struct crypto_aead_spawn *spawn = aead_instance_ctx(inst);

	crypto_drop_aead(spawn);
	kfree(inst);
}
EXPORT_SYMBOL_GPL(aead_geniv_free);
/*
 * Transform init for IV generator instances: instantiate the underlying
 * AEAD from the instance's spawn, remember it as the child, and grow the
 * request size by what the child needs.
 *
 * Returns 0, or the error encoded in the failed child allocation.
 */
int aead_geniv_init(struct crypto_tfm *tfm)
{
	struct crypto_instance *inst = (void *)tfm->__crt_alg;
	struct crypto_aead *aead = __crypto_aead_cast(tfm);
	struct crypto_aead *child;

	child = crypto_spawn_aead(crypto_instance_ctx(inst));
	if (IS_ERR(child))
		return PTR_ERR(child);

	aead->child = child;
	aead->reqsize += crypto_aead_reqsize(child);

	return 0;
}
EXPORT_SYMBOL_GPL(aead_geniv_init);
/* Transform exit for IV generator instances: free the child AEAD. */
void aead_geniv_exit(struct crypto_tfm *tfm)
{
	struct crypto_aead *aead = __crypto_aead_cast(tfm);

	crypto_free_aead(aead->child);
}
EXPORT_SYMBOL_GPL(aead_geniv_exit);
/*
 * Construct and register the default IV generator instance for @alg.
 *
 * A larval for the driver name is looked up first; if the lookup yields
 * something that is not a larval the function backs off with -EAGAIN.
 * Otherwise a synthetic attribute table (type, exact driver name, NULL
 * terminator) is passed to the template named by alg->cra_aead.geniv,
 * using its create hook when present and alloc + register otherwise.
 *
 * Success is also reported as -EAGAIN so the caller repeats its lookup
 * and picks up the freshly registered instance.  Every path ends by
 * dropping a reference on @alg with crypto_mod_put().
 *
 * Returns a negative errno (never 0).
 */
static int crypto_nivaead_default(struct crypto_alg *alg, u32 type, u32 mask)
{
	struct rtattr *tb[3];
	struct {
		struct rtattr attr;
		struct crypto_attr_type data;
	} ptype;
	struct {
		struct rtattr attr;
		struct crypto_attr_alg data;
	} palg;
	struct crypto_template *tmpl;
	struct crypto_instance *inst;
	struct crypto_alg *larval;
	const char *geniv;
	int err;

	larval = crypto_larval_lookup(alg->cra_driver_name,
				      CRYPTO_ALG_TYPE_AEAD | CRYPTO_ALG_GENIV,
				      CRYPTO_ALG_TYPE_MASK | CRYPTO_ALG_GENIV);
	if (IS_ERR(larval)) {
		err = PTR_ERR(larval);
		goto out;
	}

	err = -EAGAIN;
	if (!crypto_is_larval(larval))
		goto drop_larval;

	/* GENIV tells the template that we're making a default geniv. */
	ptype.attr.rta_len = sizeof(ptype);
	ptype.attr.rta_type = CRYPTOA_TYPE;
	ptype.data.type = type | CRYPTO_ALG_GENIV;
	ptype.data.mask = mask | CRYPTO_ALG_GENIV;

	/* Must use the exact name to locate ourselves. */
	palg.attr.rta_len = sizeof(palg);
	palg.attr.rta_type = CRYPTOA_ALG;
	memcpy(palg.data.name, alg->cra_driver_name, CRYPTO_MAX_ALG_NAME);

	tb[0] = &ptype.attr;
	tb[1] = &palg.attr;
	tb[2] = NULL;

	geniv = alg->cra_aead.geniv;

	tmpl = crypto_lookup_template(geniv);
	err = -ENOENT;
	if (!tmpl)
		goto kill_larval;

	if (tmpl->create) {
		err = tmpl->create(tmpl, tb);
		if (err)
			goto put_tmpl;
		goto ok;
	}

	inst = tmpl->alloc(tb);
	if (IS_ERR(inst)) {
		err = PTR_ERR(inst);
		goto put_tmpl;
	}

	err = crypto_register_instance(tmpl, inst);
	if (err) {
		/* Registration failed: the instance is still ours to free. */
		tmpl->free(inst);
		goto put_tmpl;
	}

ok:
	/* Redo the lookup to use the instance we just registered. */
	err = -EAGAIN;

put_tmpl:
	crypto_tmpl_put(tmpl);
kill_larval:
	crypto_larval_kill(larval);
drop_larval:
	crypto_mod_put(larval);
out:
	crypto_mod_put(alg);
	return err;
}
/*
 * Lookup hook of crypto_aead_type.
 *
 * The first lookup result is returned as is when it is an error, when it
 * already uses crypto_aead_type, or when it has no IV.  Otherwise the
 * reference is dropped and the lookup is repeated with
 * CRYPTO_ALG_TESTED forced into @type and removed from @mask.
 *
 * If that second result uses crypto_aead_type but lacks
 * CRYPTO_ALG_TESTED while the caller's @type and @mask agree on that
 * bit, the reference is dropped and -ENOENT is returned.  Any other
 * second result must have an IV (BUG_ON otherwise) and is handed to
 * crypto_nivaead_default(), whose errno is returned as an ERR_PTR().
 */
struct crypto_alg *crypto_lookup_aead(const char *name, u32 type, u32 mask)
{
	struct crypto_alg *alg;

	alg = crypto_alg_mod_lookup(name, type, mask);
	if (IS_ERR(alg))
		return alg;

	if (alg->cra_type == &crypto_aead_type || !alg->cra_aead.ivsize)
		return alg;

	crypto_mod_put(alg);
	alg = crypto_alg_mod_lookup(name, type | CRYPTO_ALG_TESTED,
				    mask & ~CRYPTO_ALG_TESTED);
	if (IS_ERR(alg))
		return alg;

	if (alg->cra_type != &crypto_aead_type) {
		BUG_ON(!alg->cra_aead.ivsize);

		return ERR_PTR(crypto_nivaead_default(alg, type, mask));
	}

	if (~alg->cra_flags & (type ^ ~mask) & CRYPTO_ALG_TESTED) {
		crypto_mod_put(alg);
		alg = ERR_PTR(-ENOENT);
	}
	return alg;
}
EXPORT_SYMBOL_GPL(crypto_lookup_aead);
/*
 * Bind @spawn to the algorithm called @name, resolved through the
 * crypto_aead_type frontend.  Returns crypto_grab_spawn()'s result.
 */
int crypto_grab_aead(struct crypto_aead_spawn *spawn, const char *name,
		     u32 type, u32 mask)
{
	struct crypto_spawn *base = &spawn->base;

	base->frontend = &crypto_aead_type;
	return crypto_grab_spawn(base, name, type, mask);
}
EXPORT_SYMBOL_GPL(crypto_grab_aead);
/*
 * Allocate an AEAD transform for @alg_name through the crypto_aead_type
 * frontend.  The result of crypto_alloc_tfm() is returned unchanged.
 */
struct crypto_aead *crypto_alloc_aead(const char *alg_name, u32 type, u32 mask)
{
	const struct crypto_type *frontend = &crypto_aead_type;

	return crypto_alloc_tfm(alg_name, frontend, type, mask);
}
EXPORT_SYMBOL_GPL(crypto_alloc_aead);
/*
 * Common registration preparation for new-style AEAD algorithms.
 *
 * Algorithms whose maxauthsize or ivsize exceeds PAGE_SIZE / 8 are
 * refused with -EINVAL.  Otherwise the base algorithm is pointed at
 * crypto_new_aead_type and its type bits are forced to
 * CRYPTO_ALG_TYPE_AEAD, overriding whatever the caller set there.
 *
 * Returns 0 on success.
 */
static int aead_prepare_alg(struct aead_alg *alg)
{
	struct crypto_alg *base = &alg->base;
	u32 flags;

	if (max(alg->maxauthsize, alg->ivsize) > PAGE_SIZE / 8)
		return -EINVAL;

	flags = base->cra_flags & ~CRYPTO_ALG_TYPE_MASK;
	base->cra_type = &crypto_new_aead_type;
	base->cra_flags = flags | CRYPTO_ALG_TYPE_AEAD;

	return 0;
}
/*
 * Register a new-style AEAD algorithm.  The algorithm is validated and
 * typed by aead_prepare_alg() before crypto_register_alg() sees it.
 *
 * Returns 0 on success or a negative errno from either step.
 */
int crypto_register_aead(struct aead_alg *alg)
{
	int err = aead_prepare_alg(alg);

	if (err)
		return err;

	return crypto_register_alg(&alg->base);
}
EXPORT_SYMBOL_GPL(crypto_register_aead);
/* Unregister an AEAD algorithm; returns crypto_unregister_alg()'s result. */
int crypto_unregister_aead(struct aead_alg *alg)
{
	struct crypto_alg *base = &alg->base;

	return crypto_unregister_alg(base);
}
EXPORT_SYMBOL_GPL(crypto_unregister_aead);
/*
 * Register an AEAD template instance.  The embedded algorithm goes
 * through the same aead_prepare_alg() checks as crypto_register_aead()
 * before the instance is handed to crypto_register_instance().
 *
 * Returns 0 on success or a negative errno from either step.
 */
int aead_register_instance(struct crypto_template *tmpl,
			   struct aead_instance *inst)
{
	int err = aead_prepare_alg(&inst->alg);

	if (err)
		return err;

	return crypto_register_instance(tmpl, aead_crypto_instance(inst));
}
EXPORT_SYMBOL_GPL(aead_register_instance);
/* Module metadata. */
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Authenticated Encryption with Associated Data (AEAD)");