xref: /linux/crypto/skcipher.c (revision 621cde16e49b3ecf7d59a8106a20aaebfb4a59a9)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Symmetric key cipher operations.
4  *
5  * Generic encrypt/decrypt wrapper for ciphers, handles operations across
6  * multiple page boundaries by using temporary blocks.  In user context,
7  * the kernel is given a chance to schedule us once per page.
8  *
9  * Copyright (c) 2015 Herbert Xu <herbert@gondor.apana.org.au>
10  */
11 
12 #include <crypto/internal/aead.h>
13 #include <crypto/internal/cipher.h>
14 #include <crypto/internal/skcipher.h>
15 #include <crypto/scatterwalk.h>
16 #include <linux/bug.h>
17 #include <linux/cryptouser.h>
18 #include <linux/err.h>
19 #include <linux/kernel.h>
20 #include <linux/list.h>
21 #include <linux/mm.h>
22 #include <linux/module.h>
23 #include <linux/seq_file.h>
24 #include <linux/slab.h>
25 #include <linux/string.h>
26 #include <net/netlink.h>
27 #include "skcipher.h"
28 
29 #define CRYPTO_ALG_TYPE_SKCIPHER_MASK	0x0000000e
30 
31 enum {
32 	SKCIPHER_WALK_PHYS = 1 << 0,
33 	SKCIPHER_WALK_SLOW = 1 << 1,
34 	SKCIPHER_WALK_COPY = 1 << 2,
35 	SKCIPHER_WALK_DIFF = 1 << 3,
36 	SKCIPHER_WALK_SLEEP = 1 << 4,
37 };
38 
39 struct skcipher_walk_buffer {
40 	struct list_head entry;
41 	struct scatter_walk dst;
42 	unsigned int len;
43 	u8 *data;
44 	u8 buffer[];
45 };
46 
47 static const struct crypto_type crypto_skcipher_type;
48 
49 static int skcipher_walk_next(struct skcipher_walk *walk);
50 
skcipher_map_src(struct skcipher_walk * walk)51 static inline void skcipher_map_src(struct skcipher_walk *walk)
52 {
53 	walk->src.virt.addr = scatterwalk_map(&walk->in);
54 }
55 
skcipher_map_dst(struct skcipher_walk * walk)56 static inline void skcipher_map_dst(struct skcipher_walk *walk)
57 {
58 	walk->dst.virt.addr = scatterwalk_map(&walk->out);
59 }
60 
skcipher_unmap_src(struct skcipher_walk * walk)61 static inline void skcipher_unmap_src(struct skcipher_walk *walk)
62 {
63 	scatterwalk_unmap(walk->src.virt.addr);
64 }
65 
skcipher_unmap_dst(struct skcipher_walk * walk)66 static inline void skcipher_unmap_dst(struct skcipher_walk *walk)
67 {
68 	scatterwalk_unmap(walk->dst.virt.addr);
69 }
70 
skcipher_walk_gfp(struct skcipher_walk * walk)71 static inline gfp_t skcipher_walk_gfp(struct skcipher_walk *walk)
72 {
73 	return walk->flags & SKCIPHER_WALK_SLEEP ? GFP_KERNEL : GFP_ATOMIC;
74 }
75 
76 /* Get a spot of the specified length that does not straddle a page.
77  * The caller needs to ensure that there is enough space for this operation.
78  */
skcipher_get_spot(u8 * start,unsigned int len)79 static inline u8 *skcipher_get_spot(u8 *start, unsigned int len)
80 {
81 	u8 *end_page = (u8 *)(((unsigned long)(start + len - 1)) & PAGE_MASK);
82 
83 	return max(start, end_page);
84 }
85 
__crypto_skcipher_alg(struct crypto_alg * alg)86 static inline struct skcipher_alg *__crypto_skcipher_alg(
87 	struct crypto_alg *alg)
88 {
89 	return container_of(alg, struct skcipher_alg, base);
90 }
91 
skcipher_done_slow(struct skcipher_walk * walk,unsigned int bsize)92 static int skcipher_done_slow(struct skcipher_walk *walk, unsigned int bsize)
93 {
94 	u8 *addr;
95 
96 	addr = (u8 *)ALIGN((unsigned long)walk->buffer, walk->alignmask + 1);
97 	addr = skcipher_get_spot(addr, bsize);
98 	scatterwalk_copychunks(addr, &walk->out, bsize,
99 			       (walk->flags & SKCIPHER_WALK_PHYS) ? 2 : 1);
100 	return 0;
101 }
102 
skcipher_walk_done(struct skcipher_walk * walk,int err)103 int skcipher_walk_done(struct skcipher_walk *walk, int err)
104 {
105 	unsigned int n = walk->nbytes;
106 	unsigned int nbytes = 0;
107 
108 	if (!n)
109 		goto finish;
110 
111 	if (likely(err >= 0)) {
112 		n -= err;
113 		nbytes = walk->total - n;
114 	}
115 
116 	if (likely(!(walk->flags & (SKCIPHER_WALK_PHYS |
117 				    SKCIPHER_WALK_SLOW |
118 				    SKCIPHER_WALK_COPY |
119 				    SKCIPHER_WALK_DIFF)))) {
120 unmap_src:
121 		skcipher_unmap_src(walk);
122 	} else if (walk->flags & SKCIPHER_WALK_DIFF) {
123 		skcipher_unmap_dst(walk);
124 		goto unmap_src;
125 	} else if (walk->flags & SKCIPHER_WALK_COPY) {
126 		skcipher_map_dst(walk);
127 		memcpy(walk->dst.virt.addr, walk->page, n);
128 		skcipher_unmap_dst(walk);
129 	} else if (unlikely(walk->flags & SKCIPHER_WALK_SLOW)) {
130 		if (err > 0) {
131 			/*
132 			 * Didn't process all bytes.  Either the algorithm is
133 			 * broken, or this was the last step and it turned out
134 			 * the message wasn't evenly divisible into blocks but
135 			 * the algorithm requires it.
136 			 */
137 			err = -EINVAL;
138 			nbytes = 0;
139 		} else
140 			n = skcipher_done_slow(walk, n);
141 	}
142 
143 	if (err > 0)
144 		err = 0;
145 
146 	walk->total = nbytes;
147 	walk->nbytes = 0;
148 
149 	scatterwalk_advance(&walk->in, n);
150 	scatterwalk_advance(&walk->out, n);
151 	scatterwalk_done(&walk->in, 0, nbytes);
152 	scatterwalk_done(&walk->out, 1, nbytes);
153 
154 	if (nbytes) {
155 		crypto_yield(walk->flags & SKCIPHER_WALK_SLEEP ?
156 			     CRYPTO_TFM_REQ_MAY_SLEEP : 0);
157 		return skcipher_walk_next(walk);
158 	}
159 
160 finish:
161 	/* Short-circuit for the common/fast path. */
162 	if (!((unsigned long)walk->buffer | (unsigned long)walk->page))
163 		goto out;
164 
165 	if (walk->flags & SKCIPHER_WALK_PHYS)
166 		goto out;
167 
168 	if (walk->iv != walk->oiv)
169 		memcpy(walk->oiv, walk->iv, walk->ivsize);
170 	if (walk->buffer != walk->page)
171 		kfree(walk->buffer);
172 	if (walk->page)
173 		free_page((unsigned long)walk->page);
174 
175 out:
176 	return err;
177 }
178 EXPORT_SYMBOL_GPL(skcipher_walk_done);
179 
skcipher_walk_complete(struct skcipher_walk * walk,int err)180 void skcipher_walk_complete(struct skcipher_walk *walk, int err)
181 {
182 	struct skcipher_walk_buffer *p, *tmp;
183 
184 	list_for_each_entry_safe(p, tmp, &walk->buffers, entry) {
185 		u8 *data;
186 
187 		if (err)
188 			goto done;
189 
190 		data = p->data;
191 		if (!data) {
192 			data = PTR_ALIGN(&p->buffer[0], walk->alignmask + 1);
193 			data = skcipher_get_spot(data, walk->stride);
194 		}
195 
196 		scatterwalk_copychunks(data, &p->dst, p->len, 1);
197 
198 		if (offset_in_page(p->data) + p->len + walk->stride >
199 		    PAGE_SIZE)
200 			free_page((unsigned long)p->data);
201 
202 done:
203 		list_del(&p->entry);
204 		kfree(p);
205 	}
206 
207 	if (!err && walk->iv != walk->oiv)
208 		memcpy(walk->oiv, walk->iv, walk->ivsize);
209 	if (walk->buffer != walk->page)
210 		kfree(walk->buffer);
211 	if (walk->page)
212 		free_page((unsigned long)walk->page);
213 }
214 EXPORT_SYMBOL_GPL(skcipher_walk_complete);
215 
skcipher_queue_write(struct skcipher_walk * walk,struct skcipher_walk_buffer * p)216 static void skcipher_queue_write(struct skcipher_walk *walk,
217 				 struct skcipher_walk_buffer *p)
218 {
219 	p->dst = walk->out;
220 	list_add_tail(&p->entry, &walk->buffers);
221 }
222 
skcipher_next_slow(struct skcipher_walk * walk,unsigned int bsize)223 static int skcipher_next_slow(struct skcipher_walk *walk, unsigned int bsize)
224 {
225 	bool phys = walk->flags & SKCIPHER_WALK_PHYS;
226 	unsigned alignmask = walk->alignmask;
227 	struct skcipher_walk_buffer *p;
228 	unsigned a;
229 	unsigned n;
230 	u8 *buffer;
231 	void *v;
232 
233 	if (!phys) {
234 		if (!walk->buffer)
235 			walk->buffer = walk->page;
236 		buffer = walk->buffer;
237 		if (buffer)
238 			goto ok;
239 	}
240 
241 	/* Start with the minimum alignment of kmalloc. */
242 	a = crypto_tfm_ctx_alignment() - 1;
243 	n = bsize;
244 
245 	if (phys) {
246 		/* Calculate the minimum alignment of p->buffer. */
247 		a &= (sizeof(*p) ^ (sizeof(*p) - 1)) >> 1;
248 		n += sizeof(*p);
249 	}
250 
251 	/* Minimum size to align p->buffer by alignmask. */
252 	n += alignmask & ~a;
253 
254 	/* Minimum size to ensure p->buffer does not straddle a page. */
255 	n += (bsize - 1) & ~(alignmask | a);
256 
257 	v = kzalloc(n, skcipher_walk_gfp(walk));
258 	if (!v)
259 		return skcipher_walk_done(walk, -ENOMEM);
260 
261 	if (phys) {
262 		p = v;
263 		p->len = bsize;
264 		skcipher_queue_write(walk, p);
265 		buffer = p->buffer;
266 	} else {
267 		walk->buffer = v;
268 		buffer = v;
269 	}
270 
271 ok:
272 	walk->dst.virt.addr = PTR_ALIGN(buffer, alignmask + 1);
273 	walk->dst.virt.addr = skcipher_get_spot(walk->dst.virt.addr, bsize);
274 	walk->src.virt.addr = walk->dst.virt.addr;
275 
276 	scatterwalk_copychunks(walk->src.virt.addr, &walk->in, bsize, 0);
277 
278 	walk->nbytes = bsize;
279 	walk->flags |= SKCIPHER_WALK_SLOW;
280 
281 	return 0;
282 }
283 
skcipher_next_copy(struct skcipher_walk * walk)284 static int skcipher_next_copy(struct skcipher_walk *walk)
285 {
286 	struct skcipher_walk_buffer *p;
287 	u8 *tmp = walk->page;
288 
289 	skcipher_map_src(walk);
290 	memcpy(tmp, walk->src.virt.addr, walk->nbytes);
291 	skcipher_unmap_src(walk);
292 
293 	walk->src.virt.addr = tmp;
294 	walk->dst.virt.addr = tmp;
295 
296 	if (!(walk->flags & SKCIPHER_WALK_PHYS))
297 		return 0;
298 
299 	p = kmalloc(sizeof(*p), skcipher_walk_gfp(walk));
300 	if (!p)
301 		return -ENOMEM;
302 
303 	p->data = walk->page;
304 	p->len = walk->nbytes;
305 	skcipher_queue_write(walk, p);
306 
307 	if (offset_in_page(walk->page) + walk->nbytes + walk->stride >
308 	    PAGE_SIZE)
309 		walk->page = NULL;
310 	else
311 		walk->page += walk->nbytes;
312 
313 	return 0;
314 }
315 
skcipher_next_fast(struct skcipher_walk * walk)316 static int skcipher_next_fast(struct skcipher_walk *walk)
317 {
318 	unsigned long diff;
319 
320 	walk->src.phys.page = scatterwalk_page(&walk->in);
321 	walk->src.phys.offset = offset_in_page(walk->in.offset);
322 	walk->dst.phys.page = scatterwalk_page(&walk->out);
323 	walk->dst.phys.offset = offset_in_page(walk->out.offset);
324 
325 	if (walk->flags & SKCIPHER_WALK_PHYS)
326 		return 0;
327 
328 	diff = walk->src.phys.offset - walk->dst.phys.offset;
329 	diff |= walk->src.virt.page - walk->dst.virt.page;
330 
331 	skcipher_map_src(walk);
332 	walk->dst.virt.addr = walk->src.virt.addr;
333 
334 	if (diff) {
335 		walk->flags |= SKCIPHER_WALK_DIFF;
336 		skcipher_map_dst(walk);
337 	}
338 
339 	return 0;
340 }
341 
skcipher_walk_next(struct skcipher_walk * walk)342 static int skcipher_walk_next(struct skcipher_walk *walk)
343 {
344 	unsigned int bsize;
345 	unsigned int n;
346 	int err;
347 
348 	walk->flags &= ~(SKCIPHER_WALK_SLOW | SKCIPHER_WALK_COPY |
349 			 SKCIPHER_WALK_DIFF);
350 
351 	n = walk->total;
352 	bsize = min(walk->stride, max(n, walk->blocksize));
353 	n = scatterwalk_clamp(&walk->in, n);
354 	n = scatterwalk_clamp(&walk->out, n);
355 
356 	if (unlikely(n < bsize)) {
357 		if (unlikely(walk->total < walk->blocksize))
358 			return skcipher_walk_done(walk, -EINVAL);
359 
360 slow_path:
361 		err = skcipher_next_slow(walk, bsize);
362 		goto set_phys_lowmem;
363 	}
364 
365 	if (unlikely((walk->in.offset | walk->out.offset) & walk->alignmask)) {
366 		if (!walk->page) {
367 			gfp_t gfp = skcipher_walk_gfp(walk);
368 
369 			walk->page = (void *)__get_free_page(gfp);
370 			if (!walk->page)
371 				goto slow_path;
372 		}
373 
374 		walk->nbytes = min_t(unsigned, n,
375 				     PAGE_SIZE - offset_in_page(walk->page));
376 		walk->flags |= SKCIPHER_WALK_COPY;
377 		err = skcipher_next_copy(walk);
378 		goto set_phys_lowmem;
379 	}
380 
381 	walk->nbytes = n;
382 
383 	return skcipher_next_fast(walk);
384 
385 set_phys_lowmem:
386 	if (!err && (walk->flags & SKCIPHER_WALK_PHYS)) {
387 		walk->src.phys.page = virt_to_page(walk->src.virt.addr);
388 		walk->dst.phys.page = virt_to_page(walk->dst.virt.addr);
389 		walk->src.phys.offset &= PAGE_SIZE - 1;
390 		walk->dst.phys.offset &= PAGE_SIZE - 1;
391 	}
392 	return err;
393 }
394 
skcipher_copy_iv(struct skcipher_walk * walk)395 static int skcipher_copy_iv(struct skcipher_walk *walk)
396 {
397 	unsigned a = crypto_tfm_ctx_alignment() - 1;
398 	unsigned alignmask = walk->alignmask;
399 	unsigned ivsize = walk->ivsize;
400 	unsigned bs = walk->stride;
401 	unsigned aligned_bs;
402 	unsigned size;
403 	u8 *iv;
404 
405 	aligned_bs = ALIGN(bs, alignmask + 1);
406 
407 	/* Minimum size to align buffer by alignmask. */
408 	size = alignmask & ~a;
409 
410 	if (walk->flags & SKCIPHER_WALK_PHYS)
411 		size += ivsize;
412 	else {
413 		size += aligned_bs + ivsize;
414 
415 		/* Minimum size to ensure buffer does not straddle a page. */
416 		size += (bs - 1) & ~(alignmask | a);
417 	}
418 
419 	walk->buffer = kmalloc(size, skcipher_walk_gfp(walk));
420 	if (!walk->buffer)
421 		return -ENOMEM;
422 
423 	iv = PTR_ALIGN(walk->buffer, alignmask + 1);
424 	iv = skcipher_get_spot(iv, bs) + aligned_bs;
425 
426 	walk->iv = memcpy(iv, walk->iv, walk->ivsize);
427 	return 0;
428 }
429 
skcipher_walk_first(struct skcipher_walk * walk)430 static int skcipher_walk_first(struct skcipher_walk *walk)
431 {
432 	if (WARN_ON_ONCE(in_hardirq()))
433 		return -EDEADLK;
434 
435 	walk->buffer = NULL;
436 	if (unlikely(((unsigned long)walk->iv & walk->alignmask))) {
437 		int err = skcipher_copy_iv(walk);
438 		if (err)
439 			return err;
440 	}
441 
442 	walk->page = NULL;
443 
444 	return skcipher_walk_next(walk);
445 }
446 
skcipher_walk_skcipher(struct skcipher_walk * walk,struct skcipher_request * req)447 static int skcipher_walk_skcipher(struct skcipher_walk *walk,
448 				  struct skcipher_request *req)
449 {
450 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
451 	struct skcipher_alg *alg = crypto_skcipher_alg(tfm);
452 
453 	walk->total = req->cryptlen;
454 	walk->nbytes = 0;
455 	walk->iv = req->iv;
456 	walk->oiv = req->iv;
457 
458 	if (unlikely(!walk->total))
459 		return 0;
460 
461 	scatterwalk_start(&walk->in, req->src);
462 	scatterwalk_start(&walk->out, req->dst);
463 
464 	walk->flags &= ~SKCIPHER_WALK_SLEEP;
465 	walk->flags |= req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP ?
466 		       SKCIPHER_WALK_SLEEP : 0;
467 
468 	walk->blocksize = crypto_skcipher_blocksize(tfm);
469 	walk->ivsize = crypto_skcipher_ivsize(tfm);
470 	walk->alignmask = crypto_skcipher_alignmask(tfm);
471 
472 	if (alg->co.base.cra_type != &crypto_skcipher_type)
473 		walk->stride = alg->co.chunksize;
474 	else
475 		walk->stride = alg->walksize;
476 
477 	return skcipher_walk_first(walk);
478 }
479 
skcipher_walk_virt(struct skcipher_walk * walk,struct skcipher_request * req,bool atomic)480 int skcipher_walk_virt(struct skcipher_walk *walk,
481 		       struct skcipher_request *req, bool atomic)
482 {
483 	int err;
484 
485 	might_sleep_if(req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP);
486 
487 	walk->flags &= ~SKCIPHER_WALK_PHYS;
488 
489 	err = skcipher_walk_skcipher(walk, req);
490 
491 	walk->flags &= atomic ? ~SKCIPHER_WALK_SLEEP : ~0;
492 
493 	return err;
494 }
495 EXPORT_SYMBOL_GPL(skcipher_walk_virt);
496 
skcipher_walk_async(struct skcipher_walk * walk,struct skcipher_request * req)497 int skcipher_walk_async(struct skcipher_walk *walk,
498 			struct skcipher_request *req)
499 {
500 	walk->flags |= SKCIPHER_WALK_PHYS;
501 
502 	INIT_LIST_HEAD(&walk->buffers);
503 
504 	return skcipher_walk_skcipher(walk, req);
505 }
506 EXPORT_SYMBOL_GPL(skcipher_walk_async);
507 
skcipher_walk_aead_common(struct skcipher_walk * walk,struct aead_request * req,bool atomic)508 static int skcipher_walk_aead_common(struct skcipher_walk *walk,
509 				     struct aead_request *req, bool atomic)
510 {
511 	struct crypto_aead *tfm = crypto_aead_reqtfm(req);
512 	int err;
513 
514 	walk->nbytes = 0;
515 	walk->iv = req->iv;
516 	walk->oiv = req->iv;
517 
518 	if (unlikely(!walk->total))
519 		return 0;
520 
521 	walk->flags &= ~SKCIPHER_WALK_PHYS;
522 
523 	scatterwalk_start(&walk->in, req->src);
524 	scatterwalk_start(&walk->out, req->dst);
525 
526 	scatterwalk_copychunks(NULL, &walk->in, req->assoclen, 2);
527 	scatterwalk_copychunks(NULL, &walk->out, req->assoclen, 2);
528 
529 	scatterwalk_done(&walk->in, 0, walk->total);
530 	scatterwalk_done(&walk->out, 0, walk->total);
531 
532 	if (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP)
533 		walk->flags |= SKCIPHER_WALK_SLEEP;
534 	else
535 		walk->flags &= ~SKCIPHER_WALK_SLEEP;
536 
537 	walk->blocksize = crypto_aead_blocksize(tfm);
538 	walk->stride = crypto_aead_chunksize(tfm);
539 	walk->ivsize = crypto_aead_ivsize(tfm);
540 	walk->alignmask = crypto_aead_alignmask(tfm);
541 
542 	err = skcipher_walk_first(walk);
543 
544 	if (atomic)
545 		walk->flags &= ~SKCIPHER_WALK_SLEEP;
546 
547 	return err;
548 }
549 
skcipher_walk_aead_encrypt(struct skcipher_walk * walk,struct aead_request * req,bool atomic)550 int skcipher_walk_aead_encrypt(struct skcipher_walk *walk,
551 			       struct aead_request *req, bool atomic)
552 {
553 	walk->total = req->cryptlen;
554 
555 	return skcipher_walk_aead_common(walk, req, atomic);
556 }
557 EXPORT_SYMBOL_GPL(skcipher_walk_aead_encrypt);
558 
skcipher_walk_aead_decrypt(struct skcipher_walk * walk,struct aead_request * req,bool atomic)559 int skcipher_walk_aead_decrypt(struct skcipher_walk *walk,
560 			       struct aead_request *req, bool atomic)
561 {
562 	struct crypto_aead *tfm = crypto_aead_reqtfm(req);
563 
564 	walk->total = req->cryptlen - crypto_aead_authsize(tfm);
565 
566 	return skcipher_walk_aead_common(walk, req, atomic);
567 }
568 EXPORT_SYMBOL_GPL(skcipher_walk_aead_decrypt);
569 
skcipher_set_needkey(struct crypto_skcipher * tfm)570 static void skcipher_set_needkey(struct crypto_skcipher *tfm)
571 {
572 	if (crypto_skcipher_max_keysize(tfm) != 0)
573 		crypto_skcipher_set_flags(tfm, CRYPTO_TFM_NEED_KEY);
574 }
575 
skcipher_setkey_unaligned(struct crypto_skcipher * tfm,const u8 * key,unsigned int keylen)576 static int skcipher_setkey_unaligned(struct crypto_skcipher *tfm,
577 				     const u8 *key, unsigned int keylen)
578 {
579 	unsigned long alignmask = crypto_skcipher_alignmask(tfm);
580 	struct skcipher_alg *cipher = crypto_skcipher_alg(tfm);
581 	u8 *buffer, *alignbuffer;
582 	unsigned long absize;
583 	int ret;
584 
585 	absize = keylen + alignmask;
586 	buffer = kmalloc(absize, GFP_ATOMIC);
587 	if (!buffer)
588 		return -ENOMEM;
589 
590 	alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1);
591 	memcpy(alignbuffer, key, keylen);
592 	ret = cipher->setkey(tfm, alignbuffer, keylen);
593 	kfree_sensitive(buffer);
594 	return ret;
595 }
596 
crypto_skcipher_setkey(struct crypto_skcipher * tfm,const u8 * key,unsigned int keylen)597 int crypto_skcipher_setkey(struct crypto_skcipher *tfm, const u8 *key,
598 			   unsigned int keylen)
599 {
600 	struct skcipher_alg *cipher = crypto_skcipher_alg(tfm);
601 	unsigned long alignmask = crypto_skcipher_alignmask(tfm);
602 	int err;
603 
604 	if (cipher->co.base.cra_type != &crypto_skcipher_type) {
605 		struct crypto_lskcipher **ctx = crypto_skcipher_ctx(tfm);
606 
607 		crypto_lskcipher_clear_flags(*ctx, CRYPTO_TFM_REQ_MASK);
608 		crypto_lskcipher_set_flags(*ctx,
609 					   crypto_skcipher_get_flags(tfm) &
610 					   CRYPTO_TFM_REQ_MASK);
611 		err = crypto_lskcipher_setkey(*ctx, key, keylen);
612 		goto out;
613 	}
614 
615 	if (keylen < cipher->min_keysize || keylen > cipher->max_keysize)
616 		return -EINVAL;
617 
618 	if ((unsigned long)key & alignmask)
619 		err = skcipher_setkey_unaligned(tfm, key, keylen);
620 	else
621 		err = cipher->setkey(tfm, key, keylen);
622 
623 out:
624 	if (unlikely(err)) {
625 		skcipher_set_needkey(tfm);
626 		return err;
627 	}
628 
629 	crypto_skcipher_clear_flags(tfm, CRYPTO_TFM_NEED_KEY);
630 	return 0;
631 }
632 EXPORT_SYMBOL_GPL(crypto_skcipher_setkey);
633 
crypto_skcipher_encrypt(struct skcipher_request * req)634 int crypto_skcipher_encrypt(struct skcipher_request *req)
635 {
636 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
637 	struct skcipher_alg *alg = crypto_skcipher_alg(tfm);
638 
639 	if (crypto_skcipher_get_flags(tfm) & CRYPTO_TFM_NEED_KEY)
640 		return -ENOKEY;
641 	if (alg->co.base.cra_type != &crypto_skcipher_type)
642 		return crypto_lskcipher_encrypt_sg(req);
643 	return alg->encrypt(req);
644 }
645 EXPORT_SYMBOL_GPL(crypto_skcipher_encrypt);
646 
crypto_skcipher_decrypt(struct skcipher_request * req)647 int crypto_skcipher_decrypt(struct skcipher_request *req)
648 {
649 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
650 	struct skcipher_alg *alg = crypto_skcipher_alg(tfm);
651 
652 	if (crypto_skcipher_get_flags(tfm) & CRYPTO_TFM_NEED_KEY)
653 		return -ENOKEY;
654 	if (alg->co.base.cra_type != &crypto_skcipher_type)
655 		return crypto_lskcipher_decrypt_sg(req);
656 	return alg->decrypt(req);
657 }
658 EXPORT_SYMBOL_GPL(crypto_skcipher_decrypt);
659 
crypto_lskcipher_export(struct skcipher_request * req,void * out)660 static int crypto_lskcipher_export(struct skcipher_request *req, void *out)
661 {
662 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
663 	u8 *ivs = skcipher_request_ctx(req);
664 
665 	ivs = PTR_ALIGN(ivs, crypto_skcipher_alignmask(tfm) + 1);
666 
667 	memcpy(out, ivs + crypto_skcipher_ivsize(tfm),
668 	       crypto_skcipher_statesize(tfm));
669 
670 	return 0;
671 }
672 
crypto_lskcipher_import(struct skcipher_request * req,const void * in)673 static int crypto_lskcipher_import(struct skcipher_request *req, const void *in)
674 {
675 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
676 	u8 *ivs = skcipher_request_ctx(req);
677 
678 	ivs = PTR_ALIGN(ivs, crypto_skcipher_alignmask(tfm) + 1);
679 
680 	memcpy(ivs + crypto_skcipher_ivsize(tfm), in,
681 	       crypto_skcipher_statesize(tfm));
682 
683 	return 0;
684 }
685 
skcipher_noexport(struct skcipher_request * req,void * out)686 static int skcipher_noexport(struct skcipher_request *req, void *out)
687 {
688 	return 0;
689 }
690 
skcipher_noimport(struct skcipher_request * req,const void * in)691 static int skcipher_noimport(struct skcipher_request *req, const void *in)
692 {
693 	return 0;
694 }
695 
crypto_skcipher_export(struct skcipher_request * req,void * out)696 int crypto_skcipher_export(struct skcipher_request *req, void *out)
697 {
698 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
699 	struct skcipher_alg *alg = crypto_skcipher_alg(tfm);
700 
701 	if (alg->co.base.cra_type != &crypto_skcipher_type)
702 		return crypto_lskcipher_export(req, out);
703 	return alg->export(req, out);
704 }
705 EXPORT_SYMBOL_GPL(crypto_skcipher_export);
706 
crypto_skcipher_import(struct skcipher_request * req,const void * in)707 int crypto_skcipher_import(struct skcipher_request *req, const void *in)
708 {
709 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
710 	struct skcipher_alg *alg = crypto_skcipher_alg(tfm);
711 
712 	if (alg->co.base.cra_type != &crypto_skcipher_type)
713 		return crypto_lskcipher_import(req, in);
714 	return alg->import(req, in);
715 }
716 EXPORT_SYMBOL_GPL(crypto_skcipher_import);
717 
crypto_skcipher_exit_tfm(struct crypto_tfm * tfm)718 static void crypto_skcipher_exit_tfm(struct crypto_tfm *tfm)
719 {
720 	struct crypto_skcipher *skcipher = __crypto_skcipher_cast(tfm);
721 	struct skcipher_alg *alg = crypto_skcipher_alg(skcipher);
722 
723 	alg->exit(skcipher);
724 }
725 
crypto_skcipher_init_tfm(struct crypto_tfm * tfm)726 static int crypto_skcipher_init_tfm(struct crypto_tfm *tfm)
727 {
728 	struct crypto_skcipher *skcipher = __crypto_skcipher_cast(tfm);
729 	struct skcipher_alg *alg = crypto_skcipher_alg(skcipher);
730 
731 	skcipher_set_needkey(skcipher);
732 
733 	if (tfm->__crt_alg->cra_type != &crypto_skcipher_type) {
734 		unsigned am = crypto_skcipher_alignmask(skcipher);
735 		unsigned reqsize;
736 
737 		reqsize = am & ~(crypto_tfm_ctx_alignment() - 1);
738 		reqsize += crypto_skcipher_ivsize(skcipher);
739 		reqsize += crypto_skcipher_statesize(skcipher);
740 		crypto_skcipher_set_reqsize(skcipher, reqsize);
741 
742 		return crypto_init_lskcipher_ops_sg(tfm);
743 	}
744 
745 	if (alg->exit)
746 		skcipher->base.exit = crypto_skcipher_exit_tfm;
747 
748 	if (alg->init)
749 		return alg->init(skcipher);
750 
751 	return 0;
752 }
753 
crypto_skcipher_extsize(struct crypto_alg * alg)754 static unsigned int crypto_skcipher_extsize(struct crypto_alg *alg)
755 {
756 	if (alg->cra_type != &crypto_skcipher_type)
757 		return sizeof(struct crypto_lskcipher *);
758 
759 	return crypto_alg_extsize(alg);
760 }
761 
crypto_skcipher_free_instance(struct crypto_instance * inst)762 static void crypto_skcipher_free_instance(struct crypto_instance *inst)
763 {
764 	struct skcipher_instance *skcipher =
765 		container_of(inst, struct skcipher_instance, s.base);
766 
767 	skcipher->free(skcipher);
768 }
769 
770 static void crypto_skcipher_show(struct seq_file *m, struct crypto_alg *alg)
771 	__maybe_unused;
crypto_skcipher_show(struct seq_file * m,struct crypto_alg * alg)772 static void crypto_skcipher_show(struct seq_file *m, struct crypto_alg *alg)
773 {
774 	struct skcipher_alg *skcipher = __crypto_skcipher_alg(alg);
775 
776 	seq_printf(m, "type         : skcipher\n");
777 	seq_printf(m, "async        : %s\n",
778 		   alg->cra_flags & CRYPTO_ALG_ASYNC ?  "yes" : "no");
779 	seq_printf(m, "blocksize    : %u\n", alg->cra_blocksize);
780 	seq_printf(m, "min keysize  : %u\n", skcipher->min_keysize);
781 	seq_printf(m, "max keysize  : %u\n", skcipher->max_keysize);
782 	seq_printf(m, "ivsize       : %u\n", skcipher->ivsize);
783 	seq_printf(m, "chunksize    : %u\n", skcipher->chunksize);
784 	seq_printf(m, "walksize     : %u\n", skcipher->walksize);
785 	seq_printf(m, "statesize    : %u\n", skcipher->statesize);
786 }
787 
crypto_skcipher_report(struct sk_buff * skb,struct crypto_alg * alg)788 static int __maybe_unused crypto_skcipher_report(
789 	struct sk_buff *skb, struct crypto_alg *alg)
790 {
791 	struct skcipher_alg *skcipher = __crypto_skcipher_alg(alg);
792 	struct crypto_report_blkcipher rblkcipher;
793 
794 	memset(&rblkcipher, 0, sizeof(rblkcipher));
795 
796 	strscpy(rblkcipher.type, "skcipher", sizeof(rblkcipher.type));
797 	strscpy(rblkcipher.geniv, "<none>", sizeof(rblkcipher.geniv));
798 
799 	rblkcipher.blocksize = alg->cra_blocksize;
800 	rblkcipher.min_keysize = skcipher->min_keysize;
801 	rblkcipher.max_keysize = skcipher->max_keysize;
802 	rblkcipher.ivsize = skcipher->ivsize;
803 
804 	return nla_put(skb, CRYPTOCFGA_REPORT_BLKCIPHER,
805 		       sizeof(rblkcipher), &rblkcipher);
806 }
807 
808 static const struct crypto_type crypto_skcipher_type = {
809 	.extsize = crypto_skcipher_extsize,
810 	.init_tfm = crypto_skcipher_init_tfm,
811 	.free = crypto_skcipher_free_instance,
812 #ifdef CONFIG_PROC_FS
813 	.show = crypto_skcipher_show,
814 #endif
815 #if IS_ENABLED(CONFIG_CRYPTO_USER)
816 	.report = crypto_skcipher_report,
817 #endif
818 	.maskclear = ~CRYPTO_ALG_TYPE_MASK,
819 	.maskset = CRYPTO_ALG_TYPE_SKCIPHER_MASK,
820 	.type = CRYPTO_ALG_TYPE_SKCIPHER,
821 	.tfmsize = offsetof(struct crypto_skcipher, base),
822 };
823 
crypto_grab_skcipher(struct crypto_skcipher_spawn * spawn,struct crypto_instance * inst,const char * name,u32 type,u32 mask)824 int crypto_grab_skcipher(struct crypto_skcipher_spawn *spawn,
825 			 struct crypto_instance *inst,
826 			 const char *name, u32 type, u32 mask)
827 {
828 	spawn->base.frontend = &crypto_skcipher_type;
829 	return crypto_grab_spawn(&spawn->base, inst, name, type, mask);
830 }
831 EXPORT_SYMBOL_GPL(crypto_grab_skcipher);
832 
crypto_alloc_skcipher(const char * alg_name,u32 type,u32 mask)833 struct crypto_skcipher *crypto_alloc_skcipher(const char *alg_name,
834 					      u32 type, u32 mask)
835 {
836 	return crypto_alloc_tfm(alg_name, &crypto_skcipher_type, type, mask);
837 }
838 EXPORT_SYMBOL_GPL(crypto_alloc_skcipher);
839 
crypto_alloc_sync_skcipher(const char * alg_name,u32 type,u32 mask)840 struct crypto_sync_skcipher *crypto_alloc_sync_skcipher(
841 				const char *alg_name, u32 type, u32 mask)
842 {
843 	struct crypto_skcipher *tfm;
844 
845 	/* Only sync algorithms allowed. */
846 	mask |= CRYPTO_ALG_ASYNC | CRYPTO_ALG_SKCIPHER_REQSIZE_LARGE;
847 
848 	tfm = crypto_alloc_tfm(alg_name, &crypto_skcipher_type, type, mask);
849 
850 	/*
851 	 * Make sure we do not allocate something that might get used with
852 	 * an on-stack request: check the request size.
853 	 */
854 	if (!IS_ERR(tfm) && WARN_ON(crypto_skcipher_reqsize(tfm) >
855 				    MAX_SYNC_SKCIPHER_REQSIZE)) {
856 		crypto_free_skcipher(tfm);
857 		return ERR_PTR(-EINVAL);
858 	}
859 
860 	return (struct crypto_sync_skcipher *)tfm;
861 }
862 EXPORT_SYMBOL_GPL(crypto_alloc_sync_skcipher);
863 
crypto_has_skcipher(const char * alg_name,u32 type,u32 mask)864 int crypto_has_skcipher(const char *alg_name, u32 type, u32 mask)
865 {
866 	return crypto_type_has_alg(alg_name, &crypto_skcipher_type, type, mask);
867 }
868 EXPORT_SYMBOL_GPL(crypto_has_skcipher);
869 
skcipher_prepare_alg_common(struct skcipher_alg_common * alg)870 int skcipher_prepare_alg_common(struct skcipher_alg_common *alg)
871 {
872 	struct crypto_alg *base = &alg->base;
873 
874 	if (alg->ivsize > PAGE_SIZE / 8 || alg->chunksize > PAGE_SIZE / 8 ||
875 	    alg->statesize > PAGE_SIZE / 2 ||
876 	    (alg->ivsize + alg->statesize) > PAGE_SIZE / 2)
877 		return -EINVAL;
878 
879 	if (!alg->chunksize)
880 		alg->chunksize = base->cra_blocksize;
881 
882 	base->cra_flags &= ~CRYPTO_ALG_TYPE_MASK;
883 
884 	return 0;
885 }
886 
skcipher_prepare_alg(struct skcipher_alg * alg)887 static int skcipher_prepare_alg(struct skcipher_alg *alg)
888 {
889 	struct crypto_alg *base = &alg->base;
890 	int err;
891 
892 	err = skcipher_prepare_alg_common(&alg->co);
893 	if (err)
894 		return err;
895 
896 	if (alg->walksize > PAGE_SIZE / 8)
897 		return -EINVAL;
898 
899 	if (!alg->walksize)
900 		alg->walksize = alg->chunksize;
901 
902 	if (!alg->statesize) {
903 		alg->import = skcipher_noimport;
904 		alg->export = skcipher_noexport;
905 	} else if (!(alg->import && alg->export))
906 		return -EINVAL;
907 
908 	base->cra_type = &crypto_skcipher_type;
909 	base->cra_flags |= CRYPTO_ALG_TYPE_SKCIPHER;
910 
911 	return 0;
912 }
913 
crypto_register_skcipher(struct skcipher_alg * alg)914 int crypto_register_skcipher(struct skcipher_alg *alg)
915 {
916 	struct crypto_alg *base = &alg->base;
917 	int err;
918 
919 	err = skcipher_prepare_alg(alg);
920 	if (err)
921 		return err;
922 
923 	return crypto_register_alg(base);
924 }
925 EXPORT_SYMBOL_GPL(crypto_register_skcipher);
926 
crypto_unregister_skcipher(struct skcipher_alg * alg)927 void crypto_unregister_skcipher(struct skcipher_alg *alg)
928 {
929 	crypto_unregister_alg(&alg->base);
930 }
931 EXPORT_SYMBOL_GPL(crypto_unregister_skcipher);
932 
crypto_register_skciphers(struct skcipher_alg * algs,int count)933 int crypto_register_skciphers(struct skcipher_alg *algs, int count)
934 {
935 	int i, ret;
936 
937 	for (i = 0; i < count; i++) {
938 		ret = crypto_register_skcipher(&algs[i]);
939 		if (ret)
940 			goto err;
941 	}
942 
943 	return 0;
944 
945 err:
946 	for (--i; i >= 0; --i)
947 		crypto_unregister_skcipher(&algs[i]);
948 
949 	return ret;
950 }
951 EXPORT_SYMBOL_GPL(crypto_register_skciphers);
952 
crypto_unregister_skciphers(struct skcipher_alg * algs,int count)953 void crypto_unregister_skciphers(struct skcipher_alg *algs, int count)
954 {
955 	int i;
956 
957 	for (i = count - 1; i >= 0; --i)
958 		crypto_unregister_skcipher(&algs[i]);
959 }
960 EXPORT_SYMBOL_GPL(crypto_unregister_skciphers);
961 
skcipher_register_instance(struct crypto_template * tmpl,struct skcipher_instance * inst)962 int skcipher_register_instance(struct crypto_template *tmpl,
963 			   struct skcipher_instance *inst)
964 {
965 	int err;
966 
967 	if (WARN_ON(!inst->free))
968 		return -EINVAL;
969 
970 	err = skcipher_prepare_alg(&inst->alg);
971 	if (err)
972 		return err;
973 
974 	return crypto_register_instance(tmpl, skcipher_crypto_instance(inst));
975 }
976 EXPORT_SYMBOL_GPL(skcipher_register_instance);
977 
skcipher_setkey_simple(struct crypto_skcipher * tfm,const u8 * key,unsigned int keylen)978 static int skcipher_setkey_simple(struct crypto_skcipher *tfm, const u8 *key,
979 				  unsigned int keylen)
980 {
981 	struct crypto_cipher *cipher = skcipher_cipher_simple(tfm);
982 
983 	crypto_cipher_clear_flags(cipher, CRYPTO_TFM_REQ_MASK);
984 	crypto_cipher_set_flags(cipher, crypto_skcipher_get_flags(tfm) &
985 				CRYPTO_TFM_REQ_MASK);
986 	return crypto_cipher_setkey(cipher, key, keylen);
987 }
988 
skcipher_init_tfm_simple(struct crypto_skcipher * tfm)989 static int skcipher_init_tfm_simple(struct crypto_skcipher *tfm)
990 {
991 	struct skcipher_instance *inst = skcipher_alg_instance(tfm);
992 	struct crypto_cipher_spawn *spawn = skcipher_instance_ctx(inst);
993 	struct skcipher_ctx_simple *ctx = crypto_skcipher_ctx(tfm);
994 	struct crypto_cipher *cipher;
995 
996 	cipher = crypto_spawn_cipher(spawn);
997 	if (IS_ERR(cipher))
998 		return PTR_ERR(cipher);
999 
1000 	ctx->cipher = cipher;
1001 	return 0;
1002 }
1003 
skcipher_exit_tfm_simple(struct crypto_skcipher * tfm)1004 static void skcipher_exit_tfm_simple(struct crypto_skcipher *tfm)
1005 {
1006 	struct skcipher_ctx_simple *ctx = crypto_skcipher_ctx(tfm);
1007 
1008 	crypto_free_cipher(ctx->cipher);
1009 }
1010 
skcipher_free_instance_simple(struct skcipher_instance * inst)1011 static void skcipher_free_instance_simple(struct skcipher_instance *inst)
1012 {
1013 	crypto_drop_cipher(skcipher_instance_ctx(inst));
1014 	kfree(inst);
1015 }
1016 
1017 /**
1018  * skcipher_alloc_instance_simple - allocate instance of simple block cipher mode
1019  *
1020  * Allocate an skcipher_instance for a simple block cipher mode of operation,
1021  * e.g. cbc or ecb.  The instance context will have just a single crypto_spawn,
1022  * that for the underlying cipher.  The {min,max}_keysize, ivsize, blocksize,
1023  * alignmask, and priority are set from the underlying cipher but can be
1024  * overridden if needed.  The tfm context defaults to skcipher_ctx_simple, and
1025  * default ->setkey(), ->init(), and ->exit() methods are installed.
1026  *
1027  * @tmpl: the template being instantiated
1028  * @tb: the template parameters
1029  *
1030  * Return: a pointer to the new instance, or an ERR_PTR().  The caller still
1031  *	   needs to register the instance.
1032  */
skcipher_alloc_instance_simple(struct crypto_template * tmpl,struct rtattr ** tb)1033 struct skcipher_instance *skcipher_alloc_instance_simple(
1034 	struct crypto_template *tmpl, struct rtattr **tb)
1035 {
1036 	u32 mask;
1037 	struct skcipher_instance *inst;
1038 	struct crypto_cipher_spawn *spawn;
1039 	struct crypto_alg *cipher_alg;
1040 	int err;
1041 
1042 	err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_SKCIPHER, &mask);
1043 	if (err)
1044 		return ERR_PTR(err);
1045 
1046 	inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
1047 	if (!inst)
1048 		return ERR_PTR(-ENOMEM);
1049 	spawn = skcipher_instance_ctx(inst);
1050 
1051 	err = crypto_grab_cipher(spawn, skcipher_crypto_instance(inst),
1052 				 crypto_attr_alg_name(tb[1]), 0, mask);
1053 	if (err)
1054 		goto err_free_inst;
1055 	cipher_alg = crypto_spawn_cipher_alg(spawn);
1056 
1057 	err = crypto_inst_setname(skcipher_crypto_instance(inst), tmpl->name,
1058 				  cipher_alg);
1059 	if (err)
1060 		goto err_free_inst;
1061 
1062 	inst->free = skcipher_free_instance_simple;
1063 
1064 	/* Default algorithm properties, can be overridden */
1065 	inst->alg.base.cra_blocksize = cipher_alg->cra_blocksize;
1066 	inst->alg.base.cra_alignmask = cipher_alg->cra_alignmask;
1067 	inst->alg.base.cra_priority = cipher_alg->cra_priority;
1068 	inst->alg.min_keysize = cipher_alg->cra_cipher.cia_min_keysize;
1069 	inst->alg.max_keysize = cipher_alg->cra_cipher.cia_max_keysize;
1070 	inst->alg.ivsize = cipher_alg->cra_blocksize;
1071 
1072 	/* Use skcipher_ctx_simple by default, can be overridden */
1073 	inst->alg.base.cra_ctxsize = sizeof(struct skcipher_ctx_simple);
1074 	inst->alg.setkey = skcipher_setkey_simple;
1075 	inst->alg.init = skcipher_init_tfm_simple;
1076 	inst->alg.exit = skcipher_exit_tfm_simple;
1077 
1078 	return inst;
1079 
1080 err_free_inst:
1081 	skcipher_free_instance_simple(inst);
1082 	return ERR_PTR(err);
1083 }
1084 EXPORT_SYMBOL_GPL(skcipher_alloc_instance_simple);
1085 
1086 MODULE_LICENSE("GPL");
1087 MODULE_DESCRIPTION("Symmetric key cipher type");
1088 MODULE_IMPORT_NS(CRYPTO_INTERNAL);
1089