]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blame - crypto/algif_aead.c
projects / mirror_ubuntu-bionic-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
crypto: caam - Remove unused dentry members
[mirror_ubuntu-bionic-kernel.git] / crypto / algif_aead.c
CommitLineData
400c40cf
SM		 1/*
2 * algif_aead: User-space interface for AEAD algorithms
3 *
4 * Copyright (C) 2014, Stephan Mueller <smueller@chronox.de>
5 *
6 * This file provides the user-space API for AEAD ciphers.
7 *
400c40cf
SM		 8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the Free
10 * Software Foundation; either version 2 of the License, or (at your option)
11 * any later version.
d887c52d
SM		 12 *
13 * The following concept of the memory management is used:
14 *
15 * The kernel maintains two SGLs, the TX SGL and the RX SGL. The TX SGL is
16 * filled by user space with the data submitted via sendpage/sendmsg. Filling
17 * up the TX SGL does not cause a crypto operation -- the data will only be
18 * tracked by the kernel. Upon receipt of one recvmsg call, the caller must
19 * provide a buffer which is tracked with the RX SGL.
20 *
21 * During the processing of the recvmsg operation, the cipher request is
22 * allocated and prepared. As part of the recvmsg operation, the processed
23 * TX buffers are extracted from the TX SGL into a separate SGL.
24 *
25 * After the completion of the crypto operation, the RX SGL and the cipher
26 * request is released. The extracted TX SGL parts are released together with
27 * the RX SGL release.
400c40cf
SM		 28 */
29
83094e5e 30#include <crypto/internal/aead.h>
400c40cf
SM		 31#include <crypto/scatterwalk.h>
32#include <crypto/if_alg.h>
72548b09
SM		 33#include <crypto/skcipher.h>
34#include <crypto/null.h>
400c40cf
SM		 35#include <linux/init.h>
36#include <linux/list.h>
37#include <linux/kernel.h>
174cd4b1 38#include <linux/sched/signal.h>
400c40cf
SM		 39#include <linux/mm.h>
40#include <linux/module.h>
41#include <linux/net.h>
42#include <net/sock.h>
43
d887c52d
SM		 44struct aead_tsgl {
45 struct list_head list;
46 unsigned int cur; /* Last processed SG entry */
47 struct scatterlist sg[0]; /* Array of SGs forming the SGL */
400c40cf
SM		 48};
49
d887c52d 50struct aead_rsgl {
83094e5e
TS		 51 struct af_alg_sgl sgl;
52 struct list_head list;
d887c52d 53 size_t sg_num_bytes; /* Bytes of data in that SGL */
83094e5e
TS		 54};
55
56struct aead_async_req {
83094e5e 57 struct kiocb *iocb;
e6534aeb 58 struct sock *sk;
d887c52d
SM		 59
60 struct aead_rsgl first_rsgl; /* First RX SG */
61 struct list_head rsgl_list; /* Track RX SGs */
62
63 struct scatterlist *tsgl; /* priv. TX SGL of buffers to process */
64 unsigned int tsgl_entries; /* number of entries in priv. TX SGL */
65
66 unsigned int outlen; /* Filled output buf length */
67
68 unsigned int areqlen; /* Length of this data struct */
69 struct aead_request aead_req; /* req ctx trails this struct */
83094e5e
TS		 70};
71
2a2a251f
SM		 72struct aead_tfm {
73 struct crypto_aead *aead;
74 bool has_key;
72548b09 75 struct crypto_skcipher *null_tfm;
2a2a251f
SM		 76};
77
400c40cf 78struct aead_ctx {
d887c52d 79 struct list_head tsgl_list; /* Link to TX SGL */
400c40cf
SM		 80
81 void *iv;
d887c52d 82 size_t aead_assoclen;
400c40cf 83
d887c52d 84 struct af_alg_completion completion; /* sync work queue */
400c40cf 85
d887c52d
SM		 86 size_t used; /* TX bytes sent to kernel */
87 size_t rcvused; /* total RX bytes to be processed by kernel */
400c40cf 88
d887c52d
SM		 89 bool more; /* More data to be expected? */
90 bool merge; /* Merge new data into existing SG */
91 bool enc; /* Crypto operation: enc, dec */
400c40cf 92
d887c52d 93 unsigned int len; /* Length of allocated memory for this struct */
400c40cf
SM		 94};
95
d887c52d
SM		 96#define MAX_SGL_ENTS ((4096 - sizeof(struct aead_tsgl)) / \
97 sizeof(struct scatterlist) - 1)
98
400c40cf
SM		 99static inline int aead_sndbuf(struct sock *sk)
100{
101 struct alg_sock *ask = alg_sk(sk);
102 struct aead_ctx *ctx = ask->private;
103
104 return max_t(int, max_t(int, sk->sk_sndbuf & PAGE_MASK, PAGE_SIZE) -
105 ctx->used, 0);
106}
107
108static inline bool aead_writable(struct sock *sk)
109{
110 return PAGE_SIZE <= aead_sndbuf(sk);
111}
112
d887c52d 113static inline int aead_rcvbuf(struct sock *sk)
400c40cf 114{
d887c52d
SM		 115 struct alg_sock *ask = alg_sk(sk);
116 struct aead_ctx *ctx = ask->private;
117
118 return max_t(int, max_t(int, sk->sk_rcvbuf & PAGE_MASK, PAGE_SIZE) -
119 ctx->rcvused, 0);
120}
121
122static inline bool aead_readable(struct sock *sk)
123{
124 return PAGE_SIZE <= aead_rcvbuf(sk);
125}
126
127static inline bool aead_sufficient_data(struct sock *sk)
128{
129 struct alg_sock *ask = alg_sk(sk);
130 struct sock *psk = ask->parent;
131 struct alg_sock *pask = alg_sk(psk);
132 struct aead_ctx *ctx = ask->private;
133 struct aead_tfm *aeadc = pask->private;
134 struct crypto_aead *tfm = aeadc->aead;
135 unsigned int as = crypto_aead_authsize(tfm);
400c40cf 136
0c1e16cd
SM		 137 /*
138 * The minimum amount of memory needed for an AEAD cipher is
139 * the AAD and in case of decryption the tag.
140 */
141 return ctx->used >= ctx->aead_assoclen + (ctx->enc ? 0 : as);
400c40cf
SM		 142}
143
d887c52d 144static int aead_alloc_tsgl(struct sock *sk)
83094e5e 145{
d887c52d
SM		 146 struct alg_sock *ask = alg_sk(sk);
147 struct aead_ctx *ctx = ask->private;
148 struct aead_tsgl *sgl;
149 struct scatterlist *sg = NULL;
83094e5e 150
d887c52d
SM		 151 sgl = list_entry(ctx->tsgl_list.prev, struct aead_tsgl, list);
152 if (!list_empty(&ctx->tsgl_list))
153 sg = sgl->sg;
154
155 if (!sg || sgl->cur >= MAX_SGL_ENTS) {
156 sgl = sock_kmalloc(sk, sizeof(*sgl) +
157 sizeof(sgl->sg[0]) * (MAX_SGL_ENTS + 1),
158 GFP_KERNEL);
159 if (!sgl)
160 return -ENOMEM;
161
162 sg_init_table(sgl->sg, MAX_SGL_ENTS + 1);
163 sgl->cur = 0;
164
165 if (sg)
166 sg_chain(sg, MAX_SGL_ENTS + 1, sgl->sg);
167
168 list_add_tail(&sgl->list, &ctx->tsgl_list);
169 }
170
171 return 0;
172}
173
72548b09
SM		 174/**
175 * Count number of SG entries from the beginning of the SGL to @bytes. If
176 * an offset is provided, the counting of the SG entries starts at the offset.
177 */
178static unsigned int aead_count_tsgl(struct sock *sk, size_t bytes,
179 size_t offset)
d887c52d
SM		 180{
181 struct alg_sock *ask = alg_sk(sk);
182 struct aead_ctx *ctx = ask->private;
183 struct aead_tsgl *sgl, *tmp;
184 unsigned int i;
185 unsigned int sgl_count = 0;
186
187 if (!bytes)
188 return 0;
189
190 list_for_each_entry_safe(sgl, tmp, &ctx->tsgl_list, list) {
191 struct scatterlist *sg = sgl->sg;
192
193 for (i = 0; i < sgl->cur; i++) {
72548b09
SM		 194 size_t bytes_count;
195
196 /* Skip offset */
197 if (offset >= sg[i].length) {
198 offset -= sg[i].length;
199 bytes -= sg[i].length;
200 continue;
201 }
202
203 bytes_count = sg[i].length - offset;
204
205 offset = 0;
d887c52d 206 sgl_count++;
72548b09
SM		 207
208 /* If we have seen requested number of bytes, stop */
209 if (bytes_count >= bytes)
d887c52d
SM		 210 return sgl_count;
211
72548b09 212 bytes -= bytes_count;
d887c52d
SM		 213 }
214 }
215
216 return sgl_count;
83094e5e
TS		 217}
218
72548b09
SM		 219/**
220 * Release the specified buffers from TX SGL pointed to by ctx->tsgl_list for
221 * @used bytes.
222 *
223 * If @dst is non-null, reassign the pages to dst. The caller must release
224 * the pages. If @dst_offset is given only reassign the pages to @dst starting
225 * at the @dst_offset (byte). The caller must ensure that @dst is large
226 * enough (e.g. by using aead_count_tsgl with the same offset).
227 */
d887c52d 228static void aead_pull_tsgl(struct sock *sk, size_t used,
72548b09 229 struct scatterlist *dst, size_t dst_offset)
400c40cf
SM		 230{
231 struct alg_sock *ask = alg_sk(sk);
232 struct aead_ctx *ctx = ask->private;
d887c52d
SM		 233 struct aead_tsgl *sgl;
234 struct scatterlist *sg;
72548b09 235 unsigned int i, j;
400c40cf 236
d887c52d
SM		 237 while (!list_empty(&ctx->tsgl_list)) {
238 sgl = list_first_entry(&ctx->tsgl_list, struct aead_tsgl,
239 list);
240 sg = sgl->sg;
241
72548b09 242 for (i = 0, j = 0; i < sgl->cur; i++) {
d887c52d
SM		 243 size_t plen = min_t(size_t, used, sg[i].length);
244 struct page *page = sg_page(sg + i);
245
246 if (!page)
247 continue;
248
249 /*
250 * Assumption: caller created aead_count_tsgl(len)
251 * SG entries in dst.
252 */
72548b09
SM		 253 if (dst) {
254 if (dst_offset >= plen) {
255 /* discard page before offset */
256 dst_offset -= plen;
257 put_page(page);
258 } else {
259 /* reassign page to dst after offset */
260 sg_set_page(dst + j, page,
261 plen - dst_offset,
262 sg[i].offset + dst_offset);
263 dst_offset = 0;
264 j++;
265 }
266 }
d887c52d
SM		 267
268 sg[i].length -= plen;
269 sg[i].offset += plen;
270
271 used -= plen;
272 ctx->used -= plen;
273
274 if (sg[i].length)
275 return;
276
277 if (!dst)
278 put_page(page);
72548b09 279
d887c52d
SM		 280 sg_assign_page(sg + i, NULL);
281 }
282
283 list_del(&sgl->list);
284 sock_kfree_s(sk, sgl, sizeof(*sgl) + sizeof(sgl->sg[0]) *
285 (MAX_SGL_ENTS + 1));
286 }
287
288 if (!ctx->used)
289 ctx->merge = 0;
290}
291
292static void aead_free_areq_sgls(struct aead_async_req *areq)
293{
294 struct sock *sk = areq->sk;
295 struct alg_sock *ask = alg_sk(sk);
296 struct aead_ctx *ctx = ask->private;
297 struct aead_rsgl *rsgl, *tmp;
298 struct scatterlist *tsgl;
299 struct scatterlist *sg;
300 unsigned int i;
301
302 list_for_each_entry_safe(rsgl, tmp, &areq->rsgl_list, list) {
303 ctx->rcvused -= rsgl->sg_num_bytes;
304 af_alg_free_sg(&rsgl->sgl);
305 list_del(&rsgl->list);
306 if (rsgl != &areq->first_rsgl)
307 sock_kfree_s(sk, rsgl, sizeof(*rsgl));
308 }
309
310 tsgl = areq->tsgl;
311 for_each_sg(tsgl, sg, areq->tsgl_entries, i) {
312 if (!sg_page(sg))
400c40cf 313 continue;
d887c52d
SM		 314 put_page(sg_page(sg));
315 }
316
317 if (areq->tsgl && areq->tsgl_entries)
318 sock_kfree_s(sk, tsgl, areq->tsgl_entries * sizeof(*tsgl));
319}
320
321static int aead_wait_for_wmem(struct sock *sk, unsigned int flags)
322{
323 DEFINE_WAIT_FUNC(wait, woken_wake_function);
324 int err = -ERESTARTSYS;
325 long timeout;
326
327 if (flags & MSG_DONTWAIT)
328 return -EAGAIN;
400c40cf 329
d887c52d
SM		 330 sk_set_bit(SOCKWQ_ASYNC_NOSPACE, sk);
331
332 add_wait_queue(sk_sleep(sk), &wait);
333 for (;;) {
334 if (signal_pending(current))
335 break;
336 timeout = MAX_SCHEDULE_TIMEOUT;
337 if (sk_wait_event(sk, &timeout, aead_writable(sk), &wait)) {
338 err = 0;
339 break;
340 }
400c40cf 341 }
d887c52d
SM		 342 remove_wait_queue(sk_sleep(sk), &wait);
343
344 return err;
400c40cf
SM		 345}
346
347static void aead_wmem_wakeup(struct sock *sk)
348{
349 struct socket_wq *wq;
350
351 if (!aead_writable(sk))
352 return;
353
354 rcu_read_lock();
355 wq = rcu_dereference(sk->sk_wq);
1ce0bf50 356 if (skwq_has_sleeper(wq))
400c40cf
SM		 357 wake_up_interruptible_sync_poll(&wq->wait, POLLIN |
358 POLLRDNORM |
359 POLLRDBAND);
360 sk_wake_async(sk, SOCK_WAKE_WAITD, POLL_IN);
361 rcu_read_unlock();
362}
363
364static int aead_wait_for_data(struct sock *sk, unsigned flags)
365{
d9dc8b0f 366 DEFINE_WAIT_FUNC(wait, woken_wake_function);
400c40cf
SM		 367 struct alg_sock *ask = alg_sk(sk);
368 struct aead_ctx *ctx = ask->private;
369 long timeout;
400c40cf
SM		 370 int err = -ERESTARTSYS;
371
372 if (flags & MSG_DONTWAIT)
373 return -EAGAIN;
374
9cd3e072 375 sk_set_bit(SOCKWQ_ASYNC_WAITDATA, sk);
d887c52d 376
d9dc8b0f 377 add_wait_queue(sk_sleep(sk), &wait);
400c40cf
SM		 378 for (;;) {
379 if (signal_pending(current))
380 break;
400c40cf 381 timeout = MAX_SCHEDULE_TIMEOUT;
d9dc8b0f 382 if (sk_wait_event(sk, &timeout, !ctx->more, &wait)) {
400c40cf
SM		 383 err = 0;
384 break;
385 }
386 }
d9dc8b0f 387 remove_wait_queue(sk_sleep(sk), &wait);
400c40cf 388
9cd3e072 389 sk_clear_bit(SOCKWQ_ASYNC_WAITDATA, sk);
400c40cf
SM		 390
391 return err;
392}
393
394static void aead_data_wakeup(struct sock *sk)
395{
396 struct alg_sock *ask = alg_sk(sk);
397 struct aead_ctx *ctx = ask->private;
398 struct socket_wq *wq;
399
400c40cf
SM		 400 if (!ctx->used)
401 return;
402
403 rcu_read_lock();
404 wq = rcu_dereference(sk->sk_wq);
1ce0bf50 405 if (skwq_has_sleeper(wq))
400c40cf
SM		 406 wake_up_interruptible_sync_poll(&wq->wait, POLLOUT |
407 POLLRDNORM |
408 POLLRDBAND);
409 sk_wake_async(sk, SOCK_WAKE_SPACE, POLL_OUT);
410 rcu_read_unlock();
411}
412
eccd02f3 413static int aead_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
400c40cf
SM		 414{
415 struct sock *sk = sock->sk;
416 struct alg_sock *ask = alg_sk(sk);
d887c52d
SM		 417 struct sock *psk = ask->parent;
418 struct alg_sock *pask = alg_sk(psk);
400c40cf 419 struct aead_ctx *ctx = ask->private;
d887c52d
SM		 420 struct aead_tfm *aeadc = pask->private;
421 struct crypto_aead *tfm = aeadc->aead;
422 unsigned int ivsize = crypto_aead_ivsize(tfm);
423 struct aead_tsgl *sgl;
400c40cf
SM		 424 struct af_alg_control con = {};
425 long copied = 0;
426 bool enc = 0;
427 bool init = 0;
d887c52d 428 int err = 0;
400c40cf
SM		 429
430 if (msg->msg_controllen) {
431 err = af_alg_cmsg_send(msg, &con);
432 if (err)
433 return err;
434
435 init = 1;
436 switch (con.op) {
437 case ALG_OP_ENCRYPT:
438 enc = 1;
439 break;
440 case ALG_OP_DECRYPT:
441 enc = 0;
442 break;
443 default:
444 return -EINVAL;
445 }
446
447 if (con.iv && con.iv->ivlen != ivsize)
448 return -EINVAL;
449 }
450
451 lock_sock(sk);
d887c52d
SM		 452 if (!ctx->more && ctx->used) {
453 err = -EINVAL;
400c40cf 454 goto unlock;
d887c52d 455 }
400c40cf
SM		 456
457 if (init) {
458 ctx->enc = enc;
459 if (con.iv)
460 memcpy(ctx->iv, con.iv->iv, ivsize);
461
462 ctx->aead_assoclen = con.aead_assoclen;
463 }
464
465 while (size) {
d887c52d 466 struct scatterlist *sg;
652d5b8a 467 size_t len = size;
d887c52d 468 size_t plen;
400c40cf
SM		 469
470 /* use the existing memory in an allocated page */
471 if (ctx->merge) {
d887c52d
SM		 472 sgl = list_entry(ctx->tsgl_list.prev,
473 struct aead_tsgl, list);
400c40cf
SM		 474 sg = sgl->sg + sgl->cur - 1;
475 len = min_t(unsigned long, len,
476 PAGE_SIZE - sg->offset - sg->length);
477 err = memcpy_from_msg(page_address(sg_page(sg)) +
478 sg->offset + sg->length,
479 msg, len);
480 if (err)
481 goto unlock;
482
483 sg->length += len;
484 ctx->merge = (sg->offset + sg->length) &
485 (PAGE_SIZE - 1);
486
487 ctx->used += len;
488 copied += len;
489 size -= len;
490 continue;
491 }
492
493 if (!aead_writable(sk)) {
d887c52d
SM		 494 err = aead_wait_for_wmem(sk, msg->msg_flags);
495 if (err)
496 goto unlock;
400c40cf
SM		 497 }
498
499 /* allocate a new page */
500 len = min_t(unsigned long, size, aead_sndbuf(sk));
400c40cf 501
d887c52d
SM		 502 err = aead_alloc_tsgl(sk);
503 if (err)
504 goto unlock;
505
506 sgl = list_entry(ctx->tsgl_list.prev, struct aead_tsgl,
507 list);
508 sg = sgl->sg;
509 if (sgl->cur)
510 sg_unmark_end(sg + sgl->cur - 1);
511
512 do {
513 unsigned int i = sgl->cur;
400c40cf 514
652d5b8a 515 plen = min_t(size_t, len, PAGE_SIZE);
400c40cf 516
d887c52d
SM		 517 sg_assign_page(sg + i, alloc_page(GFP_KERNEL));
518 if (!sg_page(sg + i)) {
519 err = -ENOMEM;
400c40cf 520 goto unlock;
d887c52d 521 }
400c40cf 522
d887c52d 523 err = memcpy_from_msg(page_address(sg_page(sg + i)),
400c40cf
SM		 524 msg, plen);
525 if (err) {
d887c52d
SM		 526 __free_page(sg_page(sg + i));
527 sg_assign_page(sg + i, NULL);
400c40cf
SM		 528 goto unlock;
529 }
530
d887c52d 531 sg[i].length = plen;
400c40cf
SM		 532 len -= plen;
533 ctx->used += plen;
534 copied += plen;
400c40cf 535 size -= plen;
d887c52d
SM		 536 sgl->cur++;
537 } while (len && sgl->cur < MAX_SGL_ENTS);
538
539 if (!size)
540 sg_mark_end(sg + sgl->cur - 1);
541
542 ctx->merge = plen & (PAGE_SIZE - 1);
400c40cf
SM		 543 }
544
545 err = 0;
546
547 ctx->more = msg->msg_flags & MSG_MORE;
400c40cf
SM		 548
549unlock:
550 aead_data_wakeup(sk);
551 release_sock(sk);
552
553 return err ?: copied;
554}
555
556static ssize_t aead_sendpage(struct socket *sock, struct page *page,
557 int offset, size_t size, int flags)
558{
559 struct sock *sk = sock->sk;
560 struct alg_sock *ask = alg_sk(sk);
561 struct aead_ctx *ctx = ask->private;
d887c52d 562 struct aead_tsgl *sgl;
400c40cf
SM		 563 int err = -EINVAL;
564
565 if (flags & MSG_SENDPAGE_NOTLAST)
566 flags |= MSG_MORE;
567
400c40cf
SM		 568 lock_sock(sk);
569 if (!ctx->more && ctx->used)
570 goto unlock;
571
572 if (!size)
573 goto done;
574
575 if (!aead_writable(sk)) {
d887c52d
SM		 576 err = aead_wait_for_wmem(sk, flags);
577 if (err)
578 goto unlock;
400c40cf
SM		 579 }
580
d887c52d
SM		 581 err = aead_alloc_tsgl(sk);
582 if (err)
583 goto unlock;
584
400c40cf 585 ctx->merge = 0;
d887c52d
SM		 586 sgl = list_entry(ctx->tsgl_list.prev, struct aead_tsgl, list);
587
588 if (sgl->cur)
589 sg_unmark_end(sgl->sg + sgl->cur - 1);
590
591 sg_mark_end(sgl->sg + sgl->cur);
400c40cf
SM		 592
593 get_page(page);
594 sg_set_page(sgl->sg + sgl->cur, page, size, offset);
595 sgl->cur++;
596 ctx->used += size;
597
598 err = 0;
599
600done:
601 ctx->more = flags & MSG_MORE;
400c40cf
SM		 602unlock:
603 aead_data_wakeup(sk);
604 release_sock(sk);
605
606 return err ?: size;
607}
608
83094e5e
TS		 609static void aead_async_cb(struct crypto_async_request *_req, int err)
610{
d887c52d 611 struct aead_async_req *areq = _req->data;
e6534aeb 612 struct sock *sk = areq->sk;
83094e5e 613 struct kiocb *iocb = areq->iocb;
d887c52d 614 unsigned int resultlen;
83094e5e
TS		 615
616 lock_sock(sk);
83094e5e 617
d887c52d
SM		 618 /* Buffer size written by crypto operation. */
619 resultlen = areq->outlen;
0c1e16cd 620
d887c52d
SM		 621 aead_free_areq_sgls(areq);
622 sock_kfree_s(sk, areq, areq->areqlen);
623 __sock_put(sk);
83094e5e 624
d887c52d 625 iocb->ki_complete(iocb, err ? err : resultlen, 0);
83094e5e 626
83094e5e 627 release_sock(sk);
83094e5e
TS		 628}
629
72548b09
SM		 630static int crypto_aead_copy_sgl(struct crypto_skcipher *null_tfm,
631 struct scatterlist *src,
632 struct scatterlist *dst, unsigned int len)
633{
634 SKCIPHER_REQUEST_ON_STACK(skreq, null_tfm);
635
636 skcipher_request_set_tfm(skreq, null_tfm);
637 skcipher_request_set_callback(skreq, CRYPTO_TFM_REQ_MAY_BACKLOG,
638 NULL, NULL);
639 skcipher_request_set_crypt(skreq, src, dst, len, NULL);
640
641 return crypto_skcipher_encrypt(skreq);
642}
643
d887c52d
SM		 644static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
645 size_t ignored, int flags)
400c40cf
SM		 646{
647 struct sock *sk = sock->sk;
648 struct alg_sock *ask = alg_sk(sk);
d887c52d
SM		 649 struct sock *psk = ask->parent;
650 struct alg_sock *pask = alg_sk(psk);
400c40cf 651 struct aead_ctx *ctx = ask->private;
d887c52d
SM		 652 struct aead_tfm *aeadc = pask->private;
653 struct crypto_aead *tfm = aeadc->aead;
72548b09 654 struct crypto_skcipher *null_tfm = aeadc->null_tfm;
d887c52d
SM		 655 unsigned int as = crypto_aead_authsize(tfm);
656 unsigned int areqlen =
657 sizeof(struct aead_async_req) + crypto_aead_reqsize(tfm);
658 struct aead_async_req *areq;
659 struct aead_rsgl *last_rsgl = NULL;
72548b09
SM		 660 struct aead_tsgl *tsgl;
661 struct scatterlist *src;
d887c52d
SM		 662 int err = 0;
663 size_t used = 0; /* [in] TX bufs to be en/decrypted */
664 size_t outlen = 0; /* [out] RX bufs produced by kernel */
665 size_t usedpages = 0; /* [in] RX bufs to be used from user */
666 size_t processed = 0; /* [in] TX bufs to be consumed */
400c40cf
SM		 667
668 /*
d887c52d
SM		 669 * Data length provided by caller via sendmsg/sendpage that has not
670 * yet been processed.
400c40cf 671 */
400c40cf
SM		 672 used = ctx->used;
673
674 /*
675 * Make sure sufficient data is present -- note, the same check is
676 * is also present in sendmsg/sendpage. The checks in sendpage/sendmsg
677 * shall provide an information to the data sender that something is
678 * wrong, but they are irrelevant to maintain the kernel integrity.
679 * We need this check here too in case user space decides to not honor
680 * the error message in sendmsg/sendpage and still call recvmsg. This
681 * check here protects the kernel integrity.
682 */
d887c52d
SM		 683 if (!aead_sufficient_data(sk))
684 return -EINVAL;
400c40cf 685
0c1e16cd
SM		 686 /*
687 * Calculate the minimum output buffer size holding the result of the
688 * cipher operation. When encrypting data, the receiving buffer is
689 * larger by the tag length compared to the input buffer as the
690 * encryption operation generates the tag. For decryption, the input
691 * buffer provides the tag which is consumed resulting in only the
692 * plaintext without a buffer for the tag returned to the caller.
693 */
694 if (ctx->enc)
695 outlen = used + as;
696 else
697 outlen = used - as;
19fa7752 698
400c40cf
SM		 699 /*
700 * The cipher operation input data is reduced by the associated data
701 * length as this data is processed separately later on.
702 */
0c1e16cd 703 used -= ctx->aead_assoclen;
400c40cf 704
d887c52d
SM		 705 /* Allocate cipher request for current operation. */
706 areq = sock_kmalloc(sk, areqlen, GFP_KERNEL);
707 if (unlikely(!areq))
708 return -ENOMEM;
709 areq->areqlen = areqlen;
710 areq->sk = sk;
711 INIT_LIST_HEAD(&areq->rsgl_list);
712 areq->tsgl = NULL;
713 areq->tsgl_entries = 0;
714
715 /* convert iovecs of output buffers into RX SGL */
716 while (outlen > usedpages && msg_data_left(msg)) {
717 struct aead_rsgl *rsgl;
718 size_t seglen;
719
720 /* limit the amount of readable buffers */
721 if (!aead_readable(sk))
722 break;
400c40cf 723
d887c52d
SM		 724 if (!ctx->used) {
725 err = aead_wait_for_data(sk, flags);
726 if (err)
727 goto free;
728 }
729
730 seglen = min_t(size_t, (outlen - usedpages),
731 msg_data_left(msg));
732
733 if (list_empty(&areq->rsgl_list)) {
734 rsgl = &areq->first_rsgl;
83094e5e
TS		 735 } else {
736 rsgl = sock_kmalloc(sk, sizeof(*rsgl), GFP_KERNEL);
737 if (unlikely(!rsgl)) {
738 err = -ENOMEM;
d887c52d 739 goto free;
83094e5e
TS		 740 }
741 }
d887c52d 742
83094e5e 743 rsgl->sgl.npages = 0;
d887c52d 744 list_add_tail(&rsgl->list, &areq->rsgl_list);
83094e5e 745
400c40cf 746 /* make one iovec available as scatterlist */
83094e5e 747 err = af_alg_make_sg(&rsgl->sgl, &msg->msg_iter, seglen);
400c40cf 748 if (err < 0)
d887c52d
SM		 749 goto free;
750
7b2a18e0 751 /* chain the new scatterlist with previous one */
83094e5e
TS		 752 if (last_rsgl)
753 af_alg_link_sg(&last_rsgl->sgl, &rsgl->sgl);
754
755 last_rsgl = rsgl;
d887c52d
SM		 756 usedpages += err;
757 ctx->rcvused += err;
758 rsgl->sg_num_bytes = err;
400c40cf 759 iov_iter_advance(&msg->msg_iter, err);
400c40cf
SM		 760 }
761
d887c52d
SM		 762 /*
763 * Ensure output buffer is sufficiently large. If the caller provides
764 * less buffer space, only use the relative required input size. This
765 * allows AIO operation where the caller sent all data to be processed
766 * and the AIO operation performs the operation on the different chunks
767 * of the input data.
768 */
0c1e16cd 769 if (usedpages < outlen) {
d887c52d 770 size_t less = outlen - usedpages;
400c40cf 771
d887c52d
SM		 772 if (used < less) {
773 err = -EINVAL;
774 goto free;
775 }
776 used -= less;
777 outlen -= less;
778 }
400c40cf 779
72548b09
SM		 780 processed = used + ctx->aead_assoclen;
781 tsgl = list_first_entry(&ctx->tsgl_list, struct aead_tsgl, list);
782
d887c52d 783 /*
72548b09
SM		 784 * Copy of AAD from source to destination
785 *
786 * The AAD is copied to the destination buffer without change. Even
787 * when user space uses an in-place cipher operation, the kernel
788 * will copy the data as it does not see whether such in-place operation
789 * is initiated.
790 *
791 * To ensure efficiency, the following implementation ensure that the
792 * ciphers are invoked to perform a crypto operation in-place. This
793 * is achieved by memory management specified as follows.
d887c52d 794 */
72548b09
SM		 795
796 /* Use the RX SGL as source (and destination) for crypto op. */
797 src = areq->first_rsgl.sgl.sg;
798
799 if (ctx->enc) {
800 /*
801 * Encryption operation - The in-place cipher operation is
802 * achieved by the following operation:
803 *
804 * TX SGL: AAD || PT || Tag
805 * | |
806 * | copy |
807 * v v
808 * RX SGL: AAD || PT
809 */
810 err = crypto_aead_copy_sgl(null_tfm, tsgl->sg,
811 areq->first_rsgl.sgl.sg, processed);
812 if (err)
813 goto free;
814 aead_pull_tsgl(sk, processed, NULL, 0);
815 } else {
816 /*
817 * Decryption operation - To achieve an in-place cipher
818 * operation, the following SGL structure is used:
819 *
820 * TX SGL: AAD || CT || Tag
821 * | | ^
822 * | copy | | Create SGL link.
823 * v v |
824 * RX SGL: AAD || CT ----+
825 */
826
827 /* Copy AAD || CT to RX SGL buffer for in-place operation. */
828 err = crypto_aead_copy_sgl(null_tfm, tsgl->sg,
829 areq->first_rsgl.sgl.sg, outlen);
830 if (err)
831 goto free;
832
833 /* Create TX SGL for tag and chain it to RX SGL. */
834 areq->tsgl_entries = aead_count_tsgl(sk, processed,
835 processed - as);
836 if (!areq->tsgl_entries)
837 areq->tsgl_entries = 1;
838 areq->tsgl = sock_kmalloc(sk, sizeof(*areq->tsgl) *
839 areq->tsgl_entries,
840 GFP_KERNEL);
841 if (!areq->tsgl) {
842 err = -ENOMEM;
843 goto free;
844 }
845 sg_init_table(areq->tsgl, areq->tsgl_entries);
846
847 /* Release TX SGL, except for tag data and reassign tag data. */
848 aead_pull_tsgl(sk, processed, areq->tsgl, processed - as);
849
850 /* chain the areq TX SGL holding the tag with RX SGL */
851 if (last_rsgl) {
852 /* RX SGL present */
853 struct af_alg_sgl *sgl_prev = &last_rsgl->sgl;
854
855 sg_unmark_end(sgl_prev->sg + sgl_prev->npages - 1);
856 sg_chain(sgl_prev->sg, sgl_prev->npages + 1,
857 areq->tsgl);
858 } else
859 /* no RX SGL present (e.g. authentication only) */
860 src = areq->tsgl;
d887c52d 861 }
d887c52d
SM		 862
863 /* Initialize the crypto operation */
72548b09 864 aead_request_set_crypt(&areq->aead_req, src,
d887c52d
SM		 865 areq->first_rsgl.sgl.sg, used, ctx->iv);
866 aead_request_set_ad(&areq->aead_req, ctx->aead_assoclen);
867 aead_request_set_tfm(&areq->aead_req, tfm);
868
869 if (msg->msg_iocb && !is_sync_kiocb(msg->msg_iocb)) {
870 /* AIO operation */
871 areq->iocb = msg->msg_iocb;
872 aead_request_set_callback(&areq->aead_req,
873 CRYPTO_TFM_REQ_MAY_BACKLOG,
874 aead_async_cb, areq);
875 err = ctx->enc ? crypto_aead_encrypt(&areq->aead_req) :
876 crypto_aead_decrypt(&areq->aead_req);
877 } else {
878 /* Synchronous operation */
879 aead_request_set_callback(&areq->aead_req,
880 CRYPTO_TFM_REQ_MAY_BACKLOG,
881 af_alg_complete, &ctx->completion);
882 err = af_alg_wait_for_completion(ctx->enc ?
883 crypto_aead_encrypt(&areq->aead_req) :
884 crypto_aead_decrypt(&areq->aead_req),
400c40cf 885 &ctx->completion);
400c40cf
SM		 886 }
887
d887c52d
SM		 888 /* AIO operation in progress */
889 if (err == -EINPROGRESS) {
890 sock_hold(sk);
400c40cf 891
d887c52d
SM		 892 /* Remember output size that will be generated. */
893 areq->outlen = outlen;
894
895 return -EIOCBQUEUED;
83094e5e 896 }
d887c52d
SM		 897
898free:
899 aead_free_areq_sgls(areq);
900 if (areq)
901 sock_kfree_s(sk, areq, areqlen);
400c40cf
SM		 902
903 return err ? err : outlen;
904}
905
d887c52d
SM		 906static int aead_recvmsg(struct socket *sock, struct msghdr *msg,
907 size_t ignored, int flags)
83094e5e 908{
d887c52d
SM		 909 struct sock *sk = sock->sk;
910 int ret = 0;
911
912 lock_sock(sk);
913 while (msg_data_left(msg)) {
914 int err = _aead_recvmsg(sock, msg, ignored, flags);
915
916 /*
917 * This error covers -EIOCBQUEUED which implies that we can
918 * only handle one AIO request. If the caller wants to have
919 * multiple AIO requests in parallel, he must make multiple
920 * separate AIO calls.
5703c826
SM		 921 *
922 * Also return the error if no data has been processed so far.
d887c52d
SM		 923 */
924 if (err <= 0) {
5703c826 925 if (err == -EIOCBQUEUED || err == -EBADMSG || !ret)
d887c52d
SM		 926 ret = err;
927 goto out;
928 }
929
930 ret += err;
931 }
932
933out:
934 aead_wmem_wakeup(sk);
935 release_sock(sk);
936 return ret;
83094e5e
TS		 937}
938
400c40cf
SM		 939static unsigned int aead_poll(struct file *file, struct socket *sock,
940 poll_table *wait)
941{
942 struct sock *sk = sock->sk;
943 struct alg_sock *ask = alg_sk(sk);
944 struct aead_ctx *ctx = ask->private;
945 unsigned int mask;
946
947 sock_poll_wait(file, sk_sleep(sk), wait);
948 mask = 0;
949
950 if (!ctx->more)
951 mask |= POLLIN | POLLRDNORM;
952
953 if (aead_writable(sk))
954 mask |= POLLOUT | POLLWRNORM | POLLWRBAND;
955
956 return mask;
957}
958
959static struct proto_ops algif_aead_ops = {
960 .family = PF_ALG,
961
962 .connect = sock_no_connect,
963 .socketpair = sock_no_socketpair,
964 .getname = sock_no_getname,
965 .ioctl = sock_no_ioctl,
966 .listen = sock_no_listen,
967 .shutdown = sock_no_shutdown,
968 .getsockopt = sock_no_getsockopt,
969 .mmap = sock_no_mmap,
970 .bind = sock_no_bind,
971 .accept = sock_no_accept,
972 .setsockopt = sock_no_setsockopt,
973
974 .release = af_alg_release,
975 .sendmsg = aead_sendmsg,
976 .sendpage = aead_sendpage,
977 .recvmsg = aead_recvmsg,
978 .poll = aead_poll,
979};
980
2a2a251f
SM		 981static int aead_check_key(struct socket *sock)
982{
983 int err = 0;
984 struct sock *psk;
985 struct alg_sock *pask;
986 struct aead_tfm *tfm;
987 struct sock *sk = sock->sk;
988 struct alg_sock *ask = alg_sk(sk);
989
990 lock_sock(sk);
991 if (ask->refcnt)
992 goto unlock_child;
993
994 psk = ask->parent;
995 pask = alg_sk(ask->parent);
996 tfm = pask->private;
997
998 err = -ENOKEY;
999 lock_sock_nested(psk, SINGLE_DEPTH_NESTING);
1000 if (!tfm->has_key)
1001 goto unlock;
1002
1003 if (!pask->refcnt++)
1004 sock_hold(psk);
1005
1006 ask->refcnt = 1;
1007 sock_put(psk);
1008
1009 err = 0;
1010
1011unlock:
1012 release_sock(psk);
1013unlock_child:
1014 release_sock(sk);
1015
1016 return err;
1017}
1018
1019static int aead_sendmsg_nokey(struct socket *sock, struct msghdr *msg,
1020 size_t size)
1021{
1022 int err;
1023
1024 err = aead_check_key(sock);
1025 if (err)
1026 return err;
1027
1028 return aead_sendmsg(sock, msg, size);
1029}
1030
1031static ssize_t aead_sendpage_nokey(struct socket *sock, struct page *page,
1032 int offset, size_t size, int flags)
1033{
1034 int err;
1035
1036 err = aead_check_key(sock);
1037 if (err)
1038 return err;
1039
1040 return aead_sendpage(sock, page, offset, size, flags);
1041}
1042
1043static int aead_recvmsg_nokey(struct socket *sock, struct msghdr *msg,
1044 size_t ignored, int flags)
1045{
1046 int err;
1047
1048 err = aead_check_key(sock);
1049 if (err)
1050 return err;
1051
1052 return aead_recvmsg(sock, msg, ignored, flags);
1053}
1054
1055static struct proto_ops algif_aead_ops_nokey = {
1056 .family = PF_ALG,
1057
1058 .connect = sock_no_connect,
1059 .socketpair = sock_no_socketpair,
1060 .getname = sock_no_getname,
1061 .ioctl = sock_no_ioctl,
1062 .listen = sock_no_listen,
1063 .shutdown = sock_no_shutdown,
1064 .getsockopt = sock_no_getsockopt,
1065 .mmap = sock_no_mmap,
1066 .bind = sock_no_bind,
1067 .accept = sock_no_accept,
1068 .setsockopt = sock_no_setsockopt,
1069
1070 .release = af_alg_release,
1071 .sendmsg = aead_sendmsg_nokey,
1072 .sendpage = aead_sendpage_nokey,
1073 .recvmsg = aead_recvmsg_nokey,
1074 .poll = aead_poll,
1075};
1076
400c40cf
SM		 1077static void *aead_bind(const char *name, u32 type, u32 mask)
1078{
2a2a251f
SM		 1079 struct aead_tfm *tfm;
1080 struct crypto_aead *aead;
72548b09 1081 struct crypto_skcipher *null_tfm;
2a2a251f
SM		 1082
1083 tfm = kzalloc(sizeof(*tfm), GFP_KERNEL);
1084 if (!tfm)
1085 return ERR_PTR(-ENOMEM);
1086
1087 aead = crypto_alloc_aead(name, type, mask);
1088 if (IS_ERR(aead)) {
1089 kfree(tfm);
1090 return ERR_CAST(aead);
1091 }
1092
72548b09
SM		 1093 null_tfm = crypto_get_default_null_skcipher2();
1094 if (IS_ERR(null_tfm)) {
1095 crypto_free_aead(aead);
1096 kfree(tfm);
1097 return ERR_CAST(null_tfm);
1098 }
1099
2a2a251f 1100 tfm->aead = aead;
72548b09 1101 tfm->null_tfm = null_tfm;
2a2a251f
SM		 1102
1103 return tfm;
400c40cf
SM		 1104}
1105
1106static void aead_release(void *private)
1107{
2a2a251f
SM		 1108 struct aead_tfm *tfm = private;
1109
1110 crypto_free_aead(tfm->aead);
1111 kfree(tfm);
400c40cf
SM		 1112}
1113
1114static int aead_setauthsize(void *private, unsigned int authsize)
1115{
2a2a251f
SM		 1116 struct aead_tfm *tfm = private;
1117
1118 return crypto_aead_setauthsize(tfm->aead, authsize);
400c40cf
SM		 1119}
1120
1121static int aead_setkey(void *private, const u8 *key, unsigned int keylen)
1122{
2a2a251f
SM		 1123 struct aead_tfm *tfm = private;
1124 int err;
1125
1126 err = crypto_aead_setkey(tfm->aead, key, keylen);
1127 tfm->has_key = !err;
1128
1129 return err;
400c40cf
SM		 1130}
1131
1132static void aead_sock_destruct(struct sock *sk)
1133{
1134 struct alg_sock *ask = alg_sk(sk);
1135 struct aead_ctx *ctx = ask->private;
d887c52d
SM		 1136 struct sock *psk = ask->parent;
1137 struct alg_sock *pask = alg_sk(psk);
1138 struct aead_tfm *aeadc = pask->private;
1139 struct crypto_aead *tfm = aeadc->aead;
1140 unsigned int ivlen = crypto_aead_ivsize(tfm);
400c40cf 1141
72548b09
SM		 1142 aead_pull_tsgl(sk, ctx->used, NULL, 0);
1143 crypto_put_default_null_skcipher2();
400c40cf
SM		 1144 sock_kzfree_s(sk, ctx->iv, ivlen);
1145 sock_kfree_s(sk, ctx, ctx->len);
1146 af_alg_release_parent(sk);
1147}
1148
2a2a251f 1149static int aead_accept_parent_nokey(void *private, struct sock *sk)
400c40cf
SM		 1150{
1151 struct aead_ctx *ctx;
1152 struct alg_sock *ask = alg_sk(sk);
2a2a251f
SM		 1153 struct aead_tfm *tfm = private;
1154 struct crypto_aead *aead = tfm->aead;
d887c52d 1155 unsigned int len = sizeof(*ctx);
2a2a251f 1156 unsigned int ivlen = crypto_aead_ivsize(aead);
400c40cf
SM		 1157
1158 ctx = sock_kmalloc(sk, len, GFP_KERNEL);
1159 if (!ctx)
1160 return -ENOMEM;
1161 memset(ctx, 0, len);
1162
1163 ctx->iv = sock_kmalloc(sk, ivlen, GFP_KERNEL);
1164 if (!ctx->iv) {
1165 sock_kfree_s(sk, ctx, len);
1166 return -ENOMEM;
1167 }
1168 memset(ctx->iv, 0, ivlen);
1169
d887c52d 1170 INIT_LIST_HEAD(&ctx->tsgl_list);
400c40cf
SM		 1171 ctx->len = len;
1172 ctx->used = 0;
d887c52d 1173 ctx->rcvused = 0;
400c40cf
SM		 1174 ctx->more = 0;
1175 ctx->merge = 0;
1176 ctx->enc = 0;
400c40cf
SM		 1177 ctx->aead_assoclen = 0;
1178 af_alg_init_completion(&ctx->completion);
400c40cf
SM		 1179
1180 ask->private = ctx;
1181
400c40cf
SM		 1182 sk->sk_destruct = aead_sock_destruct;
1183
1184 return 0;
1185}
1186
2a2a251f
SM		 1187static int aead_accept_parent(void *private, struct sock *sk)
1188{
1189 struct aead_tfm *tfm = private;
1190
1191 if (!tfm->has_key)
1192 return -ENOKEY;
1193
1194 return aead_accept_parent_nokey(private, sk);
1195}
1196
400c40cf
SM		 1197static const struct af_alg_type algif_type_aead = {
1198 .bind = aead_bind,
1199 .release = aead_release,
1200 .setkey = aead_setkey,
1201 .setauthsize = aead_setauthsize,
1202 .accept = aead_accept_parent,
2a2a251f 1203 .accept_nokey = aead_accept_parent_nokey,
400c40cf 1204 .ops = &algif_aead_ops,
2a2a251f 1205 .ops_nokey = &algif_aead_ops_nokey,
400c40cf
SM		 1206 .name = "aead",
1207 .owner = THIS_MODULE
1208};
1209
1210static int __init algif_aead_init(void)
1211{
1212 return af_alg_register_type(&algif_type_aead);
1213}
1214
1215static void __exit algif_aead_exit(void)
1216{
1217 int err = af_alg_unregister_type(&algif_type_aead);
1218 BUG_ON(err);
1219}
1220
1221module_init(algif_aead_init);
1222module_exit(algif_aead_exit);
1223MODULE_LICENSE("GPL");
1224MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
1225MODULE_DESCRIPTION("AEAD kernel crypto API user space interface");
ubuntu-bionic-kernel mirror