// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * seqiv: Sequence Number IV Generator
 *
 * This generator generates an IV based on a sequence number by xoring it
 * with a salt.  This algorithm is mainly useful for CTR and similar modes.
 *
 * Copyright (c) 2007 Herbert Xu <herbert@gondor.apana.org.au>
 */

#include <crypto/internal/geniv.h>
#include <crypto/scatterwalk.h>
#include <crypto/skcipher.h>
#include <linux/err.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/slab.h>
#include <linux/string.h>

static void seqiv_aead_encrypt_complete2(struct aead_request *req, int err)
{
        struct aead_request *subreq = aead_request_ctx(req);
        struct crypto_aead *geniv;

        if (err == -EINPROGRESS || err == -EBUSY)
                return;

        if (err)
                goto out;

        geniv = crypto_aead_reqtfm(req);
        memcpy(req->iv, subreq->iv, crypto_aead_ivsize(geniv));

out:
        kfree_sensitive(subreq->iv);
}

static void seqiv_aead_encrypt_complete(void *data, int err)
{
        struct aead_request *req = data;

        seqiv_aead_encrypt_complete2(req, err);
        aead_request_complete(req, err);
}

static int seqiv_aead_encrypt(struct aead_request *req)
{
        struct crypto_aead *geniv = crypto_aead_reqtfm(req);
        struct aead_geniv_ctx *ctx = crypto_aead_ctx(geniv);
        struct aead_request *subreq = aead_request_ctx(req);
        crypto_completion_t compl;
        void *data;
        u8 *info;
        unsigned int ivsize = 8;
        int err;

        if (req->cryptlen < ivsize)
                return -EINVAL;

        aead_request_set_tfm(subreq, ctx->child);

        compl = req->base.complete;
        data = req->base.data;
        info = req->iv;

        if (req->src != req->dst) {
                SYNC_SKCIPHER_REQUEST_ON_STACK(nreq, ctx->sknull);

                skcipher_request_set_sync_tfm(nreq, ctx->sknull);
                skcipher_request_set_callback(nreq, req->base.flags,
                                              NULL, NULL);
                skcipher_request_set_crypt(nreq, req->src, req->dst,
                                           req->assoclen + req->cryptlen,
                                           NULL);

                err = crypto_skcipher_encrypt(nreq);
                if (err)
                        return err;
        }

        if (unlikely(!IS_ALIGNED((unsigned long)info,
                                 crypto_aead_alignmask(geniv) + 1))) {
                info = kmemdup(req->iv, ivsize, req->base.flags &
                               CRYPTO_TFM_REQ_MAY_SLEEP ? GFP_KERNEL :
                               GFP_ATOMIC);
                if (!info)
                        return -ENOMEM;

                compl = seqiv_aead_encrypt_complete;
                data = req;
        }

        aead_request_set_callback(subreq, req->base.flags, compl, data);
        aead_request_set_crypt(subreq, req->dst, req->dst,
                               req->cryptlen - ivsize, info);
        aead_request_set_ad(subreq, req->assoclen + ivsize);

        crypto_xor(info, ctx->salt, ivsize);
        scatterwalk_map_and_copy(info, req->dst, req->assoclen, ivsize, 1);

        err = crypto_aead_encrypt(subreq);
        if (unlikely(info != req->iv))
                seqiv_aead_encrypt_complete2(req, err);
        return err;
}

static int seqiv_aead_decrypt(struct aead_request *req)
{
        struct crypto_aead *geniv = crypto_aead_reqtfm(req);
        struct aead_geniv_ctx *ctx = crypto_aead_ctx(geniv);
        struct aead_request *subreq = aead_request_ctx(req);
        crypto_completion_t compl;
        void *data;
        unsigned int ivsize = 8;

        if (req->cryptlen < ivsize + crypto_aead_authsize(geniv))
                return -EINVAL;

        aead_request_set_tfm(subreq, ctx->child);

        compl = req->base.complete;
        data = req->base.data;

        aead_request_set_callback(subreq, req->base.flags, compl, data);
        aead_request_set_crypt(subreq, req->src, req->dst,
                               req->cryptlen - ivsize, req->iv);
        aead_request_set_ad(subreq, req->assoclen + ivsize);

        scatterwalk_map_and_copy(req->iv, req->src, req->assoclen, ivsize, 0);

        return crypto_aead_decrypt(subreq);
}

static int seqiv_aead_create(struct crypto_template *tmpl, struct rtattr **tb)
{
        struct aead_instance *inst;
        int err;

        inst = aead_geniv_alloc(tmpl, tb);

        if (IS_ERR(inst))
                return PTR_ERR(inst);

        err = -EINVAL;
        if (inst->alg.ivsize != sizeof(u64))
                goto free_inst;

        inst->alg.encrypt = seqiv_aead_encrypt;
        inst->alg.decrypt = seqiv_aead_decrypt;

        inst->alg.init = aead_init_geniv;
        inst->alg.exit = aead_exit_geniv;

        inst->alg.base.cra_ctxsize = sizeof(struct aead_geniv_ctx);
        inst->alg.base.cra_ctxsize += inst->alg.ivsize;

        err = aead_register_instance(tmpl, inst);
        if (err) {
free_inst:
                inst->free(inst);
        }
        return err;
}

static struct crypto_template seqiv_tmpl = {
        .name = "seqiv",
        .create = seqiv_aead_create,
        .module = THIS_MODULE,
};

static int __init seqiv_module_init(void)
{
        return crypto_register_template(&seqiv_tmpl);
}

static void __exit seqiv_module_exit(void)
{
        crypto_unregister_template(&seqiv_tmpl);
}

subsys_initcall(seqiv_module_init);
module_exit(seqiv_module_exit);

MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Sequence Number IV Generator");
MODULE_ALIAS_CRYPTO("seqiv");