LXR linux/crypto/essiv.c

   1// SPDX-License-Identifier: GPL-2.0
   2/*
   3 * ESSIV skcipher and aead template for block encryption
   4 *
   5 * This template encapsulates the ESSIV IV generation algorithm used by
   6 * dm-crypt and fscrypt, which converts the initial vector for the skcipher
   7 * used for block encryption, by encrypting it using the hash of the
   8 * skcipher key as encryption key. Usually, the input IV is a 64-bit sector
   9 * number in LE representation zero-padded to the size of the IV, but this
  10 * is not assumed by this driver.
  11 *
  12 * The typical use of this template is to instantiate the skcipher
  13 * 'essiv(cbc(aes),sha256)', which is the only instantiation used by
  14 * fscrypt, and the most relevant one for dm-crypt. However, dm-crypt
  15 * also permits ESSIV to be used in combination with the authenc template,
  16 * e.g., 'essiv(authenc(hmac(sha256),cbc(aes)),sha256)', in which case
  17 * we need to instantiate an aead that accepts the same special key format
  18 * as the authenc template, and deals with the way the encrypted IV is
  19 * embedded into the AAD area of the aead request. This means the AEAD
  20 * flavor produced by this template is tightly coupled to the way dm-crypt
  21 * happens to use it.
  22 *
  23 * Copyright (c) 2019 Linaro, Ltd. <ard.biesheuvel@linaro.org>
  24 *
  25 * Heavily based on:
  26 * adiantum length-preserving encryption mode
  27 *
  28 * Copyright 2018 Google LLC
  29 */
  30
  31#include <crypto/authenc.h>
  32#include <crypto/internal/aead.h>
  33#include <crypto/internal/cipher.h>
  34#include <crypto/internal/hash.h>
  35#include <crypto/internal/skcipher.h>
  36#include <crypto/scatterwalk.h>
  37#include <linux/module.h>
  38
  39#include "internal.h"
  40
  41struct essiv_instance_ctx {
  42        union {
  43                struct crypto_skcipher_spawn    skcipher_spawn;
  44                struct crypto_aead_spawn        aead_spawn;
  45        } u;
  46        char    essiv_cipher_name[CRYPTO_MAX_ALG_NAME];
  47        char    shash_driver_name[CRYPTO_MAX_ALG_NAME];
  48};
  49
  50struct essiv_tfm_ctx {
  51        union {
  52                struct crypto_skcipher  *skcipher;
  53                struct crypto_aead      *aead;
  54        } u;
  55        struct crypto_cipher            *essiv_cipher;
  56        struct crypto_shash             *hash;
  57        int                             ivoffset;
  58};
  59
  60struct essiv_aead_request_ctx {
  61        struct scatterlist              sg[4];
  62        u8                              *assoc;
  63        struct aead_request             aead_req;
  64};
  65
  66static int essiv_skcipher_setkey(struct crypto_skcipher *tfm,
  67                                 const u8 *key, unsigned int keylen)
  68{
  69        struct essiv_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
  70        u8 salt[HASH_MAX_DIGESTSIZE];
  71        int err;
  72
  73        crypto_skcipher_clear_flags(tctx->u.skcipher, CRYPTO_TFM_REQ_MASK);
  74        crypto_skcipher_set_flags(tctx->u.skcipher,
  75                                  crypto_skcipher_get_flags(tfm) &
  76                                  CRYPTO_TFM_REQ_MASK);
  77        err = crypto_skcipher_setkey(tctx->u.skcipher, key, keylen);
  78        if (err)
  79                return err;
  80
  81        err = crypto_shash_tfm_digest(tctx->hash, key, keylen, salt);
  82        if (err)
  83                return err;
  84
  85        crypto_cipher_clear_flags(tctx->essiv_cipher, CRYPTO_TFM_REQ_MASK);
  86        crypto_cipher_set_flags(tctx->essiv_cipher,
  87                                crypto_skcipher_get_flags(tfm) &
  88                                CRYPTO_TFM_REQ_MASK);
  89        return crypto_cipher_setkey(tctx->essiv_cipher, salt,
  90                                    crypto_shash_digestsize(tctx->hash));
  91}
  92
  93static int essiv_aead_setkey(struct crypto_aead *tfm, const u8 *key,
  94                             unsigned int keylen)
  95{
  96        struct essiv_tfm_ctx *tctx = crypto_aead_ctx(tfm);
  97        SHASH_DESC_ON_STACK(desc, tctx->hash);
  98        struct crypto_authenc_keys keys;
  99        u8 salt[HASH_MAX_DIGESTSIZE];
 100        int err;
 101
 102        crypto_aead_clear_flags(tctx->u.aead, CRYPTO_TFM_REQ_MASK);
 103        crypto_aead_set_flags(tctx->u.aead, crypto_aead_get_flags(tfm) &
 104                                            CRYPTO_TFM_REQ_MASK);
 105        err = crypto_aead_setkey(tctx->u.aead, key, keylen);
 106        if (err)
 107                return err;
 108
 109        if (crypto_authenc_extractkeys(&keys, key, keylen) != 0)
 110                return -EINVAL;
 111
 112        desc->tfm = tctx->hash;
 113        err = crypto_shash_init(desc) ?:
 114              crypto_shash_update(desc, keys.enckey, keys.enckeylen) ?:
 115              crypto_shash_finup(desc, keys.authkey, keys.authkeylen, salt);
 116        if (err)
 117                return err;
 118
 119        crypto_cipher_clear_flags(tctx->essiv_cipher, CRYPTO_TFM_REQ_MASK);
 120        crypto_cipher_set_flags(tctx->essiv_cipher, crypto_aead_get_flags(tfm) &
 121                                                    CRYPTO_TFM_REQ_MASK);
 122        return crypto_cipher_setkey(tctx->essiv_cipher, salt,
 123                                    crypto_shash_digestsize(tctx->hash));
 124}
 125
 126static int essiv_aead_setauthsize(struct crypto_aead *tfm,
 127                                  unsigned int authsize)
 128{
 129        struct essiv_tfm_ctx *tctx = crypto_aead_ctx(tfm);
 130
 131        return crypto_aead_setauthsize(tctx->u.aead, authsize);
 132}
 133
 134static void essiv_skcipher_done(struct crypto_async_request *areq, int err)
 135{
 136        struct skcipher_request *req = areq->data;
 137
 138        skcipher_request_complete(req, err);
 139}
 140
 141static int essiv_skcipher_crypt(struct skcipher_request *req, bool enc)
 142{
 143        struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
 144        const struct essiv_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
 145        struct skcipher_request *subreq = skcipher_request_ctx(req);
 146
 147        crypto_cipher_encrypt_one(tctx->essiv_cipher, req->iv, req->iv);
 148
 149        skcipher_request_set_tfm(subreq, tctx->u.skcipher);
 150        skcipher_request_set_crypt(subreq, req->src, req->dst, req->cryptlen,
 151                                   req->iv);
 152        skcipher_request_set_callback(subreq, skcipher_request_flags(req),
 153                                      essiv_skcipher_done, req);
 154
 155        return enc ? crypto_skcipher_encrypt(subreq) :
 156                     crypto_skcipher_decrypt(subreq);
 157}
 158
 159static int essiv_skcipher_encrypt(struct skcipher_request *req)
 160{
 161        return essiv_skcipher_crypt(req, true);
 162}
 163
 164static int essiv_skcipher_decrypt(struct skcipher_request *req)
 165{
 166        return essiv_skcipher_crypt(req, false);
 167}
 168
 169static void essiv_aead_done(struct crypto_async_request *areq, int err)
 170{
 171        struct aead_request *req = areq->data;
 172        struct essiv_aead_request_ctx *rctx = aead_request_ctx(req);
 173
 174        kfree(rctx->assoc);
 175        aead_request_complete(req, err);
 176}
 177
 178static int essiv_aead_crypt(struct aead_request *req, bool enc)
 179{
 180        struct crypto_aead *tfm = crypto_aead_reqtfm(req);
 181        const struct essiv_tfm_ctx *tctx = crypto_aead_ctx(tfm);
 182        struct essiv_aead_request_ctx *rctx = aead_request_ctx(req);
 183        struct aead_request *subreq = &rctx->aead_req;
 184        struct scatterlist *src = req->src;
 185        int err;
 186
 187        crypto_cipher_encrypt_one(tctx->essiv_cipher, req->iv, req->iv);
 188
 189        /*
 190         * dm-crypt embeds the sector number and the IV in the AAD region, so
 191         * we have to copy the converted IV into the right scatterlist before
 192         * we pass it on.
 193         */
 194        rctx->assoc = NULL;
 195        if (req->src == req->dst || !enc) {
 196                scatterwalk_map_and_copy(req->iv, req->dst,
 197                                         req->assoclen - crypto_aead_ivsize(tfm),
 198                                         crypto_aead_ivsize(tfm), 1);
 199        } else {
 200                u8 *iv = (u8 *)aead_request_ctx(req) + tctx->ivoffset;
 201                int ivsize = crypto_aead_ivsize(tfm);
 202                int ssize = req->assoclen - ivsize;
 203                struct scatterlist *sg;
 204                int nents;
 205
 206                if (ssize < 0)
 207                        return -EINVAL;
 208
 209                nents = sg_nents_for_len(req->src, ssize);
 210                if (nents < 0)
 211                        return -EINVAL;
 212
 213                memcpy(iv, req->iv, ivsize);
 214                sg_init_table(rctx->sg, 4);
 215
 216                if (unlikely(nents > 1)) {
 217                        /*
 218                         * This is a case that rarely occurs in practice, but
 219                         * for correctness, we have to deal with it nonetheless.
 220                         */
 221                        rctx->assoc = kmalloc(ssize, GFP_ATOMIC);
 222                        if (!rctx->assoc)
 223                                return -ENOMEM;
 224
 225                        scatterwalk_map_and_copy(rctx->assoc, req->src, 0,
 226                                                 ssize, 0);
 227                        sg_set_buf(rctx->sg, rctx->assoc, ssize);
 228                } else {
 229                        sg_set_page(rctx->sg, sg_page(req->src), ssize,
 230                                    req->src->offset);
 231                }
 232
 233                sg_set_buf(rctx->sg + 1, iv, ivsize);
 234                sg = scatterwalk_ffwd(rctx->sg + 2, req->src, req->assoclen);
 235                if (sg != rctx->sg + 2)
 236                        sg_chain(rctx->sg, 3, sg);
 237
 238                src = rctx->sg;
 239        }
 240
 241        aead_request_set_tfm(subreq, tctx->u.aead);
 242        aead_request_set_ad(subreq, req->assoclen);
 243        aead_request_set_callback(subreq, aead_request_flags(req),
 244                                  essiv_aead_done, req);
 245        aead_request_set_crypt(subreq, src, req->dst, req->cryptlen, req->iv);
 246
 247        err = enc ? crypto_aead_encrypt(subreq) :
 248                    crypto_aead_decrypt(subreq);
 249
 250        if (rctx->assoc && err != -EINPROGRESS)
 251                kfree(rctx->assoc);
 252        return err;
 253}
 254
 255static int essiv_aead_encrypt(struct aead_request *req)
 256{
 257        return essiv_aead_crypt(req, true);
 258}
 259
 260static int essiv_aead_decrypt(struct aead_request *req)
 261{
 262        return essiv_aead_crypt(req, false);
 263}
 264
 265static int essiv_init_tfm(struct essiv_instance_ctx *ictx,
 266                          struct essiv_tfm_ctx *tctx)
 267{
 268        struct crypto_cipher *essiv_cipher;
 269        struct crypto_shash *hash;
 270        int err;
 271
 272        essiv_cipher = crypto_alloc_cipher(ictx->essiv_cipher_name, 0, 0);
 273        if (IS_ERR(essiv_cipher))
 274                return PTR_ERR(essiv_cipher);
 275
 276        hash = crypto_alloc_shash(ictx->shash_driver_name, 0, 0);
 277        if (IS_ERR(hash)) {
 278                err = PTR_ERR(hash);
 279                goto err_free_essiv_cipher;
 280        }
 281
 282        tctx->essiv_cipher = essiv_cipher;
 283        tctx->hash = hash;
 284
 285        return 0;
 286
 287err_free_essiv_cipher:
 288        crypto_free_cipher(essiv_cipher);
 289        return err;
 290}
 291
 292static int essiv_skcipher_init_tfm(struct crypto_skcipher *tfm)
 293{
 294        struct skcipher_instance *inst = skcipher_alg_instance(tfm);
 295        struct essiv_instance_ctx *ictx = skcipher_instance_ctx(inst);
 296        struct essiv_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
 297        struct crypto_skcipher *skcipher;
 298        int err;
 299
 300        skcipher = crypto_spawn_skcipher(&ictx->u.skcipher_spawn);
 301        if (IS_ERR(skcipher))
 302                return PTR_ERR(skcipher);
 303
 304        crypto_skcipher_set_reqsize(tfm, sizeof(struct skcipher_request) +
 305                                         crypto_skcipher_reqsize(skcipher));
 306
 307        err = essiv_init_tfm(ictx, tctx);
 308        if (err) {
 309                crypto_free_skcipher(skcipher);
 310                return err;
 311        }
 312
 313        tctx->u.skcipher = skcipher;
 314        return 0;
 315}
 316
 317static int essiv_aead_init_tfm(struct crypto_aead *tfm)
 318{
 319        struct aead_instance *inst = aead_alg_instance(tfm);
 320        struct essiv_instance_ctx *ictx = aead_instance_ctx(inst);
 321        struct essiv_tfm_ctx *tctx = crypto_aead_ctx(tfm);
 322        struct crypto_aead *aead;
 323        unsigned int subreq_size;
 324        int err;
 325
 326        BUILD_BUG_ON(offsetofend(struct essiv_aead_request_ctx, aead_req) !=
 327                     sizeof(struct essiv_aead_request_ctx));
 328
 329        aead = crypto_spawn_aead(&ictx->u.aead_spawn);
 330        if (IS_ERR(aead))
 331                return PTR_ERR(aead);
 332
 333        subreq_size = sizeof_field(struct essiv_aead_request_ctx, aead_req) +
 334                      crypto_aead_reqsize(aead);
 335
 336        tctx->ivoffset = offsetof(struct essiv_aead_request_ctx, aead_req) +
 337                         subreq_size;
 338        crypto_aead_set_reqsize(tfm, tctx->ivoffset + crypto_aead_ivsize(aead));
 339
 340        err = essiv_init_tfm(ictx, tctx);
 341        if (err) {
 342                crypto_free_aead(aead);
 343                return err;
 344        }
 345
 346        tctx->u.aead = aead;
 347        return 0;
 348}
 349
 350static void essiv_skcipher_exit_tfm(struct crypto_skcipher *tfm)
 351{
 352        struct essiv_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
 353
 354        crypto_free_skcipher(tctx->u.skcipher);
 355        crypto_free_cipher(tctx->essiv_cipher);
 356        crypto_free_shash(tctx->hash);
 357}
 358
 359static void essiv_aead_exit_tfm(struct crypto_aead *tfm)
 360{
 361        struct essiv_tfm_ctx *tctx = crypto_aead_ctx(tfm);
 362
 363        crypto_free_aead(tctx->u.aead);
 364        crypto_free_cipher(tctx->essiv_cipher);
 365        crypto_free_shash(tctx->hash);
 366}
 367
 368static void essiv_skcipher_free_instance(struct skcipher_instance *inst)
 369{
 370        struct essiv_instance_ctx *ictx = skcipher_instance_ctx(inst);
 371
 372        crypto_drop_skcipher(&ictx->u.skcipher_spawn);
 373        kfree(inst);
 374}
 375
 376static void essiv_aead_free_instance(struct aead_instance *inst)
 377{
 378        struct essiv_instance_ctx *ictx = aead_instance_ctx(inst);
 379
 380        crypto_drop_aead(&ictx->u.aead_spawn);
 381        kfree(inst);
 382}
 383
 384static bool parse_cipher_name(char *essiv_cipher_name, const char *cra_name)
 385{
 386        const char *p, *q;
 387        int len;
 388
 389        /* find the last opening parens */
 390        p = strrchr(cra_name, '(');
 391        if (!p++)
 392                return false;
 393
 394        /* find the first closing parens in the tail of the string */
 395        q = strchr(p, ')');
 396        if (!q)
 397                return false;
 398
 399        len = q - p;
 400        if (len >= CRYPTO_MAX_ALG_NAME)
 401                return false;
 402
 403        memcpy(essiv_cipher_name, p, len);
 404        essiv_cipher_name[len] = '\0';
 405        return true;
 406}
 407
 408static bool essiv_supported_algorithms(const char *essiv_cipher_name,
 409                                       struct shash_alg *hash_alg,
 410                                       int ivsize)
 411{
 412        struct crypto_alg *alg;
 413        bool ret = false;
 414
 415        alg = crypto_alg_mod_lookup(essiv_cipher_name,
 416                                    CRYPTO_ALG_TYPE_CIPHER,
 417                                    CRYPTO_ALG_TYPE_MASK);
 418        if (IS_ERR(alg))
 419                return false;
 420
 421        if (hash_alg->digestsize < alg->cra_cipher.cia_min_keysize ||
 422            hash_alg->digestsize > alg->cra_cipher.cia_max_keysize)
 423                goto out;
 424
 425        if (ivsize != alg->cra_blocksize)
 426                goto out;
 427
 428        if (crypto_shash_alg_needs_key(hash_alg))
 429                goto out;
 430
 431        ret = true;
 432
 433out:
 434        crypto_mod_put(alg);
 435        return ret;
 436}
 437
 438static int essiv_create(struct crypto_template *tmpl, struct rtattr **tb)
 439{
 440        struct crypto_attr_type *algt;
 441        const char *inner_cipher_name;
 442        const char *shash_name;
 443        struct skcipher_instance *skcipher_inst = NULL;
 444        struct aead_instance *aead_inst = NULL;
 445        struct crypto_instance *inst;
 446        struct crypto_alg *base, *block_base;
 447        struct essiv_instance_ctx *ictx;
 448        struct skcipher_alg *skcipher_alg = NULL;
 449        struct aead_alg *aead_alg = NULL;
 450        struct crypto_alg *_hash_alg;
 451        struct shash_alg *hash_alg;
 452        int ivsize;
 453        u32 type;
 454        u32 mask;
 455        int err;
 456
 457        algt = crypto_get_attr_type(tb);
 458        if (IS_ERR(algt))
 459                return PTR_ERR(algt);
 460
 461        inner_cipher_name = crypto_attr_alg_name(tb[1]);
 462        if (IS_ERR(inner_cipher_name))
 463                return PTR_ERR(inner_cipher_name);
 464
 465        shash_name = crypto_attr_alg_name(tb[2]);
 466        if (IS_ERR(shash_name))
 467                return PTR_ERR(shash_name);
 468
 469        type = algt->type & algt->mask;
 470        mask = crypto_algt_inherited_mask(algt);
 471
 472        switch (type) {
 473        case CRYPTO_ALG_TYPE_SKCIPHER:
 474                skcipher_inst = kzalloc(sizeof(*skcipher_inst) +
 475                                        sizeof(*ictx), GFP_KERNEL);
 476                if (!skcipher_inst)
 477                        return -ENOMEM;
 478                inst = skcipher_crypto_instance(skcipher_inst);
 479                base = &skcipher_inst->alg.base;
 480                ictx = crypto_instance_ctx(inst);
 481
 482                /* Symmetric cipher, e.g., "cbc(aes)" */
 483                err = crypto_grab_skcipher(&ictx->u.skcipher_spawn, inst,
 484                                           inner_cipher_name, 0, mask);
 485                if (err)
 486                        goto out_free_inst;
 487                skcipher_alg = crypto_spawn_skcipher_alg(&ictx->u.skcipher_spawn);
 488                block_base = &skcipher_alg->base;
 489                ivsize = crypto_skcipher_alg_ivsize(skcipher_alg);
 490                break;
 491
 492        case CRYPTO_ALG_TYPE_AEAD:
 493                aead_inst = kzalloc(sizeof(*aead_inst) +
 494                                    sizeof(*ictx), GFP_KERNEL);
 495                if (!aead_inst)
 496                        return -ENOMEM;
 497                inst = aead_crypto_instance(aead_inst);
 498                base = &aead_inst->alg.base;
 499                ictx = crypto_instance_ctx(inst);
 500
 501                /* AEAD cipher, e.g., "authenc(hmac(sha256),cbc(aes))" */
 502                err = crypto_grab_aead(&ictx->u.aead_spawn, inst,
 503                                       inner_cipher_name, 0, mask);
 504                if (err)
 505                        goto out_free_inst;
 506                aead_alg = crypto_spawn_aead_alg(&ictx->u.aead_spawn);
 507                block_base = &aead_alg->base;
 508                if (!strstarts(block_base->cra_name, "authenc(")) {
 509                        pr_warn("Only authenc() type AEADs are supported by ESSIV\n");
 510                        err = -EINVAL;
 511                        goto out_drop_skcipher;
 512                }
 513                ivsize = aead_alg->ivsize;
 514                break;
 515
 516        default:
 517                return -EINVAL;
 518        }
 519
 520        if (!parse_cipher_name(ictx->essiv_cipher_name, block_base->cra_name)) {
 521                pr_warn("Failed to parse ESSIV cipher name from skcipher cra_name\n");
 522                err = -EINVAL;
 523                goto out_drop_skcipher;
 524        }
 525
 526        /* Synchronous hash, e.g., "sha256" */
 527        _hash_alg = crypto_alg_mod_lookup(shash_name,
 528                                          CRYPTO_ALG_TYPE_SHASH,
 529                                          CRYPTO_ALG_TYPE_MASK | mask);
 530        if (IS_ERR(_hash_alg)) {
 531                err = PTR_ERR(_hash_alg);
 532                goto out_drop_skcipher;
 533        }
 534        hash_alg = __crypto_shash_alg(_hash_alg);
 535
 536        /* Check the set of algorithms */
 537        if (!essiv_supported_algorithms(ictx->essiv_cipher_name, hash_alg,
 538                                        ivsize)) {
 539                pr_warn("Unsupported essiv instantiation: essiv(%s,%s)\n",
 540                        block_base->cra_name, hash_alg->base.cra_name);
 541                err = -EINVAL;
 542                goto out_free_hash;
 543        }
 544
 545        /* record the driver name so we can instantiate this exact algo later */
 546        strlcpy(ictx->shash_driver_name, hash_alg->base.cra_driver_name,
 547                CRYPTO_MAX_ALG_NAME);
 548
 549        /* Instance fields */
 550
 551        err = -ENAMETOOLONG;
 552        if (snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME,
 553                     "essiv(%s,%s)", block_base->cra_name,
 554                     hash_alg->base.cra_name) >= CRYPTO_MAX_ALG_NAME)
 555                goto out_free_hash;
 556        if (snprintf(base->cra_driver_name, CRYPTO_MAX_ALG_NAME,
 557                     "essiv(%s,%s)", block_base->cra_driver_name,
 558                     hash_alg->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
 559                goto out_free_hash;
 560
 561        /*
 562         * hash_alg wasn't gotten via crypto_grab*(), so we need to inherit its
 563         * flags manually.
 564         */
 565        base->cra_flags        |= (hash_alg->base.cra_flags &
 566                                   CRYPTO_ALG_INHERITED_FLAGS);
 567        base->cra_blocksize     = block_base->cra_blocksize;
 568        base->cra_ctxsize       = sizeof(struct essiv_tfm_ctx);
 569        base->cra_alignmask     = block_base->cra_alignmask;
 570        base->cra_priority      = block_base->cra_priority;
 571
 572        if (type == CRYPTO_ALG_TYPE_SKCIPHER) {
 573                skcipher_inst->alg.setkey       = essiv_skcipher_setkey;
 574                skcipher_inst->alg.encrypt      = essiv_skcipher_encrypt;
 575                skcipher_inst->alg.decrypt      = essiv_skcipher_decrypt;
 576                skcipher_inst->alg.init         = essiv_skcipher_init_tfm;
 577                skcipher_inst->alg.exit         = essiv_skcipher_exit_tfm;
 578
 579                skcipher_inst->alg.min_keysize  = crypto_skcipher_alg_min_keysize(skcipher_alg);
 580                skcipher_inst->alg.max_keysize  = crypto_skcipher_alg_max_keysize(skcipher_alg);
 581                skcipher_inst->alg.ivsize       = ivsize;
 582                skcipher_inst->alg.chunksize    = crypto_skcipher_alg_chunksize(skcipher_alg);
 583                skcipher_inst->alg.walksize     = crypto_skcipher_alg_walksize(skcipher_alg);
 584
 585                skcipher_inst->free             = essiv_skcipher_free_instance;
 586
 587                err = skcipher_register_instance(tmpl, skcipher_inst);
 588        } else {
 589                aead_inst->alg.setkey           = essiv_aead_setkey;
 590                aead_inst->alg.setauthsize      = essiv_aead_setauthsize;
 591                aead_inst->alg.encrypt          = essiv_aead_encrypt;
 592                aead_inst->alg.decrypt          = essiv_aead_decrypt;
 593                aead_inst->alg.init             = essiv_aead_init_tfm;
 594                aead_inst->alg.exit             = essiv_aead_exit_tfm;
 595
 596                aead_inst->alg.ivsize           = ivsize;
 597                aead_inst->alg.maxauthsize      = crypto_aead_alg_maxauthsize(aead_alg);
 598                aead_inst->alg.chunksize        = crypto_aead_alg_chunksize(aead_alg);
 599
 600                aead_inst->free                 = essiv_aead_free_instance;
 601
 602                err = aead_register_instance(tmpl, aead_inst);
 603        }
 604
 605        if (err)
 606                goto out_free_hash;
 607
 608        crypto_mod_put(_hash_alg);
 609        return 0;
 610
 611out_free_hash:
 612        crypto_mod_put(_hash_alg);
 613out_drop_skcipher:
 614        if (type == CRYPTO_ALG_TYPE_SKCIPHER)
 615                crypto_drop_skcipher(&ictx->u.skcipher_spawn);
 616        else
 617                crypto_drop_aead(&ictx->u.aead_spawn);
 618out_free_inst:
 619        kfree(skcipher_inst);
 620        kfree(aead_inst);
 621        return err;
 622}
 623
 624/* essiv(cipher_name, shash_name) */
 625static struct crypto_template essiv_tmpl = {
 626        .name   = "essiv",
 627        .create = essiv_create,
 628        .module = THIS_MODULE,
 629};
 630
 631static int __init essiv_module_init(void)
 632{
 633        return crypto_register_template(&essiv_tmpl);
 634}
 635
 636static void __exit essiv_module_exit(void)
 637{
 638        crypto_unregister_template(&essiv_tmpl);
 639}
 640
 641subsys_initcall(essiv_module_init);
 642module_exit(essiv_module_exit);
 643
 644MODULE_DESCRIPTION("ESSIV skcipher/aead wrapper for block encryption");
 645MODULE_LICENSE("GPL v2");
 646MODULE_ALIAS_CRYPTO("essiv");
 647MODULE_IMPORT_NS(CRYPTO_INTERNAL);
 648