//SPDX-License-Identifier: GPL-2.0
/*
 * CFB: Cipher FeedBack mode
 *
 * Copyright (c) 2018 James.Bottomley@HansenPartnership.com
 *
 * CFB is a stream cipher mode which is layered on to a block
 * encryption scheme.  It works very much like a one time pad where
 * the pad is generated initially from the encrypted IV and then
 * subsequently from the encrypted previous block of ciphertext.  The
 * pad is XOR'd into the plain text to get the final ciphertext.
 *
 * The scheme of CFB is best described by wikipedia:
 *
 * https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#CFB
 *
 * Note that since the pad for both encryption and decryption is
 * generated by an encryption operation, CFB never uses the block
 * decryption function.
 */

#include <crypto/algapi.h>
#include <crypto/internal/skcipher.h>
#include <linux/err.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/string.h>

static unsigned int crypto_cfb_bsize(struct crypto_skcipher *tfm)
{
        return crypto_cipher_blocksize(skcipher_cipher_simple(tfm));
}

static void crypto_cfb_encrypt_one(struct crypto_skcipher *tfm,
                                          const u8 *src, u8 *dst)
{
        crypto_cipher_encrypt_one(skcipher_cipher_simple(tfm), dst, src);
}

/* final encrypt and decrypt is the same */
static void crypto_cfb_final(struct skcipher_walk *walk,
                             struct crypto_skcipher *tfm)
{
        const unsigned long alignmask = crypto_skcipher_alignmask(tfm);
        u8 tmp[MAX_CIPHER_BLOCKSIZE + MAX_CIPHER_ALIGNMASK];
        u8 *stream = PTR_ALIGN(tmp + 0, alignmask + 1);
        u8 *src = walk->src.virt.addr;
        u8 *dst = walk->dst.virt.addr;
        u8 *iv = walk->iv;
        unsigned int nbytes = walk->nbytes;

        crypto_cfb_encrypt_one(tfm, iv, stream);
        crypto_xor_cpy(dst, stream, src, nbytes);
}

static int crypto_cfb_encrypt_segment(struct skcipher_walk *walk,
                                      struct crypto_skcipher *tfm)
{
        const unsigned int bsize = crypto_cfb_bsize(tfm);
        unsigned int nbytes = walk->nbytes;
        u8 *src = walk->src.virt.addr;
        u8 *dst = walk->dst.virt.addr;
        u8 *iv = walk->iv;

        do {
                crypto_cfb_encrypt_one(tfm, iv, dst);
                crypto_xor(dst, src, bsize);
                iv = dst;

                src += bsize;
                dst += bsize;
        } while ((nbytes -= bsize) >= bsize);

        memcpy(walk->iv, iv, bsize);

        return nbytes;
}

static int crypto_cfb_encrypt_inplace(struct skcipher_walk *walk,
                                      struct crypto_skcipher *tfm)
{
        const unsigned int bsize = crypto_cfb_bsize(tfm);
        unsigned int nbytes = walk->nbytes;
        u8 *src = walk->src.virt.addr;
        u8 *iv = walk->iv;
        u8 tmp[MAX_CIPHER_BLOCKSIZE];

        do {
                crypto_cfb_encrypt_one(tfm, iv, tmp);
                crypto_xor(src, tmp, bsize);
                iv = src;

                src += bsize;
        } while ((nbytes -= bsize) >= bsize);

        memcpy(walk->iv, iv, bsize);

        return nbytes;
}

static int crypto_cfb_encrypt(struct skcipher_request *req)
{
        struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
        struct skcipher_walk walk;
        unsigned int bsize = crypto_cfb_bsize(tfm);
        int err;

        err = skcipher_walk_virt(&walk, req, false);

        while (walk.nbytes >= bsize) {
                if (walk.src.virt.addr == walk.dst.virt.addr)
                        err = crypto_cfb_encrypt_inplace(&walk, tfm);
                else
                        err = crypto_cfb_encrypt_segment(&walk, tfm);
                err = skcipher_walk_done(&walk, err);
        }

        if (walk.nbytes) {
                crypto_cfb_final(&walk, tfm);
                err = skcipher_walk_done(&walk, 0);
        }

        return err;
}

static int crypto_cfb_decrypt_segment(struct skcipher_walk *walk,
                                      struct crypto_skcipher *tfm)
{
        const unsigned int bsize = crypto_cfb_bsize(tfm);
        unsigned int nbytes = walk->nbytes;
        u8 *src = walk->src.virt.addr;
        u8 *dst = walk->dst.virt.addr;
        u8 *iv = walk->iv;

        do {
                crypto_cfb_encrypt_one(tfm, iv, dst);
                crypto_xor(dst, src, bsize);
                iv = src;

                src += bsize;
                dst += bsize;
        } while ((nbytes -= bsize) >= bsize);

        memcpy(walk->iv, iv, bsize);

        return nbytes;
}

static int crypto_cfb_decrypt_inplace(struct skcipher_walk *walk,
                                      struct crypto_skcipher *tfm)
{
        const unsigned int bsize = crypto_cfb_bsize(tfm);
        unsigned int nbytes = walk->nbytes;
        u8 *src = walk->src.virt.addr;
        u8 * const iv = walk->iv;
        u8 tmp[MAX_CIPHER_BLOCKSIZE];

        do {
                crypto_cfb_encrypt_one(tfm, iv, tmp);
                memcpy(iv, src, bsize);
                crypto_xor(src, tmp, bsize);
                src += bsize;
        } while ((nbytes -= bsize) >= bsize);

        return nbytes;
}

static int crypto_cfb_decrypt_blocks(struct skcipher_walk *walk,
                                     struct crypto_skcipher *tfm)
{
        if (walk->src.virt.addr == walk->dst.virt.addr)
                return crypto_cfb_decrypt_inplace(walk, tfm);
        else
                return crypto_cfb_decrypt_segment(walk, tfm);
}

static int crypto_cfb_decrypt(struct skcipher_request *req)
{
        struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
        struct skcipher_walk walk;
        const unsigned int bsize = crypto_cfb_bsize(tfm);
        int err;

        err = skcipher_walk_virt(&walk, req, false);

        while (walk.nbytes >= bsize) {
                err = crypto_cfb_decrypt_blocks(&walk, tfm);
                err = skcipher_walk_done(&walk, err);
        }

        if (walk.nbytes) {
                crypto_cfb_final(&walk, tfm);
                err = skcipher_walk_done(&walk, 0);
        }

        return err;
}

static int crypto_cfb_create(struct crypto_template *tmpl, struct rtattr **tb)
{
        struct skcipher_instance *inst;
        struct crypto_alg *alg;
        int err;

        inst = skcipher_alloc_instance_simple(tmpl, tb, &alg);
        if (IS_ERR(inst))
                return PTR_ERR(inst);

        /* CFB mode is a stream cipher. */
        inst->alg.base.cra_blocksize = 1;

        /*
         * To simplify the implementation, configure the skcipher walk to only
         * give a partial block at the very end, never earlier.
         */
        inst->alg.chunksize = alg->cra_blocksize;

        inst->alg.encrypt = crypto_cfb_encrypt;
        inst->alg.decrypt = crypto_cfb_decrypt;

        err = skcipher_register_instance(tmpl, inst);
        if (err)
                inst->free(inst);

        crypto_mod_put(alg);
        return err;
}

static struct crypto_template crypto_cfb_tmpl = {
        .name = "cfb",
        .create = crypto_cfb_create,
        .module = THIS_MODULE,
};

static int __init crypto_cfb_module_init(void)
{
        return crypto_register_template(&crypto_cfb_tmpl);
}

static void __exit crypto_cfb_module_exit(void)
{
        crypto_unregister_template(&crypto_cfb_tmpl);
}

subsys_initcall(crypto_cfb_module_init);
module_exit(crypto_cfb_module_exit);

MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("CFB block cipher mode of operation");
MODULE_ALIAS_CRYPTO("cfb");