authenc.c 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454
  1. // SPDX-License-Identifier: GPL-2.0-or-later
  2. /*
  3. * Authenc: Simple AEAD wrapper for IPsec
  4. *
  5. * Copyright (c) 2007-2015 Herbert Xu <herbert@gondor.apana.org.au>
  6. */
  7. #include <crypto/internal/aead.h>
  8. #include <crypto/internal/hash.h>
  9. #include <crypto/internal/skcipher.h>
  10. #include <crypto/authenc.h>
  11. #include <crypto/scatterwalk.h>
  12. #include <linux/err.h>
  13. #include <linux/init.h>
  14. #include <linux/kernel.h>
  15. #include <linux/module.h>
  16. #include <linux/rtnetlink.h>
  17. #include <linux/slab.h>
  18. #include <linux/spinlock.h>
  19. struct authenc_instance_ctx {
  20. struct crypto_ahash_spawn auth;
  21. struct crypto_skcipher_spawn enc;
  22. unsigned int reqoff;
  23. };
  24. struct crypto_authenc_ctx {
  25. struct crypto_ahash *auth;
  26. struct crypto_skcipher *enc;
  27. };
  28. struct authenc_request_ctx {
  29. struct scatterlist src[2];
  30. struct scatterlist dst[2];
  31. char tail[];
  32. };
  33. static void authenc_request_complete(struct aead_request *req, int err)
  34. {
  35. if (err != -EINPROGRESS && err != -EBUSY)
  36. aead_request_complete(req, err);
  37. }
  38. int crypto_authenc_extractkeys(struct crypto_authenc_keys *keys, const u8 *key,
  39. unsigned int keylen)
  40. {
  41. struct rtattr *rta = (struct rtattr *)key;
  42. struct crypto_authenc_key_param *param;
  43. if (!RTA_OK(rta, keylen))
  44. return -EINVAL;
  45. if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM)
  46. return -EINVAL;
  47. /*
  48. * RTA_OK() didn't align the rtattr's payload when validating that it
  49. * fits in the buffer. Yet, the keys should start on the next 4-byte
  50. * aligned boundary. To avoid confusion, require that the rtattr
  51. * payload be exactly the param struct, which has a 4-byte aligned size.
  52. */
  53. if (RTA_PAYLOAD(rta) != sizeof(*param))
  54. return -EINVAL;
  55. BUILD_BUG_ON(sizeof(*param) % RTA_ALIGNTO);
  56. param = RTA_DATA(rta);
  57. keys->enckeylen = be32_to_cpu(param->enckeylen);
  58. key += rta->rta_len;
  59. keylen -= rta->rta_len;
  60. if (keylen < keys->enckeylen)
  61. return -EINVAL;
  62. keys->authkeylen = keylen - keys->enckeylen;
  63. keys->authkey = key;
  64. keys->enckey = key + keys->authkeylen;
  65. return 0;
  66. }
  67. EXPORT_SYMBOL_GPL(crypto_authenc_extractkeys);
  68. static int crypto_authenc_setkey(struct crypto_aead *authenc, const u8 *key,
  69. unsigned int keylen)
  70. {
  71. struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
  72. struct crypto_ahash *auth = ctx->auth;
  73. struct crypto_skcipher *enc = ctx->enc;
  74. struct crypto_authenc_keys keys;
  75. int err = -EINVAL;
  76. if (crypto_authenc_extractkeys(&keys, key, keylen) != 0)
  77. goto out;
  78. crypto_ahash_clear_flags(auth, CRYPTO_TFM_REQ_MASK);
  79. crypto_ahash_set_flags(auth, crypto_aead_get_flags(authenc) &
  80. CRYPTO_TFM_REQ_MASK);
  81. err = crypto_ahash_setkey(auth, keys.authkey, keys.authkeylen);
  82. if (err)
  83. goto out;
  84. crypto_skcipher_clear_flags(enc, CRYPTO_TFM_REQ_MASK);
  85. crypto_skcipher_set_flags(enc, crypto_aead_get_flags(authenc) &
  86. CRYPTO_TFM_REQ_MASK);
  87. err = crypto_skcipher_setkey(enc, keys.enckey, keys.enckeylen);
  88. out:
  89. memzero_explicit(&keys, sizeof(keys));
  90. return err;
  91. }
  92. static void authenc_geniv_ahash_finish(struct aead_request *req)
  93. {
  94. struct crypto_aead *authenc = crypto_aead_reqtfm(req);
  95. struct aead_instance *inst = aead_alg_instance(authenc);
  96. struct authenc_instance_ctx *ictx = aead_instance_ctx(inst);
  97. struct authenc_request_ctx *areq_ctx = aead_request_ctx(req);
  98. struct ahash_request *ahreq = (void *)(areq_ctx->tail + ictx->reqoff);
  99. scatterwalk_map_and_copy(ahreq->result, req->dst,
  100. req->assoclen + req->cryptlen,
  101. crypto_aead_authsize(authenc), 1);
  102. }
  103. static void authenc_geniv_ahash_done(void *data, int err)
  104. {
  105. struct aead_request *req = data;
  106. if (!err)
  107. authenc_geniv_ahash_finish(req);
  108. aead_request_complete(req, err);
  109. }
  110. /*
  111. * Used when the ahash request was invoked in the async callback context
  112. * of the previous skcipher request. Eat any EINPROGRESS notifications.
  113. */
  114. static void authenc_geniv_ahash_done2(void *data, int err)
  115. {
  116. struct aead_request *req = data;
  117. if (!err)
  118. authenc_geniv_ahash_finish(req);
  119. authenc_request_complete(req, err);
  120. }
  121. static int crypto_authenc_genicv(struct aead_request *req, unsigned int mask)
  122. {
  123. struct crypto_aead *authenc = crypto_aead_reqtfm(req);
  124. struct aead_instance *inst = aead_alg_instance(authenc);
  125. struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
  126. struct authenc_instance_ctx *ictx = aead_instance_ctx(inst);
  127. struct crypto_ahash *auth = ctx->auth;
  128. struct authenc_request_ctx *areq_ctx = aead_request_ctx(req);
  129. struct ahash_request *ahreq = (void *)(areq_ctx->tail + ictx->reqoff);
  130. unsigned int flags = aead_request_flags(req) & ~mask;
  131. u8 *hash = areq_ctx->tail;
  132. int err;
  133. ahash_request_set_tfm(ahreq, auth);
  134. ahash_request_set_crypt(ahreq, req->dst, hash,
  135. req->assoclen + req->cryptlen);
  136. ahash_request_set_callback(ahreq, flags,
  137. mask ? authenc_geniv_ahash_done2 :
  138. authenc_geniv_ahash_done, req);
  139. err = crypto_ahash_digest(ahreq);
  140. if (err)
  141. return err;
  142. scatterwalk_map_and_copy(hash, req->dst, req->assoclen + req->cryptlen,
  143. crypto_aead_authsize(authenc), 1);
  144. return 0;
  145. }
  146. static void crypto_authenc_encrypt_done(void *data, int err)
  147. {
  148. struct aead_request *areq = data;
  149. if (err) {
  150. aead_request_complete(areq, err);
  151. return;
  152. }
  153. err = crypto_authenc_genicv(areq, CRYPTO_TFM_REQ_MAY_SLEEP);
  154. authenc_request_complete(areq, err);
  155. }
  156. static int crypto_authenc_encrypt(struct aead_request *req)
  157. {
  158. struct crypto_aead *authenc = crypto_aead_reqtfm(req);
  159. struct aead_instance *inst = aead_alg_instance(authenc);
  160. struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
  161. struct authenc_instance_ctx *ictx = aead_instance_ctx(inst);
  162. struct authenc_request_ctx *areq_ctx = aead_request_ctx(req);
  163. struct crypto_skcipher *enc = ctx->enc;
  164. unsigned int cryptlen = req->cryptlen;
  165. struct skcipher_request *skreq = (void *)(areq_ctx->tail +
  166. ictx->reqoff);
  167. struct scatterlist *src, *dst;
  168. int err;
  169. src = scatterwalk_ffwd(areq_ctx->src, req->src, req->assoclen);
  170. dst = src;
  171. if (req->src != req->dst) {
  172. memcpy_sglist(req->dst, req->src, req->assoclen);
  173. dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, req->assoclen);
  174. }
  175. skcipher_request_set_tfm(skreq, enc);
  176. skcipher_request_set_callback(skreq, aead_request_flags(req),
  177. crypto_authenc_encrypt_done, req);
  178. skcipher_request_set_crypt(skreq, src, dst, cryptlen, req->iv);
  179. err = crypto_skcipher_encrypt(skreq);
  180. if (err)
  181. return err;
  182. return crypto_authenc_genicv(req, 0);
  183. }
  184. static void authenc_decrypt_tail_done(void *data, int err)
  185. {
  186. struct aead_request *req = data;
  187. authenc_request_complete(req, err);
  188. }
  189. static int crypto_authenc_decrypt_tail(struct aead_request *req,
  190. unsigned int mask)
  191. {
  192. struct crypto_aead *authenc = crypto_aead_reqtfm(req);
  193. struct aead_instance *inst = aead_alg_instance(authenc);
  194. struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
  195. struct authenc_instance_ctx *ictx = aead_instance_ctx(inst);
  196. struct authenc_request_ctx *areq_ctx = aead_request_ctx(req);
  197. struct ahash_request *ahreq = (void *)(areq_ctx->tail + ictx->reqoff);
  198. struct skcipher_request *skreq = (void *)(areq_ctx->tail +
  199. ictx->reqoff);
  200. unsigned int authsize = crypto_aead_authsize(authenc);
  201. unsigned int flags = aead_request_flags(req) & ~mask;
  202. u8 *ihash = ahreq->result + authsize;
  203. struct scatterlist *src, *dst;
  204. scatterwalk_map_and_copy(ihash, req->src, ahreq->nbytes, authsize, 0);
  205. if (crypto_memneq(ihash, ahreq->result, authsize))
  206. return -EBADMSG;
  207. src = scatterwalk_ffwd(areq_ctx->src, req->src, req->assoclen);
  208. dst = src;
  209. if (req->src != req->dst)
  210. dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, req->assoclen);
  211. skcipher_request_set_tfm(skreq, ctx->enc);
  212. skcipher_request_set_callback(skreq, flags,
  213. mask ? authenc_decrypt_tail_done :
  214. req->base.complete,
  215. mask ? req : req->base.data);
  216. skcipher_request_set_crypt(skreq, src, dst,
  217. req->cryptlen - authsize, req->iv);
  218. return crypto_skcipher_decrypt(skreq);
  219. }
  220. static void authenc_verify_ahash_done(void *data, int err)
  221. {
  222. struct aead_request *req = data;
  223. if (err) {
  224. aead_request_complete(req, err);
  225. return;
  226. }
  227. err = crypto_authenc_decrypt_tail(req, CRYPTO_TFM_REQ_MAY_SLEEP);
  228. authenc_request_complete(req, err);
  229. }
  230. static int crypto_authenc_decrypt(struct aead_request *req)
  231. {
  232. struct crypto_aead *authenc = crypto_aead_reqtfm(req);
  233. unsigned int authsize = crypto_aead_authsize(authenc);
  234. struct aead_instance *inst = aead_alg_instance(authenc);
  235. struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
  236. struct authenc_instance_ctx *ictx = aead_instance_ctx(inst);
  237. struct crypto_ahash *auth = ctx->auth;
  238. struct authenc_request_ctx *areq_ctx = aead_request_ctx(req);
  239. struct ahash_request *ahreq = (void *)(areq_ctx->tail + ictx->reqoff);
  240. u8 *hash = areq_ctx->tail;
  241. int err;
  242. ahash_request_set_tfm(ahreq, auth);
  243. ahash_request_set_crypt(ahreq, req->src, hash,
  244. req->assoclen + req->cryptlen - authsize);
  245. ahash_request_set_callback(ahreq, aead_request_flags(req),
  246. authenc_verify_ahash_done, req);
  247. err = crypto_ahash_digest(ahreq);
  248. if (err)
  249. return err;
  250. return crypto_authenc_decrypt_tail(req, 0);
  251. }
  252. static int crypto_authenc_init_tfm(struct crypto_aead *tfm)
  253. {
  254. struct aead_instance *inst = aead_alg_instance(tfm);
  255. struct authenc_instance_ctx *ictx = aead_instance_ctx(inst);
  256. struct crypto_authenc_ctx *ctx = crypto_aead_ctx(tfm);
  257. struct crypto_ahash *auth;
  258. struct crypto_skcipher *enc;
  259. int err;
  260. auth = crypto_spawn_ahash(&ictx->auth);
  261. if (IS_ERR(auth))
  262. return PTR_ERR(auth);
  263. enc = crypto_spawn_skcipher(&ictx->enc);
  264. err = PTR_ERR(enc);
  265. if (IS_ERR(enc))
  266. goto err_free_ahash;
  267. ctx->auth = auth;
  268. ctx->enc = enc;
  269. crypto_aead_set_reqsize(
  270. tfm,
  271. sizeof(struct authenc_request_ctx) +
  272. ictx->reqoff +
  273. max_t(unsigned int,
  274. crypto_ahash_reqsize(auth) +
  275. sizeof(struct ahash_request),
  276. sizeof(struct skcipher_request) +
  277. crypto_skcipher_reqsize(enc)));
  278. return 0;
  279. err_free_ahash:
  280. crypto_free_ahash(auth);
  281. return err;
  282. }
  283. static void crypto_authenc_exit_tfm(struct crypto_aead *tfm)
  284. {
  285. struct crypto_authenc_ctx *ctx = crypto_aead_ctx(tfm);
  286. crypto_free_ahash(ctx->auth);
  287. crypto_free_skcipher(ctx->enc);
  288. }
  289. static void crypto_authenc_free(struct aead_instance *inst)
  290. {
  291. struct authenc_instance_ctx *ctx = aead_instance_ctx(inst);
  292. crypto_drop_skcipher(&ctx->enc);
  293. crypto_drop_ahash(&ctx->auth);
  294. kfree(inst);
  295. }
  296. static int crypto_authenc_create(struct crypto_template *tmpl,
  297. struct rtattr **tb)
  298. {
  299. u32 mask;
  300. struct aead_instance *inst;
  301. struct authenc_instance_ctx *ctx;
  302. struct skcipher_alg_common *enc;
  303. struct hash_alg_common *auth;
  304. struct crypto_alg *auth_base;
  305. int err;
  306. err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AEAD, &mask);
  307. if (err)
  308. return err;
  309. inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
  310. if (!inst)
  311. return -ENOMEM;
  312. ctx = aead_instance_ctx(inst);
  313. err = crypto_grab_ahash(&ctx->auth, aead_crypto_instance(inst),
  314. crypto_attr_alg_name(tb[1]), 0, mask);
  315. if (err)
  316. goto err_free_inst;
  317. auth = crypto_spawn_ahash_alg(&ctx->auth);
  318. auth_base = &auth->base;
  319. err = crypto_grab_skcipher(&ctx->enc, aead_crypto_instance(inst),
  320. crypto_attr_alg_name(tb[2]), 0, mask);
  321. if (err)
  322. goto err_free_inst;
  323. enc = crypto_spawn_skcipher_alg_common(&ctx->enc);
  324. ctx->reqoff = 2 * auth->digestsize;
  325. err = -ENAMETOOLONG;
  326. if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
  327. "authenc(%s,%s)", auth_base->cra_name,
  328. enc->base.cra_name) >=
  329. CRYPTO_MAX_ALG_NAME)
  330. goto err_free_inst;
  331. if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
  332. "authenc(%s,%s)", auth_base->cra_driver_name,
  333. enc->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
  334. goto err_free_inst;
  335. inst->alg.base.cra_priority = enc->base.cra_priority * 10 +
  336. auth_base->cra_priority;
  337. inst->alg.base.cra_blocksize = enc->base.cra_blocksize;
  338. inst->alg.base.cra_alignmask = enc->base.cra_alignmask;
  339. inst->alg.base.cra_ctxsize = sizeof(struct crypto_authenc_ctx);
  340. inst->alg.ivsize = enc->ivsize;
  341. inst->alg.chunksize = enc->chunksize;
  342. inst->alg.maxauthsize = auth->digestsize;
  343. inst->alg.init = crypto_authenc_init_tfm;
  344. inst->alg.exit = crypto_authenc_exit_tfm;
  345. inst->alg.setkey = crypto_authenc_setkey;
  346. inst->alg.encrypt = crypto_authenc_encrypt;
  347. inst->alg.decrypt = crypto_authenc_decrypt;
  348. inst->free = crypto_authenc_free;
  349. err = aead_register_instance(tmpl, inst);
  350. if (err) {
  351. err_free_inst:
  352. crypto_authenc_free(inst);
  353. }
  354. return err;
  355. }
  356. static struct crypto_template crypto_authenc_tmpl = {
  357. .name = "authenc",
  358. .create = crypto_authenc_create,
  359. .module = THIS_MODULE,
  360. };
  361. static int __init crypto_authenc_module_init(void)
  362. {
  363. return crypto_register_template(&crypto_authenc_tmpl);
  364. }
  365. static void __exit crypto_authenc_module_exit(void)
  366. {
  367. crypto_unregister_template(&crypto_authenc_tmpl);
  368. }
  369. module_init(crypto_authenc_module_init);
  370. module_exit(crypto_authenc_module_exit);
  371. MODULE_LICENSE("GPL");
  372. MODULE_DESCRIPTION("Simple AEAD wrapper for IPsec");
  373. MODULE_ALIAS_CRYPTO("authenc");