authencesn.c 13 KB

  1. // SPDX-License-Identifier: GPL-2.0-or-later
  2. /*
  3. * authencesn.c - AEAD wrapper for IPsec with extended sequence numbers,
  4. * derived from authenc.c
  5. *
  6. * Copyright (C) 2010 secunet Security Networks AG
  7. * Copyright (C) 2010 Steffen Klassert <steffen.klassert@secunet.com>
  8. * Copyright (c) 2015 Herbert Xu <herbert@gondor.apana.org.au>
  9. */
  10. #include <crypto/internal/aead.h>
  11. #include <crypto/internal/hash.h>
  12. #include <crypto/internal/skcipher.h>
  13. #include <crypto/authenc.h>
  14. #include <crypto/scatterwalk.h>
  15. #include <linux/err.h>
  16. #include <linux/init.h>
  17. #include <linux/kernel.h>
  18. #include <linux/module.h>
  19. #include <linux/rtnetlink.h>
  20. #include <linux/slab.h>
  21. #include <linux/spinlock.h>
  /*
   * Per-instance context of the "authencesn" template: the spawns of the two
   * underlying algorithms. They are grabbed in crypto_authenc_esn_create(),
   * instantiated in crypto_authenc_esn_init_tfm() and dropped in
   * crypto_authenc_esn_free().
   */
  struct authenc_esn_instance_ctx {
      struct crypto_ahash_spawn auth;     /* hash used to compute the ICV */
      struct crypto_skcipher_spawn enc;   /* cipher used for the payload */
  };
  /*
   * Per-transform context, filled in by crypto_authenc_esn_init_tfm().
   */
  struct crypto_authenc_esn_ctx {
      /*
       * Offset into authenc_esn_request_ctx.tail at which the hash or cipher
       * sub-request starts; set to twice the hash digest size.
       */
      unsigned int reqoff;
      struct crypto_ahash *auth;      /* hash transform instance */
      struct crypto_skcipher *enc;    /* cipher transform instance */
  };
  /*
   * Per-request scratch state.
   *
   * tail layout as used in this file: the computed digest sits at tail[0],
   * the ICV read from the input (decrypt only) at tail + digestsize, and the
   * ahash or skcipher sub-request at tail + reqoff. Both sub-request types use
   * the same address, so only one of them is live at a time.
   */
  struct authenc_esn_request_ctx {
      struct scatterlist src[2];  /* scratch list handed to scatterwalk_ffwd() for the source */
      struct scatterlist dst[2];  /* scratch list handed to scatterwalk_ffwd() for the destination */
      char tail[];                /* digests followed by the sub-request, see above */
  };
  /*
   * Report completion of the AEAD request to its owner, except when err is
   * -EINPROGRESS: in that case nothing is signalled from here.
   */
  static void authenc_esn_request_complete(struct aead_request *req, int err)
  {
      if (err == -EINPROGRESS)
          return;

      aead_request_complete(req, err);
  }
  /*
   * Validate a requested ICV length.
   *
   * Accepts 0 and any value of 4 or more; lengths 1..3 yield -EINVAL. No upper
   * bound is checked here (maxauthsize is set in crypto_authenc_esn_create();
   * presumably the AEAD core enforces it - confirm).
   *
   * NOTE(review): the ICV generation and verification paths in this file park
   * a 4-byte word at offset assoclen + cryptlen, i.e. where the ICV goes,
   * which is presumably why non-zero tags shorter than 4 bytes are refused.
   */
  static int crypto_authenc_esn_setauthsize(struct crypto_aead *authenc_esn,
                                            unsigned int authsize)
  {
      if (authsize == 0 || authsize >= 4)
          return 0;

      return -EINVAL;
  }
  /*
   * Split the combined key blob into its authentication and encryption parts
   * and program each into the matching sub-transform.
   *
   * Returns -EINVAL when crypto_authenc_extractkeys() rejects the blob,
   * otherwise the first non-zero result of the hash or cipher setkey call,
   * or 0. The parsed key descriptor is wiped on every path before returning.
   */
  static int crypto_authenc_esn_setkey(struct crypto_aead *authenc_esn, const u8 *key,
                                       unsigned int keylen)
  {
      struct crypto_authenc_esn_ctx *tfm_ctx = crypto_aead_ctx(authenc_esn);
      struct crypto_ahash *hash_tfm = tfm_ctx->auth;
      struct crypto_skcipher *cipher_tfm = tfm_ctx->enc;
      struct crypto_authenc_keys parsed;
      int ret;

      ret = crypto_authenc_extractkeys(&parsed, key, keylen) != 0 ? -EINVAL : 0;

      if (!ret) {
          /* Mirror the AEAD's request flags onto the hash before keying it. */
          crypto_ahash_clear_flags(hash_tfm, CRYPTO_TFM_REQ_MASK);
          crypto_ahash_set_flags(hash_tfm,
                                 crypto_aead_get_flags(authenc_esn) &
                                 CRYPTO_TFM_REQ_MASK);
          ret = crypto_ahash_setkey(hash_tfm, parsed.authkey,
                                    parsed.authkeylen);
      }

      if (!ret) {
          /* Same for the cipher. */
          crypto_skcipher_clear_flags(cipher_tfm, CRYPTO_TFM_REQ_MASK);
          crypto_skcipher_set_flags(cipher_tfm,
                                    crypto_aead_get_flags(authenc_esn) &
                                    CRYPTO_TFM_REQ_MASK);
          ret = crypto_skcipher_setkey(cipher_tfm, parsed.enckey,
                                       parsed.enckeylen);
      }

      /* Do not leave key pointers and lengths behind on the stack. */
      memzero_explicit(&parsed, sizeof(parsed));
      return ret;
  }
  /*
   * Finish ICV generation once the digest is available in the request tail:
   * undo the header rearrangement done by crypto_authenc_esn_genicv() and
   * store the ICV after the ciphertext.
   *
   * flags is not used. Always returns 0.
   */
  static int crypto_authenc_esn_genicv_tail(struct aead_request *req,
                                            unsigned int flags)
  {
      struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
      struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
      /* Digest computed by the hash sub-request. */
      u8 *hash = areq_ctx->tail;
      unsigned int authsize = crypto_aead_authsize(authenc_esn);
      unsigned int assoclen = req->assoclen;
      unsigned int cryptlen = req->cryptlen;
      struct scatterlist *dst = req->dst;
      u32 tmp[2];
      /*
       * Move high-order bits of sequence number back: fetch the word kept at
       * offset 4 and the word parked after the ciphertext, then rewrite the
       * first 8 bytes of dst in their original order.
       */
      scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
      scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
      scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);
      /* The ICV replaces the parked word; authsize bytes of the digest are emitted. */
      scatterwalk_map_and_copy(hash, dst, assoclen + cryptlen, authsize, 1);
      return 0;
  }
  /*
   * Completion callback of the ICV hash on the encrypt side. On success the
   * tail step runs; the resulting status is passed to the AEAD completion
   * directly, without the -EINPROGRESS filter used by the other callbacks.
   */
  static void authenc_esn_geniv_ahash_done(void *data, int err)
  {
      struct aead_request *aead_req = data;

      if (!err)
          err = crypto_authenc_esn_genicv_tail(aead_req, 0);

      aead_request_complete(aead_req, err);
  }
  /*
   * Compute the ICV over the output buffer after rearranging its first bytes
   * for extended sequence numbers.
   *
   * Returns 0 at once when authsize is 0. Otherwise returns the
   * crypto_ahash_digest() status if it is non-zero, else the result of
   * crypto_authenc_esn_genicv_tail().
   *
   * The hashed range starts at offset 4 and is assoclen + cryptlen bytes long,
   * so dst is read and written up to offset assoclen + cryptlen + 4.
   */
  static int crypto_authenc_esn_genicv(struct aead_request *req,
                                       unsigned int flags)
  {
      struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
      struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
      struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
      struct crypto_ahash *auth = ctx->auth;
      /* The digest is written to the start of the request tail. */
      u8 *hash = areq_ctx->tail;
      /* The hash sub-request lives reqoff bytes into the tail. */
      struct ahash_request *ahreq = (void *)(areq_ctx->tail + ctx->reqoff);
      unsigned int authsize = crypto_aead_authsize(authenc_esn);
      unsigned int assoclen = req->assoclen;
      unsigned int cryptlen = req->cryptlen;
      struct scatterlist *dst = req->dst;
      u32 tmp[2];
      /* No ICV requested: nothing to hash or rearrange. */
      if (!authsize)
          return 0;
      /*
       * Move high-order bits of sequence number to the end: the first word of
       * dst is copied to offset 4 and the second word is parked right after
       * the ciphertext, in the space the ICV will occupy.
       */
      scatterwalk_map_and_copy(tmp, dst, 0, 8, 0);
      scatterwalk_map_and_copy(tmp, dst, 4, 4, 1);
      scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 1);
      /* Hash from offset 4 so the stale first word is skipped. */
      sg_init_table(areq_ctx->dst, 2);
      dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);
      ahash_request_set_tfm(ahreq, auth);
      ahash_request_set_crypt(ahreq, dst, hash, assoclen + cryptlen);
      ahash_request_set_callback(ahreq, flags,
                                 authenc_esn_geniv_ahash_done, req);
      /* A non-zero digest status is returned as is; the callback then owns the tail step. */
      return crypto_ahash_digest(ahreq) ?:
             crypto_authenc_esn_genicv_tail(req, aead_request_flags(req));
  }
  /*
   * Completion callback of the cipher sub-request on the encrypt side: a
   * successful encryption is followed by ICV generation, and the final status
   * goes through authenc_esn_request_complete().
   */
  static void crypto_authenc_esn_encrypt_done(void *data, int err)
  {
      struct aead_request *aead_req = data;

      err = err ?: crypto_authenc_esn_genicv(aead_req, 0);
      authenc_esn_request_complete(aead_req, err);
  }
  /*
   * AEAD encrypt entry point: encrypt the payload that follows the associated
   * data, then generate the ICV.
   *
   * Returns -EINVAL when fewer than 8 bytes of associated data are supplied,
   * any non-zero status of the cipher, or else the result of
   * crypto_authenc_esn_genicv().
   */
  static int crypto_authenc_esn_encrypt(struct aead_request *req)
  {
      struct crypto_aead *tfm = crypto_aead_reqtfm(req);
      struct authenc_esn_request_ctx *rctx = aead_request_ctx(req);
      struct crypto_authenc_esn_ctx *tctx = crypto_aead_ctx(tfm);
      /* Cipher sub-request, placed reqoff bytes into the request tail. */
      struct skcipher_request *cipher_req = (void *)(rctx->tail + tctx->reqoff);
      struct crypto_skcipher *cipher = tctx->enc;
      unsigned int aad_len = req->assoclen;
      unsigned int payload_len = req->cryptlen;
      struct scatterlist *in, *out;
      int ret;

      /* The ICV step reads and rewrites the first 8 bytes of the AAD. */
      if (aad_len < 8)
          return -EINVAL;

      sg_init_table(rctx->src, 2);
      in = scatterwalk_ffwd(rctx->src, req->src, aad_len);

      if (req->src == req->dst) {
          /* In place: the cipher reads and writes the same list. */
          out = in;
      } else {
          /* Out of place: carry the AAD over, then point past it in dst. */
          memcpy_sglist(req->dst, req->src, aad_len);
          sg_init_table(rctx->dst, 2);
          out = scatterwalk_ffwd(rctx->dst, req->dst, aad_len);
      }

      skcipher_request_set_tfm(cipher_req, cipher);
      skcipher_request_set_callback(cipher_req, aead_request_flags(req),
                                    crypto_authenc_esn_encrypt_done, req);
      skcipher_request_set_crypt(cipher_req, in, out, payload_len, req->iv);

      ret = crypto_skcipher_encrypt(cipher_req);
      if (ret)
          return ret;

      return crypto_authenc_esn_genicv(req, aead_request_flags(req));
  }
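  /*
   * Second half of decryption, run once the digest over the rearranged input
   * is available: restore the associated data in dst, compare the computed
   * digest with the ICV taken from the input, and only then start the cipher.
   *
   * flags is installed as the callback flags of the cipher sub-request, whose
   * completion is routed straight to the AEAD request's own callback.
   *
   * Returns -EBADMSG when the ICV does not match, otherwise the status of
   * crypto_skcipher_decrypt(). With authsize 0 the comparison is skipped.
   */
  static int crypto_authenc_esn_decrypt_tail(struct aead_request *req,
                                             unsigned int flags)
  {
      struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
      unsigned int authsize = crypto_aead_authsize(authenc_esn);
      struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
      struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
      /* Reuses the tail slot that held the hash sub-request. */
      struct skcipher_request *skreq = (void *)(areq_ctx->tail +
                                                ctx->reqoff);
      struct crypto_ahash *auth = ctx->auth;
      /* Digest computed over the input. */
      u8 *ohash = areq_ctx->tail;
      /*
       * NOTE(review): unsigned subtraction; assumes req->cryptlen >= authsize
       * was enforced before this point - confirm against the AEAD entry path.
       */
      unsigned int cryptlen = req->cryptlen - authsize;
      unsigned int assoclen = req->assoclen;
      struct scatterlist *src = req->src;
      struct scatterlist *dst = req->dst;
      /* ICV copied from the input by crypto_authenc_esn_decrypt(). */
      u8 *ihash = ohash + crypto_ahash_digestsize(auth);
      u32 tmp[2];

      if (!authsize)
          goto decrypt;

      if (src == dst) {
          /*
           * Move high-order bits of sequence number back. The 4 bytes at
           * assoclen + cryptlen are only read here; the ICV that originally
           * sat there was saved to ihash before it was overwritten.
           */
          scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
          scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
          scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);
      } else
          /* Out of place: src was never modified, so take the AAD from it. */
          memcpy_sglist(dst, src, assoclen);

      /* crypto_memneq() rather than memcmp() for the tag comparison. */
      if (crypto_memneq(ihash, ohash, authsize))
          return -EBADMSG;

  decrypt:
      if (src != dst)
          src = scatterwalk_ffwd(areq_ctx->src, src, assoclen);
      dst = scatterwalk_ffwd(areq_ctx->dst, dst, assoclen);
      /*
       * In place, the source must start at the ciphertext as well. Without
       * this, src would still point at offset 0 (the associated data) while
       * dst has been advanced by assoclen, so the cipher would read the wrong
       * bytes. This matches what crypto_authenc_esn_encrypt() does for
       * in-place requests.
       */
      if (req->src == req->dst)
          src = dst;

      skcipher_request_set_tfm(skreq, ctx->enc);
      skcipher_request_set_callback(skreq, flags,
                                    req->base.complete, req->base.data);
      skcipher_request_set_crypt(skreq, src, dst, cryptlen, req->iv);
      return crypto_skcipher_decrypt(skreq);
  }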
  /*
   * Completion callback of the verification hash on the decrypt side: on
   * success continue with the ICV check and decryption, then report the
   * status through authenc_esn_request_complete().
   */
  static void authenc_esn_verify_ahash_done(void *data, int err)
  {
      struct aead_request *aead_req = data;

      if (!err)
          err = crypto_authenc_esn_decrypt_tail(aead_req, 0);

      authenc_esn_request_complete(aead_req, err);
  }
  /*
   * AEAD decrypt entry point: save the ICV from the input, rearrange the
   * header for extended sequence numbers, hash the result and hand over to
   * crypto_authenc_esn_decrypt_tail() for the comparison and decryption.
   *
   * Returns -EINVAL when fewer than 8 bytes of associated data are supplied,
   * any non-zero status of crypto_ahash_digest(), or else the tail's result.
   * With authsize 0 the hashing is skipped entirely.
   */
  static int crypto_authenc_esn_decrypt(struct aead_request *req)
  {
      struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
      struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
      struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
      /* Hash sub-request, placed reqoff bytes into the request tail. */
      struct ahash_request *ahreq = (void *)(areq_ctx->tail + ctx->reqoff);
      unsigned int authsize = crypto_aead_authsize(authenc_esn);
      struct crypto_ahash *auth = ctx->auth;
      /* Computed digest goes to the start of the tail ... */
      u8 *ohash = areq_ctx->tail;
      unsigned int assoclen = req->assoclen;
      unsigned int cryptlen = req->cryptlen;
      /* ... and the ICV read from the input one digest size further on. */
      u8 *ihash = ohash + crypto_ahash_digestsize(auth);
      struct scatterlist *src = req->src;
      struct scatterlist *dst = req->dst;
      u32 tmp[2];
      int err;
      /* The first 8 bytes of the AAD are read and rearranged below. */
      if (assoclen < 8)
          return -EINVAL;
      if (!authsize)
          goto tail;
      /*
       * NOTE(review): unsigned subtraction; assumes req->cryptlen >= authsize
       * was enforced before this function is reached - confirm.
       */
      cryptlen -= authsize;
      /* Save the received ICV before its location may be overwritten. */
      scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
                               authsize, 0);
      /* Move high-order bits of sequence number to the end. */
      scatterwalk_map_and_copy(tmp, src, 0, 8, 0);
      if (src == dst) {
          /*
           * In place: the first word goes to offset 4 and the second word is
           * parked at assoclen + cryptlen, over the first 4 bytes of the ICV.
           * The hash then starts at offset 4.
           */
          scatterwalk_map_and_copy(tmp, dst, 4, 4, 1);
          scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 1);
          dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);
      } else {
          /*
           * Out of place: build the hash input in dst without touching src.
           * First word at offset 0, the bytes of src from offset 8 onward
           * copied to offset 4, second word in the last 4 bytes. Nothing is
           * written at or beyond assoclen + cryptlen in dst.
           */
          scatterwalk_map_and_copy(tmp, dst, 0, 4, 1);
          scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen - 4, 4, 1);
          src = scatterwalk_ffwd(areq_ctx->src, src, 8);
          dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);
          memcpy_sglist(dst, src, assoclen + cryptlen - 8);
          /* Hash from the very start of dst in this case. */
          dst = req->dst;
      }
      ahash_request_set_tfm(ahreq, auth);
      ahash_request_set_crypt(ahreq, dst, ohash, assoclen + cryptlen);
      ahash_request_set_callback(ahreq, aead_request_flags(req),
                                 authenc_esn_verify_ahash_done, req);
      err = crypto_ahash_digest(ahreq);
      /* A non-zero status is returned as is; the callback then runs the tail. */
      if (err)
          return err;
  tail:
      return crypto_authenc_esn_decrypt_tail(req, aead_request_flags(req));
  }
  /*
   * Transform constructor: instantiate the hash and the cipher from the
   * instance spawns, record them in the transform context and size the
   * per-request context.
   *
   * Returns 0 on success or the error encoded in whichever spawn call failed;
   * a hash that was already created is released if the cipher cannot be.
   */
  static int crypto_authenc_esn_init_tfm(struct crypto_aead *tfm)
  {
      struct aead_instance *instance = aead_alg_instance(tfm);
      struct authenc_esn_instance_ctx *spawns = aead_instance_ctx(instance);
      struct crypto_authenc_esn_ctx *tctx = crypto_aead_ctx(tfm);
      struct crypto_skcipher *cipher;
      struct crypto_ahash *hash;
      unsigned int hash_req_len;
      unsigned int cipher_req_len;

      hash = crypto_spawn_ahash(&spawns->auth);
      if (IS_ERR(hash))
          return PTR_ERR(hash);

      cipher = crypto_spawn_skcipher(&spawns->enc);
      if (IS_ERR(cipher)) {
          int err = PTR_ERR(cipher);

          crypto_free_ahash(hash);
          return err;
      }

      tctx->auth = hash;
      tctx->enc = cipher;
      /* Room for two digests ahead of the sub-request in the tail. */
      tctx->reqoff = 2 * crypto_ahash_digestsize(hash);

      /* The hash and cipher sub-requests share one slot: reserve the larger. */
      hash_req_len = crypto_ahash_reqsize(hash) + sizeof(struct ahash_request);
      cipher_req_len = sizeof(struct skcipher_request) +
                       crypto_skcipher_reqsize(cipher);

      crypto_aead_set_reqsize(tfm,
                              sizeof(struct authenc_esn_request_ctx) +
                              tctx->reqoff +
                              max_t(unsigned int, hash_req_len, cipher_req_len));
      return 0;
  }
  /*
   * Transform destructor: release the hash and cipher instances created by
   * crypto_authenc_esn_init_tfm().
   */
  static void crypto_authenc_esn_exit_tfm(struct crypto_aead *tfm)
  {
      struct crypto_authenc_esn_ctx *tctx = crypto_aead_ctx(tfm);

      crypto_free_ahash(tctx->auth);
      crypto_free_skcipher(tctx->enc);
  }
  /*
   * Instance destructor: drop both algorithm spawns, then free the instance
   * memory allocated in crypto_authenc_esn_create().
   */
  static void crypto_authenc_esn_free(struct aead_instance *inst)
  {
      struct authenc_esn_instance_ctx *spawns = aead_instance_ctx(inst);

      crypto_drop_skcipher(&spawns->enc);
      crypto_drop_ahash(&spawns->auth);

      kfree(inst);
  }
  /*
   * Template ->create handler: build and register an
   * "authencesn(<hash>,<cipher>)" AEAD instance from the algorithm names in
   * tb[1] (hash) and tb[2] (cipher).
   *
   * Returns 0 on success. On failure the instance is released through
   * crypto_authenc_esn_free() and the error is returned: the attribute check
   * or grab status, -ENOMEM, -ENAMETOOLONG when a composed name does not fit
   * in CRYPTO_MAX_ALG_NAME, or the registration status.
   */
  static int crypto_authenc_esn_create(struct crypto_template *tmpl,
                                       struct rtattr **tb)
  {
      struct authenc_esn_instance_ctx *spawns;
      struct skcipher_alg_common *cipher_alg;
      struct hash_alg_common *hash_alg;
      struct crypto_alg *hash_base;
      struct aead_instance *inst;
      u32 mask;
      int written;
      int err;

      err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AEAD, &mask);
      if (err)
          return err;

      /* The instance context is allocated directly behind the instance. */
      inst = kzalloc(sizeof(*inst) + sizeof(*spawns), GFP_KERNEL);
      if (!inst)
          return -ENOMEM;
      spawns = aead_instance_ctx(inst);

      err = crypto_grab_ahash(&spawns->auth, aead_crypto_instance(inst),
                              crypto_attr_alg_name(tb[1]), 0, mask);
      if (err)
          goto err_free_inst;
      hash_alg = crypto_spawn_ahash_alg(&spawns->auth);
      hash_base = &hash_alg->base;

      err = crypto_grab_skcipher(&spawns->enc, aead_crypto_instance(inst),
                                 crypto_attr_alg_name(tb[2]), 0, mask);
      if (err)
          goto err_free_inst;
      cipher_alg = crypto_spawn_skcipher_alg_common(&spawns->enc);

      /* Both name checks below fail with the same error code. */
      err = -ENAMETOOLONG;

      written = snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
                         "authencesn(%s,%s)", hash_base->cra_name,
                         cipher_alg->base.cra_name);
      if (written >= CRYPTO_MAX_ALG_NAME)
          goto err_free_inst;

      written = snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
                         "authencesn(%s,%s)", hash_base->cra_driver_name,
                         cipher_alg->base.cra_driver_name);
      if (written >= CRYPTO_MAX_ALG_NAME)
          goto err_free_inst;

      /* Properties derived from the two underlying algorithms. */
      inst->alg.base.cra_priority = cipher_alg->base.cra_priority * 10 +
                                    hash_base->cra_priority;
      inst->alg.base.cra_blocksize = cipher_alg->base.cra_blocksize;
      inst->alg.base.cra_alignmask = cipher_alg->base.cra_alignmask;
      inst->alg.base.cra_ctxsize = sizeof(struct crypto_authenc_esn_ctx);

      inst->alg.ivsize = cipher_alg->ivsize;
      inst->alg.chunksize = cipher_alg->chunksize;
      inst->alg.maxauthsize = hash_alg->digestsize;

      /* Operations implemented in this file. */
      inst->alg.init = crypto_authenc_esn_init_tfm;
      inst->alg.exit = crypto_authenc_esn_exit_tfm;
      inst->alg.setkey = crypto_authenc_esn_setkey;
      inst->alg.setauthsize = crypto_authenc_esn_setauthsize;
      inst->alg.encrypt = crypto_authenc_esn_encrypt;
      inst->alg.decrypt = crypto_authenc_esn_decrypt;

      inst->free = crypto_authenc_esn_free;

      err = aead_register_instance(tmpl, inst);
      if (!err)
          return 0;

  err_free_inst:
      crypto_authenc_esn_free(inst);
      return err;
  }
  /*
   * Template descriptor registered at module load; instances are built on
   * demand by crypto_authenc_esn_create().
   */
  static struct crypto_template crypto_authenc_esn_tmpl = {
      .name = "authencesn",
      .create = crypto_authenc_esn_create,
      .module = THIS_MODULE,
  };
  /* Module entry point: register the "authencesn" template. */
  static int __init crypto_authenc_esn_module_init(void)
  {
      int err = crypto_register_template(&crypto_authenc_esn_tmpl);

      return err;
  }
  /* Module exit point: unregister the "authencesn" template. */
  static void __exit crypto_authenc_esn_module_exit(void)
  {
      struct crypto_template *tmpl = &crypto_authenc_esn_tmpl;

      crypto_unregister_template(tmpl);
  }
  /* Hook the init and exit functions into module load and unload. */
  module_init(crypto_authenc_esn_module_init);
  module_exit(crypto_authenc_esn_module_exit);
  /* Module metadata; the crypto alias names the "authencesn" template. */
  MODULE_LICENSE("GPL");
  MODULE_AUTHOR("Steffen Klassert <steffen.klassert@secunet.com>");
  MODULE_DESCRIPTION("AEAD wrapper for IPsec with extended sequence numbers");
  MODULE_ALIAS_CRYPTO("authencesn");