• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Authenc: Simple AEAD wrapper for IPsec
3  *
4  * Copyright (c) 2007 Herbert Xu <herbert@gondor.apana.org.au>
5  *
6  * This program is free software; you can redistribute it and/or modify it
7  * under the terms of the GNU General Public License as published by the Free
8  * Software Foundation; either version 2 of the License, or (at your option)
9  * any later version.
10  *
11  */
12 
13 #include <crypto/aead.h>
14 #include <crypto/internal/hash.h>
15 #include <crypto/internal/skcipher.h>
16 #include <crypto/authenc.h>
17 #include <crypto/scatterwalk.h>
18 #include <linux/err.h>
19 #include <linux/init.h>
20 #include <linux/kernel.h>
21 #include <linux/module.h>
22 #include <linux/rtnetlink.h>
23 #include <linux/slab.h>
24 #include <linux/spinlock.h>
25 
26 struct authenc_instance_ctx {
27 	struct crypto_spawn auth;
28 	struct crypto_skcipher_spawn enc;
29 };
30 
31 struct crypto_authenc_ctx {
32 	spinlock_t auth_lock;
33 	struct crypto_hash *auth;
34 	struct crypto_ablkcipher *enc;
35 };
36 
crypto_authenc_setkey(struct crypto_aead * authenc,const u8 * key,unsigned int keylen)37 static int crypto_authenc_setkey(struct crypto_aead *authenc, const u8 *key,
38 				 unsigned int keylen)
39 {
40 	unsigned int authkeylen;
41 	unsigned int enckeylen;
42 	struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
43 	struct crypto_hash *auth = ctx->auth;
44 	struct crypto_ablkcipher *enc = ctx->enc;
45 	struct rtattr *rta = (void *)key;
46 	struct crypto_authenc_key_param *param;
47 	int err = -EINVAL;
48 
49 	if (!RTA_OK(rta, keylen))
50 		goto badkey;
51 	if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM)
52 		goto badkey;
53 	if (RTA_PAYLOAD(rta) < sizeof(*param))
54 		goto badkey;
55 
56 	param = RTA_DATA(rta);
57 	enckeylen = be32_to_cpu(param->enckeylen);
58 
59 	key += RTA_ALIGN(rta->rta_len);
60 	keylen -= RTA_ALIGN(rta->rta_len);
61 
62 	if (keylen < enckeylen)
63 		goto badkey;
64 
65 	authkeylen = keylen - enckeylen;
66 
67 	crypto_hash_clear_flags(auth, CRYPTO_TFM_REQ_MASK);
68 	crypto_hash_set_flags(auth, crypto_aead_get_flags(authenc) &
69 				    CRYPTO_TFM_REQ_MASK);
70 	err = crypto_hash_setkey(auth, key, authkeylen);
71 	crypto_aead_set_flags(authenc, crypto_hash_get_flags(auth) &
72 				       CRYPTO_TFM_RES_MASK);
73 
74 	if (err)
75 		goto out;
76 
77 	crypto_ablkcipher_clear_flags(enc, CRYPTO_TFM_REQ_MASK);
78 	crypto_ablkcipher_set_flags(enc, crypto_aead_get_flags(authenc) &
79 					 CRYPTO_TFM_REQ_MASK);
80 	err = crypto_ablkcipher_setkey(enc, key + authkeylen, enckeylen);
81 	crypto_aead_set_flags(authenc, crypto_ablkcipher_get_flags(enc) &
82 				       CRYPTO_TFM_RES_MASK);
83 
84 out:
85 	return err;
86 
87 badkey:
88 	crypto_aead_set_flags(authenc, CRYPTO_TFM_RES_BAD_KEY_LEN);
89 	goto out;
90 }
91 
authenc_chain(struct scatterlist * head,struct scatterlist * sg,int chain)92 static void authenc_chain(struct scatterlist *head, struct scatterlist *sg,
93 			  int chain)
94 {
95 	if (chain) {
96 		head->length += sg->length;
97 		sg = scatterwalk_sg_next(sg);
98 	}
99 
100 	if (sg)
101 		scatterwalk_sg_chain(head, 2, sg);
102 	else
103 		sg_mark_end(head);
104 }
105 
crypto_authenc_hash(struct aead_request * req,unsigned int flags,struct scatterlist * cipher,unsigned int cryptlen)106 static u8 *crypto_authenc_hash(struct aead_request *req, unsigned int flags,
107 			       struct scatterlist *cipher,
108 			       unsigned int cryptlen)
109 {
110 	struct crypto_aead *authenc = crypto_aead_reqtfm(req);
111 	struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
112 	struct crypto_hash *auth = ctx->auth;
113 	struct hash_desc desc = {
114 		.tfm = auth,
115 		.flags = aead_request_flags(req) & flags,
116 	};
117 	u8 *hash = aead_request_ctx(req);
118 	int err;
119 
120 	hash = (u8 *)ALIGN((unsigned long)hash + crypto_hash_alignmask(auth),
121 			   crypto_hash_alignmask(auth) + 1);
122 
123 	spin_lock_bh(&ctx->auth_lock);
124 	err = crypto_hash_init(&desc);
125 	if (err)
126 		goto auth_unlock;
127 
128 	err = crypto_hash_update(&desc, req->assoc, req->assoclen);
129 	if (err)
130 		goto auth_unlock;
131 
132 	err = crypto_hash_update(&desc, cipher, cryptlen);
133 	if (err)
134 		goto auth_unlock;
135 
136 	err = crypto_hash_final(&desc, hash);
137 auth_unlock:
138 	spin_unlock_bh(&ctx->auth_lock);
139 
140 	if (err)
141 		return ERR_PTR(err);
142 
143 	return hash;
144 }
145 
crypto_authenc_genicv(struct aead_request * req,u8 * iv,unsigned int flags)146 static int crypto_authenc_genicv(struct aead_request *req, u8 *iv,
147 				 unsigned int flags)
148 {
149 	struct crypto_aead *authenc = crypto_aead_reqtfm(req);
150 	struct scatterlist *dst = req->dst;
151 	struct scatterlist cipher[2];
152 	struct page *dstp;
153 	unsigned int ivsize = crypto_aead_ivsize(authenc);
154 	unsigned int cryptlen;
155 	u8 *vdst;
156 	u8 *hash;
157 
158 	dstp = sg_page(dst);
159 	vdst = PageHighMem(dstp) ? NULL : page_address(dstp) + dst->offset;
160 
161 	if (ivsize) {
162 		sg_init_table(cipher, 2);
163 		sg_set_buf(cipher, iv, ivsize);
164 		authenc_chain(cipher, dst, vdst == iv + ivsize);
165 		dst = cipher;
166 	}
167 
168 	cryptlen = req->cryptlen + ivsize;
169 	hash = crypto_authenc_hash(req, flags, dst, cryptlen);
170 	if (IS_ERR(hash))
171 		return PTR_ERR(hash);
172 
173 	scatterwalk_map_and_copy(hash, dst, cryptlen,
174 				 crypto_aead_authsize(authenc), 1);
175 	return 0;
176 }
177 
crypto_authenc_encrypt_done(struct crypto_async_request * req,int err)178 static void crypto_authenc_encrypt_done(struct crypto_async_request *req,
179 					int err)
180 {
181 	struct aead_request *areq = req->data;
182 
183 	if (!err) {
184 		struct crypto_aead *authenc = crypto_aead_reqtfm(areq);
185 		struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
186 		struct ablkcipher_request *abreq = aead_request_ctx(areq);
187 		u8 *iv = (u8 *)(abreq + 1) +
188 			 crypto_ablkcipher_reqsize(ctx->enc);
189 
190 		err = crypto_authenc_genicv(areq, iv, 0);
191 	}
192 
193 	aead_request_complete(areq, err);
194 }
195 
crypto_authenc_encrypt(struct aead_request * req)196 static int crypto_authenc_encrypt(struct aead_request *req)
197 {
198 	struct crypto_aead *authenc = crypto_aead_reqtfm(req);
199 	struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
200 	struct ablkcipher_request *abreq = aead_request_ctx(req);
201 	struct crypto_ablkcipher *enc = ctx->enc;
202 	struct scatterlist *dst = req->dst;
203 	unsigned int cryptlen = req->cryptlen;
204 	u8 *iv = (u8 *)(abreq + 1) + crypto_ablkcipher_reqsize(enc);
205 	int err;
206 
207 	ablkcipher_request_set_tfm(abreq, enc);
208 	ablkcipher_request_set_callback(abreq, aead_request_flags(req),
209 					crypto_authenc_encrypt_done, req);
210 	ablkcipher_request_set_crypt(abreq, req->src, dst, cryptlen, req->iv);
211 
212 	memcpy(iv, req->iv, crypto_aead_ivsize(authenc));
213 
214 	err = crypto_ablkcipher_encrypt(abreq);
215 	if (err)
216 		return err;
217 
218 	return crypto_authenc_genicv(req, iv, CRYPTO_TFM_REQ_MAY_SLEEP);
219 }
220 
crypto_authenc_givencrypt_done(struct crypto_async_request * req,int err)221 static void crypto_authenc_givencrypt_done(struct crypto_async_request *req,
222 					   int err)
223 {
224 	struct aead_request *areq = req->data;
225 
226 	if (!err) {
227 		struct skcipher_givcrypt_request *greq = aead_request_ctx(areq);
228 
229 		err = crypto_authenc_genicv(areq, greq->giv, 0);
230 	}
231 
232 	aead_request_complete(areq, err);
233 }
234 
crypto_authenc_givencrypt(struct aead_givcrypt_request * req)235 static int crypto_authenc_givencrypt(struct aead_givcrypt_request *req)
236 {
237 	struct crypto_aead *authenc = aead_givcrypt_reqtfm(req);
238 	struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
239 	struct aead_request *areq = &req->areq;
240 	struct skcipher_givcrypt_request *greq = aead_request_ctx(areq);
241 	u8 *iv = req->giv;
242 	int err;
243 
244 	skcipher_givcrypt_set_tfm(greq, ctx->enc);
245 	skcipher_givcrypt_set_callback(greq, aead_request_flags(areq),
246 				       crypto_authenc_givencrypt_done, areq);
247 	skcipher_givcrypt_set_crypt(greq, areq->src, areq->dst, areq->cryptlen,
248 				    areq->iv);
249 	skcipher_givcrypt_set_giv(greq, iv, req->seq);
250 
251 	err = crypto_skcipher_givencrypt(greq);
252 	if (err)
253 		return err;
254 
255 	return crypto_authenc_genicv(areq, iv, CRYPTO_TFM_REQ_MAY_SLEEP);
256 }
257 
crypto_authenc_verify(struct aead_request * req,struct scatterlist * cipher,unsigned int cryptlen)258 static int crypto_authenc_verify(struct aead_request *req,
259 				 struct scatterlist *cipher,
260 				 unsigned int cryptlen)
261 {
262 	struct crypto_aead *authenc = crypto_aead_reqtfm(req);
263 	u8 *ohash;
264 	u8 *ihash;
265 	unsigned int authsize;
266 
267 	ohash = crypto_authenc_hash(req, CRYPTO_TFM_REQ_MAY_SLEEP, cipher,
268 				    cryptlen);
269 	if (IS_ERR(ohash))
270 		return PTR_ERR(ohash);
271 
272 	authsize = crypto_aead_authsize(authenc);
273 	ihash = ohash + authsize;
274 	scatterwalk_map_and_copy(ihash, cipher, cryptlen, authsize, 0);
275 	return memcmp(ihash, ohash, authsize) ? -EBADMSG: 0;
276 }
277 
crypto_authenc_iverify(struct aead_request * req,u8 * iv,unsigned int cryptlen)278 static int crypto_authenc_iverify(struct aead_request *req, u8 *iv,
279 				  unsigned int cryptlen)
280 {
281 	struct crypto_aead *authenc = crypto_aead_reqtfm(req);
282 	struct scatterlist *src = req->src;
283 	struct scatterlist cipher[2];
284 	struct page *srcp;
285 	unsigned int ivsize = crypto_aead_ivsize(authenc);
286 	u8 *vsrc;
287 
288 	srcp = sg_page(src);
289 	vsrc = PageHighMem(srcp) ? NULL : page_address(srcp) + src->offset;
290 
291 	if (ivsize) {
292 		sg_init_table(cipher, 2);
293 		sg_set_buf(cipher, iv, ivsize);
294 		authenc_chain(cipher, src, vsrc == iv + ivsize);
295 		src = cipher;
296 	}
297 
298 	return crypto_authenc_verify(req, src, cryptlen + ivsize);
299 }
300 
crypto_authenc_decrypt(struct aead_request * req)301 static int crypto_authenc_decrypt(struct aead_request *req)
302 {
303 	struct crypto_aead *authenc = crypto_aead_reqtfm(req);
304 	struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
305 	struct ablkcipher_request *abreq = aead_request_ctx(req);
306 	unsigned int cryptlen = req->cryptlen;
307 	unsigned int authsize = crypto_aead_authsize(authenc);
308 	u8 *iv = req->iv;
309 	int err;
310 
311 	if (cryptlen < authsize)
312 		return -EINVAL;
313 	cryptlen -= authsize;
314 
315 	err = crypto_authenc_iverify(req, iv, cryptlen);
316 	if (err)
317 		return err;
318 
319 	ablkcipher_request_set_tfm(abreq, ctx->enc);
320 	ablkcipher_request_set_callback(abreq, aead_request_flags(req),
321 					req->base.complete, req->base.data);
322 	ablkcipher_request_set_crypt(abreq, req->src, req->dst, cryptlen, iv);
323 
324 	return crypto_ablkcipher_decrypt(abreq);
325 }
326 
crypto_authenc_init_tfm(struct crypto_tfm * tfm)327 static int crypto_authenc_init_tfm(struct crypto_tfm *tfm)
328 {
329 	struct crypto_instance *inst = (void *)tfm->__crt_alg;
330 	struct authenc_instance_ctx *ictx = crypto_instance_ctx(inst);
331 	struct crypto_authenc_ctx *ctx = crypto_tfm_ctx(tfm);
332 	struct crypto_hash *auth;
333 	struct crypto_ablkcipher *enc;
334 	int err;
335 
336 	auth = crypto_spawn_hash(&ictx->auth);
337 	if (IS_ERR(auth))
338 		return PTR_ERR(auth);
339 
340 	enc = crypto_spawn_skcipher(&ictx->enc);
341 	err = PTR_ERR(enc);
342 	if (IS_ERR(enc))
343 		goto err_free_hash;
344 
345 	ctx->auth = auth;
346 	ctx->enc = enc;
347 	tfm->crt_aead.reqsize = max_t(unsigned int,
348 				      (crypto_hash_alignmask(auth) &
349 				       ~(crypto_tfm_ctx_alignment() - 1)) +
350 				      crypto_hash_digestsize(auth) * 2,
351 				      sizeof(struct skcipher_givcrypt_request) +
352 				      crypto_ablkcipher_reqsize(enc) +
353 				      crypto_ablkcipher_ivsize(enc));
354 
355 	spin_lock_init(&ctx->auth_lock);
356 
357 	return 0;
358 
359 err_free_hash:
360 	crypto_free_hash(auth);
361 	return err;
362 }
363 
crypto_authenc_exit_tfm(struct crypto_tfm * tfm)364 static void crypto_authenc_exit_tfm(struct crypto_tfm *tfm)
365 {
366 	struct crypto_authenc_ctx *ctx = crypto_tfm_ctx(tfm);
367 
368 	crypto_free_hash(ctx->auth);
369 	crypto_free_ablkcipher(ctx->enc);
370 }
371 
crypto_authenc_alloc(struct rtattr ** tb)372 static struct crypto_instance *crypto_authenc_alloc(struct rtattr **tb)
373 {
374 	struct crypto_attr_type *algt;
375 	struct crypto_instance *inst;
376 	struct crypto_alg *auth;
377 	struct crypto_alg *enc;
378 	struct authenc_instance_ctx *ctx;
379 	const char *enc_name;
380 	int err;
381 
382 	algt = crypto_get_attr_type(tb);
383 	err = PTR_ERR(algt);
384 	if (IS_ERR(algt))
385 		return ERR_PTR(err);
386 
387 	if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
388 		return ERR_PTR(-EINVAL);
389 
390 	auth = crypto_attr_alg(tb[1], CRYPTO_ALG_TYPE_HASH,
391 			       CRYPTO_ALG_TYPE_HASH_MASK);
392 	if (IS_ERR(auth))
393 		return ERR_PTR(PTR_ERR(auth));
394 
395 	enc_name = crypto_attr_alg_name(tb[2]);
396 	err = PTR_ERR(enc_name);
397 	if (IS_ERR(enc_name))
398 		goto out_put_auth;
399 
400 	inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
401 	err = -ENOMEM;
402 	if (!inst)
403 		goto out_put_auth;
404 
405 	ctx = crypto_instance_ctx(inst);
406 
407 	err = crypto_init_spawn(&ctx->auth, auth, inst, CRYPTO_ALG_TYPE_MASK);
408 	if (err)
409 		goto err_free_inst;
410 
411 	crypto_set_skcipher_spawn(&ctx->enc, inst);
412 	err = crypto_grab_skcipher(&ctx->enc, enc_name, 0,
413 				   crypto_requires_sync(algt->type,
414 							algt->mask));
415 	if (err)
416 		goto err_drop_auth;
417 
418 	enc = crypto_skcipher_spawn_alg(&ctx->enc);
419 
420 	err = -ENAMETOOLONG;
421 	if (snprintf(inst->alg.cra_name, CRYPTO_MAX_ALG_NAME,
422 		     "authenc(%s,%s)", auth->cra_name, enc->cra_name) >=
423 	    CRYPTO_MAX_ALG_NAME)
424 		goto err_drop_enc;
425 
426 	if (snprintf(inst->alg.cra_driver_name, CRYPTO_MAX_ALG_NAME,
427 		     "authenc(%s,%s)", auth->cra_driver_name,
428 		     enc->cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
429 		goto err_drop_enc;
430 
431 	inst->alg.cra_flags = CRYPTO_ALG_TYPE_AEAD;
432 	inst->alg.cra_flags |= enc->cra_flags & CRYPTO_ALG_ASYNC;
433 	inst->alg.cra_priority = enc->cra_priority * 10 + auth->cra_priority;
434 	inst->alg.cra_blocksize = enc->cra_blocksize;
435 	inst->alg.cra_alignmask = auth->cra_alignmask | enc->cra_alignmask;
436 	inst->alg.cra_type = &crypto_aead_type;
437 
438 	inst->alg.cra_aead.ivsize = enc->cra_ablkcipher.ivsize;
439 	inst->alg.cra_aead.maxauthsize = auth->cra_type == &crypto_hash_type ?
440 					 auth->cra_hash.digestsize :
441 					 auth->cra_type ?
442 					 __crypto_shash_alg(auth)->digestsize :
443 					 auth->cra_digest.dia_digestsize;
444 
445 	inst->alg.cra_ctxsize = sizeof(struct crypto_authenc_ctx);
446 
447 	inst->alg.cra_init = crypto_authenc_init_tfm;
448 	inst->alg.cra_exit = crypto_authenc_exit_tfm;
449 
450 	inst->alg.cra_aead.setkey = crypto_authenc_setkey;
451 	inst->alg.cra_aead.encrypt = crypto_authenc_encrypt;
452 	inst->alg.cra_aead.decrypt = crypto_authenc_decrypt;
453 	inst->alg.cra_aead.givencrypt = crypto_authenc_givencrypt;
454 
455 out:
456 	crypto_mod_put(auth);
457 	return inst;
458 
459 err_drop_enc:
460 	crypto_drop_skcipher(&ctx->enc);
461 err_drop_auth:
462 	crypto_drop_spawn(&ctx->auth);
463 err_free_inst:
464 	kfree(inst);
465 out_put_auth:
466 	inst = ERR_PTR(err);
467 	goto out;
468 }
469 
crypto_authenc_free(struct crypto_instance * inst)470 static void crypto_authenc_free(struct crypto_instance *inst)
471 {
472 	struct authenc_instance_ctx *ctx = crypto_instance_ctx(inst);
473 
474 	crypto_drop_skcipher(&ctx->enc);
475 	crypto_drop_spawn(&ctx->auth);
476 	kfree(inst);
477 }
478 
479 static struct crypto_template crypto_authenc_tmpl = {
480 	.name = "authenc",
481 	.alloc = crypto_authenc_alloc,
482 	.free = crypto_authenc_free,
483 	.module = THIS_MODULE,
484 };
485 
crypto_authenc_module_init(void)486 static int __init crypto_authenc_module_init(void)
487 {
488 	return crypto_register_template(&crypto_authenc_tmpl);
489 }
490 
crypto_authenc_module_exit(void)491 static void __exit crypto_authenc_module_exit(void)
492 {
493 	crypto_unregister_template(&crypto_authenc_tmpl);
494 }
495 
496 module_init(crypto_authenc_module_init);
497 module_exit(crypto_authenc_module_exit);
498 
499 MODULE_LICENSE("GPL");
500 MODULE_DESCRIPTION("Simple AEAD wrapper for IPsec");
501