authencesn.c 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533
  1. /*
  2. * authencesn.c - AEAD wrapper for IPsec with extended sequence numbers,
  3. * derived from authenc.c
  4. *
  5. * Copyright (C) 2010 secunet Security Networks AG
  6. * Copyright (C) 2010 Steffen Klassert <steffen.klassert@secunet.com>
  7. * Copyright (c) 2015 Herbert Xu <herbert@gondor.apana.org.au>
  8. *
  9. * This program is free software; you can redistribute it and/or modify it
  10. * under the terms of the GNU General Public License as published by the Free
  11. * Software Foundation; either version 2 of the License, or (at your option)
  12. * any later version.
  13. *
  14. */
  15. #include <crypto/internal/aead.h>
  16. #include <crypto/internal/hash.h>
  17. #include <crypto/internal/skcipher.h>
  18. #include <crypto/authenc.h>
  19. #include <crypto/null.h>
  20. #include <crypto/scatterwalk.h>
  21. #include <linux/err.h>
  22. #include <linux/init.h>
  23. #include <linux/kernel.h>
  24. #include <linux/module.h>
  25. #include <linux/rtnetlink.h>
  26. #include <linux/slab.h>
  27. #include <linux/spinlock.h>
  28. struct authenc_esn_instance_ctx {
  29. struct crypto_ahash_spawn auth;
  30. struct crypto_skcipher_spawn enc;
  31. };
  32. struct crypto_authenc_esn_ctx {
  33. unsigned int reqoff;
  34. struct crypto_ahash *auth;
  35. struct crypto_skcipher *enc;
  36. struct crypto_skcipher *null;
  37. };
  38. struct authenc_esn_request_ctx {
  39. struct scatterlist src[2];
  40. struct scatterlist dst[2];
  41. char tail[];
  42. };
  43. static void authenc_esn_request_complete(struct aead_request *req, int err)
  44. {
  45. if (err != -EINPROGRESS)
  46. aead_request_complete(req, err);
  47. }
  48. static int crypto_authenc_esn_setauthsize(struct crypto_aead *authenc_esn,
  49. unsigned int authsize)
  50. {
  51. if (authsize > 0 && authsize < 4)
  52. return -EINVAL;
  53. return 0;
  54. }
  55. static int crypto_authenc_esn_setkey(struct crypto_aead *authenc_esn, const u8 *key,
  56. unsigned int keylen)
  57. {
  58. struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
  59. struct crypto_ahash *auth = ctx->auth;
  60. struct crypto_skcipher *enc = ctx->enc;
  61. struct crypto_authenc_keys keys;
  62. int err = -EINVAL;
  63. if (crypto_authenc_extractkeys(&keys, key, keylen) != 0)
  64. goto badkey;
  65. crypto_ahash_clear_flags(auth, CRYPTO_TFM_REQ_MASK);
  66. crypto_ahash_set_flags(auth, crypto_aead_get_flags(authenc_esn) &
  67. CRYPTO_TFM_REQ_MASK);
  68. err = crypto_ahash_setkey(auth, keys.authkey, keys.authkeylen);
  69. crypto_aead_set_flags(authenc_esn, crypto_ahash_get_flags(auth) &
  70. CRYPTO_TFM_RES_MASK);
  71. if (err)
  72. goto out;
  73. crypto_skcipher_clear_flags(enc, CRYPTO_TFM_REQ_MASK);
  74. crypto_skcipher_set_flags(enc, crypto_aead_get_flags(authenc_esn) &
  75. CRYPTO_TFM_REQ_MASK);
  76. err = crypto_skcipher_setkey(enc, keys.enckey, keys.enckeylen);
  77. crypto_aead_set_flags(authenc_esn, crypto_skcipher_get_flags(enc) &
  78. CRYPTO_TFM_RES_MASK);
  79. out:
  80. memzero_explicit(&keys, sizeof(keys));
  81. return err;
  82. badkey:
  83. crypto_aead_set_flags(authenc_esn, CRYPTO_TFM_RES_BAD_KEY_LEN);
  84. goto out;
  85. }
  86. static int crypto_authenc_esn_genicv_tail(struct aead_request *req,
  87. unsigned int flags)
  88. {
  89. struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
  90. struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
  91. struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
  92. struct crypto_ahash *auth = ctx->auth;
  93. u8 *hash = PTR_ALIGN((u8 *)areq_ctx->tail,
  94. crypto_ahash_alignmask(auth) + 1);
  95. unsigned int authsize = crypto_aead_authsize(authenc_esn);
  96. unsigned int assoclen = req->assoclen;
  97. unsigned int cryptlen = req->cryptlen;
  98. struct scatterlist *dst = req->dst;
  99. u32 tmp[2];
  100. /* Move high-order bits of sequence number back. */
  101. scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
  102. scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
  103. scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);
  104. scatterwalk_map_and_copy(hash, dst, assoclen + cryptlen, authsize, 1);
  105. return 0;
  106. }
  107. static void authenc_esn_geniv_ahash_done(struct crypto_async_request *areq,
  108. int err)
  109. {
  110. struct aead_request *req = areq->data;
  111. err = err ?: crypto_authenc_esn_genicv_tail(req, 0);
  112. aead_request_complete(req, err);
  113. }
  114. static int crypto_authenc_esn_genicv(struct aead_request *req,
  115. unsigned int flags)
  116. {
  117. struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
  118. struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
  119. struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
  120. struct crypto_ahash *auth = ctx->auth;
  121. u8 *hash = PTR_ALIGN((u8 *)areq_ctx->tail,
  122. crypto_ahash_alignmask(auth) + 1);
  123. struct ahash_request *ahreq = (void *)(areq_ctx->tail + ctx->reqoff);
  124. unsigned int authsize = crypto_aead_authsize(authenc_esn);
  125. unsigned int assoclen = req->assoclen;
  126. unsigned int cryptlen = req->cryptlen;
  127. struct scatterlist *dst = req->dst;
  128. u32 tmp[2];
  129. if (!authsize)
  130. return 0;
  131. /* Move high-order bits of sequence number to the end. */
  132. scatterwalk_map_and_copy(tmp, dst, 0, 8, 0);
  133. scatterwalk_map_and_copy(tmp, dst, 4, 4, 1);
  134. scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 1);
  135. sg_init_table(areq_ctx->dst, 2);
  136. dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);
  137. ahash_request_set_tfm(ahreq, auth);
  138. ahash_request_set_crypt(ahreq, dst, hash, assoclen + cryptlen);
  139. ahash_request_set_callback(ahreq, flags,
  140. authenc_esn_geniv_ahash_done, req);
  141. return crypto_ahash_digest(ahreq) ?:
  142. crypto_authenc_esn_genicv_tail(req, aead_request_flags(req));
  143. }
  144. static void crypto_authenc_esn_encrypt_done(struct crypto_async_request *req,
  145. int err)
  146. {
  147. struct aead_request *areq = req->data;
  148. if (!err)
  149. err = crypto_authenc_esn_genicv(areq, 0);
  150. authenc_esn_request_complete(areq, err);
  151. }
  152. static int crypto_authenc_esn_copy(struct aead_request *req, unsigned int len)
  153. {
  154. struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
  155. struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
  156. SKCIPHER_REQUEST_ON_STACK(skreq, ctx->null);
  157. skcipher_request_set_tfm(skreq, ctx->null);
  158. skcipher_request_set_callback(skreq, aead_request_flags(req),
  159. NULL, NULL);
  160. skcipher_request_set_crypt(skreq, req->src, req->dst, len, NULL);
  161. return crypto_skcipher_encrypt(skreq);
  162. }
  163. static int crypto_authenc_esn_encrypt(struct aead_request *req)
  164. {
  165. struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
  166. struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
  167. struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
  168. struct skcipher_request *skreq = (void *)(areq_ctx->tail +
  169. ctx->reqoff);
  170. struct crypto_skcipher *enc = ctx->enc;
  171. unsigned int assoclen = req->assoclen;
  172. unsigned int cryptlen = req->cryptlen;
  173. struct scatterlist *src, *dst;
  174. int err;
  175. sg_init_table(areq_ctx->src, 2);
  176. src = scatterwalk_ffwd(areq_ctx->src, req->src, assoclen);
  177. dst = src;
  178. if (req->src != req->dst) {
  179. err = crypto_authenc_esn_copy(req, assoclen);
  180. if (err)
  181. return err;
  182. sg_init_table(areq_ctx->dst, 2);
  183. dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, assoclen);
  184. }
  185. skcipher_request_set_tfm(skreq, enc);
  186. skcipher_request_set_callback(skreq, aead_request_flags(req),
  187. crypto_authenc_esn_encrypt_done, req);
  188. skcipher_request_set_crypt(skreq, src, dst, cryptlen, req->iv);
  189. err = crypto_skcipher_encrypt(skreq);
  190. if (err)
  191. return err;
  192. return crypto_authenc_esn_genicv(req, aead_request_flags(req));
  193. }
  194. static int crypto_authenc_esn_decrypt_tail(struct aead_request *req,
  195. unsigned int flags)
  196. {
  197. struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
  198. unsigned int authsize = crypto_aead_authsize(authenc_esn);
  199. struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
  200. struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
  201. struct skcipher_request *skreq = (void *)(areq_ctx->tail +
  202. ctx->reqoff);
  203. struct crypto_ahash *auth = ctx->auth;
  204. u8 *ohash = PTR_ALIGN((u8 *)areq_ctx->tail,
  205. crypto_ahash_alignmask(auth) + 1);
  206. unsigned int cryptlen = req->cryptlen - authsize;
  207. unsigned int assoclen = req->assoclen;
  208. struct scatterlist *dst = req->dst;
  209. u8 *ihash = ohash + crypto_ahash_digestsize(auth);
  210. u32 tmp[2];
  211. if (!authsize)
  212. goto decrypt;
  213. /* Move high-order bits of sequence number back. */
  214. scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
  215. scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
  216. scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);
  217. if (crypto_memneq(ihash, ohash, authsize))
  218. return -EBADMSG;
  219. decrypt:
  220. sg_init_table(areq_ctx->dst, 2);
  221. dst = scatterwalk_ffwd(areq_ctx->dst, dst, assoclen);
  222. skcipher_request_set_tfm(skreq, ctx->enc);
  223. skcipher_request_set_callback(skreq, flags,
  224. req->base.complete, req->base.data);
  225. skcipher_request_set_crypt(skreq, dst, dst, cryptlen, req->iv);
  226. return crypto_skcipher_decrypt(skreq);
  227. }
  228. static void authenc_esn_verify_ahash_done(struct crypto_async_request *areq,
  229. int err)
  230. {
  231. struct aead_request *req = areq->data;
  232. err = err ?: crypto_authenc_esn_decrypt_tail(req, 0);
  233. authenc_esn_request_complete(req, err);
  234. }
  235. static int crypto_authenc_esn_decrypt(struct aead_request *req)
  236. {
  237. struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
  238. struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req);
  239. struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
  240. struct ahash_request *ahreq = (void *)(areq_ctx->tail + ctx->reqoff);
  241. unsigned int authsize = crypto_aead_authsize(authenc_esn);
  242. struct crypto_ahash *auth = ctx->auth;
  243. u8 *ohash = PTR_ALIGN((u8 *)areq_ctx->tail,
  244. crypto_ahash_alignmask(auth) + 1);
  245. unsigned int assoclen = req->assoclen;
  246. unsigned int cryptlen = req->cryptlen;
  247. u8 *ihash = ohash + crypto_ahash_digestsize(auth);
  248. struct scatterlist *dst = req->dst;
  249. u32 tmp[2];
  250. int err;
  251. cryptlen -= authsize;
  252. if (req->src != dst) {
  253. err = crypto_authenc_esn_copy(req, assoclen + cryptlen);
  254. if (err)
  255. return err;
  256. }
  257. scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
  258. authsize, 0);
  259. if (!authsize)
  260. goto tail;
  261. /* Move high-order bits of sequence number to the end. */
  262. scatterwalk_map_and_copy(tmp, dst, 0, 8, 0);
  263. scatterwalk_map_and_copy(tmp, dst, 4, 4, 1);
  264. scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 1);
  265. sg_init_table(areq_ctx->dst, 2);
  266. dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);
  267. ahash_request_set_tfm(ahreq, auth);
  268. ahash_request_set_crypt(ahreq, dst, ohash, assoclen + cryptlen);
  269. ahash_request_set_callback(ahreq, aead_request_flags(req),
  270. authenc_esn_verify_ahash_done, req);
  271. err = crypto_ahash_digest(ahreq);
  272. if (err)
  273. return err;
  274. tail:
  275. return crypto_authenc_esn_decrypt_tail(req, aead_request_flags(req));
  276. }
  277. static int crypto_authenc_esn_init_tfm(struct crypto_aead *tfm)
  278. {
  279. struct aead_instance *inst = aead_alg_instance(tfm);
  280. struct authenc_esn_instance_ctx *ictx = aead_instance_ctx(inst);
  281. struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(tfm);
  282. struct crypto_ahash *auth;
  283. struct crypto_skcipher *enc;
  284. struct crypto_skcipher *null;
  285. int err;
  286. auth = crypto_spawn_ahash(&ictx->auth);
  287. if (IS_ERR(auth))
  288. return PTR_ERR(auth);
  289. enc = crypto_spawn_skcipher(&ictx->enc);
  290. err = PTR_ERR(enc);
  291. if (IS_ERR(enc))
  292. goto err_free_ahash;
  293. null = crypto_get_default_null_skcipher();
  294. err = PTR_ERR(null);
  295. if (IS_ERR(null))
  296. goto err_free_skcipher;
  297. ctx->auth = auth;
  298. ctx->enc = enc;
  299. ctx->null = null;
  300. ctx->reqoff = ALIGN(2 * crypto_ahash_digestsize(auth),
  301. crypto_ahash_alignmask(auth) + 1);
  302. crypto_aead_set_reqsize(
  303. tfm,
  304. sizeof(struct authenc_esn_request_ctx) +
  305. ctx->reqoff +
  306. max_t(unsigned int,
  307. crypto_ahash_reqsize(auth) +
  308. sizeof(struct ahash_request),
  309. sizeof(struct skcipher_request) +
  310. crypto_skcipher_reqsize(enc)));
  311. return 0;
  312. err_free_skcipher:
  313. crypto_free_skcipher(enc);
  314. err_free_ahash:
  315. crypto_free_ahash(auth);
  316. return err;
  317. }
  318. static void crypto_authenc_esn_exit_tfm(struct crypto_aead *tfm)
  319. {
  320. struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(tfm);
  321. crypto_free_ahash(ctx->auth);
  322. crypto_free_skcipher(ctx->enc);
  323. crypto_put_default_null_skcipher();
  324. }
  325. static void crypto_authenc_esn_free(struct aead_instance *inst)
  326. {
  327. struct authenc_esn_instance_ctx *ctx = aead_instance_ctx(inst);
  328. crypto_drop_skcipher(&ctx->enc);
  329. crypto_drop_ahash(&ctx->auth);
  330. kfree(inst);
  331. }
  332. static int crypto_authenc_esn_create(struct crypto_template *tmpl,
  333. struct rtattr **tb)
  334. {
  335. struct crypto_attr_type *algt;
  336. struct aead_instance *inst;
  337. struct hash_alg_common *auth;
  338. struct crypto_alg *auth_base;
  339. struct skcipher_alg *enc;
  340. struct authenc_esn_instance_ctx *ctx;
  341. const char *enc_name;
  342. int err;
  343. algt = crypto_get_attr_type(tb);
  344. if (IS_ERR(algt))
  345. return PTR_ERR(algt);
  346. if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
  347. return -EINVAL;
  348. auth = ahash_attr_alg(tb[1], CRYPTO_ALG_TYPE_HASH,
  349. CRYPTO_ALG_TYPE_AHASH_MASK |
  350. crypto_requires_sync(algt->type, algt->mask));
  351. if (IS_ERR(auth))
  352. return PTR_ERR(auth);
  353. auth_base = &auth->base;
  354. enc_name = crypto_attr_alg_name(tb[2]);
  355. err = PTR_ERR(enc_name);
  356. if (IS_ERR(enc_name))
  357. goto out_put_auth;
  358. inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
  359. err = -ENOMEM;
  360. if (!inst)
  361. goto out_put_auth;
  362. ctx = aead_instance_ctx(inst);
  363. err = crypto_init_ahash_spawn(&ctx->auth, auth,
  364. aead_crypto_instance(inst));
  365. if (err)
  366. goto err_free_inst;
  367. crypto_set_skcipher_spawn(&ctx->enc, aead_crypto_instance(inst));
  368. err = crypto_grab_skcipher(&ctx->enc, enc_name, 0,
  369. crypto_requires_sync(algt->type,
  370. algt->mask));
  371. if (err)
  372. goto err_drop_auth;
  373. enc = crypto_spawn_skcipher_alg(&ctx->enc);
  374. err = -ENAMETOOLONG;
  375. if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
  376. "authencesn(%s,%s)", auth_base->cra_name,
  377. enc->base.cra_name) >= CRYPTO_MAX_ALG_NAME)
  378. goto err_drop_enc;
  379. if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
  380. "authencesn(%s,%s)", auth_base->cra_driver_name,
  381. enc->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
  382. goto err_drop_enc;
  383. inst->alg.base.cra_flags = (auth_base->cra_flags |
  384. enc->base.cra_flags) & CRYPTO_ALG_ASYNC;
  385. inst->alg.base.cra_priority = enc->base.cra_priority * 10 +
  386. auth_base->cra_priority;
  387. inst->alg.base.cra_blocksize = enc->base.cra_blocksize;
  388. inst->alg.base.cra_alignmask = auth_base->cra_alignmask |
  389. enc->base.cra_alignmask;
  390. inst->alg.base.cra_ctxsize = sizeof(struct crypto_authenc_esn_ctx);
  391. inst->alg.ivsize = crypto_skcipher_alg_ivsize(enc);
  392. inst->alg.chunksize = crypto_skcipher_alg_chunksize(enc);
  393. inst->alg.maxauthsize = auth->digestsize;
  394. inst->alg.init = crypto_authenc_esn_init_tfm;
  395. inst->alg.exit = crypto_authenc_esn_exit_tfm;
  396. inst->alg.setkey = crypto_authenc_esn_setkey;
  397. inst->alg.setauthsize = crypto_authenc_esn_setauthsize;
  398. inst->alg.encrypt = crypto_authenc_esn_encrypt;
  399. inst->alg.decrypt = crypto_authenc_esn_decrypt;
  400. inst->free = crypto_authenc_esn_free,
  401. err = aead_register_instance(tmpl, inst);
  402. if (err)
  403. goto err_drop_enc;
  404. out:
  405. crypto_mod_put(auth_base);
  406. return err;
  407. err_drop_enc:
  408. crypto_drop_skcipher(&ctx->enc);
  409. err_drop_auth:
  410. crypto_drop_ahash(&ctx->auth);
  411. err_free_inst:
  412. kfree(inst);
  413. out_put_auth:
  414. goto out;
  415. }
  416. static struct crypto_template crypto_authenc_esn_tmpl = {
  417. .name = "authencesn",
  418. .create = crypto_authenc_esn_create,
  419. .module = THIS_MODULE,
  420. };
  421. static int __init crypto_authenc_esn_module_init(void)
  422. {
  423. return crypto_register_template(&crypto_authenc_esn_tmpl);
  424. }
  425. static void __exit crypto_authenc_esn_module_exit(void)
  426. {
  427. crypto_unregister_template(&crypto_authenc_esn_tmpl);
  428. }
  429. module_init(crypto_authenc_esn_module_init);
  430. module_exit(crypto_authenc_esn_module_exit);
  431. MODULE_LICENSE("GPL");
  432. MODULE_AUTHOR("Steffen Klassert <steffen.klassert@secunet.com>");
  433. MODULE_DESCRIPTION("AEAD wrapper for IPsec with extended sequence numbers");
  434. MODULE_ALIAS_CRYPTO("authencesn");