Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
torvalds
GitHub Repository: torvalds/linux
 Path: blob/master/crypto/authenc.c
48901 views
1
// SPDX-License-Identifier: GPL-2.0-or-later

2
/*

3
 * Authenc: Simple AEAD wrapper for IPsec

4
 *

5
 * Copyright (c) 2007-2015 Herbert Xu <[email protected]>

6
 */

7


8
#include <crypto/internal/aead.h>

9
#include <crypto/internal/hash.h>

10
#include <crypto/internal/skcipher.h>

11
#include <crypto/authenc.h>

12
#include <crypto/scatterwalk.h>

13
#include <linux/err.h>

14
#include <linux/init.h>

15
#include <linux/kernel.h>

16
#include <linux/module.h>

17
#include <linux/rtnetlink.h>

18
#include <linux/slab.h>

19
#include <linux/spinlock.h>

20


21
struct authenc_instance_ctx {

22
	struct crypto_ahash_spawn auth;

23
	struct crypto_skcipher_spawn enc;

24
	unsigned int reqoff;

25
};

26


27
struct crypto_authenc_ctx {

28
	struct crypto_ahash *auth;

29
	struct crypto_skcipher *enc;

30
};

31


32
struct authenc_request_ctx {

33
	struct scatterlist src[2];

34
	struct scatterlist dst[2];

35
	char tail[];

36
};

37


38
static void authenc_request_complete(struct aead_request *req, int err)

39
{

40
	if (err != -EINPROGRESS && err != -EBUSY)

41
		aead_request_complete(req, err);

42
}

43


44
int crypto_authenc_extractkeys(struct crypto_authenc_keys *keys, const u8 *key,

45
			       unsigned int keylen)

46
{

47
	struct rtattr *rta = (struct rtattr *)key;

48
	struct crypto_authenc_key_param *param;

49


50
	if (!RTA_OK(rta, keylen))

51
		return -EINVAL;

52
	if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM)

53
		return -EINVAL;

54


55
	/*

56
	 * RTA_OK() didn't align the rtattr's payload when validating that it

57
	 * fits in the buffer.  Yet, the keys should start on the next 4-byte

58
	 * aligned boundary.  To avoid confusion, require that the rtattr

59
	 * payload be exactly the param struct, which has a 4-byte aligned size.

60
	 */

61
	if (RTA_PAYLOAD(rta) != sizeof(*param))

62
		return -EINVAL;

63
	BUILD_BUG_ON(sizeof(*param) % RTA_ALIGNTO);

64


65
	param = RTA_DATA(rta);

66
	keys->enckeylen = be32_to_cpu(param->enckeylen);

67


68
	key += rta->rta_len;

69
	keylen -= rta->rta_len;

70


71
	if (keylen < keys->enckeylen)

72
		return -EINVAL;

73


74
	keys->authkeylen = keylen - keys->enckeylen;

75
	keys->authkey = key;

76
	keys->enckey = key + keys->authkeylen;

77


78
	return 0;

79
}

80
EXPORT_SYMBOL_GPL(crypto_authenc_extractkeys);

81


82
static int crypto_authenc_setkey(struct crypto_aead *authenc, const u8 *key,

83
				 unsigned int keylen)

84
{

85
	struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);

86
	struct crypto_ahash *auth = ctx->auth;

87
	struct crypto_skcipher *enc = ctx->enc;

88
	struct crypto_authenc_keys keys;

89
	int err = -EINVAL;

90


91
	if (crypto_authenc_extractkeys(&keys, key, keylen) != 0)

92
		goto out;

93


94
	crypto_ahash_clear_flags(auth, CRYPTO_TFM_REQ_MASK);

95
	crypto_ahash_set_flags(auth, crypto_aead_get_flags(authenc) &

96
				    CRYPTO_TFM_REQ_MASK);

97
	err = crypto_ahash_setkey(auth, keys.authkey, keys.authkeylen);

98
	if (err)

99
		goto out;

100


101
	crypto_skcipher_clear_flags(enc, CRYPTO_TFM_REQ_MASK);

102
	crypto_skcipher_set_flags(enc, crypto_aead_get_flags(authenc) &

103
				       CRYPTO_TFM_REQ_MASK);

104
	err = crypto_skcipher_setkey(enc, keys.enckey, keys.enckeylen);

105
out:

106
	memzero_explicit(&keys, sizeof(keys));

107
	return err;

108
}

109


110
static void authenc_geniv_ahash_finish(struct aead_request *req)

111
{

112
	struct crypto_aead *authenc = crypto_aead_reqtfm(req);

113
	struct aead_instance *inst = aead_alg_instance(authenc);

114
	struct authenc_instance_ctx *ictx = aead_instance_ctx(inst);

115
	struct authenc_request_ctx *areq_ctx = aead_request_ctx(req);

116
	struct ahash_request *ahreq = (void *)(areq_ctx->tail + ictx->reqoff);

117


118
	scatterwalk_map_and_copy(ahreq->result, req->dst,

119
				 req->assoclen + req->cryptlen,

120
				 crypto_aead_authsize(authenc), 1);

121
}

122


123
static void authenc_geniv_ahash_done(void *data, int err)

124
{

125
	struct aead_request *req = data;

126


127
	if (!err)

128
		authenc_geniv_ahash_finish(req);

129
	aead_request_complete(req, err);

130
}

131


132
/*

133
 * Used when the ahash request was invoked in the async callback context

134
 * of the previous skcipher request.  Eat any EINPROGRESS notifications.

135
 */

136
static void authenc_geniv_ahash_done2(void *data, int err)

137
{

138
	struct aead_request *req = data;

139


140
	if (!err)

141
		authenc_geniv_ahash_finish(req);

142
	authenc_request_complete(req, err);

143
}

144


145
static int crypto_authenc_genicv(struct aead_request *req, unsigned int mask)

146
{

147
	struct crypto_aead *authenc = crypto_aead_reqtfm(req);

148
	struct aead_instance *inst = aead_alg_instance(authenc);

149
	struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);

150
	struct authenc_instance_ctx *ictx = aead_instance_ctx(inst);

151
	struct crypto_ahash *auth = ctx->auth;

152
	struct authenc_request_ctx *areq_ctx = aead_request_ctx(req);

153
	struct ahash_request *ahreq = (void *)(areq_ctx->tail + ictx->reqoff);

154
	unsigned int flags = aead_request_flags(req) & ~mask;

155
	u8 *hash = areq_ctx->tail;

156
	int err;

157


158
	ahash_request_set_tfm(ahreq, auth);

159
	ahash_request_set_crypt(ahreq, req->dst, hash,

160
				req->assoclen + req->cryptlen);

161
	ahash_request_set_callback(ahreq, flags,

162
				   mask ? authenc_geniv_ahash_done2 :

163
					  authenc_geniv_ahash_done, req);

164


165
	err = crypto_ahash_digest(ahreq);

166
	if (err)

167
		return err;

168


169
	scatterwalk_map_and_copy(hash, req->dst, req->assoclen + req->cryptlen,

170
				 crypto_aead_authsize(authenc), 1);

171


172
	return 0;

173
}

174


175
static void crypto_authenc_encrypt_done(void *data, int err)

176
{

177
	struct aead_request *areq = data;

178


179
	if (err) {

180
		aead_request_complete(areq, err);

181
		return;

182
	}

183
	err = crypto_authenc_genicv(areq, CRYPTO_TFM_REQ_MAY_SLEEP);

184
	authenc_request_complete(areq, err);

185
}

186


187
static int crypto_authenc_encrypt(struct aead_request *req)

188
{

189
	struct crypto_aead *authenc = crypto_aead_reqtfm(req);

190
	struct aead_instance *inst = aead_alg_instance(authenc);

191
	struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);

192
	struct authenc_instance_ctx *ictx = aead_instance_ctx(inst);

193
	struct authenc_request_ctx *areq_ctx = aead_request_ctx(req);

194
	struct crypto_skcipher *enc = ctx->enc;

195
	unsigned int cryptlen = req->cryptlen;

196
	struct skcipher_request *skreq = (void *)(areq_ctx->tail +

197
						  ictx->reqoff);

198
	struct scatterlist *src, *dst;

199
	int err;

200


201
	src = scatterwalk_ffwd(areq_ctx->src, req->src, req->assoclen);

202
	dst = src;

203


204
	if (req->src != req->dst) {

205
		memcpy_sglist(req->dst, req->src, req->assoclen);

206
		dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, req->assoclen);

207
	}

208


209
	skcipher_request_set_tfm(skreq, enc);

210
	skcipher_request_set_callback(skreq, aead_request_flags(req),

211
				      crypto_authenc_encrypt_done, req);

212
	skcipher_request_set_crypt(skreq, src, dst, cryptlen, req->iv);

213


214
	err = crypto_skcipher_encrypt(skreq);

215
	if (err)

216
		return err;

217


218
	return crypto_authenc_genicv(req, 0);

219
}

220


221
static void authenc_decrypt_tail_done(void *data, int err)

222
{

223
	struct aead_request *req = data;

224


225
	authenc_request_complete(req, err);

226
}

227


228
static int crypto_authenc_decrypt_tail(struct aead_request *req,

229
				       unsigned int mask)

230
{

231
	struct crypto_aead *authenc = crypto_aead_reqtfm(req);

232
	struct aead_instance *inst = aead_alg_instance(authenc);

233
	struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);

234
	struct authenc_instance_ctx *ictx = aead_instance_ctx(inst);

235
	struct authenc_request_ctx *areq_ctx = aead_request_ctx(req);

236
	struct ahash_request *ahreq = (void *)(areq_ctx->tail + ictx->reqoff);

237
	struct skcipher_request *skreq = (void *)(areq_ctx->tail +

238
						  ictx->reqoff);

239
	unsigned int authsize = crypto_aead_authsize(authenc);

240
	unsigned int flags = aead_request_flags(req) & ~mask;

241
	u8 *ihash = ahreq->result + authsize;

242
	struct scatterlist *src, *dst;

243


244
	scatterwalk_map_and_copy(ihash, req->src, ahreq->nbytes, authsize, 0);

245


246
	if (crypto_memneq(ihash, ahreq->result, authsize))

247
		return -EBADMSG;

248


249
	src = scatterwalk_ffwd(areq_ctx->src, req->src, req->assoclen);

250
	dst = src;

251


252
	if (req->src != req->dst)

253
		dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, req->assoclen);

254


255
	skcipher_request_set_tfm(skreq, ctx->enc);

256
	skcipher_request_set_callback(skreq, flags,

257
				      mask ? authenc_decrypt_tail_done :

258
					     req->base.complete,

259
				      mask ? req : req->base.data);

260
	skcipher_request_set_crypt(skreq, src, dst,

261
				   req->cryptlen - authsize, req->iv);

262


263
	return crypto_skcipher_decrypt(skreq);

264
}

265


266
static void authenc_verify_ahash_done(void *data, int err)

267
{

268
	struct aead_request *req = data;

269


270
	if (err) {

271
		aead_request_complete(req, err);

272
		return;

273
	}

274
	err = crypto_authenc_decrypt_tail(req, CRYPTO_TFM_REQ_MAY_SLEEP);

275
	authenc_request_complete(req, err);

276
}

277


278
static int crypto_authenc_decrypt(struct aead_request *req)

279
{

280
	struct crypto_aead *authenc = crypto_aead_reqtfm(req);

281
	unsigned int authsize = crypto_aead_authsize(authenc);

282
	struct aead_instance *inst = aead_alg_instance(authenc);

283
	struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);

284
	struct authenc_instance_ctx *ictx = aead_instance_ctx(inst);

285
	struct crypto_ahash *auth = ctx->auth;

286
	struct authenc_request_ctx *areq_ctx = aead_request_ctx(req);

287
	struct ahash_request *ahreq = (void *)(areq_ctx->tail + ictx->reqoff);

288
	u8 *hash = areq_ctx->tail;

289
	int err;

290


291
	ahash_request_set_tfm(ahreq, auth);

292
	ahash_request_set_crypt(ahreq, req->src, hash,

293
				req->assoclen + req->cryptlen - authsize);

294
	ahash_request_set_callback(ahreq, aead_request_flags(req),

295
				   authenc_verify_ahash_done, req);

296


297
	err = crypto_ahash_digest(ahreq);

298
	if (err)

299
		return err;

300


301
	return crypto_authenc_decrypt_tail(req, 0);

302
}

303


304
static int crypto_authenc_init_tfm(struct crypto_aead *tfm)

305
{

306
	struct aead_instance *inst = aead_alg_instance(tfm);

307
	struct authenc_instance_ctx *ictx = aead_instance_ctx(inst);

308
	struct crypto_authenc_ctx *ctx = crypto_aead_ctx(tfm);

309
	struct crypto_ahash *auth;

310
	struct crypto_skcipher *enc;

311
	int err;

312


313
	auth = crypto_spawn_ahash(&ictx->auth);

314
	if (IS_ERR(auth))

315
		return PTR_ERR(auth);

316


317
	enc = crypto_spawn_skcipher(&ictx->enc);

318
	err = PTR_ERR(enc);

319
	if (IS_ERR(enc))

320
		goto err_free_ahash;

321


322
	ctx->auth = auth;

323
	ctx->enc = enc;

324


325
	crypto_aead_set_reqsize(

326
		tfm,

327
		sizeof(struct authenc_request_ctx) +

328
		ictx->reqoff +

329
		max_t(unsigned int,

330
		      crypto_ahash_reqsize(auth) +

331
		      sizeof(struct ahash_request),

332
		      sizeof(struct skcipher_request) +

333
		      crypto_skcipher_reqsize(enc)));

334


335
	return 0;

336


337
err_free_ahash:

338
	crypto_free_ahash(auth);

339
	return err;

340
}

341


342
static void crypto_authenc_exit_tfm(struct crypto_aead *tfm)

343
{

344
	struct crypto_authenc_ctx *ctx = crypto_aead_ctx(tfm);

345


346
	crypto_free_ahash(ctx->auth);

347
	crypto_free_skcipher(ctx->enc);

348
}

349


350
static void crypto_authenc_free(struct aead_instance *inst)

351
{

352
	struct authenc_instance_ctx *ctx = aead_instance_ctx(inst);

353


354
	crypto_drop_skcipher(&ctx->enc);

355
	crypto_drop_ahash(&ctx->auth);

356
	kfree(inst);

357
}

358


359
static int crypto_authenc_create(struct crypto_template *tmpl,

360
				 struct rtattr **tb)

361
{

362
	u32 mask;

363
	struct aead_instance *inst;

364
	struct authenc_instance_ctx *ctx;

365
	struct skcipher_alg_common *enc;

366
	struct hash_alg_common *auth;

367
	struct crypto_alg *auth_base;

368
	int err;

369


370
	err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AEAD, &mask);

371
	if (err)

372
		return err;

373


374
	inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);

375
	if (!inst)

376
		return -ENOMEM;

377
	ctx = aead_instance_ctx(inst);

378


379
	err = crypto_grab_ahash(&ctx->auth, aead_crypto_instance(inst),

380
				crypto_attr_alg_name(tb[1]), 0, mask);

381
	if (err)

382
		goto err_free_inst;

383
	auth = crypto_spawn_ahash_alg(&ctx->auth);

384
	auth_base = &auth->base;

385


386
	err = crypto_grab_skcipher(&ctx->enc, aead_crypto_instance(inst),

387
				   crypto_attr_alg_name(tb[2]), 0, mask);

388
	if (err)

389
		goto err_free_inst;

390
	enc = crypto_spawn_skcipher_alg_common(&ctx->enc);

391


392
	ctx->reqoff = 2 * auth->digestsize;

393


394
	err = -ENAMETOOLONG;

395
	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,

396
		     "authenc(%s,%s)", auth_base->cra_name,

397
		     enc->base.cra_name) >=

398
	    CRYPTO_MAX_ALG_NAME)

399
		goto err_free_inst;

400


401
	if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,

402
		     "authenc(%s,%s)", auth_base->cra_driver_name,

403
		     enc->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME)

404
		goto err_free_inst;

405


406
	inst->alg.base.cra_priority = enc->base.cra_priority * 10 +

407
				      auth_base->cra_priority;

408
	inst->alg.base.cra_blocksize = enc->base.cra_blocksize;

409
	inst->alg.base.cra_alignmask = enc->base.cra_alignmask;

410
	inst->alg.base.cra_ctxsize = sizeof(struct crypto_authenc_ctx);

411


412
	inst->alg.ivsize = enc->ivsize;

413
	inst->alg.chunksize = enc->chunksize;

414
	inst->alg.maxauthsize = auth->digestsize;

415


416
	inst->alg.init = crypto_authenc_init_tfm;

417
	inst->alg.exit = crypto_authenc_exit_tfm;

418


419
	inst->alg.setkey = crypto_authenc_setkey;

420
	inst->alg.encrypt = crypto_authenc_encrypt;

421
	inst->alg.decrypt = crypto_authenc_decrypt;

422


423
	inst->free = crypto_authenc_free;

424


425
	err = aead_register_instance(tmpl, inst);

426
	if (err) {

427
err_free_inst:

428
		crypto_authenc_free(inst);

429
	}

430
	return err;

431
}

432


433
static struct crypto_template crypto_authenc_tmpl = {

434
	.name = "authenc",

435
	.create = crypto_authenc_create,

436
	.module = THIS_MODULE,

437
};

438


439
static int __init crypto_authenc_module_init(void)

440
{

441
	return crypto_register_template(&crypto_authenc_tmpl);

442
}

443


444
static void __exit crypto_authenc_module_exit(void)

445
{

446
	crypto_unregister_template(&crypto_authenc_tmpl);

447
}

448


449
module_init(crypto_authenc_module_init);

450
module_exit(crypto_authenc_module_exit);

451


452
MODULE_LICENSE("GPL");

453
MODULE_DESCRIPTION("Simple AEAD wrapper for IPsec");

454
MODULE_ALIAS_CRYPTO("authenc");

455


456