Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
torvalds
GitHub Repository: torvalds/linux
 Path: blob/master/crypto/authenc.c
26131 views
1
// SPDX-License-Identifier: GPL-2.0-or-later

2
/*

3
 * Authenc: Simple AEAD wrapper for IPsec

4
 *

5
 * Copyright (c) 2007-2015 Herbert Xu <[email protected]>

6
 */

7


8
#include <crypto/internal/aead.h>

9
#include <crypto/internal/hash.h>

10
#include <crypto/internal/skcipher.h>

11
#include <crypto/authenc.h>

12
#include <crypto/scatterwalk.h>

13
#include <linux/err.h>

14
#include <linux/init.h>

15
#include <linux/kernel.h>

16
#include <linux/module.h>

17
#include <linux/rtnetlink.h>

18
#include <linux/slab.h>

19
#include <linux/spinlock.h>

20


21
struct authenc_instance_ctx {

22
	struct crypto_ahash_spawn auth;

23
	struct crypto_skcipher_spawn enc;

24
	unsigned int reqoff;

25
};

26


27
struct crypto_authenc_ctx {

28
	struct crypto_ahash *auth;

29
	struct crypto_skcipher *enc;

30
};

31


32
struct authenc_request_ctx {

33
	struct scatterlist src[2];

34
	struct scatterlist dst[2];

35
	char tail[];

36
};

37


38
static void authenc_request_complete(struct aead_request *req, int err)

39
{

40
	if (err != -EINPROGRESS)

41
		aead_request_complete(req, err);

42
}

43


44
int crypto_authenc_extractkeys(struct crypto_authenc_keys *keys, const u8 *key,

45
			       unsigned int keylen)

46
{

47
	struct rtattr *rta = (struct rtattr *)key;

48
	struct crypto_authenc_key_param *param;

49


50
	if (!RTA_OK(rta, keylen))

51
		return -EINVAL;

52
	if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM)

53
		return -EINVAL;

54


55
	/*

56
	 * RTA_OK() didn't align the rtattr's payload when validating that it

57
	 * fits in the buffer.  Yet, the keys should start on the next 4-byte

58
	 * aligned boundary.  To avoid confusion, require that the rtattr

59
	 * payload be exactly the param struct, which has a 4-byte aligned size.

60
	 */

61
	if (RTA_PAYLOAD(rta) != sizeof(*param))

62
		return -EINVAL;

63
	BUILD_BUG_ON(sizeof(*param) % RTA_ALIGNTO);

64


65
	param = RTA_DATA(rta);

66
	keys->enckeylen = be32_to_cpu(param->enckeylen);

67


68
	key += rta->rta_len;

69
	keylen -= rta->rta_len;

70


71
	if (keylen < keys->enckeylen)

72
		return -EINVAL;

73


74
	keys->authkeylen = keylen - keys->enckeylen;

75
	keys->authkey = key;

76
	keys->enckey = key + keys->authkeylen;

77


78
	return 0;

79
}

80
EXPORT_SYMBOL_GPL(crypto_authenc_extractkeys);

81


82
static int crypto_authenc_setkey(struct crypto_aead *authenc, const u8 *key,

83
				 unsigned int keylen)

84
{

85
	struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);

86
	struct crypto_ahash *auth = ctx->auth;

87
	struct crypto_skcipher *enc = ctx->enc;

88
	struct crypto_authenc_keys keys;

89
	int err = -EINVAL;

90


91
	if (crypto_authenc_extractkeys(&keys, key, keylen) != 0)

92
		goto out;

93


94
	crypto_ahash_clear_flags(auth, CRYPTO_TFM_REQ_MASK);

95
	crypto_ahash_set_flags(auth, crypto_aead_get_flags(authenc) &

96
				    CRYPTO_TFM_REQ_MASK);

97
	err = crypto_ahash_setkey(auth, keys.authkey, keys.authkeylen);

98
	if (err)

99
		goto out;

100


101
	crypto_skcipher_clear_flags(enc, CRYPTO_TFM_REQ_MASK);

102
	crypto_skcipher_set_flags(enc, crypto_aead_get_flags(authenc) &

103
				       CRYPTO_TFM_REQ_MASK);

104
	err = crypto_skcipher_setkey(enc, keys.enckey, keys.enckeylen);

105
out:

106
	memzero_explicit(&keys, sizeof(keys));

107
	return err;

108
}

109


110
static void authenc_geniv_ahash_done(void *data, int err)

111
{

112
	struct aead_request *req = data;

113
	struct crypto_aead *authenc = crypto_aead_reqtfm(req);

114
	struct aead_instance *inst = aead_alg_instance(authenc);

115
	struct authenc_instance_ctx *ictx = aead_instance_ctx(inst);

116
	struct authenc_request_ctx *areq_ctx = aead_request_ctx(req);

117
	struct ahash_request *ahreq = (void *)(areq_ctx->tail + ictx->reqoff);

118


119
	if (err)

120
		goto out;

121


122
	scatterwalk_map_and_copy(ahreq->result, req->dst,

123
				 req->assoclen + req->cryptlen,

124
				 crypto_aead_authsize(authenc), 1);

125


126
out:

127
	aead_request_complete(req, err);

128
}

129


130
static int crypto_authenc_genicv(struct aead_request *req, unsigned int flags)

131
{

132
	struct crypto_aead *authenc = crypto_aead_reqtfm(req);

133
	struct aead_instance *inst = aead_alg_instance(authenc);

134
	struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);

135
	struct authenc_instance_ctx *ictx = aead_instance_ctx(inst);

136
	struct crypto_ahash *auth = ctx->auth;

137
	struct authenc_request_ctx *areq_ctx = aead_request_ctx(req);

138
	struct ahash_request *ahreq = (void *)(areq_ctx->tail + ictx->reqoff);

139
	u8 *hash = areq_ctx->tail;

140
	int err;

141


142
	ahash_request_set_tfm(ahreq, auth);

143
	ahash_request_set_crypt(ahreq, req->dst, hash,

144
				req->assoclen + req->cryptlen);

145
	ahash_request_set_callback(ahreq, flags,

146
				   authenc_geniv_ahash_done, req);

147


148
	err = crypto_ahash_digest(ahreq);

149
	if (err)

150
		return err;

151


152
	scatterwalk_map_and_copy(hash, req->dst, req->assoclen + req->cryptlen,

153
				 crypto_aead_authsize(authenc), 1);

154


155
	return 0;

156
}

157


158
static void crypto_authenc_encrypt_done(void *data, int err)

159
{

160
	struct aead_request *areq = data;

161


162
	if (err)

163
		goto out;

164


165
	err = crypto_authenc_genicv(areq, 0);

166


167
out:

168
	authenc_request_complete(areq, err);

169
}

170


171
static int crypto_authenc_encrypt(struct aead_request *req)

172
{

173
	struct crypto_aead *authenc = crypto_aead_reqtfm(req);

174
	struct aead_instance *inst = aead_alg_instance(authenc);

175
	struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);

176
	struct authenc_instance_ctx *ictx = aead_instance_ctx(inst);

177
	struct authenc_request_ctx *areq_ctx = aead_request_ctx(req);

178
	struct crypto_skcipher *enc = ctx->enc;

179
	unsigned int cryptlen = req->cryptlen;

180
	struct skcipher_request *skreq = (void *)(areq_ctx->tail +

181
						  ictx->reqoff);

182
	struct scatterlist *src, *dst;

183
	int err;

184


185
	src = scatterwalk_ffwd(areq_ctx->src, req->src, req->assoclen);

186
	dst = src;

187


188
	if (req->src != req->dst) {

189
		memcpy_sglist(req->dst, req->src, req->assoclen);

190
		dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, req->assoclen);

191
	}

192


193
	skcipher_request_set_tfm(skreq, enc);

194
	skcipher_request_set_callback(skreq, aead_request_flags(req),

195
				      crypto_authenc_encrypt_done, req);

196
	skcipher_request_set_crypt(skreq, src, dst, cryptlen, req->iv);

197


198
	err = crypto_skcipher_encrypt(skreq);

199
	if (err)

200
		return err;

201


202
	return crypto_authenc_genicv(req, aead_request_flags(req));

203
}

204


205
static int crypto_authenc_decrypt_tail(struct aead_request *req,

206
				       unsigned int flags)

207
{

208
	struct crypto_aead *authenc = crypto_aead_reqtfm(req);

209
	struct aead_instance *inst = aead_alg_instance(authenc);

210
	struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);

211
	struct authenc_instance_ctx *ictx = aead_instance_ctx(inst);

212
	struct authenc_request_ctx *areq_ctx = aead_request_ctx(req);

213
	struct ahash_request *ahreq = (void *)(areq_ctx->tail + ictx->reqoff);

214
	struct skcipher_request *skreq = (void *)(areq_ctx->tail +

215
						  ictx->reqoff);

216
	unsigned int authsize = crypto_aead_authsize(authenc);

217
	u8 *ihash = ahreq->result + authsize;

218
	struct scatterlist *src, *dst;

219


220
	scatterwalk_map_and_copy(ihash, req->src, ahreq->nbytes, authsize, 0);

221


222
	if (crypto_memneq(ihash, ahreq->result, authsize))

223
		return -EBADMSG;

224


225
	src = scatterwalk_ffwd(areq_ctx->src, req->src, req->assoclen);

226
	dst = src;

227


228
	if (req->src != req->dst)

229
		dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, req->assoclen);

230


231
	skcipher_request_set_tfm(skreq, ctx->enc);

232
	skcipher_request_set_callback(skreq, flags,

233
				      req->base.complete, req->base.data);

234
	skcipher_request_set_crypt(skreq, src, dst,

235
				   req->cryptlen - authsize, req->iv);

236


237
	return crypto_skcipher_decrypt(skreq);

238
}

239


240
static void authenc_verify_ahash_done(void *data, int err)

241
{

242
	struct aead_request *req = data;

243


244
	if (err)

245
		goto out;

246


247
	err = crypto_authenc_decrypt_tail(req, 0);

248


249
out:

250
	authenc_request_complete(req, err);

251
}

252


253
static int crypto_authenc_decrypt(struct aead_request *req)

254
{

255
	struct crypto_aead *authenc = crypto_aead_reqtfm(req);

256
	unsigned int authsize = crypto_aead_authsize(authenc);

257
	struct aead_instance *inst = aead_alg_instance(authenc);

258
	struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);

259
	struct authenc_instance_ctx *ictx = aead_instance_ctx(inst);

260
	struct crypto_ahash *auth = ctx->auth;

261
	struct authenc_request_ctx *areq_ctx = aead_request_ctx(req);

262
	struct ahash_request *ahreq = (void *)(areq_ctx->tail + ictx->reqoff);

263
	u8 *hash = areq_ctx->tail;

264
	int err;

265


266
	ahash_request_set_tfm(ahreq, auth);

267
	ahash_request_set_crypt(ahreq, req->src, hash,

268
				req->assoclen + req->cryptlen - authsize);

269
	ahash_request_set_callback(ahreq, aead_request_flags(req),

270
				   authenc_verify_ahash_done, req);

271


272
	err = crypto_ahash_digest(ahreq);

273
	if (err)

274
		return err;

275


276
	return crypto_authenc_decrypt_tail(req, aead_request_flags(req));

277
}

278


279
static int crypto_authenc_init_tfm(struct crypto_aead *tfm)

280
{

281
	struct aead_instance *inst = aead_alg_instance(tfm);

282
	struct authenc_instance_ctx *ictx = aead_instance_ctx(inst);

283
	struct crypto_authenc_ctx *ctx = crypto_aead_ctx(tfm);

284
	struct crypto_ahash *auth;

285
	struct crypto_skcipher *enc;

286
	int err;

287


288
	auth = crypto_spawn_ahash(&ictx->auth);

289
	if (IS_ERR(auth))

290
		return PTR_ERR(auth);

291


292
	enc = crypto_spawn_skcipher(&ictx->enc);

293
	err = PTR_ERR(enc);

294
	if (IS_ERR(enc))

295
		goto err_free_ahash;

296


297
	ctx->auth = auth;

298
	ctx->enc = enc;

299


300
	crypto_aead_set_reqsize(

301
		tfm,

302
		sizeof(struct authenc_request_ctx) +

303
		ictx->reqoff +

304
		max_t(unsigned int,

305
		      crypto_ahash_reqsize(auth) +

306
		      sizeof(struct ahash_request),

307
		      sizeof(struct skcipher_request) +

308
		      crypto_skcipher_reqsize(enc)));

309


310
	return 0;

311


312
err_free_ahash:

313
	crypto_free_ahash(auth);

314
	return err;

315
}

316


317
static void crypto_authenc_exit_tfm(struct crypto_aead *tfm)

318
{

319
	struct crypto_authenc_ctx *ctx = crypto_aead_ctx(tfm);

320


321
	crypto_free_ahash(ctx->auth);

322
	crypto_free_skcipher(ctx->enc);

323
}

324


325
static void crypto_authenc_free(struct aead_instance *inst)

326
{

327
	struct authenc_instance_ctx *ctx = aead_instance_ctx(inst);

328


329
	crypto_drop_skcipher(&ctx->enc);

330
	crypto_drop_ahash(&ctx->auth);

331
	kfree(inst);

332
}

333


334
static int crypto_authenc_create(struct crypto_template *tmpl,

335
				 struct rtattr **tb)

336
{

337
	u32 mask;

338
	struct aead_instance *inst;

339
	struct authenc_instance_ctx *ctx;

340
	struct skcipher_alg_common *enc;

341
	struct hash_alg_common *auth;

342
	struct crypto_alg *auth_base;

343
	int err;

344


345
	err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AEAD, &mask);

346
	if (err)

347
		return err;

348


349
	inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);

350
	if (!inst)

351
		return -ENOMEM;

352
	ctx = aead_instance_ctx(inst);

353


354
	err = crypto_grab_ahash(&ctx->auth, aead_crypto_instance(inst),

355
				crypto_attr_alg_name(tb[1]), 0, mask);

356
	if (err)

357
		goto err_free_inst;

358
	auth = crypto_spawn_ahash_alg(&ctx->auth);

359
	auth_base = &auth->base;

360


361
	err = crypto_grab_skcipher(&ctx->enc, aead_crypto_instance(inst),

362
				   crypto_attr_alg_name(tb[2]), 0, mask);

363
	if (err)

364
		goto err_free_inst;

365
	enc = crypto_spawn_skcipher_alg_common(&ctx->enc);

366


367
	ctx->reqoff = 2 * auth->digestsize;

368


369
	err = -ENAMETOOLONG;

370
	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,

371
		     "authenc(%s,%s)", auth_base->cra_name,

372
		     enc->base.cra_name) >=

373
	    CRYPTO_MAX_ALG_NAME)

374
		goto err_free_inst;

375


376
	if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,

377
		     "authenc(%s,%s)", auth_base->cra_driver_name,

378
		     enc->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME)

379
		goto err_free_inst;

380


381
	inst->alg.base.cra_priority = enc->base.cra_priority * 10 +

382
				      auth_base->cra_priority;

383
	inst->alg.base.cra_blocksize = enc->base.cra_blocksize;

384
	inst->alg.base.cra_alignmask = enc->base.cra_alignmask;

385
	inst->alg.base.cra_ctxsize = sizeof(struct crypto_authenc_ctx);

386


387
	inst->alg.ivsize = enc->ivsize;

388
	inst->alg.chunksize = enc->chunksize;

389
	inst->alg.maxauthsize = auth->digestsize;

390


391
	inst->alg.init = crypto_authenc_init_tfm;

392
	inst->alg.exit = crypto_authenc_exit_tfm;

393


394
	inst->alg.setkey = crypto_authenc_setkey;

395
	inst->alg.encrypt = crypto_authenc_encrypt;

396
	inst->alg.decrypt = crypto_authenc_decrypt;

397


398
	inst->free = crypto_authenc_free;

399


400
	err = aead_register_instance(tmpl, inst);

401
	if (err) {

402
err_free_inst:

403
		crypto_authenc_free(inst);

404
	}

405
	return err;

406
}

407


408
static struct crypto_template crypto_authenc_tmpl = {

409
	.name = "authenc",

410
	.create = crypto_authenc_create,

411
	.module = THIS_MODULE,

412
};

413


414
static int __init crypto_authenc_module_init(void)

415
{

416
	return crypto_register_template(&crypto_authenc_tmpl);

417
}

418


419
static void __exit crypto_authenc_module_exit(void)

420
{

421
	crypto_unregister_template(&crypto_authenc_tmpl);

422
}

423


424
module_init(crypto_authenc_module_init);

425
module_exit(crypto_authenc_module_exit);

426


427
MODULE_LICENSE("GPL");

428
MODULE_DESCRIPTION("Simple AEAD wrapper for IPsec");

429
MODULE_ALIAS_CRYPTO("authenc");

430


431