1// SPDX-License-Identifier: GPL-2.0-or-later 2/* 3 * authencesn.c - AEAD wrapper for IPsec with extended sequence numbers, 4 * derived from authenc.c 5 * 6 * Copyright (C) 2010 secunet Security Networks AG 7 * Copyright (C) 2010 Steffen Klassert <steffen.klassert@secunet.com> 8 * Copyright (c) 2015 Herbert Xu <herbert@gondor.apana.org.au> 9 */ 10 11#include <crypto/internal/aead.h> 12#include <crypto/internal/hash.h> 13#include <crypto/internal/skcipher.h> 14#include <crypto/authenc.h> 15#include <crypto/null.h> 16#include <crypto/scatterwalk.h> 17#include <linux/err.h> 18#include <linux/init.h> 19#include <linux/kernel.h> 20#include <linux/module.h> 21#include <linux/rtnetlink.h> 22#include <linux/slab.h> 23#include <linux/spinlock.h> 24 25struct authenc_esn_instance_ctx { 26 struct crypto_ahash_spawn auth; 27 struct crypto_skcipher_spawn enc; 28}; 29 30struct crypto_authenc_esn_ctx { 31 unsigned int reqoff; 32 struct crypto_ahash *auth; 33 struct crypto_skcipher *enc; 34 struct crypto_sync_skcipher *null; 35}; 36 37struct authenc_esn_request_ctx { 38 struct scatterlist src[2]; 39 struct scatterlist dst[2]; 40 char tail[]; 41}; 42 43static void authenc_esn_request_complete(struct aead_request *req, int err) 44{ 45 if (err != -EINPROGRESS) 46 aead_request_complete(req, err); 47} 48 49static int crypto_authenc_esn_setauthsize(struct crypto_aead *authenc_esn, 50 unsigned int authsize) 51{ 52 if (authsize > 0 && authsize < 4) 53 return -EINVAL; 54 55 return 0; 56} 57 58static int crypto_authenc_esn_setkey(struct crypto_aead *authenc_esn, const u8 *key, 59 unsigned int keylen) 60{ 61 struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn); 62 struct crypto_ahash *auth = ctx->auth; 63 struct crypto_skcipher *enc = ctx->enc; 64 struct crypto_authenc_keys keys; 65 int err = -EINVAL; 66 67 if (crypto_authenc_extractkeys(&keys, key, keylen) != 0) 68 goto out; 69 70 crypto_ahash_clear_flags(auth, CRYPTO_TFM_REQ_MASK); 71 crypto_ahash_set_flags(auth, crypto_aead_get_flags(authenc_esn) & 72 CRYPTO_TFM_REQ_MASK); 73 err = crypto_ahash_setkey(auth, keys.authkey, keys.authkeylen); 74 if (err) 75 goto out; 76 77 crypto_skcipher_clear_flags(enc, CRYPTO_TFM_REQ_MASK); 78 crypto_skcipher_set_flags(enc, crypto_aead_get_flags(authenc_esn) & 79 CRYPTO_TFM_REQ_MASK); 80 err = crypto_skcipher_setkey(enc, keys.enckey, keys.enckeylen); 81out: 82 memzero_explicit(&keys, sizeof(keys)); 83 return err; 84} 85 86static int crypto_authenc_esn_genicv_tail(struct aead_request *req, 87 unsigned int flags) 88{ 89 struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req); 90 struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn); 91 struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req); 92 struct crypto_ahash *auth = ctx->auth; 93 u8 *hash = PTR_ALIGN((u8 *)areq_ctx->tail, 94 crypto_ahash_alignmask(auth) + 1); 95 unsigned int authsize = crypto_aead_authsize(authenc_esn); 96 unsigned int assoclen = req->assoclen; 97 unsigned int cryptlen = req->cryptlen; 98 struct scatterlist *dst = req->dst; 99 u32 tmp[2]; 100 101 /* Move high-order bits of sequence number back. */ 102 scatterwalk_map_and_copy(tmp, dst, 4, 4, 0); 103 scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0); 104 scatterwalk_map_and_copy(tmp, dst, 0, 8, 1); 105 106 scatterwalk_map_and_copy(hash, dst, assoclen + cryptlen, authsize, 1); 107 return 0; 108} 109 110static void authenc_esn_geniv_ahash_done(void *data, int err) 111{ 112 struct aead_request *req = data; 113 114 err = err ?: crypto_authenc_esn_genicv_tail(req, 0); 115 aead_request_complete(req, err); 116} 117 118static int crypto_authenc_esn_genicv(struct aead_request *req, 119 unsigned int flags) 120{ 121 struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req); 122 struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req); 123 struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn); 124 struct crypto_ahash *auth = ctx->auth; 125 u8 *hash = PTR_ALIGN((u8 *)areq_ctx->tail, 126 crypto_ahash_alignmask(auth) + 1); 127 struct ahash_request *ahreq = (void *)(areq_ctx->tail + ctx->reqoff); 128 unsigned int authsize = crypto_aead_authsize(authenc_esn); 129 unsigned int assoclen = req->assoclen; 130 unsigned int cryptlen = req->cryptlen; 131 struct scatterlist *dst = req->dst; 132 u32 tmp[2]; 133 134 if (!authsize) 135 return 0; 136 137 /* Move high-order bits of sequence number to the end. */ 138 scatterwalk_map_and_copy(tmp, dst, 0, 8, 0); 139 scatterwalk_map_and_copy(tmp, dst, 4, 4, 1); 140 scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 1); 141 142 sg_init_table(areq_ctx->dst, 2); 143 dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4); 144 145 ahash_request_set_tfm(ahreq, auth); 146 ahash_request_set_crypt(ahreq, dst, hash, assoclen + cryptlen); 147 ahash_request_set_callback(ahreq, flags, 148 authenc_esn_geniv_ahash_done, req); 149 150 return crypto_ahash_digest(ahreq) ?: 151 crypto_authenc_esn_genicv_tail(req, aead_request_flags(req)); 152} 153 154 155static void crypto_authenc_esn_encrypt_done(void *data, int err) 156{ 157 struct aead_request *areq = data; 158 159 if (!err) 160 err = crypto_authenc_esn_genicv(areq, 0); 161 162 authenc_esn_request_complete(areq, err); 163} 164 165static int crypto_authenc_esn_copy(struct aead_request *req, unsigned int len) 166{ 167 struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req); 168 struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn); 169 SYNC_SKCIPHER_REQUEST_ON_STACK(skreq, ctx->null); 170 171 skcipher_request_set_sync_tfm(skreq, ctx->null); 172 skcipher_request_set_callback(skreq, aead_request_flags(req), 173 NULL, NULL); 174 skcipher_request_set_crypt(skreq, req->src, req->dst, len, NULL); 175 176 return crypto_skcipher_encrypt(skreq); 177} 178 179static int crypto_authenc_esn_encrypt(struct aead_request *req) 180{ 181 struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req); 182 struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req); 183 struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn); 184 struct skcipher_request *skreq = (void *)(areq_ctx->tail + 185 ctx->reqoff); 186 struct crypto_skcipher *enc = ctx->enc; 187 unsigned int assoclen = req->assoclen; 188 unsigned int cryptlen = req->cryptlen; 189 struct scatterlist *src, *dst; 190 int err; 191 192 sg_init_table(areq_ctx->src, 2); 193 src = scatterwalk_ffwd(areq_ctx->src, req->src, assoclen); 194 dst = src; 195 196 if (req->src != req->dst) { 197 err = crypto_authenc_esn_copy(req, assoclen); 198 if (err) 199 return err; 200 201 sg_init_table(areq_ctx->dst, 2); 202 dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, assoclen); 203 } 204 205 skcipher_request_set_tfm(skreq, enc); 206 skcipher_request_set_callback(skreq, aead_request_flags(req), 207 crypto_authenc_esn_encrypt_done, req); 208 skcipher_request_set_crypt(skreq, src, dst, cryptlen, req->iv); 209 210 err = crypto_skcipher_encrypt(skreq); 211 if (err) 212 return err; 213 214 return crypto_authenc_esn_genicv(req, aead_request_flags(req)); 215} 216 217static int crypto_authenc_esn_decrypt_tail(struct aead_request *req, 218 unsigned int flags) 219{ 220 struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req); 221 unsigned int authsize = crypto_aead_authsize(authenc_esn); 222 struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req); 223 struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn); 224 struct skcipher_request *skreq = (void *)(areq_ctx->tail + 225 ctx->reqoff); 226 struct crypto_ahash *auth = ctx->auth; 227 u8 *ohash = PTR_ALIGN((u8 *)areq_ctx->tail, 228 crypto_ahash_alignmask(auth) + 1); 229 unsigned int cryptlen = req->cryptlen - authsize; 230 unsigned int assoclen = req->assoclen; 231 struct scatterlist *dst = req->dst; 232 u8 *ihash = ohash + crypto_ahash_digestsize(auth); 233 u32 tmp[2]; 234 235 if (!authsize) 236 goto decrypt; 237 238 /* Move high-order bits of sequence number back. */ 239 scatterwalk_map_and_copy(tmp, dst, 4, 4, 0); 240 scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0); 241 scatterwalk_map_and_copy(tmp, dst, 0, 8, 1); 242 243 if (crypto_memneq(ihash, ohash, authsize)) 244 return -EBADMSG; 245 246decrypt: 247 248 sg_init_table(areq_ctx->dst, 2); 249 dst = scatterwalk_ffwd(areq_ctx->dst, dst, assoclen); 250 251 skcipher_request_set_tfm(skreq, ctx->enc); 252 skcipher_request_set_callback(skreq, flags, 253 req->base.complete, req->base.data); 254 skcipher_request_set_crypt(skreq, dst, dst, cryptlen, req->iv); 255 256 return crypto_skcipher_decrypt(skreq); 257} 258 259static void authenc_esn_verify_ahash_done(void *data, int err) 260{ 261 struct aead_request *req = data; 262 263 err = err ?: crypto_authenc_esn_decrypt_tail(req, 0); 264 authenc_esn_request_complete(req, err); 265} 266 267static int crypto_authenc_esn_decrypt(struct aead_request *req) 268{ 269 struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req); 270 struct authenc_esn_request_ctx *areq_ctx = aead_request_ctx(req); 271 struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn); 272 struct ahash_request *ahreq = (void *)(areq_ctx->tail + ctx->reqoff); 273 unsigned int authsize = crypto_aead_authsize(authenc_esn); 274 struct crypto_ahash *auth = ctx->auth; 275 u8 *ohash = PTR_ALIGN((u8 *)areq_ctx->tail, 276 crypto_ahash_alignmask(auth) + 1); 277 unsigned int assoclen = req->assoclen; 278 unsigned int cryptlen = req->cryptlen; 279 u8 *ihash = ohash + crypto_ahash_digestsize(auth); 280 struct scatterlist *dst = req->dst; 281 u32 tmp[2]; 282 int err; 283 284 cryptlen -= authsize; 285 286 if (req->src != dst) { 287 err = crypto_authenc_esn_copy(req, assoclen + cryptlen); 288 if (err) 289 return err; 290 } 291 292 scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen, 293 authsize, 0); 294 295 if (!authsize) 296 goto tail; 297 298 /* Move high-order bits of sequence number to the end. */ 299 scatterwalk_map_and_copy(tmp, dst, 0, 8, 0); 300 scatterwalk_map_and_copy(tmp, dst, 4, 4, 1); 301 scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 1); 302 303 sg_init_table(areq_ctx->dst, 2); 304 dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4); 305 306 ahash_request_set_tfm(ahreq, auth); 307 ahash_request_set_crypt(ahreq, dst, ohash, assoclen + cryptlen); 308 ahash_request_set_callback(ahreq, aead_request_flags(req), 309 authenc_esn_verify_ahash_done, req); 310 311 err = crypto_ahash_digest(ahreq); 312 if (err) 313 return err; 314 315tail: 316 return crypto_authenc_esn_decrypt_tail(req, aead_request_flags(req)); 317} 318 319static int crypto_authenc_esn_init_tfm(struct crypto_aead *tfm) 320{ 321 struct aead_instance *inst = aead_alg_instance(tfm); 322 struct authenc_esn_instance_ctx *ictx = aead_instance_ctx(inst); 323 struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(tfm); 324 struct crypto_ahash *auth; 325 struct crypto_skcipher *enc; 326 struct crypto_sync_skcipher *null; 327 int err; 328 329 auth = crypto_spawn_ahash(&ictx->auth); 330 if (IS_ERR(auth)) 331 return PTR_ERR(auth); 332 333 enc = crypto_spawn_skcipher(&ictx->enc); 334 err = PTR_ERR(enc); 335 if (IS_ERR(enc)) 336 goto err_free_ahash; 337 338 null = crypto_get_default_null_skcipher(); 339 err = PTR_ERR(null); 340 if (IS_ERR(null)) 341 goto err_free_skcipher; 342 343 ctx->auth = auth; 344 ctx->enc = enc; 345 ctx->null = null; 346 347 ctx->reqoff = ALIGN(2 * crypto_ahash_digestsize(auth), 348 crypto_ahash_alignmask(auth) + 1); 349 350 crypto_aead_set_reqsize( 351 tfm, 352 sizeof(struct authenc_esn_request_ctx) + 353 ctx->reqoff + 354 max_t(unsigned int, 355 crypto_ahash_reqsize(auth) + 356 sizeof(struct ahash_request), 357 sizeof(struct skcipher_request) + 358 crypto_skcipher_reqsize(enc))); 359 360 return 0; 361 362err_free_skcipher: 363 crypto_free_skcipher(enc); 364err_free_ahash: 365 crypto_free_ahash(auth); 366 return err; 367} 368 369static void crypto_authenc_esn_exit_tfm(struct crypto_aead *tfm) 370{ 371 struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(tfm); 372 373 crypto_free_ahash(ctx->auth); 374 crypto_free_skcipher(ctx->enc); 375 crypto_put_default_null_skcipher(); 376} 377 378static void crypto_authenc_esn_free(struct aead_instance *inst) 379{ 380 struct authenc_esn_instance_ctx *ctx = aead_instance_ctx(inst); 381 382 crypto_drop_skcipher(&ctx->enc); 383 crypto_drop_ahash(&ctx->auth); 384 kfree(inst); 385} 386 387static int crypto_authenc_esn_create(struct crypto_template *tmpl, 388 struct rtattr **tb) 389{ 390 u32 mask; 391 struct aead_instance *inst; 392 struct authenc_esn_instance_ctx *ctx; 393 struct hash_alg_common *auth; 394 struct crypto_alg *auth_base; 395 struct skcipher_alg *enc; 396 int err; 397 398 err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AEAD, &mask); 399 if (err) 400 return err; 401 402 inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL); 403 if (!inst) 404 return -ENOMEM; 405 ctx = aead_instance_ctx(inst); 406 407 err = crypto_grab_ahash(&ctx->auth, aead_crypto_instance(inst), 408 crypto_attr_alg_name(tb[1]), 0, mask); 409 if (err) 410 goto err_free_inst; 411 auth = crypto_spawn_ahash_alg(&ctx->auth); 412 auth_base = &auth->base; 413 414 err = crypto_grab_skcipher(&ctx->enc, aead_crypto_instance(inst), 415 crypto_attr_alg_name(tb[2]), 0, mask); 416 if (err) 417 goto err_free_inst; 418 enc = crypto_spawn_skcipher_alg(&ctx->enc); 419 420 err = -ENAMETOOLONG; 421 if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME, 422 "authencesn(%s,%s)", auth_base->cra_name, 423 enc->base.cra_name) >= CRYPTO_MAX_ALG_NAME) 424 goto err_free_inst; 425 426 if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, 427 "authencesn(%s,%s)", auth_base->cra_driver_name, 428 enc->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME) 429 goto err_free_inst; 430 431 inst->alg.base.cra_priority = enc->base.cra_priority * 10 + 432 auth_base->cra_priority; 433 inst->alg.base.cra_blocksize = enc->base.cra_blocksize; 434 inst->alg.base.cra_alignmask = auth_base->cra_alignmask | 435 enc->base.cra_alignmask; 436 inst->alg.base.cra_ctxsize = sizeof(struct crypto_authenc_esn_ctx); 437 438 inst->alg.ivsize = crypto_skcipher_alg_ivsize(enc); 439 inst->alg.chunksize = crypto_skcipher_alg_chunksize(enc); 440 inst->alg.maxauthsize = auth->digestsize; 441 442 inst->alg.init = crypto_authenc_esn_init_tfm; 443 inst->alg.exit = crypto_authenc_esn_exit_tfm; 444 445 inst->alg.setkey = crypto_authenc_esn_setkey; 446 inst->alg.setauthsize = crypto_authenc_esn_setauthsize; 447 inst->alg.encrypt = crypto_authenc_esn_encrypt; 448 inst->alg.decrypt = crypto_authenc_esn_decrypt; 449 450 inst->free = crypto_authenc_esn_free; 451 452 err = aead_register_instance(tmpl, inst); 453 if (err) { 454err_free_inst: 455 crypto_authenc_esn_free(inst); 456 } 457 return err; 458} 459 460static struct crypto_template crypto_authenc_esn_tmpl = { 461 .name = "authencesn", 462 .create = crypto_authenc_esn_create, 463 .module = THIS_MODULE, 464}; 465 466static int __init crypto_authenc_esn_module_init(void) 467{ 468 return crypto_register_template(&crypto_authenc_esn_tmpl); 469} 470 471static void __exit crypto_authenc_esn_module_exit(void) 472{ 473 crypto_unregister_template(&crypto_authenc_esn_tmpl); 474} 475 476subsys_initcall(crypto_authenc_esn_module_init); 477module_exit(crypto_authenc_esn_module_exit); 478 479MODULE_LICENSE("GPL"); 480MODULE_AUTHOR("Steffen Klassert <steffen.klassert@secunet.com>"); 481MODULE_DESCRIPTION("AEAD wrapper for IPsec with extended sequence numbers"); 482MODULE_ALIAS_CRYPTO("authencesn"); 483