0001
0002
0003
0004
0005
0006
0007
0008 #include <crypto/internal/aead.h>
0009 #include <crypto/internal/hash.h>
0010 #include <crypto/internal/skcipher.h>
0011 #include <crypto/authenc.h>
0012 #include <crypto/null.h>
0013 #include <crypto/scatterwalk.h>
0014 #include <linux/err.h>
0015 #include <linux/init.h>
0016 #include <linux/kernel.h>
0017 #include <linux/module.h>
0018 #include <linux/rtnetlink.h>
0019 #include <linux/slab.h>
0020 #include <linux/spinlock.h>
0021
0022 struct authenc_instance_ctx {
0023 struct crypto_ahash_spawn auth;
0024 struct crypto_skcipher_spawn enc;
0025 unsigned int reqoff;
0026 };
0027
0028 struct crypto_authenc_ctx {
0029 struct crypto_ahash *auth;
0030 struct crypto_skcipher *enc;
0031 struct crypto_sync_skcipher *null;
0032 };
0033
0034 struct authenc_request_ctx {
0035 struct scatterlist src[2];
0036 struct scatterlist dst[2];
0037 char tail[];
0038 };
0039
0040 static void authenc_request_complete(struct aead_request *req, int err)
0041 {
0042 if (err != -EINPROGRESS)
0043 aead_request_complete(req, err);
0044 }
0045
0046 int crypto_authenc_extractkeys(struct crypto_authenc_keys *keys, const u8 *key,
0047 unsigned int keylen)
0048 {
0049 struct rtattr *rta = (struct rtattr *)key;
0050 struct crypto_authenc_key_param *param;
0051
0052 if (!RTA_OK(rta, keylen))
0053 return -EINVAL;
0054 if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM)
0055 return -EINVAL;
0056
0057
0058
0059
0060
0061
0062
0063 if (RTA_PAYLOAD(rta) != sizeof(*param))
0064 return -EINVAL;
0065 BUILD_BUG_ON(sizeof(*param) % RTA_ALIGNTO);
0066
0067 param = RTA_DATA(rta);
0068 keys->enckeylen = be32_to_cpu(param->enckeylen);
0069
0070 key += rta->rta_len;
0071 keylen -= rta->rta_len;
0072
0073 if (keylen < keys->enckeylen)
0074 return -EINVAL;
0075
0076 keys->authkeylen = keylen - keys->enckeylen;
0077 keys->authkey = key;
0078 keys->enckey = key + keys->authkeylen;
0079
0080 return 0;
0081 }
0082 EXPORT_SYMBOL_GPL(crypto_authenc_extractkeys);
0083
0084 static int crypto_authenc_setkey(struct crypto_aead *authenc, const u8 *key,
0085 unsigned int keylen)
0086 {
0087 struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
0088 struct crypto_ahash *auth = ctx->auth;
0089 struct crypto_skcipher *enc = ctx->enc;
0090 struct crypto_authenc_keys keys;
0091 int err = -EINVAL;
0092
0093 if (crypto_authenc_extractkeys(&keys, key, keylen) != 0)
0094 goto out;
0095
0096 crypto_ahash_clear_flags(auth, CRYPTO_TFM_REQ_MASK);
0097 crypto_ahash_set_flags(auth, crypto_aead_get_flags(authenc) &
0098 CRYPTO_TFM_REQ_MASK);
0099 err = crypto_ahash_setkey(auth, keys.authkey, keys.authkeylen);
0100 if (err)
0101 goto out;
0102
0103 crypto_skcipher_clear_flags(enc, CRYPTO_TFM_REQ_MASK);
0104 crypto_skcipher_set_flags(enc, crypto_aead_get_flags(authenc) &
0105 CRYPTO_TFM_REQ_MASK);
0106 err = crypto_skcipher_setkey(enc, keys.enckey, keys.enckeylen);
0107 out:
0108 memzero_explicit(&keys, sizeof(keys));
0109 return err;
0110 }
0111
0112 static void authenc_geniv_ahash_done(struct crypto_async_request *areq, int err)
0113 {
0114 struct aead_request *req = areq->data;
0115 struct crypto_aead *authenc = crypto_aead_reqtfm(req);
0116 struct aead_instance *inst = aead_alg_instance(authenc);
0117 struct authenc_instance_ctx *ictx = aead_instance_ctx(inst);
0118 struct authenc_request_ctx *areq_ctx = aead_request_ctx(req);
0119 struct ahash_request *ahreq = (void *)(areq_ctx->tail + ictx->reqoff);
0120
0121 if (err)
0122 goto out;
0123
0124 scatterwalk_map_and_copy(ahreq->result, req->dst,
0125 req->assoclen + req->cryptlen,
0126 crypto_aead_authsize(authenc), 1);
0127
0128 out:
0129 aead_request_complete(req, err);
0130 }
0131
0132 static int crypto_authenc_genicv(struct aead_request *req, unsigned int flags)
0133 {
0134 struct crypto_aead *authenc = crypto_aead_reqtfm(req);
0135 struct aead_instance *inst = aead_alg_instance(authenc);
0136 struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
0137 struct authenc_instance_ctx *ictx = aead_instance_ctx(inst);
0138 struct crypto_ahash *auth = ctx->auth;
0139 struct authenc_request_ctx *areq_ctx = aead_request_ctx(req);
0140 struct ahash_request *ahreq = (void *)(areq_ctx->tail + ictx->reqoff);
0141 u8 *hash = areq_ctx->tail;
0142 int err;
0143
0144 hash = (u8 *)ALIGN((unsigned long)hash + crypto_ahash_alignmask(auth),
0145 crypto_ahash_alignmask(auth) + 1);
0146
0147 ahash_request_set_tfm(ahreq, auth);
0148 ahash_request_set_crypt(ahreq, req->dst, hash,
0149 req->assoclen + req->cryptlen);
0150 ahash_request_set_callback(ahreq, flags,
0151 authenc_geniv_ahash_done, req);
0152
0153 err = crypto_ahash_digest(ahreq);
0154 if (err)
0155 return err;
0156
0157 scatterwalk_map_and_copy(hash, req->dst, req->assoclen + req->cryptlen,
0158 crypto_aead_authsize(authenc), 1);
0159
0160 return 0;
0161 }
0162
0163 static void crypto_authenc_encrypt_done(struct crypto_async_request *req,
0164 int err)
0165 {
0166 struct aead_request *areq = req->data;
0167
0168 if (err)
0169 goto out;
0170
0171 err = crypto_authenc_genicv(areq, 0);
0172
0173 out:
0174 authenc_request_complete(areq, err);
0175 }
0176
0177 static int crypto_authenc_copy_assoc(struct aead_request *req)
0178 {
0179 struct crypto_aead *authenc = crypto_aead_reqtfm(req);
0180 struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
0181 SYNC_SKCIPHER_REQUEST_ON_STACK(skreq, ctx->null);
0182
0183 skcipher_request_set_sync_tfm(skreq, ctx->null);
0184 skcipher_request_set_callback(skreq, aead_request_flags(req),
0185 NULL, NULL);
0186 skcipher_request_set_crypt(skreq, req->src, req->dst, req->assoclen,
0187 NULL);
0188
0189 return crypto_skcipher_encrypt(skreq);
0190 }
0191
0192 static int crypto_authenc_encrypt(struct aead_request *req)
0193 {
0194 struct crypto_aead *authenc = crypto_aead_reqtfm(req);
0195 struct aead_instance *inst = aead_alg_instance(authenc);
0196 struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
0197 struct authenc_instance_ctx *ictx = aead_instance_ctx(inst);
0198 struct authenc_request_ctx *areq_ctx = aead_request_ctx(req);
0199 struct crypto_skcipher *enc = ctx->enc;
0200 unsigned int cryptlen = req->cryptlen;
0201 struct skcipher_request *skreq = (void *)(areq_ctx->tail +
0202 ictx->reqoff);
0203 struct scatterlist *src, *dst;
0204 int err;
0205
0206 src = scatterwalk_ffwd(areq_ctx->src, req->src, req->assoclen);
0207 dst = src;
0208
0209 if (req->src != req->dst) {
0210 err = crypto_authenc_copy_assoc(req);
0211 if (err)
0212 return err;
0213
0214 dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, req->assoclen);
0215 }
0216
0217 skcipher_request_set_tfm(skreq, enc);
0218 skcipher_request_set_callback(skreq, aead_request_flags(req),
0219 crypto_authenc_encrypt_done, req);
0220 skcipher_request_set_crypt(skreq, src, dst, cryptlen, req->iv);
0221
0222 err = crypto_skcipher_encrypt(skreq);
0223 if (err)
0224 return err;
0225
0226 return crypto_authenc_genicv(req, aead_request_flags(req));
0227 }
0228
0229 static int crypto_authenc_decrypt_tail(struct aead_request *req,
0230 unsigned int flags)
0231 {
0232 struct crypto_aead *authenc = crypto_aead_reqtfm(req);
0233 struct aead_instance *inst = aead_alg_instance(authenc);
0234 struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
0235 struct authenc_instance_ctx *ictx = aead_instance_ctx(inst);
0236 struct authenc_request_ctx *areq_ctx = aead_request_ctx(req);
0237 struct ahash_request *ahreq = (void *)(areq_ctx->tail + ictx->reqoff);
0238 struct skcipher_request *skreq = (void *)(areq_ctx->tail +
0239 ictx->reqoff);
0240 unsigned int authsize = crypto_aead_authsize(authenc);
0241 u8 *ihash = ahreq->result + authsize;
0242 struct scatterlist *src, *dst;
0243
0244 scatterwalk_map_and_copy(ihash, req->src, ahreq->nbytes, authsize, 0);
0245
0246 if (crypto_memneq(ihash, ahreq->result, authsize))
0247 return -EBADMSG;
0248
0249 src = scatterwalk_ffwd(areq_ctx->src, req->src, req->assoclen);
0250 dst = src;
0251
0252 if (req->src != req->dst)
0253 dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, req->assoclen);
0254
0255 skcipher_request_set_tfm(skreq, ctx->enc);
0256 skcipher_request_set_callback(skreq, flags,
0257 req->base.complete, req->base.data);
0258 skcipher_request_set_crypt(skreq, src, dst,
0259 req->cryptlen - authsize, req->iv);
0260
0261 return crypto_skcipher_decrypt(skreq);
0262 }
0263
0264 static void authenc_verify_ahash_done(struct crypto_async_request *areq,
0265 int err)
0266 {
0267 struct aead_request *req = areq->data;
0268
0269 if (err)
0270 goto out;
0271
0272 err = crypto_authenc_decrypt_tail(req, 0);
0273
0274 out:
0275 authenc_request_complete(req, err);
0276 }
0277
0278 static int crypto_authenc_decrypt(struct aead_request *req)
0279 {
0280 struct crypto_aead *authenc = crypto_aead_reqtfm(req);
0281 unsigned int authsize = crypto_aead_authsize(authenc);
0282 struct aead_instance *inst = aead_alg_instance(authenc);
0283 struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
0284 struct authenc_instance_ctx *ictx = aead_instance_ctx(inst);
0285 struct crypto_ahash *auth = ctx->auth;
0286 struct authenc_request_ctx *areq_ctx = aead_request_ctx(req);
0287 struct ahash_request *ahreq = (void *)(areq_ctx->tail + ictx->reqoff);
0288 u8 *hash = areq_ctx->tail;
0289 int err;
0290
0291 hash = (u8 *)ALIGN((unsigned long)hash + crypto_ahash_alignmask(auth),
0292 crypto_ahash_alignmask(auth) + 1);
0293
0294 ahash_request_set_tfm(ahreq, auth);
0295 ahash_request_set_crypt(ahreq, req->src, hash,
0296 req->assoclen + req->cryptlen - authsize);
0297 ahash_request_set_callback(ahreq, aead_request_flags(req),
0298 authenc_verify_ahash_done, req);
0299
0300 err = crypto_ahash_digest(ahreq);
0301 if (err)
0302 return err;
0303
0304 return crypto_authenc_decrypt_tail(req, aead_request_flags(req));
0305 }
0306
0307 static int crypto_authenc_init_tfm(struct crypto_aead *tfm)
0308 {
0309 struct aead_instance *inst = aead_alg_instance(tfm);
0310 struct authenc_instance_ctx *ictx = aead_instance_ctx(inst);
0311 struct crypto_authenc_ctx *ctx = crypto_aead_ctx(tfm);
0312 struct crypto_ahash *auth;
0313 struct crypto_skcipher *enc;
0314 struct crypto_sync_skcipher *null;
0315 int err;
0316
0317 auth = crypto_spawn_ahash(&ictx->auth);
0318 if (IS_ERR(auth))
0319 return PTR_ERR(auth);
0320
0321 enc = crypto_spawn_skcipher(&ictx->enc);
0322 err = PTR_ERR(enc);
0323 if (IS_ERR(enc))
0324 goto err_free_ahash;
0325
0326 null = crypto_get_default_null_skcipher();
0327 err = PTR_ERR(null);
0328 if (IS_ERR(null))
0329 goto err_free_skcipher;
0330
0331 ctx->auth = auth;
0332 ctx->enc = enc;
0333 ctx->null = null;
0334
0335 crypto_aead_set_reqsize(
0336 tfm,
0337 sizeof(struct authenc_request_ctx) +
0338 ictx->reqoff +
0339 max_t(unsigned int,
0340 crypto_ahash_reqsize(auth) +
0341 sizeof(struct ahash_request),
0342 sizeof(struct skcipher_request) +
0343 crypto_skcipher_reqsize(enc)));
0344
0345 return 0;
0346
0347 err_free_skcipher:
0348 crypto_free_skcipher(enc);
0349 err_free_ahash:
0350 crypto_free_ahash(auth);
0351 return err;
0352 }
0353
0354 static void crypto_authenc_exit_tfm(struct crypto_aead *tfm)
0355 {
0356 struct crypto_authenc_ctx *ctx = crypto_aead_ctx(tfm);
0357
0358 crypto_free_ahash(ctx->auth);
0359 crypto_free_skcipher(ctx->enc);
0360 crypto_put_default_null_skcipher();
0361 }
0362
0363 static void crypto_authenc_free(struct aead_instance *inst)
0364 {
0365 struct authenc_instance_ctx *ctx = aead_instance_ctx(inst);
0366
0367 crypto_drop_skcipher(&ctx->enc);
0368 crypto_drop_ahash(&ctx->auth);
0369 kfree(inst);
0370 }
0371
0372 static int crypto_authenc_create(struct crypto_template *tmpl,
0373 struct rtattr **tb)
0374 {
0375 u32 mask;
0376 struct aead_instance *inst;
0377 struct authenc_instance_ctx *ctx;
0378 struct hash_alg_common *auth;
0379 struct crypto_alg *auth_base;
0380 struct skcipher_alg *enc;
0381 int err;
0382
0383 err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AEAD, &mask);
0384 if (err)
0385 return err;
0386
0387 inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
0388 if (!inst)
0389 return -ENOMEM;
0390 ctx = aead_instance_ctx(inst);
0391
0392 err = crypto_grab_ahash(&ctx->auth, aead_crypto_instance(inst),
0393 crypto_attr_alg_name(tb[1]), 0, mask);
0394 if (err)
0395 goto err_free_inst;
0396 auth = crypto_spawn_ahash_alg(&ctx->auth);
0397 auth_base = &auth->base;
0398
0399 err = crypto_grab_skcipher(&ctx->enc, aead_crypto_instance(inst),
0400 crypto_attr_alg_name(tb[2]), 0, mask);
0401 if (err)
0402 goto err_free_inst;
0403 enc = crypto_spawn_skcipher_alg(&ctx->enc);
0404
0405 ctx->reqoff = ALIGN(2 * auth->digestsize + auth_base->cra_alignmask,
0406 auth_base->cra_alignmask + 1);
0407
0408 err = -ENAMETOOLONG;
0409 if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
0410 "authenc(%s,%s)", auth_base->cra_name,
0411 enc->base.cra_name) >=
0412 CRYPTO_MAX_ALG_NAME)
0413 goto err_free_inst;
0414
0415 if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
0416 "authenc(%s,%s)", auth_base->cra_driver_name,
0417 enc->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
0418 goto err_free_inst;
0419
0420 inst->alg.base.cra_priority = enc->base.cra_priority * 10 +
0421 auth_base->cra_priority;
0422 inst->alg.base.cra_blocksize = enc->base.cra_blocksize;
0423 inst->alg.base.cra_alignmask = auth_base->cra_alignmask |
0424 enc->base.cra_alignmask;
0425 inst->alg.base.cra_ctxsize = sizeof(struct crypto_authenc_ctx);
0426
0427 inst->alg.ivsize = crypto_skcipher_alg_ivsize(enc);
0428 inst->alg.chunksize = crypto_skcipher_alg_chunksize(enc);
0429 inst->alg.maxauthsize = auth->digestsize;
0430
0431 inst->alg.init = crypto_authenc_init_tfm;
0432 inst->alg.exit = crypto_authenc_exit_tfm;
0433
0434 inst->alg.setkey = crypto_authenc_setkey;
0435 inst->alg.encrypt = crypto_authenc_encrypt;
0436 inst->alg.decrypt = crypto_authenc_decrypt;
0437
0438 inst->free = crypto_authenc_free;
0439
0440 err = aead_register_instance(tmpl, inst);
0441 if (err) {
0442 err_free_inst:
0443 crypto_authenc_free(inst);
0444 }
0445 return err;
0446 }
0447
0448 static struct crypto_template crypto_authenc_tmpl = {
0449 .name = "authenc",
0450 .create = crypto_authenc_create,
0451 .module = THIS_MODULE,
0452 };
0453
0454 static int __init crypto_authenc_module_init(void)
0455 {
0456 return crypto_register_template(&crypto_authenc_tmpl);
0457 }
0458
0459 static void __exit crypto_authenc_module_exit(void)
0460 {
0461 crypto_unregister_template(&crypto_authenc_tmpl);
0462 }
0463
0464 subsys_initcall(crypto_authenc_module_init);
0465 module_exit(crypto_authenc_module_exit);
0466
0467 MODULE_LICENSE("GPL");
0468 MODULE_DESCRIPTION("Simple AEAD wrapper for IPsec");
0469 MODULE_ALIAS_CRYPTO("authenc");
