2 * authencesn.c - AEAD wrapper for IPsec with extended sequence numbers,
3 * derived from authenc.c
5 * Copyright (C) 2010 secunet Security Networks AG
6 * Copyright (C) 2010 Steffen Klassert <steffen.klassert@secunet.com>
7 * Copyright (c) 2015 Herbert Xu <herbert@gondor.apana.org.au>
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the Free
11 * Software Foundation; either version 2 of the License, or (at your option)
16 #include <crypto/internal/aead.h>
17 #include <crypto/internal/hash.h>
18 #include <crypto/internal/skcipher.h>
19 #include <crypto/authenc.h>
20 #include <crypto/null.h>
21 #include <crypto/scatterwalk.h>
22 #include <linux/err.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/module.h>
26 #include <linux/rtnetlink.h>
27 #include <linux/slab.h>
28 #include <linux/spinlock.h>
30 struct authenc_esn_instance_ctx
{
31 struct crypto_ahash_spawn auth
;
32 struct crypto_skcipher_spawn enc
;
35 struct crypto_authenc_esn_ctx
{
37 struct crypto_ahash
*auth
;
38 struct crypto_skcipher
*enc
;
39 struct crypto_skcipher
*null
;
42 struct authenc_esn_request_ctx
{
43 struct scatterlist src
[2];
44 struct scatterlist dst
[2];
48 static void authenc_esn_request_complete(struct aead_request
*req
, int err
)
50 if (err
!= -EINPROGRESS
)
51 aead_request_complete(req
, err
);
54 static int crypto_authenc_esn_setauthsize(struct crypto_aead
*authenc_esn
,
55 unsigned int authsize
)
57 if (authsize
> 0 && authsize
< 4)
63 static int crypto_authenc_esn_setkey(struct crypto_aead
*authenc_esn
, const u8
*key
,
66 struct crypto_authenc_esn_ctx
*ctx
= crypto_aead_ctx(authenc_esn
);
67 struct crypto_ahash
*auth
= ctx
->auth
;
68 struct crypto_skcipher
*enc
= ctx
->enc
;
69 struct crypto_authenc_keys keys
;
72 if (crypto_authenc_extractkeys(&keys
, key
, keylen
) != 0)
75 crypto_ahash_clear_flags(auth
, CRYPTO_TFM_REQ_MASK
);
76 crypto_ahash_set_flags(auth
, crypto_aead_get_flags(authenc_esn
) &
78 err
= crypto_ahash_setkey(auth
, keys
.authkey
, keys
.authkeylen
);
79 crypto_aead_set_flags(authenc_esn
, crypto_ahash_get_flags(auth
) &
85 crypto_skcipher_clear_flags(enc
, CRYPTO_TFM_REQ_MASK
);
86 crypto_skcipher_set_flags(enc
, crypto_aead_get_flags(authenc_esn
) &
88 err
= crypto_skcipher_setkey(enc
, keys
.enckey
, keys
.enckeylen
);
89 crypto_aead_set_flags(authenc_esn
, crypto_skcipher_get_flags(enc
) &
96 crypto_aead_set_flags(authenc_esn
, CRYPTO_TFM_RES_BAD_KEY_LEN
);
100 static int crypto_authenc_esn_genicv_tail(struct aead_request
*req
,
103 struct crypto_aead
*authenc_esn
= crypto_aead_reqtfm(req
);
104 struct crypto_authenc_esn_ctx
*ctx
= crypto_aead_ctx(authenc_esn
);
105 struct authenc_esn_request_ctx
*areq_ctx
= aead_request_ctx(req
);
106 struct crypto_ahash
*auth
= ctx
->auth
;
107 u8
*hash
= PTR_ALIGN((u8
*)areq_ctx
->tail
,
108 crypto_ahash_alignmask(auth
) + 1);
109 unsigned int authsize
= crypto_aead_authsize(authenc_esn
);
110 unsigned int assoclen
= req
->assoclen
;
111 unsigned int cryptlen
= req
->cryptlen
;
112 struct scatterlist
*dst
= req
->dst
;
115 /* Move high-order bits of sequence number back. */
116 scatterwalk_map_and_copy(tmp
, dst
, 4, 4, 0);
117 scatterwalk_map_and_copy(tmp
+ 1, dst
, assoclen
+ cryptlen
, 4, 0);
118 scatterwalk_map_and_copy(tmp
, dst
, 0, 8, 1);
120 scatterwalk_map_and_copy(hash
, dst
, assoclen
+ cryptlen
, authsize
, 1);
124 static void authenc_esn_geniv_ahash_done(struct crypto_async_request
*areq
,
127 struct aead_request
*req
= areq
->data
;
129 err
= err
?: crypto_authenc_esn_genicv_tail(req
, 0);
130 aead_request_complete(req
, err
);
133 static int crypto_authenc_esn_genicv(struct aead_request
*req
,
136 struct crypto_aead
*authenc_esn
= crypto_aead_reqtfm(req
);
137 struct authenc_esn_request_ctx
*areq_ctx
= aead_request_ctx(req
);
138 struct crypto_authenc_esn_ctx
*ctx
= crypto_aead_ctx(authenc_esn
);
139 struct crypto_ahash
*auth
= ctx
->auth
;
140 u8
*hash
= PTR_ALIGN((u8
*)areq_ctx
->tail
,
141 crypto_ahash_alignmask(auth
) + 1);
142 struct ahash_request
*ahreq
= (void *)(areq_ctx
->tail
+ ctx
->reqoff
);
143 unsigned int authsize
= crypto_aead_authsize(authenc_esn
);
144 unsigned int assoclen
= req
->assoclen
;
145 unsigned int cryptlen
= req
->cryptlen
;
146 struct scatterlist
*dst
= req
->dst
;
152 /* Move high-order bits of sequence number to the end. */
153 scatterwalk_map_and_copy(tmp
, dst
, 0, 8, 0);
154 scatterwalk_map_and_copy(tmp
, dst
, 4, 4, 1);
155 scatterwalk_map_and_copy(tmp
+ 1, dst
, assoclen
+ cryptlen
, 4, 1);
157 sg_init_table(areq_ctx
->dst
, 2);
158 dst
= scatterwalk_ffwd(areq_ctx
->dst
, dst
, 4);
160 ahash_request_set_tfm(ahreq
, auth
);
161 ahash_request_set_crypt(ahreq
, dst
, hash
, assoclen
+ cryptlen
);
162 ahash_request_set_callback(ahreq
, flags
,
163 authenc_esn_geniv_ahash_done
, req
);
165 return crypto_ahash_digest(ahreq
) ?:
166 crypto_authenc_esn_genicv_tail(req
, aead_request_flags(req
));
170 static void crypto_authenc_esn_encrypt_done(struct crypto_async_request
*req
,
173 struct aead_request
*areq
= req
->data
;
176 err
= crypto_authenc_esn_genicv(areq
, 0);
178 authenc_esn_request_complete(areq
, err
);
181 static int crypto_authenc_esn_copy(struct aead_request
*req
, unsigned int len
)
183 struct crypto_aead
*authenc_esn
= crypto_aead_reqtfm(req
);
184 struct crypto_authenc_esn_ctx
*ctx
= crypto_aead_ctx(authenc_esn
);
185 SKCIPHER_REQUEST_ON_STACK(skreq
, ctx
->null
);
187 skcipher_request_set_tfm(skreq
, ctx
->null
);
188 skcipher_request_set_callback(skreq
, aead_request_flags(req
),
190 skcipher_request_set_crypt(skreq
, req
->src
, req
->dst
, len
, NULL
);
192 return crypto_skcipher_encrypt(skreq
);
195 static int crypto_authenc_esn_encrypt(struct aead_request
*req
)
197 struct crypto_aead
*authenc_esn
= crypto_aead_reqtfm(req
);
198 struct authenc_esn_request_ctx
*areq_ctx
= aead_request_ctx(req
);
199 struct crypto_authenc_esn_ctx
*ctx
= crypto_aead_ctx(authenc_esn
);
200 struct skcipher_request
*skreq
= (void *)(areq_ctx
->tail
+
202 struct crypto_skcipher
*enc
= ctx
->enc
;
203 unsigned int assoclen
= req
->assoclen
;
204 unsigned int cryptlen
= req
->cryptlen
;
205 struct scatterlist
*src
, *dst
;
208 sg_init_table(areq_ctx
->src
, 2);
209 src
= scatterwalk_ffwd(areq_ctx
->src
, req
->src
, assoclen
);
212 if (req
->src
!= req
->dst
) {
213 err
= crypto_authenc_esn_copy(req
, assoclen
);
217 sg_init_table(areq_ctx
->dst
, 2);
218 dst
= scatterwalk_ffwd(areq_ctx
->dst
, req
->dst
, assoclen
);
221 skcipher_request_set_tfm(skreq
, enc
);
222 skcipher_request_set_callback(skreq
, aead_request_flags(req
),
223 crypto_authenc_esn_encrypt_done
, req
);
224 skcipher_request_set_crypt(skreq
, src
, dst
, cryptlen
, req
->iv
);
226 err
= crypto_skcipher_encrypt(skreq
);
230 return crypto_authenc_esn_genicv(req
, aead_request_flags(req
));
233 static int crypto_authenc_esn_decrypt_tail(struct aead_request
*req
,
236 struct crypto_aead
*authenc_esn
= crypto_aead_reqtfm(req
);
237 unsigned int authsize
= crypto_aead_authsize(authenc_esn
);
238 struct authenc_esn_request_ctx
*areq_ctx
= aead_request_ctx(req
);
239 struct crypto_authenc_esn_ctx
*ctx
= crypto_aead_ctx(authenc_esn
);
240 struct skcipher_request
*skreq
= (void *)(areq_ctx
->tail
+
242 struct crypto_ahash
*auth
= ctx
->auth
;
243 u8
*ohash
= PTR_ALIGN((u8
*)areq_ctx
->tail
,
244 crypto_ahash_alignmask(auth
) + 1);
245 unsigned int cryptlen
= req
->cryptlen
- authsize
;
246 unsigned int assoclen
= req
->assoclen
;
247 struct scatterlist
*dst
= req
->dst
;
248 u8
*ihash
= ohash
+ crypto_ahash_digestsize(auth
);
251 /* Move high-order bits of sequence number back. */
252 scatterwalk_map_and_copy(tmp
, dst
, 4, 4, 0);
253 scatterwalk_map_and_copy(tmp
+ 1, dst
, assoclen
+ cryptlen
, 4, 0);
254 scatterwalk_map_and_copy(tmp
, dst
, 0, 8, 1);
256 if (crypto_memneq(ihash
, ohash
, authsize
))
259 sg_init_table(areq_ctx
->dst
, 2);
260 dst
= scatterwalk_ffwd(areq_ctx
->dst
, dst
, assoclen
);
262 skcipher_request_set_tfm(skreq
, ctx
->enc
);
263 skcipher_request_set_callback(skreq
, flags
,
264 req
->base
.complete
, req
->base
.data
);
265 skcipher_request_set_crypt(skreq
, dst
, dst
, cryptlen
, req
->iv
);
267 return crypto_skcipher_decrypt(skreq
);
270 static void authenc_esn_verify_ahash_done(struct crypto_async_request
*areq
,
273 struct aead_request
*req
= areq
->data
;
275 err
= err
?: crypto_authenc_esn_decrypt_tail(req
, 0);
276 aead_request_complete(req
, err
);
279 static int crypto_authenc_esn_decrypt(struct aead_request
*req
)
281 struct crypto_aead
*authenc_esn
= crypto_aead_reqtfm(req
);
282 struct authenc_esn_request_ctx
*areq_ctx
= aead_request_ctx(req
);
283 struct crypto_authenc_esn_ctx
*ctx
= crypto_aead_ctx(authenc_esn
);
284 struct ahash_request
*ahreq
= (void *)(areq_ctx
->tail
+ ctx
->reqoff
);
285 unsigned int authsize
= crypto_aead_authsize(authenc_esn
);
286 struct crypto_ahash
*auth
= ctx
->auth
;
287 u8
*ohash
= PTR_ALIGN((u8
*)areq_ctx
->tail
,
288 crypto_ahash_alignmask(auth
) + 1);
289 unsigned int assoclen
= req
->assoclen
;
290 unsigned int cryptlen
= req
->cryptlen
;
291 u8
*ihash
= ohash
+ crypto_ahash_digestsize(auth
);
292 struct scatterlist
*dst
= req
->dst
;
296 cryptlen
-= authsize
;
298 if (req
->src
!= dst
) {
299 err
= crypto_authenc_esn_copy(req
, assoclen
+ cryptlen
);
304 scatterwalk_map_and_copy(ihash
, req
->src
, assoclen
+ cryptlen
,
310 /* Move high-order bits of sequence number to the end. */
311 scatterwalk_map_and_copy(tmp
, dst
, 0, 8, 0);
312 scatterwalk_map_and_copy(tmp
, dst
, 4, 4, 1);
313 scatterwalk_map_and_copy(tmp
+ 1, dst
, assoclen
+ cryptlen
, 4, 1);
315 sg_init_table(areq_ctx
->dst
, 2);
316 dst
= scatterwalk_ffwd(areq_ctx
->dst
, dst
, 4);
318 ahash_request_set_tfm(ahreq
, auth
);
319 ahash_request_set_crypt(ahreq
, dst
, ohash
, assoclen
+ cryptlen
);
320 ahash_request_set_callback(ahreq
, aead_request_flags(req
),
321 authenc_esn_verify_ahash_done
, req
);
323 err
= crypto_ahash_digest(ahreq
);
328 return crypto_authenc_esn_decrypt_tail(req
, aead_request_flags(req
));
331 static int crypto_authenc_esn_init_tfm(struct crypto_aead
*tfm
)
333 struct aead_instance
*inst
= aead_alg_instance(tfm
);
334 struct authenc_esn_instance_ctx
*ictx
= aead_instance_ctx(inst
);
335 struct crypto_authenc_esn_ctx
*ctx
= crypto_aead_ctx(tfm
);
336 struct crypto_ahash
*auth
;
337 struct crypto_skcipher
*enc
;
338 struct crypto_skcipher
*null
;
341 auth
= crypto_spawn_ahash(&ictx
->auth
);
343 return PTR_ERR(auth
);
345 enc
= crypto_spawn_skcipher2(&ictx
->enc
);
350 null
= crypto_get_default_null_skcipher2();
353 goto err_free_skcipher
;
359 ctx
->reqoff
= ALIGN(2 * crypto_ahash_digestsize(auth
),
360 crypto_ahash_alignmask(auth
) + 1);
362 crypto_aead_set_reqsize(
364 sizeof(struct authenc_esn_request_ctx
) +
367 crypto_ahash_reqsize(auth
) +
368 sizeof(struct ahash_request
),
369 sizeof(struct skcipher_request
) +
370 crypto_skcipher_reqsize(enc
)));
375 crypto_free_skcipher(enc
);
377 crypto_free_ahash(auth
);
381 static void crypto_authenc_esn_exit_tfm(struct crypto_aead
*tfm
)
383 struct crypto_authenc_esn_ctx
*ctx
= crypto_aead_ctx(tfm
);
385 crypto_free_ahash(ctx
->auth
);
386 crypto_free_skcipher(ctx
->enc
);
387 crypto_put_default_null_skcipher2();
390 static void crypto_authenc_esn_free(struct aead_instance
*inst
)
392 struct authenc_esn_instance_ctx
*ctx
= aead_instance_ctx(inst
);
394 crypto_drop_skcipher(&ctx
->enc
);
395 crypto_drop_ahash(&ctx
->auth
);
399 static int crypto_authenc_esn_create(struct crypto_template
*tmpl
,
402 struct crypto_attr_type
*algt
;
403 struct aead_instance
*inst
;
404 struct hash_alg_common
*auth
;
405 struct crypto_alg
*auth_base
;
406 struct skcipher_alg
*enc
;
407 struct authenc_esn_instance_ctx
*ctx
;
408 const char *enc_name
;
411 algt
= crypto_get_attr_type(tb
);
413 return PTR_ERR(algt
);
415 if ((algt
->type
^ CRYPTO_ALG_TYPE_AEAD
) & algt
->mask
)
418 auth
= ahash_attr_alg(tb
[1], CRYPTO_ALG_TYPE_HASH
,
419 CRYPTO_ALG_TYPE_AHASH_MASK
|
420 crypto_requires_sync(algt
->type
, algt
->mask
));
422 return PTR_ERR(auth
);
424 auth_base
= &auth
->base
;
426 enc_name
= crypto_attr_alg_name(tb
[2]);
427 err
= PTR_ERR(enc_name
);
428 if (IS_ERR(enc_name
))
431 inst
= kzalloc(sizeof(*inst
) + sizeof(*ctx
), GFP_KERNEL
);
436 ctx
= aead_instance_ctx(inst
);
438 err
= crypto_init_ahash_spawn(&ctx
->auth
, auth
,
439 aead_crypto_instance(inst
));
443 crypto_set_skcipher_spawn(&ctx
->enc
, aead_crypto_instance(inst
));
444 err
= crypto_grab_skcipher2(&ctx
->enc
, enc_name
, 0,
445 crypto_requires_sync(algt
->type
,
450 enc
= crypto_spawn_skcipher_alg(&ctx
->enc
);
453 if (snprintf(inst
->alg
.base
.cra_name
, CRYPTO_MAX_ALG_NAME
,
454 "authencesn(%s,%s)", auth_base
->cra_name
,
455 enc
->base
.cra_name
) >= CRYPTO_MAX_ALG_NAME
)
458 if (snprintf(inst
->alg
.base
.cra_driver_name
, CRYPTO_MAX_ALG_NAME
,
459 "authencesn(%s,%s)", auth_base
->cra_driver_name
,
460 enc
->base
.cra_driver_name
) >= CRYPTO_MAX_ALG_NAME
)
463 inst
->alg
.base
.cra_flags
= (auth_base
->cra_flags
|
464 enc
->base
.cra_flags
) & CRYPTO_ALG_ASYNC
;
465 inst
->alg
.base
.cra_priority
= enc
->base
.cra_priority
* 10 +
466 auth_base
->cra_priority
;
467 inst
->alg
.base
.cra_blocksize
= enc
->base
.cra_blocksize
;
468 inst
->alg
.base
.cra_alignmask
= auth_base
->cra_alignmask
|
469 enc
->base
.cra_alignmask
;
470 inst
->alg
.base
.cra_ctxsize
= sizeof(struct crypto_authenc_esn_ctx
);
472 inst
->alg
.ivsize
= crypto_skcipher_alg_ivsize(enc
);
473 inst
->alg
.chunksize
= crypto_skcipher_alg_chunksize(enc
);
474 inst
->alg
.maxauthsize
= auth
->digestsize
;
476 inst
->alg
.init
= crypto_authenc_esn_init_tfm
;
477 inst
->alg
.exit
= crypto_authenc_esn_exit_tfm
;
479 inst
->alg
.setkey
= crypto_authenc_esn_setkey
;
480 inst
->alg
.setauthsize
= crypto_authenc_esn_setauthsize
;
481 inst
->alg
.encrypt
= crypto_authenc_esn_encrypt
;
482 inst
->alg
.decrypt
= crypto_authenc_esn_decrypt
;
484 inst
->free
= crypto_authenc_esn_free
,
486 err
= aead_register_instance(tmpl
, inst
);
491 crypto_mod_put(auth_base
);
495 crypto_drop_skcipher(&ctx
->enc
);
497 crypto_drop_ahash(&ctx
->auth
);
504 static struct crypto_template crypto_authenc_esn_tmpl
= {
505 .name
= "authencesn",
506 .create
= crypto_authenc_esn_create
,
507 .module
= THIS_MODULE
,
510 static int __init
crypto_authenc_esn_module_init(void)
512 return crypto_register_template(&crypto_authenc_esn_tmpl
);
515 static void __exit
crypto_authenc_esn_module_exit(void)
517 crypto_unregister_template(&crypto_authenc_esn_tmpl
);
520 module_init(crypto_authenc_esn_module_init
);
521 module_exit(crypto_authenc_esn_module_exit
);
523 MODULE_LICENSE("GPL");
524 MODULE_AUTHOR("Steffen Klassert <steffen.klassert@secunet.com>");
525 MODULE_DESCRIPTION("AEAD wrapper for IPsec with extended sequence numbers");
526 MODULE_ALIAS_CRYPTO("authencesn");