2 * authencesn.c - AEAD wrapper for IPsec with extended sequence numbers,
3 * derived from authenc.c
5 * Copyright (C) 2010 secunet Security Networks AG
6 * Copyright (C) 2010 Steffen Klassert <steffen.klassert@secunet.com>
7 * Copyright (c) 2015 Herbert Xu <herbert@gondor.apana.org.au>
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the Free
11 * Software Foundation; either version 2 of the License, or (at your option)
16 #include <crypto/internal/aead.h>
17 #include <crypto/internal/hash.h>
18 #include <crypto/internal/skcipher.h>
19 #include <crypto/authenc.h>
20 #include <crypto/null.h>
21 #include <crypto/scatterwalk.h>
22 #include <linux/err.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/module.h>
26 #include <linux/rtnetlink.h>
27 #include <linux/slab.h>
28 #include <linux/spinlock.h>
30 struct authenc_esn_instance_ctx
{
31 struct crypto_ahash_spawn auth
;
32 struct crypto_skcipher_spawn enc
;
35 struct crypto_authenc_esn_ctx
{
37 struct crypto_ahash
*auth
;
38 struct crypto_ablkcipher
*enc
;
39 struct crypto_blkcipher
*null
;
42 struct authenc_esn_request_ctx
{
43 struct scatterlist src
[2];
44 struct scatterlist dst
[2];
48 static void authenc_esn_request_complete(struct aead_request
*req
, int err
)
50 if (err
!= -EINPROGRESS
)
51 aead_request_complete(req
, err
);
54 static int crypto_authenc_esn_setauthsize(struct crypto_aead
*authenc_esn
,
55 unsigned int authsize
)
57 if (authsize
> 0 && authsize
< 4)
63 static int crypto_authenc_esn_setkey(struct crypto_aead
*authenc_esn
, const u8
*key
,
66 struct crypto_authenc_esn_ctx
*ctx
= crypto_aead_ctx(authenc_esn
);
67 struct crypto_ahash
*auth
= ctx
->auth
;
68 struct crypto_ablkcipher
*enc
= ctx
->enc
;
69 struct crypto_authenc_keys keys
;
72 if (crypto_authenc_extractkeys(&keys
, key
, keylen
) != 0)
75 crypto_ahash_clear_flags(auth
, CRYPTO_TFM_REQ_MASK
);
76 crypto_ahash_set_flags(auth
, crypto_aead_get_flags(authenc_esn
) &
78 err
= crypto_ahash_setkey(auth
, keys
.authkey
, keys
.authkeylen
);
79 crypto_aead_set_flags(authenc_esn
, crypto_ahash_get_flags(auth
) &
85 crypto_ablkcipher_clear_flags(enc
, CRYPTO_TFM_REQ_MASK
);
86 crypto_ablkcipher_set_flags(enc
, crypto_aead_get_flags(authenc_esn
) &
88 err
= crypto_ablkcipher_setkey(enc
, keys
.enckey
, keys
.enckeylen
);
89 crypto_aead_set_flags(authenc_esn
, crypto_ablkcipher_get_flags(enc
) &
96 crypto_aead_set_flags(authenc_esn
, CRYPTO_TFM_RES_BAD_KEY_LEN
);
100 static int crypto_authenc_esn_genicv_tail(struct aead_request
*req
,
103 struct crypto_aead
*authenc_esn
= crypto_aead_reqtfm(req
);
104 struct crypto_authenc_esn_ctx
*ctx
= crypto_aead_ctx(authenc_esn
);
105 struct authenc_esn_request_ctx
*areq_ctx
= aead_request_ctx(req
);
106 struct crypto_ahash
*auth
= ctx
->auth
;
107 u8
*hash
= PTR_ALIGN((u8
*)areq_ctx
->tail
,
108 crypto_ahash_alignmask(auth
) + 1);
109 unsigned int authsize
= crypto_aead_authsize(authenc_esn
);
110 unsigned int assoclen
= req
->assoclen
;
111 unsigned int cryptlen
= req
->cryptlen
;
112 struct scatterlist
*dst
= req
->dst
;
115 /* Move high-order bits of sequence number back. */
116 scatterwalk_map_and_copy(tmp
, dst
, 4, 4, 0);
117 scatterwalk_map_and_copy(tmp
+ 1, dst
, assoclen
+ cryptlen
, 4, 0);
118 scatterwalk_map_and_copy(tmp
, dst
, 0, 8, 1);
120 scatterwalk_map_and_copy(hash
, dst
, assoclen
+ cryptlen
, authsize
, 1);
124 static void authenc_esn_geniv_ahash_done(struct crypto_async_request
*areq
,
127 struct aead_request
*req
= areq
->data
;
129 err
= err
?: crypto_authenc_esn_genicv_tail(req
, 0);
130 aead_request_complete(req
, err
);
133 static int crypto_authenc_esn_genicv(struct aead_request
*req
,
136 struct crypto_aead
*authenc_esn
= crypto_aead_reqtfm(req
);
137 struct authenc_esn_request_ctx
*areq_ctx
= aead_request_ctx(req
);
138 struct crypto_authenc_esn_ctx
*ctx
= crypto_aead_ctx(authenc_esn
);
139 struct crypto_ahash
*auth
= ctx
->auth
;
140 u8
*hash
= PTR_ALIGN((u8
*)areq_ctx
->tail
,
141 crypto_ahash_alignmask(auth
) + 1);
142 struct ahash_request
*ahreq
= (void *)(areq_ctx
->tail
+ ctx
->reqoff
);
143 unsigned int authsize
= crypto_aead_authsize(authenc_esn
);
144 unsigned int assoclen
= req
->assoclen
;
145 unsigned int cryptlen
= req
->cryptlen
;
146 struct scatterlist
*dst
= req
->dst
;
152 /* Move high-order bits of sequence number to the end. */
153 scatterwalk_map_and_copy(tmp
, dst
, 0, 8, 0);
154 scatterwalk_map_and_copy(tmp
, dst
, 4, 4, 1);
155 scatterwalk_map_and_copy(tmp
+ 1, dst
, assoclen
+ cryptlen
, 4, 1);
157 sg_init_table(areq_ctx
->dst
, 2);
158 dst
= scatterwalk_ffwd(areq_ctx
->dst
, dst
, 4);
160 ahash_request_set_tfm(ahreq
, auth
);
161 ahash_request_set_crypt(ahreq
, dst
, hash
, assoclen
+ cryptlen
);
162 ahash_request_set_callback(ahreq
, flags
,
163 authenc_esn_geniv_ahash_done
, req
);
165 return crypto_ahash_digest(ahreq
) ?:
166 crypto_authenc_esn_genicv_tail(req
, aead_request_flags(req
));
170 static void crypto_authenc_esn_encrypt_done(struct crypto_async_request
*req
,
173 struct aead_request
*areq
= req
->data
;
176 err
= crypto_authenc_esn_genicv(areq
, 0);
178 authenc_esn_request_complete(areq
, err
);
181 static int crypto_authenc_esn_copy(struct aead_request
*req
, unsigned int len
)
183 struct crypto_aead
*authenc_esn
= crypto_aead_reqtfm(req
);
184 struct crypto_authenc_esn_ctx
*ctx
= crypto_aead_ctx(authenc_esn
);
185 struct blkcipher_desc desc
= {
189 return crypto_blkcipher_encrypt(&desc
, req
->dst
, req
->src
, len
);
192 static int crypto_authenc_esn_encrypt(struct aead_request
*req
)
194 struct crypto_aead
*authenc_esn
= crypto_aead_reqtfm(req
);
195 struct authenc_esn_request_ctx
*areq_ctx
= aead_request_ctx(req
);
196 struct crypto_authenc_esn_ctx
*ctx
= crypto_aead_ctx(authenc_esn
);
197 struct ablkcipher_request
*abreq
= (void *)(areq_ctx
->tail
199 struct crypto_ablkcipher
*enc
= ctx
->enc
;
200 unsigned int assoclen
= req
->assoclen
;
201 unsigned int cryptlen
= req
->cryptlen
;
202 struct scatterlist
*src
, *dst
;
205 sg_init_table(areq_ctx
->src
, 2);
206 src
= scatterwalk_ffwd(areq_ctx
->src
, req
->src
, assoclen
);
209 if (req
->src
!= req
->dst
) {
210 err
= crypto_authenc_esn_copy(req
, assoclen
);
214 sg_init_table(areq_ctx
->dst
, 2);
215 dst
= scatterwalk_ffwd(areq_ctx
->dst
, req
->dst
, assoclen
);
218 ablkcipher_request_set_tfm(abreq
, enc
);
219 ablkcipher_request_set_callback(abreq
, aead_request_flags(req
),
220 crypto_authenc_esn_encrypt_done
, req
);
221 ablkcipher_request_set_crypt(abreq
, src
, dst
, cryptlen
, req
->iv
);
223 err
= crypto_ablkcipher_encrypt(abreq
);
227 return crypto_authenc_esn_genicv(req
, aead_request_flags(req
));
230 static int crypto_authenc_esn_decrypt_tail(struct aead_request
*req
,
233 struct crypto_aead
*authenc_esn
= crypto_aead_reqtfm(req
);
234 unsigned int authsize
= crypto_aead_authsize(authenc_esn
);
235 struct authenc_esn_request_ctx
*areq_ctx
= aead_request_ctx(req
);
236 struct crypto_authenc_esn_ctx
*ctx
= crypto_aead_ctx(authenc_esn
);
237 struct ablkcipher_request
*abreq
= (void *)(areq_ctx
->tail
239 struct crypto_ahash
*auth
= ctx
->auth
;
240 u8
*ohash
= PTR_ALIGN((u8
*)areq_ctx
->tail
,
241 crypto_ahash_alignmask(auth
) + 1);
242 unsigned int cryptlen
= req
->cryptlen
- authsize
;
243 unsigned int assoclen
= req
->assoclen
;
244 struct scatterlist
*dst
= req
->dst
;
245 u8
*ihash
= ohash
+ crypto_ahash_digestsize(auth
);
251 /* Move high-order bits of sequence number back. */
252 scatterwalk_map_and_copy(tmp
, dst
, 4, 4, 0);
253 scatterwalk_map_and_copy(tmp
+ 1, dst
, assoclen
+ cryptlen
, 4, 0);
254 scatterwalk_map_and_copy(tmp
, dst
, 0, 8, 1);
256 if (crypto_memneq(ihash
, ohash
, authsize
))
261 sg_init_table(areq_ctx
->dst
, 2);
262 dst
= scatterwalk_ffwd(areq_ctx
->dst
, dst
, assoclen
);
264 ablkcipher_request_set_tfm(abreq
, ctx
->enc
);
265 ablkcipher_request_set_callback(abreq
, flags
,
266 req
->base
.complete
, req
->base
.data
);
267 ablkcipher_request_set_crypt(abreq
, dst
, dst
, cryptlen
, req
->iv
);
269 return crypto_ablkcipher_decrypt(abreq
);
272 static void authenc_esn_verify_ahash_done(struct crypto_async_request
*areq
,
275 struct aead_request
*req
= areq
->data
;
277 err
= err
?: crypto_authenc_esn_decrypt_tail(req
, 0);
278 aead_request_complete(req
, err
);
281 static int crypto_authenc_esn_decrypt(struct aead_request
*req
)
283 struct crypto_aead
*authenc_esn
= crypto_aead_reqtfm(req
);
284 struct authenc_esn_request_ctx
*areq_ctx
= aead_request_ctx(req
);
285 struct crypto_authenc_esn_ctx
*ctx
= crypto_aead_ctx(authenc_esn
);
286 struct ahash_request
*ahreq
= (void *)(areq_ctx
->tail
+ ctx
->reqoff
);
287 unsigned int authsize
= crypto_aead_authsize(authenc_esn
);
288 struct crypto_ahash
*auth
= ctx
->auth
;
289 u8
*ohash
= PTR_ALIGN((u8
*)areq_ctx
->tail
,
290 crypto_ahash_alignmask(auth
) + 1);
291 unsigned int assoclen
= req
->assoclen
;
292 unsigned int cryptlen
= req
->cryptlen
;
293 u8
*ihash
= ohash
+ crypto_ahash_digestsize(auth
);
294 struct scatterlist
*dst
= req
->dst
;
298 cryptlen
-= authsize
;
300 if (req
->src
!= dst
) {
301 err
= crypto_authenc_esn_copy(req
, assoclen
+ cryptlen
);
306 scatterwalk_map_and_copy(ihash
, req
->src
, assoclen
+ cryptlen
,
312 /* Move high-order bits of sequence number to the end. */
313 scatterwalk_map_and_copy(tmp
, dst
, 0, 8, 0);
314 scatterwalk_map_and_copy(tmp
, dst
, 4, 4, 1);
315 scatterwalk_map_and_copy(tmp
+ 1, dst
, assoclen
+ cryptlen
, 4, 1);
317 sg_init_table(areq_ctx
->dst
, 2);
318 dst
= scatterwalk_ffwd(areq_ctx
->dst
, dst
, 4);
320 ahash_request_set_tfm(ahreq
, auth
);
321 ahash_request_set_crypt(ahreq
, dst
, ohash
, assoclen
+ cryptlen
);
322 ahash_request_set_callback(ahreq
, aead_request_flags(req
),
323 authenc_esn_verify_ahash_done
, req
);
325 err
= crypto_ahash_digest(ahreq
);
330 return crypto_authenc_esn_decrypt_tail(req
, aead_request_flags(req
));
333 static int crypto_authenc_esn_init_tfm(struct crypto_aead
*tfm
)
335 struct aead_instance
*inst
= aead_alg_instance(tfm
);
336 struct authenc_esn_instance_ctx
*ictx
= aead_instance_ctx(inst
);
337 struct crypto_authenc_esn_ctx
*ctx
= crypto_aead_ctx(tfm
);
338 struct crypto_ahash
*auth
;
339 struct crypto_ablkcipher
*enc
;
340 struct crypto_blkcipher
*null
;
343 auth
= crypto_spawn_ahash(&ictx
->auth
);
345 return PTR_ERR(auth
);
347 enc
= crypto_spawn_skcipher(&ictx
->enc
);
352 null
= crypto_get_default_null_skcipher();
355 goto err_free_skcipher
;
361 ctx
->reqoff
= ALIGN(2 * crypto_ahash_digestsize(auth
),
362 crypto_ahash_alignmask(auth
) + 1);
364 crypto_aead_set_reqsize(
366 sizeof(struct authenc_esn_request_ctx
) +
369 crypto_ahash_reqsize(auth
) +
370 sizeof(struct ahash_request
),
371 sizeof(struct skcipher_givcrypt_request
) +
372 crypto_ablkcipher_reqsize(enc
)));
377 crypto_free_ablkcipher(enc
);
379 crypto_free_ahash(auth
);
383 static void crypto_authenc_esn_exit_tfm(struct crypto_aead
*tfm
)
385 struct crypto_authenc_esn_ctx
*ctx
= crypto_aead_ctx(tfm
);
387 crypto_free_ahash(ctx
->auth
);
388 crypto_free_ablkcipher(ctx
->enc
);
389 crypto_put_default_null_skcipher();
392 static void crypto_authenc_esn_free(struct aead_instance
*inst
)
394 struct authenc_esn_instance_ctx
*ctx
= aead_instance_ctx(inst
);
396 crypto_drop_skcipher(&ctx
->enc
);
397 crypto_drop_ahash(&ctx
->auth
);
401 static int crypto_authenc_esn_create(struct crypto_template
*tmpl
,
404 struct crypto_attr_type
*algt
;
405 struct aead_instance
*inst
;
406 struct hash_alg_common
*auth
;
407 struct crypto_alg
*auth_base
;
408 struct crypto_alg
*enc
;
409 struct authenc_esn_instance_ctx
*ctx
;
410 const char *enc_name
;
413 algt
= crypto_get_attr_type(tb
);
415 return PTR_ERR(algt
);
417 if ((algt
->type
^ CRYPTO_ALG_TYPE_AEAD
) & algt
->mask
)
420 auth
= ahash_attr_alg(tb
[1], CRYPTO_ALG_TYPE_HASH
,
421 CRYPTO_ALG_TYPE_AHASH_MASK
);
423 return PTR_ERR(auth
);
425 auth_base
= &auth
->base
;
427 enc_name
= crypto_attr_alg_name(tb
[2]);
428 err
= PTR_ERR(enc_name
);
429 if (IS_ERR(enc_name
))
432 inst
= kzalloc(sizeof(*inst
) + sizeof(*ctx
), GFP_KERNEL
);
437 ctx
= aead_instance_ctx(inst
);
439 err
= crypto_init_ahash_spawn(&ctx
->auth
, auth
,
440 aead_crypto_instance(inst
));
444 crypto_set_skcipher_spawn(&ctx
->enc
, aead_crypto_instance(inst
));
445 err
= crypto_grab_skcipher(&ctx
->enc
, enc_name
, 0,
446 crypto_requires_sync(algt
->type
,
451 enc
= crypto_skcipher_spawn_alg(&ctx
->enc
);
454 if (snprintf(inst
->alg
.base
.cra_name
, CRYPTO_MAX_ALG_NAME
,
455 "authencesn(%s,%s)", auth_base
->cra_name
,
456 enc
->cra_name
) >= CRYPTO_MAX_ALG_NAME
)
459 if (snprintf(inst
->alg
.base
.cra_driver_name
, CRYPTO_MAX_ALG_NAME
,
460 "authencesn(%s,%s)", auth_base
->cra_driver_name
,
461 enc
->cra_driver_name
) >= CRYPTO_MAX_ALG_NAME
)
464 inst
->alg
.base
.cra_flags
= enc
->cra_flags
& CRYPTO_ALG_ASYNC
;
465 inst
->alg
.base
.cra_priority
= enc
->cra_priority
* 10 +
466 auth_base
->cra_priority
;
467 inst
->alg
.base
.cra_blocksize
= enc
->cra_blocksize
;
468 inst
->alg
.base
.cra_alignmask
= auth_base
->cra_alignmask
|
470 inst
->alg
.base
.cra_ctxsize
= sizeof(struct crypto_authenc_esn_ctx
);
472 inst
->alg
.ivsize
= enc
->cra_ablkcipher
.ivsize
;
473 inst
->alg
.maxauthsize
= auth
->digestsize
;
475 inst
->alg
.init
= crypto_authenc_esn_init_tfm
;
476 inst
->alg
.exit
= crypto_authenc_esn_exit_tfm
;
478 inst
->alg
.setkey
= crypto_authenc_esn_setkey
;
479 inst
->alg
.setauthsize
= crypto_authenc_esn_setauthsize
;
480 inst
->alg
.encrypt
= crypto_authenc_esn_encrypt
;
481 inst
->alg
.decrypt
= crypto_authenc_esn_decrypt
;
483 inst
->free
= crypto_authenc_esn_free
,
485 err
= aead_register_instance(tmpl
, inst
);
490 crypto_mod_put(auth_base
);
494 crypto_drop_skcipher(&ctx
->enc
);
496 crypto_drop_ahash(&ctx
->auth
);
503 static struct crypto_template crypto_authenc_esn_tmpl
= {
504 .name
= "authencesn",
505 .create
= crypto_authenc_esn_create
,
506 .module
= THIS_MODULE
,
509 static int __init
crypto_authenc_esn_module_init(void)
511 return crypto_register_template(&crypto_authenc_esn_tmpl
);
514 static void __exit
crypto_authenc_esn_module_exit(void)
516 crypto_unregister_template(&crypto_authenc_esn_tmpl
);
519 module_init(crypto_authenc_esn_module_init
);
520 module_exit(crypto_authenc_esn_module_exit
);
522 MODULE_LICENSE("GPL");
523 MODULE_AUTHOR("Steffen Klassert <steffen.klassert@secunet.com>");
524 MODULE_DESCRIPTION("AEAD wrapper for IPsec with extended sequence numbers");
525 MODULE_ALIAS_CRYPTO("authencesn");