1 | /* |
2 | * Key Wrapping: RFC3394 / NIST SP800-38F |
3 | * |
4 | * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de> |
5 | * |
6 | * Redistribution and use in source and binary forms, with or without |
7 | * modification, are permitted provided that the following conditions |
8 | * are met: |
9 | * 1. Redistributions of source code must retain the above copyright |
10 | * notice, and the entire permission notice in its entirety, |
11 | * including the disclaimer of warranties. |
12 | * 2. Redistributions in binary form must reproduce the above copyright |
13 | * notice, this list of conditions and the following disclaimer in the |
14 | * documentation and/or other materials provided with the distribution. |
15 | * 3. The name of the author may not be used to endorse or promote |
16 | * products derived from this software without specific prior |
17 | * written permission. |
18 | * |
19 | * ALTERNATIVELY, this product may be distributed under the terms of |
20 | * the GNU General Public License, in which case the provisions of the GPL2 |
21 | * are required INSTEAD OF the above restrictions. (This clause is |
22 | * necessary due to a potential bad interaction between the GPL and |
23 | * the restrictions contained in a BSD-style copyright.) |
24 | * |
25 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED |
26 | * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
27 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF |
28 | * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE |
29 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
30 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT |
31 | * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR |
32 | * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF |
33 | * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
34 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE |
35 | * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH |
36 | * DAMAGE. |
37 | */ |
38 | |
39 | /* |
40 | * Note for using key wrapping: |
41 | * |
42 | * * The result of the encryption operation is the ciphertext starting |
43 | * with the 2nd semiblock. The first semiblock is provided as the IV. |
44 | * The IV used to start the encryption operation is the default IV. |
45 | * |
46 | * * The input for the decryption is the first semiblock handed in as an |
47 | * IV. The ciphertext is the data starting with the 2nd semiblock. The |
48 | * return code of the decryption operation will be EBADMSG in case an |
49 | * integrity error occurs. |
50 | * |
51 | * To obtain the full result of an encryption as expected by SP800-38F, the |
52 | * caller must allocate a buffer of plaintext + 8 bytes: |
53 | * |
54 | * unsigned int datalen = ptlen + crypto_skcipher_ivsize(tfm); |
55 | * u8 data[datalen]; |
56 | * u8 *iv = data; |
57 | * u8 *pt = data + crypto_skcipher_ivsize(tfm); |
58 | * <ensure that pt contains the plaintext of size ptlen> |
59 | * sg_init_one(&sg, pt, ptlen); |
60 | * skcipher_request_set_crypt(req, &sg, &sg, ptlen, iv); |
61 | * |
62 | * ==> After encryption, data now contains full KW result as per SP800-38F. |
63 | * |
64 | * In case of decryption, ciphertext now already has the expected length |
65 | * and must be segmented appropriately: |
66 | * |
67 | * unsigned int datalen = CTLEN; |
68 | * u8 data[datalen]; |
69 | * <ensure that data contains full ciphertext> |
70 | * u8 *iv = data; |
71 | * u8 *ct = data + crypto_skcipher_ivsize(tfm); |
72 | * unsigned int ctlen = datalen - crypto_skcipher_ivsize(tfm); |
73 | * sg_init_one(&sg, ct, ctlen); |
74 | * skcipher_request_set_crypt(req, &sg, &sg, ctlen, iv); |
75 | * |
76 | * ==> After decryption (which hopefully does not return EBADMSG), the ct |
77 | * pointer now points to the plaintext of size ctlen. |
78 | * |
79 | * Note 2: KWP is not implemented as this would defy in-place operation. |
80 | * If somebody wants to wrap non-aligned data, he should simply pad |
81 | * the input with zeros to fill it up to the 8 byte boundary. |
82 | */ |
83 | |
84 | #include <linux/module.h> |
85 | #include <linux/crypto.h> |
86 | #include <linux/scatterlist.h> |
87 | #include <crypto/scatterwalk.h> |
88 | #include <crypto/internal/cipher.h> |
89 | #include <crypto/internal/skcipher.h> |
90 | |
91 | struct crypto_kw_block { |
92 | #define SEMIBSIZE 8 |
93 | __be64 A; |
94 | __be64 R; |
95 | }; |
96 | |
97 | /* |
98 | * Fast forward the SGL to the "end" length minus SEMIBSIZE. |
99 | * The start in the SGL defined by the fast-forward is returned with |
100 | * the walk variable |
101 | */ |
102 | static void crypto_kw_scatterlist_ff(struct scatter_walk *walk, |
103 | struct scatterlist *sg, |
104 | unsigned int end) |
105 | { |
106 | unsigned int skip = 0; |
107 | |
108 | /* The caller should only operate on full SEMIBLOCKs. */ |
109 | BUG_ON(end < SEMIBSIZE); |
110 | |
111 | skip = end - SEMIBSIZE; |
112 | while (sg) { |
113 | if (sg->length > skip) { |
114 | scatterwalk_start(walk, sg); |
115 | scatterwalk_advance(walk, nbytes: skip); |
116 | break; |
117 | } |
118 | |
119 | skip -= sg->length; |
120 | sg = sg_next(sg); |
121 | } |
122 | } |
123 | |
124 | static int crypto_kw_decrypt(struct skcipher_request *req) |
125 | { |
126 | struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); |
127 | struct crypto_cipher *cipher = skcipher_cipher_simple(tfm); |
128 | struct crypto_kw_block block; |
129 | struct scatterlist *src, *dst; |
130 | u64 t = 6 * ((req->cryptlen) >> 3); |
131 | unsigned int i; |
132 | int ret = 0; |
133 | |
134 | /* |
135 | * Require at least 2 semiblocks (note, the 3rd semiblock that is |
136 | * required by SP800-38F is the IV. |
137 | */ |
138 | if (req->cryptlen < (2 * SEMIBSIZE) || req->cryptlen % SEMIBSIZE) |
139 | return -EINVAL; |
140 | |
141 | /* Place the IV into block A */ |
142 | memcpy(&block.A, req->iv, SEMIBSIZE); |
143 | |
144 | /* |
145 | * src scatterlist is read-only. dst scatterlist is r/w. During the |
146 | * first loop, src points to req->src and dst to req->dst. For any |
147 | * subsequent round, the code operates on req->dst only. |
148 | */ |
149 | src = req->src; |
150 | dst = req->dst; |
151 | |
152 | for (i = 0; i < 6; i++) { |
153 | struct scatter_walk src_walk, dst_walk; |
154 | unsigned int nbytes = req->cryptlen; |
155 | |
156 | while (nbytes) { |
157 | /* move pointer by nbytes in the SGL */ |
158 | crypto_kw_scatterlist_ff(walk: &src_walk, sg: src, end: nbytes); |
159 | /* get the source block */ |
160 | scatterwalk_copychunks(buf: &block.R, walk: &src_walk, SEMIBSIZE, |
161 | out: false); |
162 | |
163 | /* perform KW operation: modify IV with counter */ |
164 | block.A ^= cpu_to_be64(t); |
165 | t--; |
166 | /* perform KW operation: decrypt block */ |
167 | crypto_cipher_decrypt_one(tfm: cipher, dst: (u8 *)&block, |
168 | src: (u8 *)&block); |
169 | |
170 | /* move pointer by nbytes in the SGL */ |
171 | crypto_kw_scatterlist_ff(walk: &dst_walk, sg: dst, end: nbytes); |
172 | /* Copy block->R into place */ |
173 | scatterwalk_copychunks(buf: &block.R, walk: &dst_walk, SEMIBSIZE, |
174 | out: true); |
175 | |
176 | nbytes -= SEMIBSIZE; |
177 | } |
178 | |
179 | /* we now start to operate on the dst SGL only */ |
180 | src = req->dst; |
181 | dst = req->dst; |
182 | } |
183 | |
184 | /* Perform authentication check */ |
185 | if (block.A != cpu_to_be64(0xa6a6a6a6a6a6a6a6ULL)) |
186 | ret = -EBADMSG; |
187 | |
188 | memzero_explicit(s: &block, count: sizeof(struct crypto_kw_block)); |
189 | |
190 | return ret; |
191 | } |
192 | |
193 | static int crypto_kw_encrypt(struct skcipher_request *req) |
194 | { |
195 | struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); |
196 | struct crypto_cipher *cipher = skcipher_cipher_simple(tfm); |
197 | struct crypto_kw_block block; |
198 | struct scatterlist *src, *dst; |
199 | u64 t = 1; |
200 | unsigned int i; |
201 | |
202 | /* |
203 | * Require at least 2 semiblocks (note, the 3rd semiblock that is |
204 | * required by SP800-38F is the IV that occupies the first semiblock. |
205 | * This means that the dst memory must be one semiblock larger than src. |
206 | * Also ensure that the given data is aligned to semiblock. |
207 | */ |
208 | if (req->cryptlen < (2 * SEMIBSIZE) || req->cryptlen % SEMIBSIZE) |
209 | return -EINVAL; |
210 | |
211 | /* |
212 | * Place the predefined IV into block A -- for encrypt, the caller |
213 | * does not need to provide an IV, but he needs to fetch the final IV. |
214 | */ |
215 | block.A = cpu_to_be64(0xa6a6a6a6a6a6a6a6ULL); |
216 | |
217 | /* |
218 | * src scatterlist is read-only. dst scatterlist is r/w. During the |
219 | * first loop, src points to req->src and dst to req->dst. For any |
220 | * subsequent round, the code operates on req->dst only. |
221 | */ |
222 | src = req->src; |
223 | dst = req->dst; |
224 | |
225 | for (i = 0; i < 6; i++) { |
226 | struct scatter_walk src_walk, dst_walk; |
227 | unsigned int nbytes = req->cryptlen; |
228 | |
229 | scatterwalk_start(walk: &src_walk, sg: src); |
230 | scatterwalk_start(walk: &dst_walk, sg: dst); |
231 | |
232 | while (nbytes) { |
233 | /* get the source block */ |
234 | scatterwalk_copychunks(buf: &block.R, walk: &src_walk, SEMIBSIZE, |
235 | out: false); |
236 | |
237 | /* perform KW operation: encrypt block */ |
238 | crypto_cipher_encrypt_one(tfm: cipher, dst: (u8 *)&block, |
239 | src: (u8 *)&block); |
240 | /* perform KW operation: modify IV with counter */ |
241 | block.A ^= cpu_to_be64(t); |
242 | t++; |
243 | |
244 | /* Copy block->R into place */ |
245 | scatterwalk_copychunks(buf: &block.R, walk: &dst_walk, SEMIBSIZE, |
246 | out: true); |
247 | |
248 | nbytes -= SEMIBSIZE; |
249 | } |
250 | |
251 | /* we now start to operate on the dst SGL only */ |
252 | src = req->dst; |
253 | dst = req->dst; |
254 | } |
255 | |
256 | /* establish the IV for the caller to pick up */ |
257 | memcpy(req->iv, &block.A, SEMIBSIZE); |
258 | |
259 | memzero_explicit(s: &block, count: sizeof(struct crypto_kw_block)); |
260 | |
261 | return 0; |
262 | } |
263 | |
264 | static int crypto_kw_create(struct crypto_template *tmpl, struct rtattr **tb) |
265 | { |
266 | struct skcipher_instance *inst; |
267 | struct crypto_alg *alg; |
268 | int err; |
269 | |
270 | inst = skcipher_alloc_instance_simple(tmpl, tb); |
271 | if (IS_ERR(ptr: inst)) |
272 | return PTR_ERR(ptr: inst); |
273 | |
274 | alg = skcipher_ialg_simple(inst); |
275 | |
276 | err = -EINVAL; |
277 | /* Section 5.1 requirement for KW */ |
278 | if (alg->cra_blocksize != sizeof(struct crypto_kw_block)) |
279 | goto out_free_inst; |
280 | |
281 | inst->alg.base.cra_blocksize = SEMIBSIZE; |
282 | inst->alg.base.cra_alignmask = 0; |
283 | inst->alg.ivsize = SEMIBSIZE; |
284 | |
285 | inst->alg.encrypt = crypto_kw_encrypt; |
286 | inst->alg.decrypt = crypto_kw_decrypt; |
287 | |
288 | err = skcipher_register_instance(tmpl, inst); |
289 | if (err) { |
290 | out_free_inst: |
291 | inst->free(inst); |
292 | } |
293 | |
294 | return err; |
295 | } |
296 | |
297 | static struct crypto_template crypto_kw_tmpl = { |
298 | .name = "kw" , |
299 | .create = crypto_kw_create, |
300 | .module = THIS_MODULE, |
301 | }; |
302 | |
303 | static int __init crypto_kw_init(void) |
304 | { |
305 | return crypto_register_template(tmpl: &crypto_kw_tmpl); |
306 | } |
307 | |
308 | static void __exit crypto_kw_exit(void) |
309 | { |
310 | crypto_unregister_template(tmpl: &crypto_kw_tmpl); |
311 | } |
312 | |
313 | subsys_initcall(crypto_kw_init); |
314 | module_exit(crypto_kw_exit); |
315 | |
316 | MODULE_LICENSE("Dual BSD/GPL" ); |
317 | MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>" ); |
318 | MODULE_DESCRIPTION("Key Wrapping (RFC3394 / NIST SP800-38F)" ); |
319 | MODULE_ALIAS_CRYPTO("kw" ); |
320 | MODULE_IMPORT_NS(CRYPTO_INTERNAL); |
321 | |