1 /*
2  * Key Wrapping: RFC3394 / NIST SP800-38F
3  *
4  * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, and the entire permission notice in its entirety,
11  *    including the disclaimer of warranties.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  * 3. The name of the author may not be used to endorse or promote
16  *    products derived from this software without specific prior
17  *    written permission.
18  *
19  * ALTERNATIVELY, this product may be distributed under the terms of
20  * the GNU General Public License, in which case the provisions of the GPL2
21  * are required INSTEAD OF the above restrictions.  (This clause is
22  * necessary due to a potential bad interaction between the GPL and
23  * the restrictions contained in a BSD-style copyright.)
24  *
25  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
26  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
28  * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
29  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
30  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
31  * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
32  * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
33  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
35  * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
36  * DAMAGE.
37  */
38 
39 /*
40  * Note for using key wrapping:
41  *
42  *	* The result of the encryption operation is the ciphertext starting
43  *	  with the 2nd semiblock. The first semiblock is provided as the IV.
44  *	  The IV used to start the encryption operation is the default IV.
45  *
46  *	* The input for the decryption is the first semiblock handed in as an
47  *	  IV. The ciphertext is the data starting with the 2nd semiblock. The
48  *	  return code of the decryption operation will be EBADMSG in case an
49  *	  integrity error occurs.
50  *
51  * To obtain the full result of an encryption as expected by SP800-38F, the
52  * caller must allocate a buffer of plaintext + 8 bytes:
53  *
54  *	unsigned int datalen = ptlen + crypto_skcipher_ivsize(tfm);
55  *	u8 data[datalen];
56  *	u8 *iv = data;
57  *	u8 *pt = data + crypto_skcipher_ivsize(tfm);
58  *		<ensure that pt contains the plaintext of size ptlen>
59  *	sg_init_one(&sg, pt, ptlen);
60  *	skcipher_request_set_crypt(req, &sg, &sg, ptlen, iv);
61  *
62  *	==> After encryption, data now contains full KW result as per SP800-38F.
63  *
64  * In case of decryption, ciphertext now already has the expected length
65  * and must be segmented appropriately:
66  *
67  *	unsigned int datalen = CTLEN;
68  *	u8 data[datalen];
69  *		<ensure that data contains full ciphertext>
70  *	u8 *iv = data;
71  *	u8 *ct = data + crypto_skcipher_ivsize(tfm);
72  *	unsigned int ctlen = datalen - crypto_skcipher_ivsize(tfm);
73  *	sg_init_one(&sg, ct, ctlen);
74  *	skcipher_request_set_crypt(req, &sg, &sg, ctlen, iv);
75  *
76  *	==> After decryption (which hopefully does not return EBADMSG), the ct
77  *	pointer now points to the plaintext of size ctlen.
78  *
79  * Note 2: KWP is not implemented as this would defy in-place operation.
80  *	   If somebody wants to wrap non-aligned data, he should simply pad
81  *	   the input with zeros to fill it up to the 8 byte boundary.
82  */
83 
84 #include <linux/module.h>
85 #include <linux/crypto.h>
86 #include <linux/scatterlist.h>
87 #include <crypto/scatterwalk.h>
88 #include <crypto/internal/skcipher.h>
89 
90 struct crypto_kw_block {
91 #define SEMIBSIZE 8
92 	__be64 A;
93 	__be64 R;
94 };
95 
96 /*
97  * Fast forward the SGL to the "end" length minus SEMIBSIZE.
98  * The start in the SGL defined by the fast-forward is returned with
99  * the walk variable
100  */
crypto_kw_scatterlist_ff(struct scatter_walk * walk,struct scatterlist * sg,unsigned int end)101 static void crypto_kw_scatterlist_ff(struct scatter_walk *walk,
102 				     struct scatterlist *sg,
103 				     unsigned int end)
104 {
105 	unsigned int skip = 0;
106 
107 	/* The caller should only operate on full SEMIBLOCKs. */
108 	BUG_ON(end < SEMIBSIZE);
109 
110 	skip = end - SEMIBSIZE;
111 	while (sg) {
112 		if (sg->length > skip) {
113 			scatterwalk_start(walk, sg);
114 			scatterwalk_advance(walk, skip);
115 			break;
116 		} else
117 			skip -= sg->length;
118 
119 		sg = sg_next(sg);
120 	}
121 }
122 
crypto_kw_decrypt(struct skcipher_request * req)123 static int crypto_kw_decrypt(struct skcipher_request *req)
124 {
125 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
126 	struct crypto_cipher *cipher = skcipher_cipher_simple(tfm);
127 	struct crypto_kw_block block;
128 	struct scatterlist *src, *dst;
129 	u64 t = 6 * ((req->cryptlen) >> 3);
130 	unsigned int i;
131 	int ret = 0;
132 
133 	/*
134 	 * Require at least 2 semiblocks (note, the 3rd semiblock that is
135 	 * required by SP800-38F is the IV.
136 	 */
137 	if (req->cryptlen < (2 * SEMIBSIZE) || req->cryptlen % SEMIBSIZE)
138 		return -EINVAL;
139 
140 	/* Place the IV into block A */
141 	memcpy(&block.A, req->iv, SEMIBSIZE);
142 
143 	/*
144 	 * src scatterlist is read-only. dst scatterlist is r/w. During the
145 	 * first loop, src points to req->src and dst to req->dst. For any
146 	 * subsequent round, the code operates on req->dst only.
147 	 */
148 	src = req->src;
149 	dst = req->dst;
150 
151 	for (i = 0; i < 6; i++) {
152 		struct scatter_walk src_walk, dst_walk;
153 		unsigned int nbytes = req->cryptlen;
154 
155 		while (nbytes) {
156 			/* move pointer by nbytes in the SGL */
157 			crypto_kw_scatterlist_ff(&src_walk, src, nbytes);
158 			/* get the source block */
159 			scatterwalk_copychunks(&block.R, &src_walk, SEMIBSIZE,
160 					       false);
161 
162 			/* perform KW operation: modify IV with counter */
163 			block.A ^= cpu_to_be64(t);
164 			t--;
165 			/* perform KW operation: decrypt block */
166 			crypto_cipher_decrypt_one(cipher, (u8 *)&block,
167 						  (u8 *)&block);
168 
169 			/* move pointer by nbytes in the SGL */
170 			crypto_kw_scatterlist_ff(&dst_walk, dst, nbytes);
171 			/* Copy block->R into place */
172 			scatterwalk_copychunks(&block.R, &dst_walk, SEMIBSIZE,
173 					       true);
174 
175 			nbytes -= SEMIBSIZE;
176 		}
177 
178 		/* we now start to operate on the dst SGL only */
179 		src = req->dst;
180 		dst = req->dst;
181 	}
182 
183 	/* Perform authentication check */
184 	if (block.A != cpu_to_be64(0xa6a6a6a6a6a6a6a6ULL))
185 		ret = -EBADMSG;
186 
187 	memzero_explicit(&block, sizeof(struct crypto_kw_block));
188 
189 	return ret;
190 }
191 
crypto_kw_encrypt(struct skcipher_request * req)192 static int crypto_kw_encrypt(struct skcipher_request *req)
193 {
194 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
195 	struct crypto_cipher *cipher = skcipher_cipher_simple(tfm);
196 	struct crypto_kw_block block;
197 	struct scatterlist *src, *dst;
198 	u64 t = 1;
199 	unsigned int i;
200 
201 	/*
202 	 * Require at least 2 semiblocks (note, the 3rd semiblock that is
203 	 * required by SP800-38F is the IV that occupies the first semiblock.
204 	 * This means that the dst memory must be one semiblock larger than src.
205 	 * Also ensure that the given data is aligned to semiblock.
206 	 */
207 	if (req->cryptlen < (2 * SEMIBSIZE) || req->cryptlen % SEMIBSIZE)
208 		return -EINVAL;
209 
210 	/*
211 	 * Place the predefined IV into block A -- for encrypt, the caller
212 	 * does not need to provide an IV, but he needs to fetch the final IV.
213 	 */
214 	block.A = cpu_to_be64(0xa6a6a6a6a6a6a6a6ULL);
215 
216 	/*
217 	 * src scatterlist is read-only. dst scatterlist is r/w. During the
218 	 * first loop, src points to req->src and dst to req->dst. For any
219 	 * subsequent round, the code operates on req->dst only.
220 	 */
221 	src = req->src;
222 	dst = req->dst;
223 
224 	for (i = 0; i < 6; i++) {
225 		struct scatter_walk src_walk, dst_walk;
226 		unsigned int nbytes = req->cryptlen;
227 
228 		scatterwalk_start(&src_walk, src);
229 		scatterwalk_start(&dst_walk, dst);
230 
231 		while (nbytes) {
232 			/* get the source block */
233 			scatterwalk_copychunks(&block.R, &src_walk, SEMIBSIZE,
234 					       false);
235 
236 			/* perform KW operation: encrypt block */
237 			crypto_cipher_encrypt_one(cipher, (u8 *)&block,
238 						  (u8 *)&block);
239 			/* perform KW operation: modify IV with counter */
240 			block.A ^= cpu_to_be64(t);
241 			t++;
242 
243 			/* Copy block->R into place */
244 			scatterwalk_copychunks(&block.R, &dst_walk, SEMIBSIZE,
245 					       true);
246 
247 			nbytes -= SEMIBSIZE;
248 		}
249 
250 		/* we now start to operate on the dst SGL only */
251 		src = req->dst;
252 		dst = req->dst;
253 	}
254 
255 	/* establish the IV for the caller to pick up */
256 	memcpy(req->iv, &block.A, SEMIBSIZE);
257 
258 	memzero_explicit(&block, sizeof(struct crypto_kw_block));
259 
260 	return 0;
261 }
262 
crypto_kw_create(struct crypto_template * tmpl,struct rtattr ** tb)263 static int crypto_kw_create(struct crypto_template *tmpl, struct rtattr **tb)
264 {
265 	struct skcipher_instance *inst;
266 	struct crypto_alg *alg;
267 	int err;
268 
269 	inst = skcipher_alloc_instance_simple(tmpl, tb);
270 	if (IS_ERR(inst))
271 		return PTR_ERR(inst);
272 
273 	alg = skcipher_ialg_simple(inst);
274 
275 	err = -EINVAL;
276 	/* Section 5.1 requirement for KW */
277 	if (alg->cra_blocksize != sizeof(struct crypto_kw_block))
278 		goto out_free_inst;
279 
280 	inst->alg.base.cra_blocksize = SEMIBSIZE;
281 	inst->alg.base.cra_alignmask = 0;
282 	inst->alg.ivsize = SEMIBSIZE;
283 
284 	inst->alg.encrypt = crypto_kw_encrypt;
285 	inst->alg.decrypt = crypto_kw_decrypt;
286 
287 	err = skcipher_register_instance(tmpl, inst);
288 	if (err) {
289 out_free_inst:
290 		inst->free(inst);
291 	}
292 
293 	return err;
294 }
295 
296 static struct crypto_template crypto_kw_tmpl = {
297 	.name = "kw",
298 	.create = crypto_kw_create,
299 	.module = THIS_MODULE,
300 };
301 
crypto_kw_init(void)302 static int __init crypto_kw_init(void)
303 {
304 	return crypto_register_template(&crypto_kw_tmpl);
305 }
306 
crypto_kw_exit(void)307 static void __exit crypto_kw_exit(void)
308 {
309 	crypto_unregister_template(&crypto_kw_tmpl);
310 }
311 
312 subsys_initcall(crypto_kw_init);
313 module_exit(crypto_kw_exit);
314 
315 MODULE_LICENSE("Dual BSD/GPL");
316 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
317 MODULE_DESCRIPTION("Key Wrapping (RFC3394 / NIST SP800-38F)");
318 MODULE_ALIAS_CRYPTO("kw");
319