xref: /openbmc/linux/crypto/algif_aead.c (revision 48c926cd)
1 /*
2  * algif_aead: User-space interface for AEAD algorithms
3  *
4  * Copyright (C) 2014, Stephan Mueller <smueller@chronox.de>
5  *
6  * This file provides the user-space API for AEAD ciphers.
7  *
8  * This program is free software; you can redistribute it and/or modify it
9  * under the terms of the GNU General Public License as published by the Free
10  * Software Foundation; either version 2 of the License, or (at your option)
11  * any later version.
12  *
13  * The following concept of the memory management is used:
14  *
15  * The kernel maintains two SGLs, the TX SGL and the RX SGL. The TX SGL is
16  * filled by user space with the data submitted via sendpage/sendmsg. Filling
17  * up the TX SGL does not cause a crypto operation -- the data will only be
18  * tracked by the kernel. Upon receipt of one recvmsg call, the caller must
19  * provide a buffer which is tracked with the RX SGL.
20  *
21  * During the processing of the recvmsg operation, the cipher request is
22  * allocated and prepared. As part of the recvmsg operation, the processed
23  * TX buffers are extracted from the TX SGL into a separate SGL.
24  *
25  * After the completion of the crypto operation, the RX SGL and the cipher
26  * request is released. The extracted TX SGL parts are released together with
27  * the RX SGL release.
28  */
29 
30 #include <crypto/internal/aead.h>
31 #include <crypto/scatterwalk.h>
32 #include <crypto/if_alg.h>
33 #include <crypto/skcipher.h>
34 #include <crypto/null.h>
35 #include <linux/init.h>
36 #include <linux/list.h>
37 #include <linux/kernel.h>
38 #include <linux/mm.h>
39 #include <linux/module.h>
40 #include <linux/net.h>
41 #include <net/sock.h>
42 
43 struct aead_tfm {
44 	struct crypto_aead *aead;
45 	bool has_key;
46 	struct crypto_skcipher *null_tfm;
47 };
48 
49 static inline bool aead_sufficient_data(struct sock *sk)
50 {
51 	struct alg_sock *ask = alg_sk(sk);
52 	struct sock *psk = ask->parent;
53 	struct alg_sock *pask = alg_sk(psk);
54 	struct af_alg_ctx *ctx = ask->private;
55 	struct aead_tfm *aeadc = pask->private;
56 	struct crypto_aead *tfm = aeadc->aead;
57 	unsigned int as = crypto_aead_authsize(tfm);
58 
59 	/*
60 	 * The minimum amount of memory needed for an AEAD cipher is
61 	 * the AAD and in case of decryption the tag.
62 	 */
63 	return ctx->used >= ctx->aead_assoclen + (ctx->enc ? 0 : as);
64 }
65 
66 static int aead_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
67 {
68 	struct sock *sk = sock->sk;
69 	struct alg_sock *ask = alg_sk(sk);
70 	struct sock *psk = ask->parent;
71 	struct alg_sock *pask = alg_sk(psk);
72 	struct aead_tfm *aeadc = pask->private;
73 	struct crypto_aead *tfm = aeadc->aead;
74 	unsigned int ivsize = crypto_aead_ivsize(tfm);
75 
76 	return af_alg_sendmsg(sock, msg, size, ivsize);
77 }
78 
79 static int crypto_aead_copy_sgl(struct crypto_skcipher *null_tfm,
80 				struct scatterlist *src,
81 				struct scatterlist *dst, unsigned int len)
82 {
83 	SKCIPHER_REQUEST_ON_STACK(skreq, null_tfm);
84 
85 	skcipher_request_set_tfm(skreq, null_tfm);
86 	skcipher_request_set_callback(skreq, CRYPTO_TFM_REQ_MAY_BACKLOG,
87 				      NULL, NULL);
88 	skcipher_request_set_crypt(skreq, src, dst, len, NULL);
89 
90 	return crypto_skcipher_encrypt(skreq);
91 }
92 
93 static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
94 			 size_t ignored, int flags)
95 {
96 	struct sock *sk = sock->sk;
97 	struct alg_sock *ask = alg_sk(sk);
98 	struct sock *psk = ask->parent;
99 	struct alg_sock *pask = alg_sk(psk);
100 	struct af_alg_ctx *ctx = ask->private;
101 	struct aead_tfm *aeadc = pask->private;
102 	struct crypto_aead *tfm = aeadc->aead;
103 	struct crypto_skcipher *null_tfm = aeadc->null_tfm;
104 	unsigned int as = crypto_aead_authsize(tfm);
105 	struct af_alg_async_req *areq;
106 	struct af_alg_tsgl *tsgl;
107 	struct scatterlist *src;
108 	int err = 0;
109 	size_t used = 0;		/* [in]  TX bufs to be en/decrypted */
110 	size_t outlen = 0;		/* [out] RX bufs produced by kernel */
111 	size_t usedpages = 0;		/* [in]  RX bufs to be used from user */
112 	size_t processed = 0;		/* [in]  TX bufs to be consumed */
113 
114 	/*
115 	 * Data length provided by caller via sendmsg/sendpage that has not
116 	 * yet been processed.
117 	 */
118 	used = ctx->used;
119 
120 	/*
121 	 * Make sure sufficient data is present -- note, the same check is
122 	 * is also present in sendmsg/sendpage. The checks in sendpage/sendmsg
123 	 * shall provide an information to the data sender that something is
124 	 * wrong, but they are irrelevant to maintain the kernel integrity.
125 	 * We need this check here too in case user space decides to not honor
126 	 * the error message in sendmsg/sendpage and still call recvmsg. This
127 	 * check here protects the kernel integrity.
128 	 */
129 	if (!aead_sufficient_data(sk))
130 		return -EINVAL;
131 
132 	/*
133 	 * Calculate the minimum output buffer size holding the result of the
134 	 * cipher operation. When encrypting data, the receiving buffer is
135 	 * larger by the tag length compared to the input buffer as the
136 	 * encryption operation generates the tag. For decryption, the input
137 	 * buffer provides the tag which is consumed resulting in only the
138 	 * plaintext without a buffer for the tag returned to the caller.
139 	 */
140 	if (ctx->enc)
141 		outlen = used + as;
142 	else
143 		outlen = used - as;
144 
145 	/*
146 	 * The cipher operation input data is reduced by the associated data
147 	 * length as this data is processed separately later on.
148 	 */
149 	used -= ctx->aead_assoclen;
150 
151 	/* Allocate cipher request for current operation. */
152 	areq = af_alg_alloc_areq(sk, sizeof(struct af_alg_async_req) +
153 				     crypto_aead_reqsize(tfm));
154 	if (IS_ERR(areq))
155 		return PTR_ERR(areq);
156 
157 	/* convert iovecs of output buffers into RX SGL */
158 	err = af_alg_get_rsgl(sk, msg, flags, areq, outlen, &usedpages);
159 	if (err)
160 		goto free;
161 
162 	/*
163 	 * Ensure output buffer is sufficiently large. If the caller provides
164 	 * less buffer space, only use the relative required input size. This
165 	 * allows AIO operation where the caller sent all data to be processed
166 	 * and the AIO operation performs the operation on the different chunks
167 	 * of the input data.
168 	 */
169 	if (usedpages < outlen) {
170 		size_t less = outlen - usedpages;
171 
172 		if (used < less) {
173 			err = -EINVAL;
174 			goto free;
175 		}
176 		used -= less;
177 		outlen -= less;
178 	}
179 
180 	processed = used + ctx->aead_assoclen;
181 	tsgl = list_first_entry(&ctx->tsgl_list, struct af_alg_tsgl, list);
182 
183 	/*
184 	 * Copy of AAD from source to destination
185 	 *
186 	 * The AAD is copied to the destination buffer without change. Even
187 	 * when user space uses an in-place cipher operation, the kernel
188 	 * will copy the data as it does not see whether such in-place operation
189 	 * is initiated.
190 	 *
191 	 * To ensure efficiency, the following implementation ensure that the
192 	 * ciphers are invoked to perform a crypto operation in-place. This
193 	 * is achieved by memory management specified as follows.
194 	 */
195 
196 	/* Use the RX SGL as source (and destination) for crypto op. */
197 	src = areq->first_rsgl.sgl.sg;
198 
199 	if (ctx->enc) {
200 		/*
201 		 * Encryption operation - The in-place cipher operation is
202 		 * achieved by the following operation:
203 		 *
204 		 * TX SGL: AAD || PT
205 		 *	    |	   |
206 		 *	    | copy |
207 		 *	    v	   v
208 		 * RX SGL: AAD || PT || Tag
209 		 */
210 		err = crypto_aead_copy_sgl(null_tfm, tsgl->sg,
211 					   areq->first_rsgl.sgl.sg, processed);
212 		if (err)
213 			goto free;
214 		af_alg_pull_tsgl(sk, processed, NULL, 0);
215 	} else {
216 		/*
217 		 * Decryption operation - To achieve an in-place cipher
218 		 * operation, the following  SGL structure is used:
219 		 *
220 		 * TX SGL: AAD || CT || Tag
221 		 *	    |	   |	 ^
222 		 *	    | copy |	 | Create SGL link.
223 		 *	    v	   v	 |
224 		 * RX SGL: AAD || CT ----+
225 		 */
226 
227 		 /* Copy AAD || CT to RX SGL buffer for in-place operation. */
228 		err = crypto_aead_copy_sgl(null_tfm, tsgl->sg,
229 					   areq->first_rsgl.sgl.sg, outlen);
230 		if (err)
231 			goto free;
232 
233 		/* Create TX SGL for tag and chain it to RX SGL. */
234 		areq->tsgl_entries = af_alg_count_tsgl(sk, processed,
235 						       processed - as);
236 		if (!areq->tsgl_entries)
237 			areq->tsgl_entries = 1;
238 		areq->tsgl = sock_kmalloc(sk, sizeof(*areq->tsgl) *
239 					      areq->tsgl_entries,
240 					  GFP_KERNEL);
241 		if (!areq->tsgl) {
242 			err = -ENOMEM;
243 			goto free;
244 		}
245 		sg_init_table(areq->tsgl, areq->tsgl_entries);
246 
247 		/* Release TX SGL, except for tag data and reassign tag data. */
248 		af_alg_pull_tsgl(sk, processed, areq->tsgl, processed - as);
249 
250 		/* chain the areq TX SGL holding the tag with RX SGL */
251 		if (usedpages) {
252 			/* RX SGL present */
253 			struct af_alg_sgl *sgl_prev = &areq->last_rsgl->sgl;
254 
255 			sg_unmark_end(sgl_prev->sg + sgl_prev->npages - 1);
256 			sg_chain(sgl_prev->sg, sgl_prev->npages + 1,
257 				 areq->tsgl);
258 		} else
259 			/* no RX SGL present (e.g. authentication only) */
260 			src = areq->tsgl;
261 	}
262 
263 	/* Initialize the crypto operation */
264 	aead_request_set_crypt(&areq->cra_u.aead_req, src,
265 			       areq->first_rsgl.sgl.sg, used, ctx->iv);
266 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
267 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
268 
269 	if (msg->msg_iocb && !is_sync_kiocb(msg->msg_iocb)) {
270 		/* AIO operation */
271 		areq->iocb = msg->msg_iocb;
272 		aead_request_set_callback(&areq->cra_u.aead_req,
273 					  CRYPTO_TFM_REQ_MAY_BACKLOG,
274 					  af_alg_async_cb, areq);
275 		err = ctx->enc ? crypto_aead_encrypt(&areq->cra_u.aead_req) :
276 				 crypto_aead_decrypt(&areq->cra_u.aead_req);
277 	} else {
278 		/* Synchronous operation */
279 		aead_request_set_callback(&areq->cra_u.aead_req,
280 					  CRYPTO_TFM_REQ_MAY_BACKLOG,
281 					  af_alg_complete, &ctx->completion);
282 		err = af_alg_wait_for_completion(ctx->enc ?
283 				crypto_aead_encrypt(&areq->cra_u.aead_req) :
284 				crypto_aead_decrypt(&areq->cra_u.aead_req),
285 						 &ctx->completion);
286 	}
287 
288 	/* AIO operation in progress */
289 	if (err == -EINPROGRESS) {
290 		sock_hold(sk);
291 
292 		/* Remember output size that will be generated. */
293 		areq->outlen = outlen;
294 
295 		return -EIOCBQUEUED;
296 	}
297 
298 free:
299 	af_alg_free_areq_sgls(areq);
300 	sock_kfree_s(sk, areq, areq->areqlen);
301 
302 	return err ? err : outlen;
303 }
304 
305 static int aead_recvmsg(struct socket *sock, struct msghdr *msg,
306 			size_t ignored, int flags)
307 {
308 	struct sock *sk = sock->sk;
309 	int ret = 0;
310 
311 	lock_sock(sk);
312 	while (msg_data_left(msg)) {
313 		int err = _aead_recvmsg(sock, msg, ignored, flags);
314 
315 		/*
316 		 * This error covers -EIOCBQUEUED which implies that we can
317 		 * only handle one AIO request. If the caller wants to have
318 		 * multiple AIO requests in parallel, he must make multiple
319 		 * separate AIO calls.
320 		 *
321 		 * Also return the error if no data has been processed so far.
322 		 */
323 		if (err <= 0) {
324 			if (err == -EIOCBQUEUED || err == -EBADMSG || !ret)
325 				ret = err;
326 			goto out;
327 		}
328 
329 		ret += err;
330 	}
331 
332 out:
333 	af_alg_wmem_wakeup(sk);
334 	release_sock(sk);
335 	return ret;
336 }
337 
338 static struct proto_ops algif_aead_ops = {
339 	.family		=	PF_ALG,
340 
341 	.connect	=	sock_no_connect,
342 	.socketpair	=	sock_no_socketpair,
343 	.getname	=	sock_no_getname,
344 	.ioctl		=	sock_no_ioctl,
345 	.listen		=	sock_no_listen,
346 	.shutdown	=	sock_no_shutdown,
347 	.getsockopt	=	sock_no_getsockopt,
348 	.mmap		=	sock_no_mmap,
349 	.bind		=	sock_no_bind,
350 	.accept		=	sock_no_accept,
351 	.setsockopt	=	sock_no_setsockopt,
352 
353 	.release	=	af_alg_release,
354 	.sendmsg	=	aead_sendmsg,
355 	.sendpage	=	af_alg_sendpage,
356 	.recvmsg	=	aead_recvmsg,
357 	.poll		=	af_alg_poll,
358 };
359 
360 static int aead_check_key(struct socket *sock)
361 {
362 	int err = 0;
363 	struct sock *psk;
364 	struct alg_sock *pask;
365 	struct aead_tfm *tfm;
366 	struct sock *sk = sock->sk;
367 	struct alg_sock *ask = alg_sk(sk);
368 
369 	lock_sock(sk);
370 	if (ask->refcnt)
371 		goto unlock_child;
372 
373 	psk = ask->parent;
374 	pask = alg_sk(ask->parent);
375 	tfm = pask->private;
376 
377 	err = -ENOKEY;
378 	lock_sock_nested(psk, SINGLE_DEPTH_NESTING);
379 	if (!tfm->has_key)
380 		goto unlock;
381 
382 	if (!pask->refcnt++)
383 		sock_hold(psk);
384 
385 	ask->refcnt = 1;
386 	sock_put(psk);
387 
388 	err = 0;
389 
390 unlock:
391 	release_sock(psk);
392 unlock_child:
393 	release_sock(sk);
394 
395 	return err;
396 }
397 
398 static int aead_sendmsg_nokey(struct socket *sock, struct msghdr *msg,
399 				  size_t size)
400 {
401 	int err;
402 
403 	err = aead_check_key(sock);
404 	if (err)
405 		return err;
406 
407 	return aead_sendmsg(sock, msg, size);
408 }
409 
410 static ssize_t aead_sendpage_nokey(struct socket *sock, struct page *page,
411 				       int offset, size_t size, int flags)
412 {
413 	int err;
414 
415 	err = aead_check_key(sock);
416 	if (err)
417 		return err;
418 
419 	return af_alg_sendpage(sock, page, offset, size, flags);
420 }
421 
422 static int aead_recvmsg_nokey(struct socket *sock, struct msghdr *msg,
423 				  size_t ignored, int flags)
424 {
425 	int err;
426 
427 	err = aead_check_key(sock);
428 	if (err)
429 		return err;
430 
431 	return aead_recvmsg(sock, msg, ignored, flags);
432 }
433 
434 static struct proto_ops algif_aead_ops_nokey = {
435 	.family		=	PF_ALG,
436 
437 	.connect	=	sock_no_connect,
438 	.socketpair	=	sock_no_socketpair,
439 	.getname	=	sock_no_getname,
440 	.ioctl		=	sock_no_ioctl,
441 	.listen		=	sock_no_listen,
442 	.shutdown	=	sock_no_shutdown,
443 	.getsockopt	=	sock_no_getsockopt,
444 	.mmap		=	sock_no_mmap,
445 	.bind		=	sock_no_bind,
446 	.accept		=	sock_no_accept,
447 	.setsockopt	=	sock_no_setsockopt,
448 
449 	.release	=	af_alg_release,
450 	.sendmsg	=	aead_sendmsg_nokey,
451 	.sendpage	=	aead_sendpage_nokey,
452 	.recvmsg	=	aead_recvmsg_nokey,
453 	.poll		=	af_alg_poll,
454 };
455 
456 static void *aead_bind(const char *name, u32 type, u32 mask)
457 {
458 	struct aead_tfm *tfm;
459 	struct crypto_aead *aead;
460 	struct crypto_skcipher *null_tfm;
461 
462 	tfm = kzalloc(sizeof(*tfm), GFP_KERNEL);
463 	if (!tfm)
464 		return ERR_PTR(-ENOMEM);
465 
466 	aead = crypto_alloc_aead(name, type, mask);
467 	if (IS_ERR(aead)) {
468 		kfree(tfm);
469 		return ERR_CAST(aead);
470 	}
471 
472 	null_tfm = crypto_get_default_null_skcipher2();
473 	if (IS_ERR(null_tfm)) {
474 		crypto_free_aead(aead);
475 		kfree(tfm);
476 		return ERR_CAST(null_tfm);
477 	}
478 
479 	tfm->aead = aead;
480 	tfm->null_tfm = null_tfm;
481 
482 	return tfm;
483 }
484 
485 static void aead_release(void *private)
486 {
487 	struct aead_tfm *tfm = private;
488 
489 	crypto_free_aead(tfm->aead);
490 	kfree(tfm);
491 }
492 
493 static int aead_setauthsize(void *private, unsigned int authsize)
494 {
495 	struct aead_tfm *tfm = private;
496 
497 	return crypto_aead_setauthsize(tfm->aead, authsize);
498 }
499 
500 static int aead_setkey(void *private, const u8 *key, unsigned int keylen)
501 {
502 	struct aead_tfm *tfm = private;
503 	int err;
504 
505 	err = crypto_aead_setkey(tfm->aead, key, keylen);
506 	tfm->has_key = !err;
507 
508 	return err;
509 }
510 
511 static void aead_sock_destruct(struct sock *sk)
512 {
513 	struct alg_sock *ask = alg_sk(sk);
514 	struct af_alg_ctx *ctx = ask->private;
515 	struct sock *psk = ask->parent;
516 	struct alg_sock *pask = alg_sk(psk);
517 	struct aead_tfm *aeadc = pask->private;
518 	struct crypto_aead *tfm = aeadc->aead;
519 	unsigned int ivlen = crypto_aead_ivsize(tfm);
520 
521 	af_alg_pull_tsgl(sk, ctx->used, NULL, 0);
522 	crypto_put_default_null_skcipher2();
523 	sock_kzfree_s(sk, ctx->iv, ivlen);
524 	sock_kfree_s(sk, ctx, ctx->len);
525 	af_alg_release_parent(sk);
526 }
527 
528 static int aead_accept_parent_nokey(void *private, struct sock *sk)
529 {
530 	struct af_alg_ctx *ctx;
531 	struct alg_sock *ask = alg_sk(sk);
532 	struct aead_tfm *tfm = private;
533 	struct crypto_aead *aead = tfm->aead;
534 	unsigned int len = sizeof(*ctx);
535 	unsigned int ivlen = crypto_aead_ivsize(aead);
536 
537 	ctx = sock_kmalloc(sk, len, GFP_KERNEL);
538 	if (!ctx)
539 		return -ENOMEM;
540 	memset(ctx, 0, len);
541 
542 	ctx->iv = sock_kmalloc(sk, ivlen, GFP_KERNEL);
543 	if (!ctx->iv) {
544 		sock_kfree_s(sk, ctx, len);
545 		return -ENOMEM;
546 	}
547 	memset(ctx->iv, 0, ivlen);
548 
549 	INIT_LIST_HEAD(&ctx->tsgl_list);
550 	ctx->len = len;
551 	ctx->used = 0;
552 	ctx->rcvused = 0;
553 	ctx->more = 0;
554 	ctx->merge = 0;
555 	ctx->enc = 0;
556 	ctx->aead_assoclen = 0;
557 	af_alg_init_completion(&ctx->completion);
558 
559 	ask->private = ctx;
560 
561 	sk->sk_destruct = aead_sock_destruct;
562 
563 	return 0;
564 }
565 
566 static int aead_accept_parent(void *private, struct sock *sk)
567 {
568 	struct aead_tfm *tfm = private;
569 
570 	if (!tfm->has_key)
571 		return -ENOKEY;
572 
573 	return aead_accept_parent_nokey(private, sk);
574 }
575 
576 static const struct af_alg_type algif_type_aead = {
577 	.bind		=	aead_bind,
578 	.release	=	aead_release,
579 	.setkey		=	aead_setkey,
580 	.setauthsize	=	aead_setauthsize,
581 	.accept		=	aead_accept_parent,
582 	.accept_nokey	=	aead_accept_parent_nokey,
583 	.ops		=	&algif_aead_ops,
584 	.ops_nokey	=	&algif_aead_ops_nokey,
585 	.name		=	"aead",
586 	.owner		=	THIS_MODULE
587 };
588 
589 static int __init algif_aead_init(void)
590 {
591 	return af_alg_register_type(&algif_type_aead);
592 }
593 
594 static void __exit algif_aead_exit(void)
595 {
596 	int err = af_alg_unregister_type(&algif_type_aead);
597 	BUG_ON(err);
598 }
599 
600 module_init(algif_aead_init);
601 module_exit(algif_aead_exit);
602 MODULE_LICENSE("GPL");
603 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
604 MODULE_DESCRIPTION("AEAD kernel crypto API user space interface");
605