xref: /openbmc/linux/crypto/keywrap.c (revision a48c7709)
1  /*
2   * Key Wrapping: RFC3394 / NIST SP800-38F
3   *
4   * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
5   *
6   * Redistribution and use in source and binary forms, with or without
7   * modification, are permitted provided that the following conditions
8   * are met:
9   * 1. Redistributions of source code must retain the above copyright
10   *    notice, and the entire permission notice in its entirety,
11   *    including the disclaimer of warranties.
12   * 2. Redistributions in binary form must reproduce the above copyright
13   *    notice, this list of conditions and the following disclaimer in the
14   *    documentation and/or other materials provided with the distribution.
15   * 3. The name of the author may not be used to endorse or promote
16   *    products derived from this software without specific prior
17   *    written permission.
18   *
19   * ALTERNATIVELY, this product may be distributed under the terms of
20   * the GNU General Public License, in which case the provisions of the GPL2
21   * are required INSTEAD OF the above restrictions.  (This clause is
22   * necessary due to a potential bad interaction between the GPL and
23   * the restrictions contained in a BSD-style copyright.)
24   *
25   * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
26   * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27   * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
28   * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
29   * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
30   * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
31   * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
32   * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
33   * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34   * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
35   * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
36   * DAMAGE.
37   */
38  
39  /*
40   * Note for using key wrapping:
41   *
42   *	* The result of the encryption operation is the ciphertext starting
43   *	  with the 2nd semiblock. The first semiblock is provided as the IV.
44   *	  The IV used to start the encryption operation is the default IV.
45   *
46   *	* The input for the decryption is the first semiblock handed in as an
47   *	  IV. The ciphertext is the data starting with the 2nd semiblock. The
48   *	  return code of the decryption operation will be EBADMSG in case an
49   *	  integrity error occurs.
50   *
51   * To obtain the full result of an encryption as expected by SP800-38F, the
52   * caller must allocate a buffer of plaintext + 8 bytes:
53   *
54   *	unsigned int datalen = ptlen + crypto_skcipher_ivsize(tfm);
55   *	u8 data[datalen];
56   *	u8 *iv = data;
57   *	u8 *pt = data + crypto_skcipher_ivsize(tfm);
58   *		<ensure that pt contains the plaintext of size ptlen>
59   *	sg_init_one(&sg, ptdata, ptlen);
60   *	skcipher_request_set_crypt(req, &sg, &sg, ptlen, iv);
61   *
62   *	==> After encryption, data now contains full KW result as per SP800-38F.
63   *
64   * In case of decryption, ciphertext now already has the expected length
65   * and must be segmented appropriately:
66   *
67   *	unsigned int datalen = CTLEN;
68   *	u8 data[datalen];
69   *		<ensure that data contains full ciphertext>
70   *	u8 *iv = data;
71   *	u8 *ct = data + crypto_skcipher_ivsize(tfm);
72   *	unsigned int ctlen = datalen - crypto_skcipher_ivsize(tfm);
73   *	sg_init_one(&sg, ctdata, ctlen);
74   *	skcipher_request_set_crypt(req, &sg, &sg, ptlen, iv);
75   *
76   *	==> After decryption (which hopefully does not return EBADMSG), the ct
77   *	pointer now points to the plaintext of size ctlen.
78   *
79   * Note 2: KWP is not implemented as this would defy in-place operation.
80   *	   If somebody wants to wrap non-aligned data, he should simply pad
81   *	   the input with zeros to fill it up to the 8 byte boundary.
82   */
83  
84  #include <linux/module.h>
85  #include <linux/crypto.h>
86  #include <linux/scatterlist.h>
87  #include <crypto/scatterwalk.h>
88  #include <crypto/internal/skcipher.h>
89  
90  struct crypto_kw_ctx {
91  	struct crypto_cipher *child;
92  };
93  
94  struct crypto_kw_block {
95  #define SEMIBSIZE 8
96  	__be64 A;
97  	__be64 R;
98  };
99  
100  /*
101   * Fast forward the SGL to the "end" length minus SEMIBSIZE.
102   * The start in the SGL defined by the fast-forward is returned with
103   * the walk variable
104   */
105  static void crypto_kw_scatterlist_ff(struct scatter_walk *walk,
106  				     struct scatterlist *sg,
107  				     unsigned int end)
108  {
109  	unsigned int skip = 0;
110  
111  	/* The caller should only operate on full SEMIBLOCKs. */
112  	BUG_ON(end < SEMIBSIZE);
113  
114  	skip = end - SEMIBSIZE;
115  	while (sg) {
116  		if (sg->length > skip) {
117  			scatterwalk_start(walk, sg);
118  			scatterwalk_advance(walk, skip);
119  			break;
120  		} else
121  			skip -= sg->length;
122  
123  		sg = sg_next(sg);
124  	}
125  }
126  
127  static int crypto_kw_decrypt(struct blkcipher_desc *desc,
128  			     struct scatterlist *dst, struct scatterlist *src,
129  			     unsigned int nbytes)
130  {
131  	struct crypto_blkcipher *tfm = desc->tfm;
132  	struct crypto_kw_ctx *ctx = crypto_blkcipher_ctx(tfm);
133  	struct crypto_cipher *child = ctx->child;
134  	struct crypto_kw_block block;
135  	struct scatterlist *lsrc, *ldst;
136  	u64 t = 6 * ((nbytes) >> 3);
137  	unsigned int i;
138  	int ret = 0;
139  
140  	/*
141  	 * Require at least 2 semiblocks (note, the 3rd semiblock that is
142  	 * required by SP800-38F is the IV.
143  	 */
144  	if (nbytes < (2 * SEMIBSIZE) || nbytes % SEMIBSIZE)
145  		return -EINVAL;
146  
147  	/* Place the IV into block A */
148  	memcpy(&block.A, desc->info, SEMIBSIZE);
149  
150  	/*
151  	 * src scatterlist is read-only. dst scatterlist is r/w. During the
152  	 * first loop, lsrc points to src and ldst to dst. For any
153  	 * subsequent round, the code operates on dst only.
154  	 */
155  	lsrc = src;
156  	ldst = dst;
157  
158  	for (i = 0; i < 6; i++) {
159  		struct scatter_walk src_walk, dst_walk;
160  		unsigned int tmp_nbytes = nbytes;
161  
162  		while (tmp_nbytes) {
163  			/* move pointer by tmp_nbytes in the SGL */
164  			crypto_kw_scatterlist_ff(&src_walk, lsrc, tmp_nbytes);
165  			/* get the source block */
166  			scatterwalk_copychunks(&block.R, &src_walk, SEMIBSIZE,
167  					       false);
168  
169  			/* perform KW operation: modify IV with counter */
170  			block.A ^= cpu_to_be64(t);
171  			t--;
172  			/* perform KW operation: decrypt block */
173  			crypto_cipher_decrypt_one(child, (u8*)&block,
174  						  (u8*)&block);
175  
176  			/* move pointer by tmp_nbytes in the SGL */
177  			crypto_kw_scatterlist_ff(&dst_walk, ldst, tmp_nbytes);
178  			/* Copy block->R into place */
179  			scatterwalk_copychunks(&block.R, &dst_walk, SEMIBSIZE,
180  					       true);
181  
182  			tmp_nbytes -= SEMIBSIZE;
183  		}
184  
185  		/* we now start to operate on the dst SGL only */
186  		lsrc = dst;
187  		ldst = dst;
188  	}
189  
190  	/* Perform authentication check */
191  	if (block.A != cpu_to_be64(0xa6a6a6a6a6a6a6a6ULL))
192  		ret = -EBADMSG;
193  
194  	memzero_explicit(&block, sizeof(struct crypto_kw_block));
195  
196  	return ret;
197  }
198  
199  static int crypto_kw_encrypt(struct blkcipher_desc *desc,
200  			     struct scatterlist *dst, struct scatterlist *src,
201  			     unsigned int nbytes)
202  {
203  	struct crypto_blkcipher *tfm = desc->tfm;
204  	struct crypto_kw_ctx *ctx = crypto_blkcipher_ctx(tfm);
205  	struct crypto_cipher *child = ctx->child;
206  	struct crypto_kw_block block;
207  	struct scatterlist *lsrc, *ldst;
208  	u64 t = 1;
209  	unsigned int i;
210  
211  	/*
212  	 * Require at least 2 semiblocks (note, the 3rd semiblock that is
213  	 * required by SP800-38F is the IV that occupies the first semiblock.
214  	 * This means that the dst memory must be one semiblock larger than src.
215  	 * Also ensure that the given data is aligned to semiblock.
216  	 */
217  	if (nbytes < (2 * SEMIBSIZE) || nbytes % SEMIBSIZE)
218  		return -EINVAL;
219  
220  	/*
221  	 * Place the predefined IV into block A -- for encrypt, the caller
222  	 * does not need to provide an IV, but he needs to fetch the final IV.
223  	 */
224  	block.A = cpu_to_be64(0xa6a6a6a6a6a6a6a6ULL);
225  
226  	/*
227  	 * src scatterlist is read-only. dst scatterlist is r/w. During the
228  	 * first loop, lsrc points to src and ldst to dst. For any
229  	 * subsequent round, the code operates on dst only.
230  	 */
231  	lsrc = src;
232  	ldst = dst;
233  
234  	for (i = 0; i < 6; i++) {
235  		struct scatter_walk src_walk, dst_walk;
236  		unsigned int tmp_nbytes = nbytes;
237  
238  		scatterwalk_start(&src_walk, lsrc);
239  		scatterwalk_start(&dst_walk, ldst);
240  
241  		while (tmp_nbytes) {
242  			/* get the source block */
243  			scatterwalk_copychunks(&block.R, &src_walk, SEMIBSIZE,
244  					       false);
245  
246  			/* perform KW operation: encrypt block */
247  			crypto_cipher_encrypt_one(child, (u8 *)&block,
248  						  (u8 *)&block);
249  			/* perform KW operation: modify IV with counter */
250  			block.A ^= cpu_to_be64(t);
251  			t++;
252  
253  			/* Copy block->R into place */
254  			scatterwalk_copychunks(&block.R, &dst_walk, SEMIBSIZE,
255  					       true);
256  
257  			tmp_nbytes -= SEMIBSIZE;
258  		}
259  
260  		/* we now start to operate on the dst SGL only */
261  		lsrc = dst;
262  		ldst = dst;
263  	}
264  
265  	/* establish the IV for the caller to pick up */
266  	memcpy(desc->info, &block.A, SEMIBSIZE);
267  
268  	memzero_explicit(&block, sizeof(struct crypto_kw_block));
269  
270  	return 0;
271  }
272  
273  static int crypto_kw_setkey(struct crypto_tfm *parent, const u8 *key,
274  			    unsigned int keylen)
275  {
276  	struct crypto_kw_ctx *ctx = crypto_tfm_ctx(parent);
277  	struct crypto_cipher *child = ctx->child;
278  	int err;
279  
280  	crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
281  	crypto_cipher_set_flags(child, crypto_tfm_get_flags(parent) &
282  				       CRYPTO_TFM_REQ_MASK);
283  	err = crypto_cipher_setkey(child, key, keylen);
284  	crypto_tfm_set_flags(parent, crypto_cipher_get_flags(child) &
285  				     CRYPTO_TFM_RES_MASK);
286  	return err;
287  }
288  
289  static int crypto_kw_init_tfm(struct crypto_tfm *tfm)
290  {
291  	struct crypto_instance *inst = crypto_tfm_alg_instance(tfm);
292  	struct crypto_spawn *spawn = crypto_instance_ctx(inst);
293  	struct crypto_kw_ctx *ctx = crypto_tfm_ctx(tfm);
294  	struct crypto_cipher *cipher;
295  
296  	cipher = crypto_spawn_cipher(spawn);
297  	if (IS_ERR(cipher))
298  		return PTR_ERR(cipher);
299  
300  	ctx->child = cipher;
301  	return 0;
302  }
303  
304  static void crypto_kw_exit_tfm(struct crypto_tfm *tfm)
305  {
306  	struct crypto_kw_ctx *ctx = crypto_tfm_ctx(tfm);
307  
308  	crypto_free_cipher(ctx->child);
309  }
310  
311  static struct crypto_instance *crypto_kw_alloc(struct rtattr **tb)
312  {
313  	struct crypto_instance *inst = NULL;
314  	struct crypto_alg *alg = NULL;
315  	int err;
316  
317  	err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_BLKCIPHER);
318  	if (err)
319  		return ERR_PTR(err);
320  
321  	alg = crypto_get_attr_alg(tb, CRYPTO_ALG_TYPE_CIPHER,
322  				  CRYPTO_ALG_TYPE_MASK);
323  	if (IS_ERR(alg))
324  		return ERR_CAST(alg);
325  
326  	inst = ERR_PTR(-EINVAL);
327  	/* Section 5.1 requirement for KW */
328  	if (alg->cra_blocksize != sizeof(struct crypto_kw_block))
329  		goto err;
330  
331  	inst = crypto_alloc_instance("kw", alg);
332  	if (IS_ERR(inst))
333  		goto err;
334  
335  	inst->alg.cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER;
336  	inst->alg.cra_priority = alg->cra_priority;
337  	inst->alg.cra_blocksize = SEMIBSIZE;
338  	inst->alg.cra_alignmask = 0;
339  	inst->alg.cra_type = &crypto_blkcipher_type;
340  	inst->alg.cra_blkcipher.ivsize = SEMIBSIZE;
341  	inst->alg.cra_blkcipher.min_keysize = alg->cra_cipher.cia_min_keysize;
342  	inst->alg.cra_blkcipher.max_keysize = alg->cra_cipher.cia_max_keysize;
343  
344  	inst->alg.cra_ctxsize = sizeof(struct crypto_kw_ctx);
345  
346  	inst->alg.cra_init = crypto_kw_init_tfm;
347  	inst->alg.cra_exit = crypto_kw_exit_tfm;
348  
349  	inst->alg.cra_blkcipher.setkey = crypto_kw_setkey;
350  	inst->alg.cra_blkcipher.encrypt = crypto_kw_encrypt;
351  	inst->alg.cra_blkcipher.decrypt = crypto_kw_decrypt;
352  
353  err:
354  	crypto_mod_put(alg);
355  	return inst;
356  }
357  
358  static void crypto_kw_free(struct crypto_instance *inst)
359  {
360  	crypto_drop_spawn(crypto_instance_ctx(inst));
361  	kfree(inst);
362  }
363  
364  static struct crypto_template crypto_kw_tmpl = {
365  	.name = "kw",
366  	.alloc = crypto_kw_alloc,
367  	.free = crypto_kw_free,
368  	.module = THIS_MODULE,
369  };
370  
371  static int __init crypto_kw_init(void)
372  {
373  	return crypto_register_template(&crypto_kw_tmpl);
374  }
375  
376  static void __exit crypto_kw_exit(void)
377  {
378  	crypto_unregister_template(&crypto_kw_tmpl);
379  }
380  
381  module_init(crypto_kw_init);
382  module_exit(crypto_kw_exit);
383  
384  MODULE_LICENSE("Dual BSD/GPL");
385  MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
386  MODULE_DESCRIPTION("Key Wrapping (RFC3394 / NIST SP800-38F)");
387  MODULE_ALIAS_CRYPTO("kw");
388