xref: /linux/crypto/keywrap.c (revision 24bce201d79807b668bf9d9e0aca801c5c0d5f78)
1 /*
2  * Key Wrapping: RFC3394 / NIST SP800-38F
3  *
4  * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, and the entire permission notice in its entirety,
11  *    including the disclaimer of warranties.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  * 3. The name of the author may not be used to endorse or promote
16  *    products derived from this software without specific prior
17  *    written permission.
18  *
19  * ALTERNATIVELY, this product may be distributed under the terms of
20  * the GNU General Public License, in which case the provisions of the GPL2
21  * are required INSTEAD OF the above restrictions.  (This clause is
22  * necessary due to a potential bad interaction between the GPL and
23  * the restrictions contained in a BSD-style copyright.)
24  *
25  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
26  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
28  * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
29  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
30  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
31  * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
32  * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
33  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
35  * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
36  * DAMAGE.
37  */
38 
39 /*
40  * Note for using key wrapping:
41  *
42  *	* The result of the encryption operation is the ciphertext starting
43  *	  with the 2nd semiblock. The first semiblock is provided as the IV.
44  *	  The IV used to start the encryption operation is the default IV.
45  *
46  *	* The input for the decryption is the first semiblock handed in as an
47  *	  IV. The ciphertext is the data starting with the 2nd semiblock. The
48  *	  return code of the decryption operation will be EBADMSG in case an
49  *	  integrity error occurs.
50  *
51  * To obtain the full result of an encryption as expected by SP800-38F, the
52  * caller must allocate a buffer of plaintext + 8 bytes:
53  *
54  *	unsigned int datalen = ptlen + crypto_skcipher_ivsize(tfm);
55  *	u8 data[datalen];
56  *	u8 *iv = data;
57  *	u8 *pt = data + crypto_skcipher_ivsize(tfm);
58  *		<ensure that pt contains the plaintext of size ptlen>
59  *	sg_init_one(&sg, pt, ptlen);
60  *	skcipher_request_set_crypt(req, &sg, &sg, ptlen, iv);
61  *
62  *	==> After encryption, data now contains full KW result as per SP800-38F.
63  *
64  * In case of decryption, ciphertext now already has the expected length
65  * and must be segmented appropriately:
66  *
67  *	unsigned int datalen = CTLEN;
68  *	u8 data[datalen];
69  *		<ensure that data contains full ciphertext>
70  *	u8 *iv = data;
71  *	u8 *ct = data + crypto_skcipher_ivsize(tfm);
72  *	unsigned int ctlen = datalen - crypto_skcipher_ivsize(tfm);
73  *	sg_init_one(&sg, ct, ctlen);
74  *	skcipher_request_set_crypt(req, &sg, &sg, ctlen, iv);
75  *
76  *	==> After decryption (which hopefully does not return EBADMSG), the ct
77  *	pointer now points to the plaintext of size ctlen.
78  *
79  * Note 2: KWP is not implemented as this would defy in-place operation.
80  *	   If somebody wants to wrap non-aligned data, he should simply pad
81  *	   the input with zeros to fill it up to the 8 byte boundary.
82  */
83 
84 #include <linux/module.h>
85 #include <linux/crypto.h>
86 #include <linux/scatterlist.h>
87 #include <crypto/scatterwalk.h>
88 #include <crypto/internal/cipher.h>
89 #include <crypto/internal/skcipher.h>
90 
91 struct crypto_kw_block {
92 #define SEMIBSIZE 8
93 	__be64 A;
94 	__be64 R;
95 };
96 
97 /*
98  * Fast forward the SGL to the "end" length minus SEMIBSIZE.
99  * The start in the SGL defined by the fast-forward is returned with
100  * the walk variable
101  */
102 static void crypto_kw_scatterlist_ff(struct scatter_walk *walk,
103 				     struct scatterlist *sg,
104 				     unsigned int end)
105 {
106 	unsigned int skip = 0;
107 
108 	/* The caller should only operate on full SEMIBLOCKs. */
109 	BUG_ON(end < SEMIBSIZE);
110 
111 	skip = end - SEMIBSIZE;
112 	while (sg) {
113 		if (sg->length > skip) {
114 			scatterwalk_start(walk, sg);
115 			scatterwalk_advance(walk, skip);
116 			break;
117 		}
118 
119 		skip -= sg->length;
120 		sg = sg_next(sg);
121 	}
122 }
123 
124 static int crypto_kw_decrypt(struct skcipher_request *req)
125 {
126 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
127 	struct crypto_cipher *cipher = skcipher_cipher_simple(tfm);
128 	struct crypto_kw_block block;
129 	struct scatterlist *src, *dst;
130 	u64 t = 6 * ((req->cryptlen) >> 3);
131 	unsigned int i;
132 	int ret = 0;
133 
134 	/*
135 	 * Require at least 2 semiblocks (note, the 3rd semiblock that is
136 	 * required by SP800-38F is the IV.
137 	 */
138 	if (req->cryptlen < (2 * SEMIBSIZE) || req->cryptlen % SEMIBSIZE)
139 		return -EINVAL;
140 
141 	/* Place the IV into block A */
142 	memcpy(&block.A, req->iv, SEMIBSIZE);
143 
144 	/*
145 	 * src scatterlist is read-only. dst scatterlist is r/w. During the
146 	 * first loop, src points to req->src and dst to req->dst. For any
147 	 * subsequent round, the code operates on req->dst only.
148 	 */
149 	src = req->src;
150 	dst = req->dst;
151 
152 	for (i = 0; i < 6; i++) {
153 		struct scatter_walk src_walk, dst_walk;
154 		unsigned int nbytes = req->cryptlen;
155 
156 		while (nbytes) {
157 			/* move pointer by nbytes in the SGL */
158 			crypto_kw_scatterlist_ff(&src_walk, src, nbytes);
159 			/* get the source block */
160 			scatterwalk_copychunks(&block.R, &src_walk, SEMIBSIZE,
161 					       false);
162 
163 			/* perform KW operation: modify IV with counter */
164 			block.A ^= cpu_to_be64(t);
165 			t--;
166 			/* perform KW operation: decrypt block */
167 			crypto_cipher_decrypt_one(cipher, (u8 *)&block,
168 						  (u8 *)&block);
169 
170 			/* move pointer by nbytes in the SGL */
171 			crypto_kw_scatterlist_ff(&dst_walk, dst, nbytes);
172 			/* Copy block->R into place */
173 			scatterwalk_copychunks(&block.R, &dst_walk, SEMIBSIZE,
174 					       true);
175 
176 			nbytes -= SEMIBSIZE;
177 		}
178 
179 		/* we now start to operate on the dst SGL only */
180 		src = req->dst;
181 		dst = req->dst;
182 	}
183 
184 	/* Perform authentication check */
185 	if (block.A != cpu_to_be64(0xa6a6a6a6a6a6a6a6ULL))
186 		ret = -EBADMSG;
187 
188 	memzero_explicit(&block, sizeof(struct crypto_kw_block));
189 
190 	return ret;
191 }
192 
193 static int crypto_kw_encrypt(struct skcipher_request *req)
194 {
195 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
196 	struct crypto_cipher *cipher = skcipher_cipher_simple(tfm);
197 	struct crypto_kw_block block;
198 	struct scatterlist *src, *dst;
199 	u64 t = 1;
200 	unsigned int i;
201 
202 	/*
203 	 * Require at least 2 semiblocks (note, the 3rd semiblock that is
204 	 * required by SP800-38F is the IV that occupies the first semiblock.
205 	 * This means that the dst memory must be one semiblock larger than src.
206 	 * Also ensure that the given data is aligned to semiblock.
207 	 */
208 	if (req->cryptlen < (2 * SEMIBSIZE) || req->cryptlen % SEMIBSIZE)
209 		return -EINVAL;
210 
211 	/*
212 	 * Place the predefined IV into block A -- for encrypt, the caller
213 	 * does not need to provide an IV, but he needs to fetch the final IV.
214 	 */
215 	block.A = cpu_to_be64(0xa6a6a6a6a6a6a6a6ULL);
216 
217 	/*
218 	 * src scatterlist is read-only. dst scatterlist is r/w. During the
219 	 * first loop, src points to req->src and dst to req->dst. For any
220 	 * subsequent round, the code operates on req->dst only.
221 	 */
222 	src = req->src;
223 	dst = req->dst;
224 
225 	for (i = 0; i < 6; i++) {
226 		struct scatter_walk src_walk, dst_walk;
227 		unsigned int nbytes = req->cryptlen;
228 
229 		scatterwalk_start(&src_walk, src);
230 		scatterwalk_start(&dst_walk, dst);
231 
232 		while (nbytes) {
233 			/* get the source block */
234 			scatterwalk_copychunks(&block.R, &src_walk, SEMIBSIZE,
235 					       false);
236 
237 			/* perform KW operation: encrypt block */
238 			crypto_cipher_encrypt_one(cipher, (u8 *)&block,
239 						  (u8 *)&block);
240 			/* perform KW operation: modify IV with counter */
241 			block.A ^= cpu_to_be64(t);
242 			t++;
243 
244 			/* Copy block->R into place */
245 			scatterwalk_copychunks(&block.R, &dst_walk, SEMIBSIZE,
246 					       true);
247 
248 			nbytes -= SEMIBSIZE;
249 		}
250 
251 		/* we now start to operate on the dst SGL only */
252 		src = req->dst;
253 		dst = req->dst;
254 	}
255 
256 	/* establish the IV for the caller to pick up */
257 	memcpy(req->iv, &block.A, SEMIBSIZE);
258 
259 	memzero_explicit(&block, sizeof(struct crypto_kw_block));
260 
261 	return 0;
262 }
263 
264 static int crypto_kw_create(struct crypto_template *tmpl, struct rtattr **tb)
265 {
266 	struct skcipher_instance *inst;
267 	struct crypto_alg *alg;
268 	int err;
269 
270 	inst = skcipher_alloc_instance_simple(tmpl, tb);
271 	if (IS_ERR(inst))
272 		return PTR_ERR(inst);
273 
274 	alg = skcipher_ialg_simple(inst);
275 
276 	err = -EINVAL;
277 	/* Section 5.1 requirement for KW */
278 	if (alg->cra_blocksize != sizeof(struct crypto_kw_block))
279 		goto out_free_inst;
280 
281 	inst->alg.base.cra_blocksize = SEMIBSIZE;
282 	inst->alg.base.cra_alignmask = 0;
283 	inst->alg.ivsize = SEMIBSIZE;
284 
285 	inst->alg.encrypt = crypto_kw_encrypt;
286 	inst->alg.decrypt = crypto_kw_decrypt;
287 
288 	err = skcipher_register_instance(tmpl, inst);
289 	if (err) {
290 out_free_inst:
291 		inst->free(inst);
292 	}
293 
294 	return err;
295 }
296 
297 static struct crypto_template crypto_kw_tmpl = {
298 	.name = "kw",
299 	.create = crypto_kw_create,
300 	.module = THIS_MODULE,
301 };
302 
303 static int __init crypto_kw_init(void)
304 {
305 	return crypto_register_template(&crypto_kw_tmpl);
306 }
307 
308 static void __exit crypto_kw_exit(void)
309 {
310 	crypto_unregister_template(&crypto_kw_tmpl);
311 }
312 
313 subsys_initcall(crypto_kw_init);
314 module_exit(crypto_kw_exit);
315 
316 MODULE_LICENSE("Dual BSD/GPL");
317 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
318 MODULE_DESCRIPTION("Key Wrapping (RFC3394 / NIST SP800-38F)");
319 MODULE_ALIAS_CRYPTO("kw");
320 MODULE_IMPORT_NS(CRYPTO_INTERNAL);
321