crypto/crypto_user.c

   1 /*
   2  * Crypto user configuration API.
   3  *
   4  * Copyright (C) 2011 secunet Security Networks AG
   5  * Copyright (C) 2011 Steffen Klassert <steffen.klassert@secunet.com>
   6  *
   7  * This program is free software; you can redistribute it and/or modify it
   8  * under the terms and conditions of the GNU General Public License,
   9  * version 2, as published by the Free Software Foundation.
  10  *
  11  * This program is distributed in the hope it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
  14  * more details.
  15  *
  16  * You should have received a copy of the GNU General Public License along with
  17  * this program; if not, write to the Free Software Foundation, Inc.,
  18  * 51 Franklin St - Fifth Floor, Boston, MA 02110-1301 USA.
  19  */
  20
  21 #include <linux/module.h>
  22 #include <linux/crypto.h>
  23 #include <linux/cryptouser.h>
  24 #include <linux/sched.h>
  25 #include <net/netlink.h>
  26 #include <linux/security.h>
  27 #include <net/net_namespace.h>
  28 #include <crypto/internal/skcipher.h>
  29 #include <crypto/internal/rng.h>
  30 #include <crypto/akcipher.h>
  31
  32 #include "internal.h"
  33
  34 #define null_terminated(x)      (strnlen(x, sizeof(x)) < sizeof(x))
  35
  36 static DEFINE_MUTEX(crypto_cfg_mutex);
  37
  38 /* The crypto netlink socket */
  39 static struct sock *crypto_nlsk;
  40
  41 struct crypto_dump_info {
  42         struct sk_buff *in_skb;
  43         struct sk_buff *out_skb;
  44         u32 nlmsg_seq;
  45         u16 nlmsg_flags;
  46 };
  47
  48 static struct crypto_alg *crypto_alg_match(struct crypto_user_alg *p, int exact)
  49 {
  50         struct crypto_alg *q, *alg = NULL;
  51
  52         down_read(&crypto_alg_sem);
  53
  54         list_for_each_entry(q, &crypto_alg_list, cra_list) {
  55                 int match = 0;
  56
  57                 if ((q->cra_flags ^ p->cru_type) & p->cru_mask)
  58                         continue;
  59
  60                 if (strlen(p->cru_driver_name))
  61                         match = !strcmp(q->cra_driver_name,
  62                                         p->cru_driver_name);
  63                 else if (!exact)
  64                         match = !strcmp(q->cra_name, p->cru_name);
  65
  66                 if (!match)
  67                         continue;
  68
  69                 if (unlikely(!crypto_mod_get(q)))
  70                         continue;
  71
  72                 alg = q;
  73                 break;
  74         }
  75
  76         up_read(&crypto_alg_sem);
  77
  78         return alg;
  79 }
  80
  81 static int crypto_report_cipher(struct sk_buff *skb, struct crypto_alg *alg)
  82 {
  83         struct crypto_report_cipher rcipher;
  84
  85         strncpy(rcipher.type, "cipher", sizeof(rcipher.type));
  86
  87         rcipher.blocksize = alg->cra_blocksize;
  88         rcipher.min_keysize = alg->cra_cipher.cia_min_keysize;
  89         rcipher.max_keysize = alg->cra_cipher.cia_max_keysize;
  90
  91         if (nla_put(skb, CRYPTOCFGA_REPORT_CIPHER,
  92                     sizeof(struct crypto_report_cipher), &rcipher))
  93                 goto nla_put_failure;
  94         return 0;
  95
  96 nla_put_failure:
  97         return -EMSGSIZE;
  98 }
  99
 100 static int crypto_report_comp(struct sk_buff *skb, struct crypto_alg *alg)
 101 {
 102         struct crypto_report_comp rcomp;
 103
 104         strncpy(rcomp.type, "compression", sizeof(rcomp.type));
 105         if (nla_put(skb, CRYPTOCFGA_REPORT_COMPRESS,
 106                     sizeof(struct crypto_report_comp), &rcomp))
 107                 goto nla_put_failure;
 108         return 0;
 109
 110 nla_put_failure:
 111         return -EMSGSIZE;
 112 }
 113
 114 static int crypto_report_akcipher(struct sk_buff *skb, struct crypto_alg *alg)
 115 {
 116         struct crypto_report_akcipher rakcipher;
 117
 118         strncpy(rakcipher.type, "akcipher", sizeof(rakcipher.type));
 119
 120         if (nla_put(skb, CRYPTOCFGA_REPORT_AKCIPHER,
 121                     sizeof(struct crypto_report_akcipher), &rakcipher))
 122                 goto nla_put_failure;
 123         return 0;
 124
 125 nla_put_failure:
 126         return -EMSGSIZE;
 127 }
 128
 129 static int crypto_report_one(struct crypto_alg *alg,
 130                              struct crypto_user_alg *ualg, struct sk_buff *skb)
 131 {
 132         strncpy(ualg->cru_name, alg->cra_name, sizeof(ualg->cru_name));
 133         strncpy(ualg->cru_driver_name, alg->cra_driver_name,
 134                 sizeof(ualg->cru_driver_name));
 135         strncpy(ualg->cru_module_name, module_name(alg->cra_module),
 136                 sizeof(ualg->cru_module_name));
 137
 138         ualg->cru_type = 0;
 139         ualg->cru_mask = 0;
 140         ualg->cru_flags = alg->cra_flags;
 141         ualg->cru_refcnt = atomic_read(&alg->cra_refcnt);
 142
 143         if (nla_put_u32(skb, CRYPTOCFGA_PRIORITY_VAL, alg->cra_priority))
 144                 goto nla_put_failure;
 145         if (alg->cra_flags & CRYPTO_ALG_LARVAL) {
 146                 struct crypto_report_larval rl;
 147
 148                 strncpy(rl.type, "larval", sizeof(rl.type));
 149                 if (nla_put(skb, CRYPTOCFGA_REPORT_LARVAL,
 150                             sizeof(struct crypto_report_larval), &rl))
 151                         goto nla_put_failure;
 152                 goto out;
 153         }
 154
 155         if (alg->cra_type && alg->cra_type->report) {
 156                 if (alg->cra_type->report(skb, alg))
 157                         goto nla_put_failure;
 158
 159                 goto out;
 160         }
 161
 162         switch (alg->cra_flags & (CRYPTO_ALG_TYPE_MASK | CRYPTO_ALG_LARVAL)) {
 163         case CRYPTO_ALG_TYPE_CIPHER:
 164                 if (crypto_report_cipher(skb, alg))
 165                         goto nla_put_failure;
 166
 167                 break;
 168         case CRYPTO_ALG_TYPE_COMPRESS:
 169                 if (crypto_report_comp(skb, alg))
 170                         goto nla_put_failure;
 171
 172                 break;
 173
 174         case CRYPTO_ALG_TYPE_AKCIPHER:
 175                 if (crypto_report_akcipher(skb, alg))
 176                         goto nla_put_failure;
 177
 178                 break;
 179         }
 180
 181 out:
 182         return 0;
 183
 184 nla_put_failure:
 185         return -EMSGSIZE;
 186 }
 187
 188 static int crypto_report_alg(struct crypto_alg *alg,
 189                              struct crypto_dump_info *info)
 190 {
 191         struct sk_buff *in_skb = info->in_skb;
 192         struct sk_buff *skb = info->out_skb;
 193         struct nlmsghdr *nlh;
 194         struct crypto_user_alg *ualg;
 195         int err = 0;
 196
 197         nlh = nlmsg_put(skb, NETLINK_CB(in_skb).portid, info->nlmsg_seq,
 198                         CRYPTO_MSG_GETALG, sizeof(*ualg), info->nlmsg_flags);
 199         if (!nlh) {
 200                 err = -EMSGSIZE;
 201                 goto out;
 202         }
 203
 204         ualg = nlmsg_data(nlh);
 205
 206         err = crypto_report_one(alg, ualg, skb);
 207         if (err) {
 208                 nlmsg_cancel(skb, nlh);
 209                 goto out;
 210         }
 211
 212         nlmsg_end(skb, nlh);
 213
 214 out:
 215         return err;
 216 }
 217
 218 static int crypto_report(struct sk_buff *in_skb, struct nlmsghdr *in_nlh,
 219                          struct nlattr **attrs)
 220 {
 221         struct crypto_user_alg *p = nlmsg_data(in_nlh);
 222         struct crypto_alg *alg;
 223         struct sk_buff *skb;
 224         struct crypto_dump_info info;
 225         int err;
 226
 227         if (!null_terminated(p->cru_name) || !null_terminated(p->cru_driver_name))
 228                 return -EINVAL;
 229
 230         alg = crypto_alg_match(p, 0);
 231         if (!alg)
 232                 return -ENOENT;
 233
 234         err = -ENOMEM;
 235         skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
 236         if (!skb)
 237                 goto drop_alg;
 238
 239         info.in_skb = in_skb;
 240         info.out_skb = skb;
 241         info.nlmsg_seq = in_nlh->nlmsg_seq;
 242         info.nlmsg_flags = 0;
 243
 244         err = crypto_report_alg(alg, &info);
 245
 246 drop_alg:
 247         crypto_mod_put(alg);
 248
 249         if (err)
 250                 return err;
 251
 252         return nlmsg_unicast(crypto_nlsk, skb, NETLINK_CB(in_skb).portid);
 253 }
 254
 255 static int crypto_dump_report(struct sk_buff *skb, struct netlink_callback *cb)
 256 {
 257         struct crypto_alg *alg;
 258         struct crypto_dump_info info;
 259         int err;
 260
 261         if (cb->args[0])
 262                 goto out;
 263
 264         cb->args[0] = 1;
 265
 266         info.in_skb = cb->skb;
 267         info.out_skb = skb;
 268         info.nlmsg_seq = cb->nlh->nlmsg_seq;
 269         info.nlmsg_flags = NLM_F_MULTI;
 270
 271         list_for_each_entry(alg, &crypto_alg_list, cra_list) {
 272                 err = crypto_report_alg(alg, &info);
 273                 if (err)
 274                         goto out_err;
 275         }
 276
 277 out:
 278         return skb->len;
 279 out_err:
 280         return err;
 281 }
 282
 283 static int crypto_dump_report_done(struct netlink_callback *cb)
 284 {
 285         return 0;
 286 }
 287
 288 static int crypto_update_alg(struct sk_buff *skb, struct nlmsghdr *nlh,
 289                              struct nlattr **attrs)
 290 {
 291         struct crypto_alg *alg;
 292         struct crypto_user_alg *p = nlmsg_data(nlh);
 293         struct nlattr *priority = attrs[CRYPTOCFGA_PRIORITY_VAL];
 294         LIST_HEAD(list);
 295
 296         if (!netlink_capable(skb, CAP_NET_ADMIN))
 297                 return -EPERM;
 298
 299         if (!null_terminated(p->cru_name) || !null_terminated(p->cru_driver_name))
 300                 return -EINVAL;
 301
 302         if (priority && !strlen(p->cru_driver_name))
 303                 return -EINVAL;
 304
 305         alg = crypto_alg_match(p, 1);
 306         if (!alg)
 307                 return -ENOENT;
 308
 309         down_write(&crypto_alg_sem);
 310
 311         crypto_remove_spawns(alg, &list, NULL);
 312
 313         if (priority)
 314                 alg->cra_priority = nla_get_u32(priority);
 315
 316         up_write(&crypto_alg_sem);
 317
 318         crypto_mod_put(alg);
 319         crypto_remove_final(&list);
 320
 321         return 0;
 322 }
 323
 324 static int crypto_del_alg(struct sk_buff *skb, struct nlmsghdr *nlh,
 325                           struct nlattr **attrs)
 326 {
 327         struct crypto_alg *alg;
 328         struct crypto_user_alg *p = nlmsg_data(nlh);
 329         int err;
 330
 331         if (!netlink_capable(skb, CAP_NET_ADMIN))
 332                 return -EPERM;
 333
 334         if (!null_terminated(p->cru_name) || !null_terminated(p->cru_driver_name))
 335                 return -EINVAL;
 336
 337         alg = crypto_alg_match(p, 1);
 338         if (!alg)
 339                 return -ENOENT;
 340
 341         /* We can not unregister core algorithms such as aes-generic.
 342          * We would loose the reference in the crypto_alg_list to this algorithm
 343          * if we try to unregister. Unregistering such an algorithm without
 344          * removing the module is not possible, so we restrict to crypto
 345          * instances that are build from templates. */
 346         err = -EINVAL;
 347         if (!(alg->cra_flags & CRYPTO_ALG_INSTANCE))
 348                 goto drop_alg;
 349
 350         err = -EBUSY;
 351         if (atomic_read(&alg->cra_refcnt) > 2)
 352                 goto drop_alg;
 353
 354         err = crypto_unregister_instance((struct crypto_instance *)alg);
 355
 356 drop_alg:
 357         crypto_mod_put(alg);
 358         return err;
 359 }
 360
 361 static struct crypto_alg *crypto_user_skcipher_alg(const char *name, u32 type,
 362                                                    u32 mask)
 363 {
 364         int err;
 365         struct crypto_alg *alg;
 366
 367         type = crypto_skcipher_type(type);
 368         mask = crypto_skcipher_mask(mask);
 369
 370         for (;;) {
 371                 alg = crypto_lookup_skcipher(name,  type, mask);
 372                 if (!IS_ERR(alg))
 373                         return alg;
 374
 375                 err = PTR_ERR(alg);
 376                 if (err != -EAGAIN)
 377                         break;
 378                 if (signal_pending(current)) {
 379                         err = -EINTR;
 380                         break;
 381                 }
 382         }
 383
 384         return ERR_PTR(err);
 385 }
 386
 387 static int crypto_add_alg(struct sk_buff *skb, struct nlmsghdr *nlh,
 388                           struct nlattr **attrs)
 389 {
 390         int exact = 0;
 391         const char *name;
 392         struct crypto_alg *alg;
 393         struct crypto_user_alg *p = nlmsg_data(nlh);
 394         struct nlattr *priority = attrs[CRYPTOCFGA_PRIORITY_VAL];
 395
 396         if (!netlink_capable(skb, CAP_NET_ADMIN))
 397                 return -EPERM;
 398
 399         if (!null_terminated(p->cru_name) || !null_terminated(p->cru_driver_name))
 400                 return -EINVAL;
 401
 402         if (strlen(p->cru_driver_name))
 403                 exact = 1;
 404
 405         if (priority && !exact)
 406                 return -EINVAL;
 407
 408         alg = crypto_alg_match(p, exact);
 409         if (alg) {
 410                 crypto_mod_put(alg);
 411                 return -EEXIST;
 412         }
 413
 414         if (strlen(p->cru_driver_name))
 415                 name = p->cru_driver_name;
 416         else
 417                 name = p->cru_name;
 418
 419         switch (p->cru_type & p->cru_mask & CRYPTO_ALG_TYPE_MASK) {
 420         case CRYPTO_ALG_TYPE_GIVCIPHER:
 421         case CRYPTO_ALG_TYPE_BLKCIPHER:
 422         case CRYPTO_ALG_TYPE_ABLKCIPHER:
 423                 alg = crypto_user_skcipher_alg(name, p->cru_type, p->cru_mask);
 424                 break;
 425         default:
 426                 alg = crypto_alg_mod_lookup(name, p->cru_type, p->cru_mask);
 427         }
 428
 429         if (IS_ERR(alg))
 430                 return PTR_ERR(alg);
 431
 432         down_write(&crypto_alg_sem);
 433
 434         if (priority)
 435                 alg->cra_priority = nla_get_u32(priority);
 436
 437         up_write(&crypto_alg_sem);
 438
 439         crypto_mod_put(alg);
 440
 441         return 0;
 442 }
 443
 444 static int crypto_del_rng(struct sk_buff *skb, struct nlmsghdr *nlh,
 445                           struct nlattr **attrs)
 446 {
 447         if (!netlink_capable(skb, CAP_NET_ADMIN))
 448                 return -EPERM;
 449         return crypto_del_default_rng();
 450 }
 451
 452 #define MSGSIZE(type) sizeof(struct type)
 453
 454 static const int crypto_msg_min[CRYPTO_NR_MSGTYPES] = {
 455         [CRYPTO_MSG_NEWALG      - CRYPTO_MSG_BASE] = MSGSIZE(crypto_user_alg),
 456         [CRYPTO_MSG_DELALG      - CRYPTO_MSG_BASE] = MSGSIZE(crypto_user_alg),
 457         [CRYPTO_MSG_UPDATEALG   - CRYPTO_MSG_BASE] = MSGSIZE(crypto_user_alg),
 458         [CRYPTO_MSG_DELRNG      - CRYPTO_MSG_BASE] = 0,
 459 };
 460
 461 static const struct nla_policy crypto_policy[CRYPTOCFGA_MAX+1] = {
 462         [CRYPTOCFGA_PRIORITY_VAL]   = { .type = NLA_U32},
 463 };
 464
 465 #undef MSGSIZE
 466
 467 static const struct crypto_link {
 468         int (*doit)(struct sk_buff *, struct nlmsghdr *, struct nlattr **);
 469         int (*dump)(struct sk_buff *, struct netlink_callback *);
 470         int (*done)(struct netlink_callback *);
 471 } crypto_dispatch[CRYPTO_NR_MSGTYPES] = {
 472         [CRYPTO_MSG_NEWALG      - CRYPTO_MSG_BASE] = { .doit = crypto_add_alg},
 473         [CRYPTO_MSG_DELALG      - CRYPTO_MSG_BASE] = { .doit = crypto_del_alg},
 474         [CRYPTO_MSG_UPDATEALG   - CRYPTO_MSG_BASE] = { .doit = crypto_update_alg},
 475         [CRYPTO_MSG_GETALG      - CRYPTO_MSG_BASE] = { .doit = crypto_report,
 476                                                        .dump = crypto_dump_report,
 477                                                        .done = crypto_dump_report_done},
 478         [CRYPTO_MSG_DELRNG      - CRYPTO_MSG_BASE] = { .doit = crypto_del_rng },
 479 };
 480
 481 static int crypto_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 482 {
 483         struct nlattr *attrs[CRYPTOCFGA_MAX+1];
 484         const struct crypto_link *link;
 485         int type, err;
 486
 487         type = nlh->nlmsg_type;
 488         if (type > CRYPTO_MSG_MAX)
 489                 return -EINVAL;
 490
 491         type -= CRYPTO_MSG_BASE;
 492         link = &crypto_dispatch[type];
 493
 494         if ((type == (CRYPTO_MSG_GETALG - CRYPTO_MSG_BASE) &&
 495             (nlh->nlmsg_flags & NLM_F_DUMP))) {
 496                 struct crypto_alg *alg;
 497                 u16 dump_alloc = 0;
 498
 499                 if (link->dump == NULL)
 500                         return -EINVAL;
 501
 502                 list_for_each_entry(alg, &crypto_alg_list, cra_list)
 503                         dump_alloc += CRYPTO_REPORT_MAXSIZE;
 504
 505                 {
 506                         struct netlink_dump_control c = {
 507                                 .dump = link->dump,
 508                                 .done = link->done,
 509                                 .min_dump_alloc = dump_alloc,
 510                         };
 511                         return netlink_dump_start(crypto_nlsk, skb, nlh, &c);
 512                 }
 513         }
 514
 515         err = nlmsg_parse(nlh, crypto_msg_min[type], attrs, CRYPTOCFGA_MAX,
 516                           crypto_policy);
 517         if (err < 0)
 518                 return err;
 519
 520         if (link->doit == NULL)
 521                 return -EINVAL;
 522
 523         return link->doit(skb, nlh, attrs);
 524 }
 525
 526 static void crypto_netlink_rcv(struct sk_buff *skb)
 527 {
 528         mutex_lock(&crypto_cfg_mutex);
 529         netlink_rcv_skb(skb, &crypto_user_rcv_msg);
 530         mutex_unlock(&crypto_cfg_mutex);
 531 }
 532
 533 static int __init crypto_user_init(void)
 534 {
 535         struct netlink_kernel_cfg cfg = {
 536                 .input  = crypto_netlink_rcv,
 537         };
 538
 539         crypto_nlsk = netlink_kernel_create(&init_net, NETLINK_CRYPTO, &cfg);
 540         if (!crypto_nlsk)
 541                 return -ENOMEM;
 542
 543         return 0;
 544 }
 545
 546 static void __exit crypto_user_exit(void)
 547 {
 548         netlink_kernel_release(crypto_nlsk);
 549 }
 550
 551 module_init(crypto_user_init);
 552 module_exit(crypto_user_exit);
 553 MODULE_LICENSE("GPL");
 554 MODULE_AUTHOR("Steffen Klassert <steffen.klassert@secunet.com>");
 555 MODULE_DESCRIPTION("Crypto userspace configuration API");
 556 MODULE_ALIAS("net-pf-16-proto-21");