Commit | Line | Data |
---|---|---|
79c0949e PK |
1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* Multipath TCP cryptographic functions | |
3 | * Copyright (c) 2017 - 2019, Intel Corporation. | |
4 | * | |
5 | * Note: This code is based on mptcp_ctrl.c, mptcp_ipv4.c, and | |
6 | * mptcp_ipv6 from multipath-tcp.org, authored by: | |
7 | * | |
8 | * Sébastien Barré <sebastien.barre@uclouvain.be> | |
9 | * Christoph Paasch <christoph.paasch@uclouvain.be> | |
10 | * Jaakko Korkeaniemi <jaakko.korkeaniemi@aalto.fi> | |
11 | * Gregory Detal <gregory.detal@uclouvain.be> | |
12 | * Fabien Duchêne <fabien.duchene@uclouvain.be> | |
13 | * Andreas Seelinger <Andreas.Seelinger@rwth-aachen.de> | |
14 | * Lavkesh Lahngir <lavkesh51@gmail.com> | |
15 | * Andreas Ripke <ripke@neclab.eu> | |
16 | * Vlad Dogaru <vlad.dogaru@intel.com> | |
17 | * Octavian Purdila <octavian.purdila@intel.com> | |
18 | * John Ronan <jronan@tssg.org> | |
19 | * Catalin Nicutar <catalin.nicutar@gmail.com> | |
20 | * Brandon Heller <brandonh@stanford.edu> | |
21 | */ | |
22 | ||
23 | #include <linux/kernel.h> | |
65492c5a | 24 | #include <crypto/sha.h> |
79c0949e PK |
25 | #include <asm/unaligned.h> |
26 | ||
27 | #include "protocol.h" | |
28 | ||
65492c5a | 29 | #define SHA256_DIGEST_WORDS (SHA256_DIGEST_SIZE / 4) |
79c0949e PK |
30 | |
31 | void mptcp_crypto_key_sha(u64 key, u32 *token, u64 *idsn) | |
32 | { | |
65492c5a PA |
33 | __be32 mptcp_hashed_key[SHA256_DIGEST_WORDS]; |
34 | __be64 input = cpu_to_be64(key); | |
35 | struct sha256_state state; | |
79c0949e | 36 | |
65492c5a PA |
37 | sha256_init(&state); |
38 | sha256_update(&state, (__force u8 *)&input, sizeof(input)); | |
39 | sha256_final(&state, (u8 *)mptcp_hashed_key); | |
79c0949e PK |
40 | |
41 | if (token) | |
42 | *token = be32_to_cpu(mptcp_hashed_key[0]); | |
43 | if (idsn) | |
65492c5a | 44 | *idsn = be64_to_cpu(*((__be64 *)&mptcp_hashed_key[6])); |
79c0949e PK |
45 | } |
46 | ||
3df523ab | 47 | void mptcp_crypto_hmac_sha(u64 key1, u64 key2, u8 *msg, int len, void *hmac) |
79c0949e | 48 | { |
65492c5a PA |
49 | u8 input[SHA256_BLOCK_SIZE + SHA256_DIGEST_SIZE]; |
50 | __be32 mptcp_hashed_key[SHA256_DIGEST_WORDS]; | |
51 | __be32 *hash_out = (__force __be32 *)hmac; | |
52 | struct sha256_state state; | |
79c0949e PK |
53 | u8 key1be[8]; |
54 | u8 key2be[8]; | |
55 | int i; | |
56 | ||
3df523ab PK |
57 | if (WARN_ON_ONCE(len > SHA256_DIGEST_SIZE)) |
58 | len = SHA256_DIGEST_SIZE; | |
59 | ||
79c0949e PK |
60 | put_unaligned_be64(key1, key1be); |
61 | put_unaligned_be64(key2, key2be); | |
62 | ||
63 | /* Generate key xored with ipad */ | |
64 | memset(input, 0x36, SHA_MESSAGE_BYTES); | |
65 | for (i = 0; i < 8; i++) | |
66 | input[i] ^= key1be[i]; | |
67 | for (i = 0; i < 8; i++) | |
68 | input[i + 8] ^= key2be[i]; | |
69 | ||
3df523ab | 70 | memcpy(&input[SHA256_BLOCK_SIZE], msg, len); |
79c0949e | 71 | |
65492c5a | 72 | sha256_init(&state); |
3df523ab | 73 | sha256_update(&state, input, SHA256_BLOCK_SIZE + len); |
79c0949e PK |
74 | |
75 | /* emit sha256(K1 || msg) on the second input block, so we can | |
76 | * reuse 'input' for the last hashing | |
77 | */ | |
65492c5a | 78 | sha256_final(&state, &input[SHA256_BLOCK_SIZE]); |
79c0949e PK |
79 | |
80 | /* Prepare second part of hmac */ | |
81 | memset(input, 0x5C, SHA_MESSAGE_BYTES); | |
82 | for (i = 0; i < 8; i++) | |
83 | input[i] ^= key1be[i]; | |
84 | for (i = 0; i < 8; i++) | |
85 | input[i + 8] ^= key2be[i]; | |
86 | ||
65492c5a PA |
87 | sha256_init(&state); |
88 | sha256_update(&state, input, SHA256_BLOCK_SIZE + SHA256_DIGEST_SIZE); | |
89 | sha256_final(&state, (u8 *)mptcp_hashed_key); | |
90 | ||
91 | /* takes only first 160 bits */ | |
92 | for (i = 0; i < 5; i++) | |
93 | hash_out[i] = mptcp_hashed_key[i]; | |
94 | } | |
95 | ||
96 | #ifdef CONFIG_MPTCP_HMAC_TEST | |
97 | struct test_cast { | |
98 | char *key; | |
99 | char *msg; | |
100 | char *result; | |
101 | }; | |
102 | ||
103 | /* we can't reuse RFC 4231 test vectors, as we have constraint on the | |
104 | * input and key size, and we truncate the output. | |
105 | */ | |
106 | static struct test_cast tests[] = { | |
107 | { | |
108 | .key = "0b0b0b0b0b0b0b0b", | |
109 | .msg = "48692054", | |
110 | .result = "8385e24fb4235ac37556b6b886db106284a1da67", | |
111 | }, | |
112 | { | |
113 | .key = "aaaaaaaaaaaaaaaa", | |
114 | .msg = "dddddddd", | |
115 | .result = "2c5e219164ff1dca1c4a92318d847bb6b9d44492", | |
116 | }, | |
117 | { | |
118 | .key = "0102030405060708", | |
119 | .msg = "cdcdcdcd", | |
120 | .result = "e73b9ba9969969cefb04aa0d6df18ec2fcc075b6", | |
121 | }, | |
122 | }; | |
123 | ||
124 | static int __init test_mptcp_crypto(void) | |
125 | { | |
126 | char hmac[20], hmac_hex[41]; | |
127 | u32 nonce1, nonce2; | |
128 | u64 key1, key2; | |
3df523ab | 129 | u8 msg[8]; |
65492c5a PA |
130 | int i, j; |
131 | ||
132 | for (i = 0; i < ARRAY_SIZE(tests); ++i) { | |
133 | /* mptcp hmap will convert to be before computing the hmac */ | |
134 | key1 = be64_to_cpu(*((__be64 *)&tests[i].key[0])); | |
135 | key2 = be64_to_cpu(*((__be64 *)&tests[i].key[8])); | |
136 | nonce1 = be32_to_cpu(*((__be32 *)&tests[i].msg[0])); | |
137 | nonce2 = be32_to_cpu(*((__be32 *)&tests[i].msg[4])); | |
138 | ||
3df523ab PK |
139 | put_unaligned_be32(nonce1, &msg[0]); |
140 | put_unaligned_be32(nonce2, &msg[4]); | |
141 | ||
142 | mptcp_crypto_hmac_sha(key1, key2, msg, 8, hmac); | |
65492c5a PA |
143 | for (j = 0; j < 20; ++j) |
144 | sprintf(&hmac_hex[j << 1], "%02x", hmac[j] & 0xff); | |
145 | hmac_hex[40] = 0; | |
146 | ||
147 | if (memcmp(hmac_hex, tests[i].result, 40)) | |
148 | pr_err("test %d failed, got %s expected %s", i, | |
149 | hmac_hex, tests[i].result); | |
150 | else | |
151 | pr_info("test %d [ ok ]", i); | |
152 | } | |
153 | return 0; | |
79c0949e | 154 | } |
65492c5a PA |
155 | |
156 | late_initcall(test_mptcp_crypto); | |
157 | #endif |