/* XTS: as defined in IEEE1619/D16
 *	http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
 *	(sector sizes which are not a multiple of 16 bytes are,
 *	however currently unsupported)
 *
 * Copyright (c) 2007 Rik Snel <rsnel@cube.dyndns.org>
 *
 * Based on ecb.c
 * Copyright (c) 2006 Herbert Xu <herbert@gondor.apana.org.au>
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the Free
 * Software Foundation; either version 2 of the License, or (at your option)
 * any later version.
 */
# include <crypto/internal/skcipher.h>
# include <crypto/scatterwalk.h>
# include <linux/err.h>
# include <linux/init.h>
# include <linux/kernel.h>
# include <linux/module.h>
# include <linux/scatterlist.h>
# include <linux/slab.h>
# include <crypto/xts.h>
# include <crypto/b128ops.h>
# include <crypto/gf128mul.h>
/* Per-transform context: the two keyed ciphers behind one XTS transform. */
struct priv {
	/* data cipher; setkey() keys it with Key1 (first half of the key) */
	struct crypto_skcipher *child;
	/* tweak cipher; setkey() keys it with Key2 (second half of the key) */
	struct crypto_cipher *tweak;
};
/* Per-instance context, filled in by create(). */
struct xts_instance_ctx {
	/* spawn grabbed for the underlying data cipher */
	struct crypto_skcipher_spawn spawn;
	/* bare cipher name; init_tfm() allocates the tweak cipher from it */
	char name[CRYPTO_MAX_ALG_NAME];
};
/*
 * Per-request context.  init_tfm() sizes the request as
 * sizeof(struct rctx) plus the child's own request size.
 */
struct rctx {
	/* first tweak value T, written by init_crypt() */
	le128 t;
	/*
	 * request handed to the child cipher
	 * NOTE(review): presumably has to stay the last member so the child's
	 * request context can follow it - confirm before reordering.
	 */
	struct skcipher_request subreq;
};
/*
 * Install an XTS key on both underlying ciphers.
 *
 * We need two cipher instances: one to compute the initial 'tweak' by
 * encrypting the IV (usually the 'plain' iv) and the other one to encrypt
 * and decrypt the data.  @key is split in the middle: the first half (Key1)
 * keys the data cipher, the second half (Key2) keys the tweak cipher.
 *
 * Returns 0 on success, otherwise the error from xts_verify_key() or from
 * the first underlying setkey call that failed.
 */
static int setkey(struct crypto_skcipher *parent, const u8 *key,
		  unsigned int keylen)
{
	struct priv *ctx = crypto_skcipher_ctx(parent);
	unsigned int half;
	int err;

	/*
	 * NOTE(review): xts_verify_key() is declared in <crypto/xts.h> and is
	 * not visible here; confirm which key-shape checks it enforces before
	 * relying on this function to reject malformed or weak keys.
	 */
	err = xts_verify_key(parent, key, keylen);
	if (err)
		return err;

	half = keylen / 2;

	/* tweak cipher, uses Key2 i.e. the second half of *key */
	crypto_cipher_clear_flags(ctx->tweak, CRYPTO_TFM_REQ_MASK);
	crypto_cipher_set_flags(ctx->tweak,
				crypto_skcipher_get_flags(parent) &
				CRYPTO_TFM_REQ_MASK);
	err = crypto_cipher_setkey(ctx->tweak, key + half, half);
	/* hand the result flags back to the parent even when setkey failed */
	crypto_skcipher_set_flags(parent,
				  crypto_cipher_get_flags(ctx->tweak) &
				  CRYPTO_TFM_RES_MASK);
	if (err)
		return err;

	/*
	 * data cipher, uses Key1 i.e. the first half of *key
	 *
	 * The tweak cipher has already been rekeyed at this point and is not
	 * rolled back if the call below fails, so after an error the two
	 * ciphers may hold halves of different keys.
	 */
	crypto_skcipher_clear_flags(ctx->child, CRYPTO_TFM_REQ_MASK);
	crypto_skcipher_set_flags(ctx->child,
				  crypto_skcipher_get_flags(parent) &
				  CRYPTO_TFM_REQ_MASK);
	err = crypto_skcipher_setkey(ctx->child, key, half);
	crypto_skcipher_set_flags(parent,
				  crypto_skcipher_get_flags(ctx->child) &
				  CRYPTO_TFM_RES_MASK);

	return err;
}
/*
 * XOR the running tweak into every 16-byte block of one pass over the data.
 *
 * We compute the tweak masks twice (both before and after the ECB encryption or
 * decryption) to avoid having to allocate a temporary buffer and/or make
 * multiple calls to the 'ecb(..)' instance, which usually would be slower than
 * just doing the gf128mul_x_ble() calls again.
 *
 * With @second_pass false the caller's request is walked; with it true the
 * sub-request is walked instead, which init_crypt() set up as dst -> dst.
 * Returns the status of the last walk call.
 */
static int xor_tweak(struct skcipher_request *req, bool second_pass)
{
	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
	struct rctx *rctx = skcipher_request_ctx(req);
	struct skcipher_walk walk;
	/* work on a copy so that both passes start from the same T */
	le128 tweak = rctx->t;
	int err;

	if (second_pass) {
		req = &rctx->subreq;
		/* set to our TFM to enforce correct alignment: */
		skcipher_request_set_tfm(req, tfm);
	}

	err = skcipher_walk_virt(&walk, req, false);

	while (walk.nbytes) {
		unsigned int remaining = walk.nbytes;
		le128 *src = walk.src.virt.addr;
		le128 *dst = walk.dst.virt.addr;

		/*
		 * NOTE(review): this loop touches a full block before it tests
		 * the length, and 'remaining' is unsigned.  It is only memory
		 * safe if the walker never hands out a non-zero chunk shorter
		 * than XTS_BLOCK_SIZE - confirm against the walk code.
		 */
		do {
			le128_xor(dst++, &tweak, src++);
			gf128mul_x_ble(&tweak, &tweak);
			remaining -= XTS_BLOCK_SIZE;
		} while (remaining >= XTS_BLOCK_SIZE);

		/* report the bytes of this chunk that were left unprocessed */
		err = skcipher_walk_done(&walk, remaining);
	}

	return err;
}
/* First tweak pass: walks the caller's request, before the child cipher runs. */
static int xor_tweak_pre(struct skcipher_request *req)
{
	const bool second_pass = false;

	return xor_tweak(req, second_pass);
}
/* Second tweak pass: walks the sub-request, after the child cipher has run. */
static int xor_tweak_post(struct skcipher_request *req)
{
	const bool second_pass = true;

	return xor_tweak(req, second_pass);
}
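/*
 * Completion callback of the child cipher's sub-request, installed by
 * init_crypt() with the caller's request as its data pointer.
 *
 * If the child succeeded, run the second tweak pass; in every case complete
 * the caller's request with the resulting status.
 */
static void crypt_done(struct crypto_async_request *areq, int err)
{
	struct skcipher_request *req = areq->data;

	if (!err) {
		struct rctx *rctx = skcipher_request_ctx(req);

		/*
		 * The sub-request was given the caller's req->base.flags, and
		 * the second pass walks that sub-request.  A completion
		 * callback can be invoked from a context that must not sleep,
		 * so drop CRYPTO_TFM_REQ_MAY_SLEEP before walking; otherwise
		 * the walk is allowed to sleep in atomic context.
		 */
		rctx->subreq.base.flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
		err = xor_tweak_post(req);
	}

	skcipher_request_complete(req, err);
}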
/*
 * Set up the sub-request for the child cipher and derive the first tweak.
 *
 * The sub-request runs in place on req->dst over req->cryptlen bytes, inherits
 * the caller's request flags, and reports completion through crypt_done().
 * It carries no IV (create() only accepts child algorithms with ivsize 0).
 */
static void init_crypt(struct skcipher_request *req)
{
	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
	struct priv *ctx = crypto_skcipher_ctx(tfm);
	struct rctx *rctx = skcipher_request_ctx(req);
	struct skcipher_request *subreq = &rctx->subreq;
	u8 *first_tweak = (u8 *)&rctx->t;

	skcipher_request_set_tfm(subreq, ctx->child);
	skcipher_request_set_callback(subreq, req->base.flags, crypt_done, req);
	skcipher_request_set_crypt(subreq, req->dst, req->dst,
				   req->cryptlen, NULL);

	/* calculate first value of T: the IV encrypted under the tweak key */
	crypto_cipher_encrypt_one(ctx->tweak, first_tweak, req->iv);
}
/*
 * XTS encryption: tweak pass, child cipher encryption, tweak pass again.
 *
 * The first non-zero status stops the sequence and is returned as is.  When
 * the child returns non-zero here, the second pass is not run from this
 * function; crypt_done() runs it if the sub-request later completes with
 * success.
 */
static int encrypt(struct skcipher_request *req)
{
	struct rctx *rctx = skcipher_request_ctx(req);
	int err;

	init_crypt(req);

	err = xor_tweak_pre(req);
	if (err)
		return err;

	err = crypto_skcipher_encrypt(&rctx->subreq);
	if (err)
		return err;

	return xor_tweak_post(req);
}
/*
 * XTS decryption: tweak pass, child cipher decryption, tweak pass again.
 *
 * The first non-zero status stops the sequence and is returned as is.  When
 * the child returns non-zero here, the second pass is not run from this
 * function; crypt_done() runs it if the sub-request later completes with
 * success.
 */
static int decrypt(struct skcipher_request *req)
{
	struct rctx *rctx = skcipher_request_ctx(req);
	int err;

	init_crypt(req);

	err = xor_tweak_pre(req);
	if (err)
		return err;

	err = crypto_skcipher_decrypt(&rctx->subreq);
	if (err)
		return err;

	return xor_tweak_post(req);
}
/*
 * Transform constructor: instantiate the data cipher from the instance's
 * spawn, allocate the tweak cipher by the name stored in the instance
 * context, and reserve per-request space for struct rctx plus the child's
 * request.
 *
 * Returns 0 on success or the PTR_ERR() of whichever allocation failed; the
 * data cipher is released again if the tweak cipher cannot be allocated.
 */
static int init_tfm(struct crypto_skcipher *tfm)
{
	struct skcipher_instance *inst = skcipher_alg_instance(tfm);
	struct xts_instance_ctx *ictx = skcipher_instance_ctx(inst);
	struct priv *ctx = crypto_skcipher_ctx(tfm);
	struct crypto_skcipher *data_tfm;
	struct crypto_cipher *tweak_tfm;
	unsigned int reqsize;

	data_tfm = crypto_spawn_skcipher(&ictx->spawn);
	if (IS_ERR(data_tfm))
		return PTR_ERR(data_tfm);

	ctx->child = data_tfm;

	tweak_tfm = crypto_alloc_cipher(ictx->name, 0, 0);
	if (IS_ERR(tweak_tfm)) {
		/* ctx->child is left pointing at the freed transform */
		crypto_free_skcipher(data_tfm);
		return PTR_ERR(tweak_tfm);
	}

	ctx->tweak = tweak_tfm;

	reqsize = crypto_skcipher_reqsize(data_tfm) + sizeof(struct rctx);
	crypto_skcipher_set_reqsize(tfm, reqsize);

	return 0;
}
/* Transform destructor: release the data cipher, then the tweak cipher. */
static void exit_tfm(struct crypto_skcipher *tfm)
{
	struct priv *ctx = crypto_skcipher_ctx(tfm);
	struct crypto_skcipher *data_tfm = ctx->child;
	struct crypto_cipher *tweak_tfm = ctx->tweak;

	crypto_free_skcipher(data_tfm);
	crypto_free_cipher(tweak_tfm);
}
static void free ( struct skcipher_instance * inst )
{
crypto_drop_skcipher ( skcipher_instance_ctx ( inst ) ) ;
kfree ( inst ) ;
}
/*
 * Template constructor: build and register an "xts(...)" instance on top of
 * the skcipher named by the second template attribute.
 *
 * The name is tried as given and, if that lookup returns -ENOENT, again as
 * "ecb(<name>)".  The underlying algorithm must have a block size of
 * XTS_BLOCK_SIZE and an IV size of zero, and its cra_name must have the form
 * "ecb(<cipher>)"; anything else is rejected with -EINVAL.
 *
 * Returns 0 on success or a negative errno.  On failure the spawn (if
 * grabbed) is dropped and the instance is freed.
 */
static int create(struct crypto_template *tmpl, struct rtattr **tb)
{
	struct skcipher_instance *inst;
	struct crypto_attr_type *algt;
	struct xts_instance_ctx *ctx;
	struct skcipher_alg *alg;
	const char *cipher_name;
	unsigned int len;
	u32 mask;
	int err;

	algt = crypto_get_attr_type(tb);
	if (IS_ERR(algt))
		return PTR_ERR(algt);

	if ((algt->type ^ CRYPTO_ALG_TYPE_SKCIPHER) & algt->mask)
		return -EINVAL;

	cipher_name = crypto_attr_alg_name(tb[1]);
	if (IS_ERR(cipher_name))
		return PTR_ERR(cipher_name);

	/* the instance context lives directly behind the instance */
	inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
	if (!inst)
		return -ENOMEM;

	ctx = skcipher_instance_ctx(inst);

	crypto_set_skcipher_spawn(&ctx->spawn, skcipher_crypto_instance(inst));

	mask = crypto_requires_off(algt->type, algt->mask,
				   CRYPTO_ALG_NEED_FALLBACK |
				   CRYPTO_ALG_ASYNC);

	err = crypto_grab_skcipher(&ctx->spawn, cipher_name, 0, mask);
	if (err == -ENOENT) {
		/* retry with the name wrapped in "ecb(...)"; refuse truncation */
		if (snprintf(ctx->name, CRYPTO_MAX_ALG_NAME, "ecb(%s)",
			     cipher_name) >= CRYPTO_MAX_ALG_NAME) {
			err = -ENAMETOOLONG;
			goto err_free_inst;
		}

		err = crypto_grab_skcipher(&ctx->spawn, ctx->name, 0, mask);
	}

	if (err)
		goto err_free_inst;

	alg = crypto_skcipher_spawn_alg(&ctx->spawn);

	/* only 16-byte block algorithms that take no IV are acceptable */
	err = -EINVAL;
	if (alg->base.cra_blocksize != XTS_BLOCK_SIZE ||
	    crypto_skcipher_alg_ivsize(alg))
		goto err_drop_spawn;

	err = crypto_inst_setname(skcipher_crypto_instance(inst), "xts",
				  &alg->base);
	if (err)
		goto err_drop_spawn;

	err = -EINVAL;
	cipher_name = alg->base.cra_name;

	/* Alas we screwed up the naming so we have to mangle the
	 * cipher name.
	 */
	if (strncmp(cipher_name, "ecb(", 4))
		goto err_drop_spawn;

	/* keep what follows "ecb(" and insist that it fits and ends in ')' */
	len = strlcpy(ctx->name, cipher_name + 4, sizeof(ctx->name));
	if (len < 2 || len >= sizeof(ctx->name))
		goto err_drop_spawn;

	if (ctx->name[len - 1] != ')')
		goto err_drop_spawn;

	/* strip the ')' so that ctx->name is the bare cipher name */
	ctx->name[len - 1] = 0;

	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
		     "xts(%s)", ctx->name) >= CRYPTO_MAX_ALG_NAME) {
		err = -ENAMETOOLONG;
		goto err_drop_spawn;
	}

	inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC;
	inst->alg.base.cra_priority = alg->base.cra_priority;
	inst->alg.base.cra_blocksize = XTS_BLOCK_SIZE;
	inst->alg.base.cra_alignmask = alg->base.cra_alignmask |
				       (__alignof__(u64) - 1);

	inst->alg.ivsize = XTS_BLOCK_SIZE;
	/* an XTS key is two keys of the underlying cipher back to back */
	inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg) * 2;
	inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(alg) * 2;

	inst->alg.base.cra_ctxsize = sizeof(struct priv);

	inst->alg.init = init_tfm;
	inst->alg.exit = exit_tfm;

	inst->alg.setkey = setkey;
	inst->alg.encrypt = encrypt;
	inst->alg.decrypt = decrypt;

	inst->free = free;

	err = skcipher_register_instance(tmpl, inst);
	if (err)
		goto err_drop_spawn;

	return 0;

err_drop_spawn:
	crypto_drop_skcipher(&ctx->spawn);
err_free_inst:
	kfree(inst);
	return err;
}
/* The "xts" template; create() builds its instances. */
static struct crypto_template crypto_tmpl = {
	.name	= "xts",
	.create	= create,
	.module	= THIS_MODULE,
};
/* Module entry point: register the "xts" template with the crypto API. */
static int __init crypto_module_init(void)
{
	int err = crypto_register_template(&crypto_tmpl);

	return err;
}
/* Module exit point: unregister the "xts" template again. */
static void __exit crypto_module_exit(void)
{
	struct crypto_template *tmpl = &crypto_tmpl;

	crypto_unregister_template(tmpl);
}
/* Hook the init/exit functions into module load and unload. */
module_init(crypto_module_init);
module_exit(crypto_module_exit);

/* Module metadata and the "xts" crypto alias. */
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("XTS block cipher mode");
MODULE_ALIAS_CRYPTO("xts");