Commit | Line | Data |
---|---|---|
f19f5111 RS |
1 | /* XTS: as defined in IEEE1619/D16 |
2 | * http://grouper.ieee.org/groups/1619/email/pdf00086.pdf | |
3 | * (sector sizes which are not a multiple of 16 bytes are, | |
4 | * however currently unsupported) | |
5 | * | |
6 | * Copyright (c) 2007 Rik Snel <rsnel@cube.dyndns.org> | |
7 | * | |
8 | * Based om ecb.c | |
9 | * Copyright (c) 2006 Herbert Xu <herbert@gondor.apana.org.au> | |
10 | * | |
11 | * This program is free software; you can redistribute it and/or modify it | |
12 | * under the terms of the GNU General Public License as published by the Free | |
13 | * Software Foundation; either version 2 of the License, or (at your option) | |
14 | * any later version. | |
15 | */ | |
16 | #include <crypto/algapi.h> | |
17 | #include <linux/err.h> | |
18 | #include <linux/init.h> | |
19 | #include <linux/kernel.h> | |
20 | #include <linux/module.h> | |
21 | #include <linux/scatterlist.h> | |
22 | #include <linux/slab.h> | |
23 | ||
24 | #include <crypto/b128ops.h> | |
25 | #include <crypto/gf128mul.h> | |
26 | ||
27 | struct priv { | |
28 | struct crypto_cipher *child; | |
29 | struct crypto_cipher *tweak; | |
30 | }; | |
31 | ||
32 | static int setkey(struct crypto_tfm *parent, const u8 *key, | |
33 | unsigned int keylen) | |
34 | { | |
35 | struct priv *ctx = crypto_tfm_ctx(parent); | |
36 | struct crypto_cipher *child = ctx->tweak; | |
37 | u32 *flags = &parent->crt_flags; | |
38 | int err; | |
39 | ||
40 | /* key consists of keys of equal size concatenated, therefore | |
41 | * the length must be even */ | |
42 | if (keylen % 2) { | |
43 | /* tell the user why there was an error */ | |
44 | *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN; | |
45 | return -EINVAL; | |
46 | } | |
47 | ||
48 | /* we need two cipher instances: one to compute the inital 'tweak' | |
49 | * by encrypting the IV (usually the 'plain' iv) and the other | |
50 | * one to encrypt and decrypt the data */ | |
51 | ||
52 | /* tweak cipher, uses Key2 i.e. the second half of *key */ | |
53 | crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK); | |
54 | crypto_cipher_set_flags(child, crypto_tfm_get_flags(parent) & | |
55 | CRYPTO_TFM_REQ_MASK); | |
56 | err = crypto_cipher_setkey(child, key + keylen/2, keylen/2); | |
57 | if (err) | |
58 | return err; | |
59 | ||
60 | crypto_tfm_set_flags(parent, crypto_cipher_get_flags(child) & | |
61 | CRYPTO_TFM_RES_MASK); | |
62 | ||
63 | child = ctx->child; | |
64 | ||
65 | /* data cipher, uses Key1 i.e. the first half of *key */ | |
66 | crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK); | |
67 | crypto_cipher_set_flags(child, crypto_tfm_get_flags(parent) & | |
68 | CRYPTO_TFM_REQ_MASK); | |
69 | err = crypto_cipher_setkey(child, key, keylen/2); | |
70 | if (err) | |
71 | return err; | |
72 | ||
73 | crypto_tfm_set_flags(parent, crypto_cipher_get_flags(child) & | |
74 | CRYPTO_TFM_RES_MASK); | |
75 | ||
76 | return 0; | |
77 | } | |
78 | ||
79 | struct sinfo { | |
80 | be128 t; | |
81 | struct crypto_tfm *tfm; | |
82 | void (*fn)(struct crypto_tfm *, u8 *, const u8 *); | |
83 | }; | |
84 | ||
85 | static inline void xts_round(struct sinfo *s, void *dst, const void *src) | |
86 | { | |
87 | be128_xor(dst, &s->t, src); /* PP <- T xor P */ | |
88 | s->fn(s->tfm, dst, dst); /* CC <- E(Key1,PP) */ | |
89 | be128_xor(dst, dst, &s->t); /* C <- T xor CC */ | |
90 | } | |
91 | ||
92 | static int crypt(struct blkcipher_desc *d, | |
93 | struct blkcipher_walk *w, struct priv *ctx, | |
94 | void (*tw)(struct crypto_tfm *, u8 *, const u8 *), | |
95 | void (*fn)(struct crypto_tfm *, u8 *, const u8 *)) | |
96 | { | |
97 | int err; | |
98 | unsigned int avail; | |
99 | const int bs = crypto_cipher_blocksize(ctx->child); | |
100 | struct sinfo s = { | |
101 | .tfm = crypto_cipher_tfm(ctx->child), | |
102 | .fn = fn | |
103 | }; | |
104 | be128 *iv; | |
105 | u8 *wsrc; | |
106 | u8 *wdst; | |
107 | ||
108 | err = blkcipher_walk_virt(d, w); | |
109 | if (!w->nbytes) | |
110 | return err; | |
111 | ||
112 | avail = w->nbytes; | |
113 | ||
114 | wsrc = w->src.virt.addr; | |
115 | wdst = w->dst.virt.addr; | |
116 | ||
117 | /* calculate first value of T */ | |
118 | iv = (be128 *)w->iv; | |
119 | tw(crypto_cipher_tfm(ctx->tweak), (void *)&s.t, w->iv); | |
120 | ||
121 | goto first; | |
122 | ||
123 | for (;;) { | |
124 | do { | |
125 | gf128mul_x_ble(&s.t, &s.t); | |
126 | ||
127 | first: | |
128 | xts_round(&s, wdst, wsrc); | |
129 | ||
130 | wsrc += bs; | |
131 | wdst += bs; | |
132 | } while ((avail -= bs) >= bs); | |
133 | ||
134 | err = blkcipher_walk_done(d, w, avail); | |
135 | if (!w->nbytes) | |
136 | break; | |
137 | ||
138 | avail = w->nbytes; | |
139 | ||
140 | wsrc = w->src.virt.addr; | |
141 | wdst = w->dst.virt.addr; | |
142 | } | |
143 | ||
144 | return err; | |
145 | } | |
146 | ||
147 | static int encrypt(struct blkcipher_desc *desc, struct scatterlist *dst, | |
148 | struct scatterlist *src, unsigned int nbytes) | |
149 | { | |
150 | struct priv *ctx = crypto_blkcipher_ctx(desc->tfm); | |
151 | struct blkcipher_walk w; | |
152 | ||
153 | blkcipher_walk_init(&w, dst, src, nbytes); | |
154 | return crypt(desc, &w, ctx, crypto_cipher_alg(ctx->tweak)->cia_encrypt, | |
155 | crypto_cipher_alg(ctx->child)->cia_encrypt); | |
156 | } | |
157 | ||
158 | static int decrypt(struct blkcipher_desc *desc, struct scatterlist *dst, | |
159 | struct scatterlist *src, unsigned int nbytes) | |
160 | { | |
161 | struct priv *ctx = crypto_blkcipher_ctx(desc->tfm); | |
162 | struct blkcipher_walk w; | |
163 | ||
164 | blkcipher_walk_init(&w, dst, src, nbytes); | |
165 | return crypt(desc, &w, ctx, crypto_cipher_alg(ctx->tweak)->cia_encrypt, | |
166 | crypto_cipher_alg(ctx->child)->cia_decrypt); | |
167 | } | |
168 | ||
169 | static int init_tfm(struct crypto_tfm *tfm) | |
170 | { | |
171 | struct crypto_cipher *cipher; | |
172 | struct crypto_instance *inst = (void *)tfm->__crt_alg; | |
173 | struct crypto_spawn *spawn = crypto_instance_ctx(inst); | |
174 | struct priv *ctx = crypto_tfm_ctx(tfm); | |
175 | u32 *flags = &tfm->crt_flags; | |
176 | ||
177 | cipher = crypto_spawn_cipher(spawn); | |
178 | if (IS_ERR(cipher)) | |
179 | return PTR_ERR(cipher); | |
180 | ||
181 | if (crypto_cipher_blocksize(cipher) != 16) { | |
182 | *flags |= CRYPTO_TFM_RES_BAD_BLOCK_LEN; | |
183 | crypto_free_cipher(cipher); | |
184 | return -EINVAL; | |
185 | } | |
186 | ||
187 | ctx->child = cipher; | |
188 | ||
189 | cipher = crypto_spawn_cipher(spawn); | |
190 | if (IS_ERR(cipher)) { | |
191 | crypto_free_cipher(ctx->child); | |
192 | return PTR_ERR(cipher); | |
193 | } | |
194 | ||
195 | /* this check isn't really needed, leave it here just in case */ | |
196 | if (crypto_cipher_blocksize(cipher) != 16) { | |
197 | crypto_free_cipher(cipher); | |
198 | crypto_free_cipher(ctx->child); | |
199 | *flags |= CRYPTO_TFM_RES_BAD_BLOCK_LEN; | |
200 | return -EINVAL; | |
201 | } | |
202 | ||
203 | ctx->tweak = cipher; | |
204 | ||
205 | return 0; | |
206 | } | |
207 | ||
208 | static void exit_tfm(struct crypto_tfm *tfm) | |
209 | { | |
210 | struct priv *ctx = crypto_tfm_ctx(tfm); | |
211 | crypto_free_cipher(ctx->child); | |
212 | crypto_free_cipher(ctx->tweak); | |
213 | } | |
214 | ||
215 | static struct crypto_instance *alloc(struct rtattr **tb) | |
216 | { | |
217 | struct crypto_instance *inst; | |
218 | struct crypto_alg *alg; | |
219 | int err; | |
220 | ||
221 | err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_BLKCIPHER); | |
222 | if (err) | |
223 | return ERR_PTR(err); | |
224 | ||
225 | alg = crypto_get_attr_alg(tb, CRYPTO_ALG_TYPE_CIPHER, | |
226 | CRYPTO_ALG_TYPE_MASK); | |
227 | if (IS_ERR(alg)) | |
228 | return ERR_PTR(PTR_ERR(alg)); | |
229 | ||
230 | inst = crypto_alloc_instance("xts", alg); | |
231 | if (IS_ERR(inst)) | |
232 | goto out_put_alg; | |
233 | ||
234 | inst->alg.cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER; | |
235 | inst->alg.cra_priority = alg->cra_priority; | |
236 | inst->alg.cra_blocksize = alg->cra_blocksize; | |
237 | ||
238 | if (alg->cra_alignmask < 7) | |
239 | inst->alg.cra_alignmask = 7; | |
240 | else | |
241 | inst->alg.cra_alignmask = alg->cra_alignmask; | |
242 | ||
243 | inst->alg.cra_type = &crypto_blkcipher_type; | |
244 | ||
245 | inst->alg.cra_blkcipher.ivsize = alg->cra_blocksize; | |
246 | inst->alg.cra_blkcipher.min_keysize = | |
247 | 2 * alg->cra_cipher.cia_min_keysize; | |
248 | inst->alg.cra_blkcipher.max_keysize = | |
249 | 2 * alg->cra_cipher.cia_max_keysize; | |
250 | ||
251 | inst->alg.cra_ctxsize = sizeof(struct priv); | |
252 | ||
253 | inst->alg.cra_init = init_tfm; | |
254 | inst->alg.cra_exit = exit_tfm; | |
255 | ||
256 | inst->alg.cra_blkcipher.setkey = setkey; | |
257 | inst->alg.cra_blkcipher.encrypt = encrypt; | |
258 | inst->alg.cra_blkcipher.decrypt = decrypt; | |
259 | ||
260 | out_put_alg: | |
261 | crypto_mod_put(alg); | |
262 | return inst; | |
263 | } | |
264 | ||
265 | static void free(struct crypto_instance *inst) | |
266 | { | |
267 | crypto_drop_spawn(crypto_instance_ctx(inst)); | |
268 | kfree(inst); | |
269 | } | |
270 | ||
271 | static struct crypto_template crypto_tmpl = { | |
272 | .name = "xts", | |
273 | .alloc = alloc, | |
274 | .free = free, | |
275 | .module = THIS_MODULE, | |
276 | }; | |
277 | ||
278 | static int __init crypto_module_init(void) | |
279 | { | |
280 | return crypto_register_template(&crypto_tmpl); | |
281 | } | |
282 | ||
283 | static void __exit crypto_module_exit(void) | |
284 | { | |
285 | crypto_unregister_template(&crypto_tmpl); | |
286 | } | |
287 | ||
288 | module_init(crypto_module_init); | |
289 | module_exit(crypto_module_exit); | |
290 | ||
291 | MODULE_LICENSE("GPL"); | |
292 | MODULE_DESCRIPTION("XTS block cipher mode"); |