| Rik Snel | f19f511 | 2007-09-19 20:23:13 +0800 | [diff] [blame] | 1 | /* XTS: as defined in IEEE1619/D16 |
| 2 | * http://grouper.ieee.org/groups/1619/email/pdf00086.pdf |
| 3 | * (sector sizes which are not a multiple of 16 bytes are, |
| 4 | * however currently unsupported) |
| 5 | * |
| 6 | * Copyright (c) 2007 Rik Snel <rsnel@cube.dyndns.org> |
| 7 | * |
| 8 | * Based om ecb.c |
| 9 | * Copyright (c) 2006 Herbert Xu <herbert@gondor.apana.org.au> |
| 10 | * |
| 11 | * This program is free software; you can redistribute it and/or modify it |
| 12 | * under the terms of the GNU General Public License as published by the Free |
| 13 | * Software Foundation; either version 2 of the License, or (at your option) |
| 14 | * any later version. |
| 15 | */ |
| 16 | #include <crypto/algapi.h> |
| 17 | #include <linux/err.h> |
| 18 | #include <linux/init.h> |
| 19 | #include <linux/kernel.h> |
| 20 | #include <linux/module.h> |
| 21 | #include <linux/scatterlist.h> |
| 22 | #include <linux/slab.h> |
| 23 | |
| 24 | #include <crypto/b128ops.h> |
| 25 | #include <crypto/gf128mul.h> |
| 26 | |
| 27 | struct priv { |
| 28 | struct crypto_cipher *child; |
| 29 | struct crypto_cipher *tweak; |
| 30 | }; |
| 31 | |
| 32 | static int setkey(struct crypto_tfm *parent, const u8 *key, |
| 33 | unsigned int keylen) |
| 34 | { |
| 35 | struct priv *ctx = crypto_tfm_ctx(parent); |
| 36 | struct crypto_cipher *child = ctx->tweak; |
| 37 | u32 *flags = &parent->crt_flags; |
| 38 | int err; |
| 39 | |
| 40 | /* key consists of keys of equal size concatenated, therefore |
| 41 | * the length must be even */ |
| 42 | if (keylen % 2) { |
| 43 | /* tell the user why there was an error */ |
| 44 | *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN; |
| 45 | return -EINVAL; |
| 46 | } |
| 47 | |
| 48 | /* we need two cipher instances: one to compute the inital 'tweak' |
| 49 | * by encrypting the IV (usually the 'plain' iv) and the other |
| 50 | * one to encrypt and decrypt the data */ |
| 51 | |
| 52 | /* tweak cipher, uses Key2 i.e. the second half of *key */ |
| 53 | crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK); |
| 54 | crypto_cipher_set_flags(child, crypto_tfm_get_flags(parent) & |
| 55 | CRYPTO_TFM_REQ_MASK); |
| 56 | err = crypto_cipher_setkey(child, key + keylen/2, keylen/2); |
| 57 | if (err) |
| 58 | return err; |
| 59 | |
| 60 | crypto_tfm_set_flags(parent, crypto_cipher_get_flags(child) & |
| 61 | CRYPTO_TFM_RES_MASK); |
| 62 | |
| 63 | child = ctx->child; |
| 64 | |
| 65 | /* data cipher, uses Key1 i.e. the first half of *key */ |
| 66 | crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK); |
| 67 | crypto_cipher_set_flags(child, crypto_tfm_get_flags(parent) & |
| 68 | CRYPTO_TFM_REQ_MASK); |
| 69 | err = crypto_cipher_setkey(child, key, keylen/2); |
| 70 | if (err) |
| 71 | return err; |
| 72 | |
| 73 | crypto_tfm_set_flags(parent, crypto_cipher_get_flags(child) & |
| 74 | CRYPTO_TFM_RES_MASK); |
| 75 | |
| 76 | return 0; |
| 77 | } |
| 78 | |
| 79 | struct sinfo { |
| 80 | be128 t; |
| 81 | struct crypto_tfm *tfm; |
| 82 | void (*fn)(struct crypto_tfm *, u8 *, const u8 *); |
| 83 | }; |
| 84 | |
| 85 | static inline void xts_round(struct sinfo *s, void *dst, const void *src) |
| 86 | { |
| 87 | be128_xor(dst, &s->t, src); /* PP <- T xor P */ |
| 88 | s->fn(s->tfm, dst, dst); /* CC <- E(Key1,PP) */ |
| 89 | be128_xor(dst, dst, &s->t); /* C <- T xor CC */ |
| 90 | } |
| 91 | |
| 92 | static int crypt(struct blkcipher_desc *d, |
| 93 | struct blkcipher_walk *w, struct priv *ctx, |
| 94 | void (*tw)(struct crypto_tfm *, u8 *, const u8 *), |
| 95 | void (*fn)(struct crypto_tfm *, u8 *, const u8 *)) |
| 96 | { |
| 97 | int err; |
| 98 | unsigned int avail; |
| 99 | const int bs = crypto_cipher_blocksize(ctx->child); |
| 100 | struct sinfo s = { |
| 101 | .tfm = crypto_cipher_tfm(ctx->child), |
| 102 | .fn = fn |
| 103 | }; |
| 104 | be128 *iv; |
| 105 | u8 *wsrc; |
| 106 | u8 *wdst; |
| 107 | |
| 108 | err = blkcipher_walk_virt(d, w); |
| 109 | if (!w->nbytes) |
| 110 | return err; |
| 111 | |
| 112 | avail = w->nbytes; |
| 113 | |
| 114 | wsrc = w->src.virt.addr; |
| 115 | wdst = w->dst.virt.addr; |
| 116 | |
| 117 | /* calculate first value of T */ |
| 118 | iv = (be128 *)w->iv; |
| 119 | tw(crypto_cipher_tfm(ctx->tweak), (void *)&s.t, w->iv); |
| 120 | |
| 121 | goto first; |
| 122 | |
| 123 | for (;;) { |
| 124 | do { |
| 125 | gf128mul_x_ble(&s.t, &s.t); |
| 126 | |
| 127 | first: |
| 128 | xts_round(&s, wdst, wsrc); |
| 129 | |
| 130 | wsrc += bs; |
| 131 | wdst += bs; |
| 132 | } while ((avail -= bs) >= bs); |
| 133 | |
| 134 | err = blkcipher_walk_done(d, w, avail); |
| 135 | if (!w->nbytes) |
| 136 | break; |
| 137 | |
| 138 | avail = w->nbytes; |
| 139 | |
| 140 | wsrc = w->src.virt.addr; |
| 141 | wdst = w->dst.virt.addr; |
| 142 | } |
| 143 | |
| 144 | return err; |
| 145 | } |
| 146 | |
| 147 | static int encrypt(struct blkcipher_desc *desc, struct scatterlist *dst, |
| 148 | struct scatterlist *src, unsigned int nbytes) |
| 149 | { |
| 150 | struct priv *ctx = crypto_blkcipher_ctx(desc->tfm); |
| 151 | struct blkcipher_walk w; |
| 152 | |
| 153 | blkcipher_walk_init(&w, dst, src, nbytes); |
| 154 | return crypt(desc, &w, ctx, crypto_cipher_alg(ctx->tweak)->cia_encrypt, |
| 155 | crypto_cipher_alg(ctx->child)->cia_encrypt); |
| 156 | } |
| 157 | |
| 158 | static int decrypt(struct blkcipher_desc *desc, struct scatterlist *dst, |
| 159 | struct scatterlist *src, unsigned int nbytes) |
| 160 | { |
| 161 | struct priv *ctx = crypto_blkcipher_ctx(desc->tfm); |
| 162 | struct blkcipher_walk w; |
| 163 | |
| 164 | blkcipher_walk_init(&w, dst, src, nbytes); |
| 165 | return crypt(desc, &w, ctx, crypto_cipher_alg(ctx->tweak)->cia_encrypt, |
| 166 | crypto_cipher_alg(ctx->child)->cia_decrypt); |
| 167 | } |
| 168 | |
| 169 | static int init_tfm(struct crypto_tfm *tfm) |
| 170 | { |
| 171 | struct crypto_cipher *cipher; |
| 172 | struct crypto_instance *inst = (void *)tfm->__crt_alg; |
| 173 | struct crypto_spawn *spawn = crypto_instance_ctx(inst); |
| 174 | struct priv *ctx = crypto_tfm_ctx(tfm); |
| 175 | u32 *flags = &tfm->crt_flags; |
| 176 | |
| 177 | cipher = crypto_spawn_cipher(spawn); |
| 178 | if (IS_ERR(cipher)) |
| 179 | return PTR_ERR(cipher); |
| 180 | |
| 181 | if (crypto_cipher_blocksize(cipher) != 16) { |
| 182 | *flags |= CRYPTO_TFM_RES_BAD_BLOCK_LEN; |
| 183 | crypto_free_cipher(cipher); |
| 184 | return -EINVAL; |
| 185 | } |
| 186 | |
| 187 | ctx->child = cipher; |
| 188 | |
| 189 | cipher = crypto_spawn_cipher(spawn); |
| 190 | if (IS_ERR(cipher)) { |
| 191 | crypto_free_cipher(ctx->child); |
| 192 | return PTR_ERR(cipher); |
| 193 | } |
| 194 | |
| 195 | /* this check isn't really needed, leave it here just in case */ |
| 196 | if (crypto_cipher_blocksize(cipher) != 16) { |
| 197 | crypto_free_cipher(cipher); |
| 198 | crypto_free_cipher(ctx->child); |
| 199 | *flags |= CRYPTO_TFM_RES_BAD_BLOCK_LEN; |
| 200 | return -EINVAL; |
| 201 | } |
| 202 | |
| 203 | ctx->tweak = cipher; |
| 204 | |
| 205 | return 0; |
| 206 | } |
| 207 | |
| 208 | static void exit_tfm(struct crypto_tfm *tfm) |
| 209 | { |
| 210 | struct priv *ctx = crypto_tfm_ctx(tfm); |
| 211 | crypto_free_cipher(ctx->child); |
| 212 | crypto_free_cipher(ctx->tweak); |
| 213 | } |
| 214 | |
| 215 | static struct crypto_instance *alloc(struct rtattr **tb) |
| 216 | { |
| 217 | struct crypto_instance *inst; |
| 218 | struct crypto_alg *alg; |
| 219 | int err; |
| 220 | |
| 221 | err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_BLKCIPHER); |
| 222 | if (err) |
| 223 | return ERR_PTR(err); |
| 224 | |
| 225 | alg = crypto_get_attr_alg(tb, CRYPTO_ALG_TYPE_CIPHER, |
| 226 | CRYPTO_ALG_TYPE_MASK); |
| 227 | if (IS_ERR(alg)) |
| 228 | return ERR_PTR(PTR_ERR(alg)); |
| 229 | |
| 230 | inst = crypto_alloc_instance("xts", alg); |
| 231 | if (IS_ERR(inst)) |
| 232 | goto out_put_alg; |
| 233 | |
| 234 | inst->alg.cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER; |
| 235 | inst->alg.cra_priority = alg->cra_priority; |
| 236 | inst->alg.cra_blocksize = alg->cra_blocksize; |
| 237 | |
| 238 | if (alg->cra_alignmask < 7) |
| 239 | inst->alg.cra_alignmask = 7; |
| 240 | else |
| 241 | inst->alg.cra_alignmask = alg->cra_alignmask; |
| 242 | |
| 243 | inst->alg.cra_type = &crypto_blkcipher_type; |
| 244 | |
| 245 | inst->alg.cra_blkcipher.ivsize = alg->cra_blocksize; |
| 246 | inst->alg.cra_blkcipher.min_keysize = |
| 247 | 2 * alg->cra_cipher.cia_min_keysize; |
| 248 | inst->alg.cra_blkcipher.max_keysize = |
| 249 | 2 * alg->cra_cipher.cia_max_keysize; |
| 250 | |
| 251 | inst->alg.cra_ctxsize = sizeof(struct priv); |
| 252 | |
| 253 | inst->alg.cra_init = init_tfm; |
| 254 | inst->alg.cra_exit = exit_tfm; |
| 255 | |
| 256 | inst->alg.cra_blkcipher.setkey = setkey; |
| 257 | inst->alg.cra_blkcipher.encrypt = encrypt; |
| 258 | inst->alg.cra_blkcipher.decrypt = decrypt; |
| 259 | |
| 260 | out_put_alg: |
| 261 | crypto_mod_put(alg); |
| 262 | return inst; |
| 263 | } |
| 264 | |
| 265 | static void free(struct crypto_instance *inst) |
| 266 | { |
| 267 | crypto_drop_spawn(crypto_instance_ctx(inst)); |
| 268 | kfree(inst); |
| 269 | } |
| 270 | |
| 271 | static struct crypto_template crypto_tmpl = { |
| 272 | .name = "xts", |
| 273 | .alloc = alloc, |
| 274 | .free = free, |
| 275 | .module = THIS_MODULE, |
| 276 | }; |
| 277 | |
| 278 | static int __init crypto_module_init(void) |
| 279 | { |
| 280 | return crypto_register_template(&crypto_tmpl); |
| 281 | } |
| 282 | |
| 283 | static void __exit crypto_module_exit(void) |
| 284 | { |
| 285 | crypto_unregister_template(&crypto_tmpl); |
| 286 | } |
| 287 | |
| 288 | module_init(crypto_module_init); |
| 289 | module_exit(crypto_module_exit); |
| 290 | |
| 291 | MODULE_LICENSE("GPL"); |
| 292 | MODULE_DESCRIPTION("XTS block cipher mode"); |