]>
Commit | Line | Data |
---|---|---|
76cb9521 KC |
1 | /* |
2 | * CTS: Cipher Text Stealing mode | |
3 | * | |
4 | * COPYRIGHT (c) 2008 | |
5 | * The Regents of the University of Michigan | |
6 | * ALL RIGHTS RESERVED | |
7 | * | |
8 | * Permission is granted to use, copy, create derivative works | |
9 | * and redistribute this software and such derivative works | |
10 | * for any purpose, so long as the name of The University of | |
11 | * Michigan is not used in any advertising or publicity | |
12 | * pertaining to the use of distribution of this software | |
13 | * without specific, written prior authorization. If the | |
14 | * above copyright notice or any other identification of the | |
15 | * University of Michigan is included in any copy of any | |
16 | * portion of this software, then the disclaimer below must | |
17 | * also be included. | |
18 | * | |
19 | * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION | |
20 | * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY | |
21 | * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF | |
22 | * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING | |
23 | * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF | |
24 | * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE | |
25 | * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE | |
26 | * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR | |
27 | * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING | |
28 | * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN | |
29 | * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF | |
30 | * SUCH DAMAGES. | |
31 | */ | |
32 | ||
33 | /* Derived from various: | |
34 | * Copyright (c) 2006 Herbert Xu <herbert@gondor.apana.org.au> | |
35 | */ | |
36 | ||
37 | /* | |
38 | * This is the Cipher Text Stealing mode as described by | |
39 | * Section 8 of rfc2040 and referenced by rfc3962. | |
40 | * rfc3962 includes errata information in its Appendix A. | |
41 | */ | |
42 | ||
43 | #include <crypto/algapi.h> | |
44 | #include <linux/err.h> | |
45 | #include <linux/init.h> | |
46 | #include <linux/kernel.h> | |
47 | #include <linux/log2.h> | |
48 | #include <linux/module.h> | |
49 | #include <linux/scatterlist.h> | |
50 | #include <crypto/scatterwalk.h> | |
51 | #include <linux/slab.h> | |
52 | ||
53 | struct crypto_cts_ctx { | |
54 | struct crypto_blkcipher *child; | |
55 | }; | |
56 | ||
57 | static int crypto_cts_setkey(struct crypto_tfm *parent, const u8 *key, | |
58 | unsigned int keylen) | |
59 | { | |
60 | struct crypto_cts_ctx *ctx = crypto_tfm_ctx(parent); | |
61 | struct crypto_blkcipher *child = ctx->child; | |
62 | int err; | |
63 | ||
64 | crypto_blkcipher_clear_flags(child, CRYPTO_TFM_REQ_MASK); | |
65 | crypto_blkcipher_set_flags(child, crypto_tfm_get_flags(parent) & | |
66 | CRYPTO_TFM_REQ_MASK); | |
67 | err = crypto_blkcipher_setkey(child, key, keylen); | |
68 | crypto_tfm_set_flags(parent, crypto_blkcipher_get_flags(child) & | |
69 | CRYPTO_TFM_RES_MASK); | |
70 | return err; | |
71 | } | |
72 | ||
73 | static int cts_cbc_encrypt(struct crypto_cts_ctx *ctx, | |
74 | struct blkcipher_desc *desc, | |
75 | struct scatterlist *dst, | |
76 | struct scatterlist *src, | |
77 | unsigned int offset, | |
78 | unsigned int nbytes) | |
79 | { | |
80 | int bsize = crypto_blkcipher_blocksize(desc->tfm); | |
81 | u8 tmp[bsize], tmp2[bsize]; | |
82 | struct blkcipher_desc lcldesc; | |
83 | struct scatterlist sgsrc[1], sgdst[1]; | |
84 | int lastn = nbytes - bsize; | |
85 | u8 iv[bsize]; | |
86 | u8 s[bsize * 2], d[bsize * 2]; | |
87 | int err; | |
88 | ||
89 | if (lastn < 0) | |
90 | return -EINVAL; | |
91 | ||
c4913c7b AD |
92 | sg_init_table(sgsrc, 1); |
93 | sg_init_table(sgdst, 1); | |
94 | ||
76cb9521 KC |
95 | memset(s, 0, sizeof(s)); |
96 | scatterwalk_map_and_copy(s, src, offset, nbytes, 0); | |
97 | ||
98 | memcpy(iv, desc->info, bsize); | |
99 | ||
100 | lcldesc.tfm = ctx->child; | |
101 | lcldesc.info = iv; | |
102 | lcldesc.flags = desc->flags; | |
103 | ||
104 | sg_set_buf(&sgsrc[0], s, bsize); | |
105 | sg_set_buf(&sgdst[0], tmp, bsize); | |
106 | err = crypto_blkcipher_encrypt_iv(&lcldesc, sgdst, sgsrc, bsize); | |
107 | ||
108 | memcpy(d + bsize, tmp, lastn); | |
109 | ||
110 | lcldesc.info = tmp; | |
111 | ||
112 | sg_set_buf(&sgsrc[0], s + bsize, bsize); | |
113 | sg_set_buf(&sgdst[0], tmp2, bsize); | |
114 | err = crypto_blkcipher_encrypt_iv(&lcldesc, sgdst, sgsrc, bsize); | |
115 | ||
116 | memcpy(d, tmp2, bsize); | |
117 | ||
118 | scatterwalk_map_and_copy(d, dst, offset, nbytes, 1); | |
119 | ||
120 | memcpy(desc->info, tmp2, bsize); | |
121 | ||
122 | return err; | |
123 | } | |
124 | ||
125 | static int crypto_cts_encrypt(struct blkcipher_desc *desc, | |
126 | struct scatterlist *dst, struct scatterlist *src, | |
127 | unsigned int nbytes) | |
128 | { | |
129 | struct crypto_cts_ctx *ctx = crypto_blkcipher_ctx(desc->tfm); | |
130 | int bsize = crypto_blkcipher_blocksize(desc->tfm); | |
131 | int tot_blocks = (nbytes + bsize - 1) / bsize; | |
132 | int cbc_blocks = tot_blocks > 2 ? tot_blocks - 2 : 0; | |
133 | struct blkcipher_desc lcldesc; | |
134 | int err; | |
135 | ||
136 | lcldesc.tfm = ctx->child; | |
137 | lcldesc.info = desc->info; | |
138 | lcldesc.flags = desc->flags; | |
139 | ||
140 | if (tot_blocks == 1) { | |
141 | err = crypto_blkcipher_encrypt_iv(&lcldesc, dst, src, bsize); | |
142 | } else if (nbytes <= bsize * 2) { | |
143 | err = cts_cbc_encrypt(ctx, desc, dst, src, 0, nbytes); | |
144 | } else { | |
145 | /* do normal function for tot_blocks - 2 */ | |
146 | err = crypto_blkcipher_encrypt_iv(&lcldesc, dst, src, | |
147 | cbc_blocks * bsize); | |
148 | if (err == 0) { | |
149 | /* do cts for final two blocks */ | |
150 | err = cts_cbc_encrypt(ctx, desc, dst, src, | |
151 | cbc_blocks * bsize, | |
152 | nbytes - (cbc_blocks * bsize)); | |
153 | } | |
154 | } | |
155 | ||
156 | return err; | |
157 | } | |
158 | ||
159 | static int cts_cbc_decrypt(struct crypto_cts_ctx *ctx, | |
160 | struct blkcipher_desc *desc, | |
161 | struct scatterlist *dst, | |
162 | struct scatterlist *src, | |
163 | unsigned int offset, | |
164 | unsigned int nbytes) | |
165 | { | |
166 | int bsize = crypto_blkcipher_blocksize(desc->tfm); | |
167 | u8 tmp[bsize]; | |
168 | struct blkcipher_desc lcldesc; | |
169 | struct scatterlist sgsrc[1], sgdst[1]; | |
170 | int lastn = nbytes - bsize; | |
171 | u8 iv[bsize]; | |
172 | u8 s[bsize * 2], d[bsize * 2]; | |
173 | int err; | |
174 | ||
175 | if (lastn < 0) | |
176 | return -EINVAL; | |
177 | ||
c4913c7b AD |
178 | sg_init_table(sgsrc, 1); |
179 | sg_init_table(sgdst, 1); | |
180 | ||
76cb9521 KC |
181 | scatterwalk_map_and_copy(s, src, offset, nbytes, 0); |
182 | ||
183 | lcldesc.tfm = ctx->child; | |
184 | lcldesc.info = iv; | |
185 | lcldesc.flags = desc->flags; | |
186 | ||
187 | /* 1. Decrypt Cn-1 (s) to create Dn (tmp)*/ | |
188 | memset(iv, 0, sizeof(iv)); | |
189 | sg_set_buf(&sgsrc[0], s, bsize); | |
190 | sg_set_buf(&sgdst[0], tmp, bsize); | |
191 | err = crypto_blkcipher_decrypt_iv(&lcldesc, sgdst, sgsrc, bsize); | |
192 | if (err) | |
193 | return err; | |
194 | /* 2. Pad Cn with zeros at the end to create C of length BB */ | |
195 | memset(iv, 0, sizeof(iv)); | |
196 | memcpy(iv, s + bsize, lastn); | |
197 | /* 3. Exclusive-or Dn (tmp) with C (iv) to create Xn (tmp) */ | |
198 | crypto_xor(tmp, iv, bsize); | |
199 | /* 4. Select the first Ln bytes of Xn (tmp) to create Pn */ | |
200 | memcpy(d + bsize, tmp, lastn); | |
201 | ||
202 | /* 5. Append the tail (BB - Ln) bytes of Xn (tmp) to Cn to create En */ | |
203 | memcpy(s + bsize + lastn, tmp + lastn, bsize - lastn); | |
204 | /* 6. Decrypt En to create Pn-1 */ | |
205 | memset(iv, 0, sizeof(iv)); | |
206 | sg_set_buf(&sgsrc[0], s + bsize, bsize); | |
207 | sg_set_buf(&sgdst[0], d, bsize); | |
208 | err = crypto_blkcipher_decrypt_iv(&lcldesc, sgdst, sgsrc, bsize); | |
209 | ||
210 | /* XOR with previous block */ | |
211 | crypto_xor(d, desc->info, bsize); | |
212 | ||
213 | scatterwalk_map_and_copy(d, dst, offset, nbytes, 1); | |
214 | ||
215 | memcpy(desc->info, s, bsize); | |
216 | return err; | |
217 | } | |
218 | ||
219 | static int crypto_cts_decrypt(struct blkcipher_desc *desc, | |
220 | struct scatterlist *dst, struct scatterlist *src, | |
221 | unsigned int nbytes) | |
222 | { | |
223 | struct crypto_cts_ctx *ctx = crypto_blkcipher_ctx(desc->tfm); | |
224 | int bsize = crypto_blkcipher_blocksize(desc->tfm); | |
225 | int tot_blocks = (nbytes + bsize - 1) / bsize; | |
226 | int cbc_blocks = tot_blocks > 2 ? tot_blocks - 2 : 0; | |
227 | struct blkcipher_desc lcldesc; | |
228 | int err; | |
229 | ||
230 | lcldesc.tfm = ctx->child; | |
231 | lcldesc.info = desc->info; | |
232 | lcldesc.flags = desc->flags; | |
233 | ||
234 | if (tot_blocks == 1) { | |
235 | err = crypto_blkcipher_decrypt_iv(&lcldesc, dst, src, bsize); | |
236 | } else if (nbytes <= bsize * 2) { | |
237 | err = cts_cbc_decrypt(ctx, desc, dst, src, 0, nbytes); | |
238 | } else { | |
239 | /* do normal function for tot_blocks - 2 */ | |
240 | err = crypto_blkcipher_decrypt_iv(&lcldesc, dst, src, | |
241 | cbc_blocks * bsize); | |
242 | if (err == 0) { | |
243 | /* do cts for final two blocks */ | |
244 | err = cts_cbc_decrypt(ctx, desc, dst, src, | |
245 | cbc_blocks * bsize, | |
246 | nbytes - (cbc_blocks * bsize)); | |
247 | } | |
248 | } | |
249 | return err; | |
250 | } | |
251 | ||
252 | static int crypto_cts_init_tfm(struct crypto_tfm *tfm) | |
253 | { | |
254 | struct crypto_instance *inst = (void *)tfm->__crt_alg; | |
255 | struct crypto_spawn *spawn = crypto_instance_ctx(inst); | |
256 | struct crypto_cts_ctx *ctx = crypto_tfm_ctx(tfm); | |
257 | struct crypto_blkcipher *cipher; | |
258 | ||
259 | cipher = crypto_spawn_blkcipher(spawn); | |
260 | if (IS_ERR(cipher)) | |
261 | return PTR_ERR(cipher); | |
262 | ||
263 | ctx->child = cipher; | |
264 | return 0; | |
265 | } | |
266 | ||
267 | static void crypto_cts_exit_tfm(struct crypto_tfm *tfm) | |
268 | { | |
269 | struct crypto_cts_ctx *ctx = crypto_tfm_ctx(tfm); | |
270 | crypto_free_blkcipher(ctx->child); | |
271 | } | |
272 | ||
273 | static struct crypto_instance *crypto_cts_alloc(struct rtattr **tb) | |
274 | { | |
275 | struct crypto_instance *inst; | |
276 | struct crypto_alg *alg; | |
277 | int err; | |
278 | ||
279 | err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_BLKCIPHER); | |
280 | if (err) | |
281 | return ERR_PTR(err); | |
282 | ||
283 | alg = crypto_attr_alg(tb[1], CRYPTO_ALG_TYPE_BLKCIPHER, | |
284 | CRYPTO_ALG_TYPE_MASK); | |
285 | err = PTR_ERR(alg); | |
286 | if (IS_ERR(alg)) | |
287 | return ERR_PTR(err); | |
288 | ||
289 | inst = ERR_PTR(-EINVAL); | |
290 | if (!is_power_of_2(alg->cra_blocksize)) | |
291 | goto out_put_alg; | |
292 | ||
293 | inst = crypto_alloc_instance("cts", alg); | |
294 | if (IS_ERR(inst)) | |
295 | goto out_put_alg; | |
296 | ||
297 | inst->alg.cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER; | |
298 | inst->alg.cra_priority = alg->cra_priority; | |
299 | inst->alg.cra_blocksize = alg->cra_blocksize; | |
300 | inst->alg.cra_alignmask = alg->cra_alignmask; | |
301 | inst->alg.cra_type = &crypto_blkcipher_type; | |
302 | ||
303 | /* We access the data as u32s when xoring. */ | |
304 | inst->alg.cra_alignmask |= __alignof__(u32) - 1; | |
305 | ||
306 | inst->alg.cra_blkcipher.ivsize = alg->cra_blocksize; | |
307 | inst->alg.cra_blkcipher.min_keysize = alg->cra_blkcipher.min_keysize; | |
308 | inst->alg.cra_blkcipher.max_keysize = alg->cra_blkcipher.max_keysize; | |
309 | ||
310 | inst->alg.cra_blkcipher.geniv = "seqiv"; | |
311 | ||
312 | inst->alg.cra_ctxsize = sizeof(struct crypto_cts_ctx); | |
313 | ||
314 | inst->alg.cra_init = crypto_cts_init_tfm; | |
315 | inst->alg.cra_exit = crypto_cts_exit_tfm; | |
316 | ||
317 | inst->alg.cra_blkcipher.setkey = crypto_cts_setkey; | |
318 | inst->alg.cra_blkcipher.encrypt = crypto_cts_encrypt; | |
319 | inst->alg.cra_blkcipher.decrypt = crypto_cts_decrypt; | |
320 | ||
321 | out_put_alg: | |
322 | crypto_mod_put(alg); | |
323 | return inst; | |
324 | } | |
325 | ||
326 | static void crypto_cts_free(struct crypto_instance *inst) | |
327 | { | |
328 | crypto_drop_spawn(crypto_instance_ctx(inst)); | |
329 | kfree(inst); | |
330 | } | |
331 | ||
332 | static struct crypto_template crypto_cts_tmpl = { | |
333 | .name = "cts", | |
334 | .alloc = crypto_cts_alloc, | |
335 | .free = crypto_cts_free, | |
336 | .module = THIS_MODULE, | |
337 | }; | |
338 | ||
339 | static int __init crypto_cts_module_init(void) | |
340 | { | |
341 | return crypto_register_template(&crypto_cts_tmpl); | |
342 | } | |
343 | ||
344 | static void __exit crypto_cts_module_exit(void) | |
345 | { | |
346 | crypto_unregister_template(&crypto_cts_tmpl); | |
347 | } | |
348 | ||
349 | module_init(crypto_cts_module_init); | |
350 | module_exit(crypto_cts_module_exit); | |
351 | ||
352 | MODULE_LICENSE("Dual BSD/GPL"); | |
353 | MODULE_DESCRIPTION("CTS-CBC CipherText Stealing for CBC"); |