]>
Commit | Line | Data |
---|---|---|
1 | /* | |
2 | * CTS: Cipher Text Stealing mode | |
3 | * | |
4 | * COPYRIGHT (c) 2008 | |
5 | * The Regents of the University of Michigan | |
6 | * ALL RIGHTS RESERVED | |
7 | * | |
8 | * Permission is granted to use, copy, create derivative works | |
9 | * and redistribute this software and such derivative works | |
10 | * for any purpose, so long as the name of The University of | |
11 | * Michigan is not used in any advertising or publicity | |
12 | * pertaining to the use of distribution of this software | |
13 | * without specific, written prior authorization. If the | |
14 | * above copyright notice or any other identification of the | |
15 | * University of Michigan is included in any copy of any | |
16 | * portion of this software, then the disclaimer below must | |
17 | * also be included. | |
18 | * | |
19 | * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION | |
20 | * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY | |
21 | * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF | |
22 | * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING | |
23 | * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF | |
24 | * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE | |
25 | * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE | |
26 | * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR | |
27 | * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING | |
28 | * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN | |
29 | * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF | |
30 | * SUCH DAMAGES. | |
31 | */ | |
32 | ||
33 | /* Derived from various: | |
34 | * Copyright (c) 2006 Herbert Xu <herbert@gondor.apana.org.au> | |
35 | */ | |
36 | ||
37 | /* | |
38 | * This is the Cipher Text Stealing mode as described by | |
39 | * Section 8 of rfc2040 and referenced by rfc3962. | |
40 | * rfc3962 includes errata information in its Appendix A. | |
41 | */ | |
42 | ||
43 | #include <crypto/internal/skcipher.h> | |
44 | #include <linux/err.h> | |
45 | #include <linux/init.h> | |
46 | #include <linux/kernel.h> | |
47 | #include <linux/log2.h> | |
48 | #include <linux/module.h> | |
49 | #include <linux/scatterlist.h> | |
50 | #include <crypto/scatterwalk.h> | |
51 | #include <linux/slab.h> | |
52 | #include <linux/compiler.h> | |
53 | ||
54 | struct crypto_cts_ctx { | |
55 | struct crypto_skcipher *child; | |
56 | }; | |
57 | ||
58 | struct crypto_cts_reqctx { | |
59 | struct scatterlist sg[2]; | |
60 | unsigned offset; | |
61 | struct skcipher_request subreq; | |
62 | }; | |
63 | ||
64 | static inline u8 *crypto_cts_reqctx_space(struct skcipher_request *req) | |
65 | { | |
66 | struct crypto_cts_reqctx *rctx = skcipher_request_ctx(req); | |
67 | struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); | |
68 | struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(tfm); | |
69 | struct crypto_skcipher *child = ctx->child; | |
70 | ||
71 | return PTR_ALIGN((u8 *)(rctx + 1) + crypto_skcipher_reqsize(child), | |
72 | crypto_skcipher_alignmask(tfm) + 1); | |
73 | } | |
74 | ||
75 | static int crypto_cts_setkey(struct crypto_skcipher *parent, const u8 *key, | |
76 | unsigned int keylen) | |
77 | { | |
78 | struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(parent); | |
79 | struct crypto_skcipher *child = ctx->child; | |
80 | int err; | |
81 | ||
82 | crypto_skcipher_clear_flags(child, CRYPTO_TFM_REQ_MASK); | |
83 | crypto_skcipher_set_flags(child, crypto_skcipher_get_flags(parent) & | |
84 | CRYPTO_TFM_REQ_MASK); | |
85 | err = crypto_skcipher_setkey(child, key, keylen); | |
86 | crypto_skcipher_set_flags(parent, crypto_skcipher_get_flags(child) & | |
87 | CRYPTO_TFM_RES_MASK); | |
88 | return err; | |
89 | } | |
90 | ||
91 | static void cts_cbc_crypt_done(struct crypto_async_request *areq, int err) | |
92 | { | |
93 | struct skcipher_request *req = areq->data; | |
94 | ||
95 | if (err == -EINPROGRESS) | |
96 | return; | |
97 | ||
98 | skcipher_request_complete(req, err); | |
99 | } | |
100 | ||
101 | static int cts_cbc_encrypt(struct skcipher_request *req) | |
102 | { | |
103 | struct crypto_cts_reqctx *rctx = skcipher_request_ctx(req); | |
104 | struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); | |
105 | struct skcipher_request *subreq = &rctx->subreq; | |
106 | int bsize = crypto_skcipher_blocksize(tfm); | |
107 | u8 d[bsize * 2] __aligned(__alignof__(u32)); | |
108 | struct scatterlist *sg; | |
109 | unsigned int offset; | |
110 | int lastn; | |
111 | ||
112 | offset = rctx->offset; | |
113 | lastn = req->cryptlen - offset; | |
114 | ||
115 | sg = scatterwalk_ffwd(rctx->sg, req->dst, offset - bsize); | |
116 | scatterwalk_map_and_copy(d + bsize, sg, 0, bsize, 0); | |
117 | ||
118 | memset(d, 0, bsize); | |
119 | scatterwalk_map_and_copy(d, req->src, offset, lastn, 0); | |
120 | ||
121 | scatterwalk_map_and_copy(d, sg, 0, bsize + lastn, 1); | |
122 | memzero_explicit(d, sizeof(d)); | |
123 | ||
124 | skcipher_request_set_callback(subreq, req->base.flags & | |
125 | CRYPTO_TFM_REQ_MAY_BACKLOG, | |
126 | cts_cbc_crypt_done, req); | |
127 | skcipher_request_set_crypt(subreq, sg, sg, bsize, req->iv); | |
128 | return crypto_skcipher_encrypt(subreq); | |
129 | } | |
130 | ||
131 | static void crypto_cts_encrypt_done(struct crypto_async_request *areq, int err) | |
132 | { | |
133 | struct skcipher_request *req = areq->data; | |
134 | ||
135 | if (err) | |
136 | goto out; | |
137 | ||
138 | err = cts_cbc_encrypt(req); | |
139 | if (err == -EINPROGRESS || err == -EBUSY) | |
140 | return; | |
141 | ||
142 | out: | |
143 | skcipher_request_complete(req, err); | |
144 | } | |
145 | ||
146 | static int crypto_cts_encrypt(struct skcipher_request *req) | |
147 | { | |
148 | struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); | |
149 | struct crypto_cts_reqctx *rctx = skcipher_request_ctx(req); | |
150 | struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(tfm); | |
151 | struct skcipher_request *subreq = &rctx->subreq; | |
152 | int bsize = crypto_skcipher_blocksize(tfm); | |
153 | unsigned int nbytes = req->cryptlen; | |
154 | int cbc_blocks = (nbytes + bsize - 1) / bsize - 1; | |
155 | unsigned int offset; | |
156 | ||
157 | skcipher_request_set_tfm(subreq, ctx->child); | |
158 | ||
159 | if (cbc_blocks <= 0) { | |
160 | skcipher_request_set_callback(subreq, req->base.flags, | |
161 | req->base.complete, | |
162 | req->base.data); | |
163 | skcipher_request_set_crypt(subreq, req->src, req->dst, nbytes, | |
164 | req->iv); | |
165 | return crypto_skcipher_encrypt(subreq); | |
166 | } | |
167 | ||
168 | offset = cbc_blocks * bsize; | |
169 | rctx->offset = offset; | |
170 | ||
171 | skcipher_request_set_callback(subreq, req->base.flags, | |
172 | crypto_cts_encrypt_done, req); | |
173 | skcipher_request_set_crypt(subreq, req->src, req->dst, | |
174 | offset, req->iv); | |
175 | ||
176 | return crypto_skcipher_encrypt(subreq) ?: | |
177 | cts_cbc_encrypt(req); | |
178 | } | |
179 | ||
180 | static int cts_cbc_decrypt(struct skcipher_request *req) | |
181 | { | |
182 | struct crypto_cts_reqctx *rctx = skcipher_request_ctx(req); | |
183 | struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); | |
184 | struct skcipher_request *subreq = &rctx->subreq; | |
185 | int bsize = crypto_skcipher_blocksize(tfm); | |
186 | u8 d[bsize * 2] __aligned(__alignof__(u32)); | |
187 | struct scatterlist *sg; | |
188 | unsigned int offset; | |
189 | u8 *space; | |
190 | int lastn; | |
191 | ||
192 | offset = rctx->offset; | |
193 | lastn = req->cryptlen - offset; | |
194 | ||
195 | sg = scatterwalk_ffwd(rctx->sg, req->dst, offset - bsize); | |
196 | ||
197 | /* 1. Decrypt Cn-1 (s) to create Dn */ | |
198 | scatterwalk_map_and_copy(d + bsize, sg, 0, bsize, 0); | |
199 | space = crypto_cts_reqctx_space(req); | |
200 | crypto_xor(d + bsize, space, bsize); | |
201 | /* 2. Pad Cn with zeros at the end to create C of length BB */ | |
202 | memset(d, 0, bsize); | |
203 | scatterwalk_map_and_copy(d, req->src, offset, lastn, 0); | |
204 | /* 3. Exclusive-or Dn with C to create Xn */ | |
205 | /* 4. Select the first Ln bytes of Xn to create Pn */ | |
206 | crypto_xor(d + bsize, d, lastn); | |
207 | ||
208 | /* 5. Append the tail (BB - Ln) bytes of Xn to Cn to create En */ | |
209 | memcpy(d + lastn, d + bsize + lastn, bsize - lastn); | |
210 | /* 6. Decrypt En to create Pn-1 */ | |
211 | ||
212 | scatterwalk_map_and_copy(d, sg, 0, bsize + lastn, 1); | |
213 | memzero_explicit(d, sizeof(d)); | |
214 | ||
215 | skcipher_request_set_callback(subreq, req->base.flags & | |
216 | CRYPTO_TFM_REQ_MAY_BACKLOG, | |
217 | cts_cbc_crypt_done, req); | |
218 | ||
219 | skcipher_request_set_crypt(subreq, sg, sg, bsize, space); | |
220 | return crypto_skcipher_decrypt(subreq); | |
221 | } | |
222 | ||
223 | static void crypto_cts_decrypt_done(struct crypto_async_request *areq, int err) | |
224 | { | |
225 | struct skcipher_request *req = areq->data; | |
226 | ||
227 | if (err) | |
228 | goto out; | |
229 | ||
230 | err = cts_cbc_decrypt(req); | |
231 | if (err == -EINPROGRESS || err == -EBUSY) | |
232 | return; | |
233 | ||
234 | out: | |
235 | skcipher_request_complete(req, err); | |
236 | } | |
237 | ||
238 | static int crypto_cts_decrypt(struct skcipher_request *req) | |
239 | { | |
240 | struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); | |
241 | struct crypto_cts_reqctx *rctx = skcipher_request_ctx(req); | |
242 | struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(tfm); | |
243 | struct skcipher_request *subreq = &rctx->subreq; | |
244 | int bsize = crypto_skcipher_blocksize(tfm); | |
245 | unsigned int nbytes = req->cryptlen; | |
246 | int cbc_blocks = (nbytes + bsize - 1) / bsize - 1; | |
247 | unsigned int offset; | |
248 | u8 *space; | |
249 | ||
250 | skcipher_request_set_tfm(subreq, ctx->child); | |
251 | ||
252 | if (cbc_blocks <= 0) { | |
253 | skcipher_request_set_callback(subreq, req->base.flags, | |
254 | req->base.complete, | |
255 | req->base.data); | |
256 | skcipher_request_set_crypt(subreq, req->src, req->dst, nbytes, | |
257 | req->iv); | |
258 | return crypto_skcipher_decrypt(subreq); | |
259 | } | |
260 | ||
261 | skcipher_request_set_callback(subreq, req->base.flags, | |
262 | crypto_cts_decrypt_done, req); | |
263 | ||
264 | space = crypto_cts_reqctx_space(req); | |
265 | ||
266 | offset = cbc_blocks * bsize; | |
267 | rctx->offset = offset; | |
268 | ||
269 | if (cbc_blocks <= 1) | |
270 | memcpy(space, req->iv, bsize); | |
271 | else | |
272 | scatterwalk_map_and_copy(space, req->src, offset - 2 * bsize, | |
273 | bsize, 0); | |
274 | ||
275 | skcipher_request_set_crypt(subreq, req->src, req->dst, | |
276 | offset, req->iv); | |
277 | ||
278 | return crypto_skcipher_decrypt(subreq) ?: | |
279 | cts_cbc_decrypt(req); | |
280 | } | |
281 | ||
282 | static int crypto_cts_init_tfm(struct crypto_skcipher *tfm) | |
283 | { | |
284 | struct skcipher_instance *inst = skcipher_alg_instance(tfm); | |
285 | struct crypto_skcipher_spawn *spawn = skcipher_instance_ctx(inst); | |
286 | struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(tfm); | |
287 | struct crypto_skcipher *cipher; | |
288 | unsigned reqsize; | |
289 | unsigned bsize; | |
290 | unsigned align; | |
291 | ||
292 | cipher = crypto_spawn_skcipher(spawn); | |
293 | if (IS_ERR(cipher)) | |
294 | return PTR_ERR(cipher); | |
295 | ||
296 | ctx->child = cipher; | |
297 | ||
298 | align = crypto_skcipher_alignmask(tfm); | |
299 | bsize = crypto_skcipher_blocksize(cipher); | |
300 | reqsize = ALIGN(sizeof(struct crypto_cts_reqctx) + | |
301 | crypto_skcipher_reqsize(cipher), | |
302 | crypto_tfm_ctx_alignment()) + | |
303 | (align & ~(crypto_tfm_ctx_alignment() - 1)) + bsize; | |
304 | ||
305 | crypto_skcipher_set_reqsize(tfm, reqsize); | |
306 | ||
307 | return 0; | |
308 | } | |
309 | ||
310 | static void crypto_cts_exit_tfm(struct crypto_skcipher *tfm) | |
311 | { | |
312 | struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(tfm); | |
313 | ||
314 | crypto_free_skcipher(ctx->child); | |
315 | } | |
316 | ||
317 | static void crypto_cts_free(struct skcipher_instance *inst) | |
318 | { | |
319 | crypto_drop_skcipher(skcipher_instance_ctx(inst)); | |
320 | kfree(inst); | |
321 | } | |
322 | ||
323 | static int crypto_cts_create(struct crypto_template *tmpl, struct rtattr **tb) | |
324 | { | |
325 | struct crypto_skcipher_spawn *spawn; | |
326 | struct skcipher_instance *inst; | |
327 | struct crypto_attr_type *algt; | |
328 | struct skcipher_alg *alg; | |
329 | const char *cipher_name; | |
330 | int err; | |
331 | ||
332 | algt = crypto_get_attr_type(tb); | |
333 | if (IS_ERR(algt)) | |
334 | return PTR_ERR(algt); | |
335 | ||
336 | if ((algt->type ^ CRYPTO_ALG_TYPE_SKCIPHER) & algt->mask) | |
337 | return -EINVAL; | |
338 | ||
339 | cipher_name = crypto_attr_alg_name(tb[1]); | |
340 | if (IS_ERR(cipher_name)) | |
341 | return PTR_ERR(cipher_name); | |
342 | ||
343 | inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL); | |
344 | if (!inst) | |
345 | return -ENOMEM; | |
346 | ||
347 | spawn = skcipher_instance_ctx(inst); | |
348 | ||
349 | crypto_set_skcipher_spawn(spawn, skcipher_crypto_instance(inst)); | |
350 | err = crypto_grab_skcipher(spawn, cipher_name, 0, | |
351 | crypto_requires_sync(algt->type, | |
352 | algt->mask)); | |
353 | if (err) | |
354 | goto err_free_inst; | |
355 | ||
356 | alg = crypto_spawn_skcipher_alg(spawn); | |
357 | ||
358 | err = -EINVAL; | |
359 | if (crypto_skcipher_alg_ivsize(alg) != alg->base.cra_blocksize) | |
360 | goto err_drop_spawn; | |
361 | ||
362 | if (strncmp(alg->base.cra_name, "cbc(", 4)) | |
363 | goto err_drop_spawn; | |
364 | ||
365 | err = crypto_inst_setname(skcipher_crypto_instance(inst), "cts", | |
366 | &alg->base); | |
367 | if (err) | |
368 | goto err_drop_spawn; | |
369 | ||
370 | inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC; | |
371 | inst->alg.base.cra_priority = alg->base.cra_priority; | |
372 | inst->alg.base.cra_blocksize = alg->base.cra_blocksize; | |
373 | inst->alg.base.cra_alignmask = alg->base.cra_alignmask; | |
374 | ||
375 | inst->alg.ivsize = alg->base.cra_blocksize; | |
376 | inst->alg.chunksize = crypto_skcipher_alg_chunksize(alg); | |
377 | inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg); | |
378 | inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(alg); | |
379 | ||
380 | inst->alg.base.cra_ctxsize = sizeof(struct crypto_cts_ctx); | |
381 | ||
382 | inst->alg.init = crypto_cts_init_tfm; | |
383 | inst->alg.exit = crypto_cts_exit_tfm; | |
384 | ||
385 | inst->alg.setkey = crypto_cts_setkey; | |
386 | inst->alg.encrypt = crypto_cts_encrypt; | |
387 | inst->alg.decrypt = crypto_cts_decrypt; | |
388 | ||
389 | inst->free = crypto_cts_free; | |
390 | ||
391 | err = skcipher_register_instance(tmpl, inst); | |
392 | if (err) | |
393 | goto err_drop_spawn; | |
394 | ||
395 | out: | |
396 | return err; | |
397 | ||
398 | err_drop_spawn: | |
399 | crypto_drop_skcipher(spawn); | |
400 | err_free_inst: | |
401 | kfree(inst); | |
402 | goto out; | |
403 | } | |
404 | ||
405 | static struct crypto_template crypto_cts_tmpl = { | |
406 | .name = "cts", | |
407 | .create = crypto_cts_create, | |
408 | .module = THIS_MODULE, | |
409 | }; | |
410 | ||
411 | static int __init crypto_cts_module_init(void) | |
412 | { | |
413 | return crypto_register_template(&crypto_cts_tmpl); | |
414 | } | |
415 | ||
416 | static void __exit crypto_cts_module_exit(void) | |
417 | { | |
418 | crypto_unregister_template(&crypto_cts_tmpl); | |
419 | } | |
420 | ||
421 | module_init(crypto_cts_module_init); | |
422 | module_exit(crypto_cts_module_exit); | |
423 | ||
424 | MODULE_LICENSE("Dual BSD/GPL"); | |
425 | MODULE_DESCRIPTION("CTS-CBC CipherText Stealing for CBC"); | |
426 | MODULE_ALIAS_CRYPTO("cts"); |