[mirror_ubuntu-bionic-kernel.git] / crypto / keywrap.c

/*
 * Key Wrapping: RFC3394 / NIST SP800-38F
 *
 * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, and the entire permission notice in its entirety,
 *    including the disclaimer of warranties.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior
 *    written permission.
 *
 * ALTERNATIVELY, this product may be distributed under the terms of
 * the GNU General Public License, in which case the provisions of the GPL2
 * are required INSTEAD OF the above restrictions.  (This clause is
 * necessary due to a potential bad interaction between the GPL and
 * the restrictions contained in a BSD-style copyright.)
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
 * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
 * DAMAGE.
 */

/*
 * Note for using key wrapping:
 *
 *	* The result of the encryption operation is the ciphertext starting
 *	  with the 2nd semiblock. The first semiblock is provided as the IV.
 *	  The IV used to start the encryption operation is the default IV.
 *
 *	* The input for the decryption is the first semiblock handed in as an
 *	  IV. The ciphertext is the data starting with the 2nd semiblock. The
 *	  return code of the decryption operation will be EBADMSG in case an
 *	  integrity error occurs.
 *
 * To obtain the full result of an encryption as expected by SP800-38F, the
 * caller must allocate a buffer of plaintext + 8 bytes:
 *
 *	unsigned int datalen = ptlen + crypto_skcipher_ivsize(tfm);
 *	u8 data[datalen];
 *	u8 *iv = data;
 *	u8 *pt = data + crypto_skcipher_ivsize(tfm);
 *		<ensure that pt contains the plaintext of size ptlen>
 *	sg_init_one(&sg, ptdata, ptlen);
 *	skcipher_request_set_crypt(req, &sg, &sg, ptlen, iv);
 *
 *	==> After encryption, data now contains full KW result as per SP800-38F.
 *
 * In case of decryption, ciphertext now already has the expected length
 * and must be segmented appropriately:
 *
 *	unsigned int datalen = CTLEN;
 *	u8 data[datalen];
 *		<ensure that data contains full ciphertext>
 *	u8 *iv = data;
 *	u8 *ct = data + crypto_skcipher_ivsize(tfm);
 *	unsigned int ctlen = datalen - crypto_skcipher_ivsize(tfm);
 *	sg_init_one(&sg, ctdata, ctlen);
 *	skcipher_request_set_crypt(req, &sg, &sg, ptlen, iv);
 *
 *	==> After decryption (which hopefully does not return EBADMSG), the ct
 *	pointer now points to the plaintext of size ctlen.
 *
 * Note 2: KWP is not implemented as this would defy in-place operation.
 *	   If somebody wants to wrap non-aligned data, he should simply pad
 *	   the input with zeros to fill it up to the 8 byte boundary.
 */

#include <linux/module.h>
#include <linux/crypto.h>
#include <linux/scatterlist.h>
#include <crypto/scatterwalk.h>
#include <crypto/internal/skcipher.h>

struct crypto_kw_ctx {
	struct crypto_cipher *child;
};

struct crypto_kw_block {
#define SEMIBSIZE 8
	__be64 A;
	__be64 R;
};

/*
 * Fast forward the SGL to the "end" length minus SEMIBSIZE.
 * The start in the SGL defined by the fast-forward is returned with
 * the walk variable
 */
static void crypto_kw_scatterlist_ff(struct scatter_walk *walk,
				     struct scatterlist *sg,
				     unsigned int end)
{
	unsigned int skip = 0;

	/* The caller should only operate on full SEMIBLOCKs. */
	BUG_ON(end < SEMIBSIZE);

	skip = end - SEMIBSIZE;
	while (sg) {
		if (sg->length > skip) {
			scatterwalk_start(walk, sg);
			scatterwalk_advance(walk, skip);
			break;
		} else
			skip -= sg->length;

		sg = sg_next(sg);
	}
}

static int crypto_kw_decrypt(struct blkcipher_desc *desc,
			     struct scatterlist *dst, struct scatterlist *src,
			     unsigned int nbytes)
{
	struct crypto_blkcipher *tfm = desc->tfm;
	struct crypto_kw_ctx *ctx = crypto_blkcipher_ctx(tfm);
	struct crypto_cipher *child = ctx->child;
	struct crypto_kw_block block;
	struct scatterlist *lsrc, *ldst;
	u64 t = 6 * ((nbytes) >> 3);
	unsigned int i;
	int ret = 0;

	/*
	 * Require at least 2 semiblocks (note, the 3rd semiblock that is
	 * required by SP800-38F is the IV.
	 */
	if (nbytes < (2 * SEMIBSIZE) || nbytes % SEMIBSIZE)
		return -EINVAL;

	/* Place the IV into block A */
	memcpy(&block.A, desc->info, SEMIBSIZE);

	/*
	 * src scatterlist is read-only. dst scatterlist is r/w. During the
	 * first loop, lsrc points to src and ldst to dst. For any
	 * subsequent round, the code operates on dst only.
	 */
	lsrc = src;
	ldst = dst;

	for (i = 0; i < 6; i++) {
		struct scatter_walk src_walk, dst_walk;
		unsigned int tmp_nbytes = nbytes;

		while (tmp_nbytes) {
			/* move pointer by tmp_nbytes in the SGL */
			crypto_kw_scatterlist_ff(&src_walk, lsrc, tmp_nbytes);
			/* get the source block */
			scatterwalk_copychunks(&block.R, &src_walk, SEMIBSIZE,
					       false);

			/* perform KW operation: modify IV with counter */
			block.A ^= cpu_to_be64(t);
			t--;
			/* perform KW operation: decrypt block */
			crypto_cipher_decrypt_one(child, (u8*)&block,
						  (u8*)&block);

			/* move pointer by tmp_nbytes in the SGL */
			crypto_kw_scatterlist_ff(&dst_walk, ldst, tmp_nbytes);
			/* Copy block->R into place */
			scatterwalk_copychunks(&block.R, &dst_walk, SEMIBSIZE,
					       true);

			tmp_nbytes -= SEMIBSIZE;
		}

		/* we now start to operate on the dst SGL only */
		lsrc = dst;
		ldst = dst;
	}

	/* Perform authentication check */
	if (block.A != cpu_to_be64(0xa6a6a6a6a6a6a6a6ULL))
		ret = -EBADMSG;

	memzero_explicit(&block, sizeof(struct crypto_kw_block));

	return ret;
}

static int crypto_kw_encrypt(struct blkcipher_desc *desc,
			     struct scatterlist *dst, struct scatterlist *src,
			     unsigned int nbytes)
{
	struct crypto_blkcipher *tfm = desc->tfm;
	struct crypto_kw_ctx *ctx = crypto_blkcipher_ctx(tfm);
	struct crypto_cipher *child = ctx->child;
	struct crypto_kw_block block;
	struct scatterlist *lsrc, *ldst;
	u64 t = 1;
	unsigned int i;

	/*
	 * Require at least 2 semiblocks (note, the 3rd semiblock that is
	 * required by SP800-38F is the IV that occupies the first semiblock.
	 * This means that the dst memory must be one semiblock larger than src.
	 * Also ensure that the given data is aligned to semiblock.
	 */
	if (nbytes < (2 * SEMIBSIZE) || nbytes % SEMIBSIZE)
		return -EINVAL;

	/*
	 * Place the predefined IV into block A -- for encrypt, the caller
	 * does not need to provide an IV, but he needs to fetch the final IV.
	 */
	block.A = cpu_to_be64(0xa6a6a6a6a6a6a6a6ULL);

	/*
	 * src scatterlist is read-only. dst scatterlist is r/w. During the
	 * first loop, lsrc points to src and ldst to dst. For any
	 * subsequent round, the code operates on dst only.
	 */
	lsrc = src;
	ldst = dst;

	for (i = 0; i < 6; i++) {
		struct scatter_walk src_walk, dst_walk;
		unsigned int tmp_nbytes = nbytes;

		scatterwalk_start(&src_walk, lsrc);
		scatterwalk_start(&dst_walk, ldst);

		while (tmp_nbytes) {
			/* get the source block */
			scatterwalk_copychunks(&block.R, &src_walk, SEMIBSIZE,
					       false);

			/* perform KW operation: encrypt block */
			crypto_cipher_encrypt_one(child, (u8 *)&block,
						  (u8 *)&block);
			/* perform KW operation: modify IV with counter */
			block.A ^= cpu_to_be64(t);
			t++;

			/* Copy block->R into place */
			scatterwalk_copychunks(&block.R, &dst_walk, SEMIBSIZE,
					       true);

			tmp_nbytes -= SEMIBSIZE;
		}

		/* we now start to operate on the dst SGL only */
		lsrc = dst;
		ldst = dst;
	}

	/* establish the IV for the caller to pick up */
	memcpy(desc->info, &block.A, SEMIBSIZE);

	memzero_explicit(&block, sizeof(struct crypto_kw_block));

	return 0;
}

static int crypto_kw_setkey(struct crypto_tfm *parent, const u8 *key,
			    unsigned int keylen)
{
	struct crypto_kw_ctx *ctx = crypto_tfm_ctx(parent);
	struct crypto_cipher *child = ctx->child;
	int err;

	crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
	crypto_cipher_set_flags(child, crypto_tfm_get_flags(parent) &
				       CRYPTO_TFM_REQ_MASK);
	err = crypto_cipher_setkey(child, key, keylen);
	crypto_tfm_set_flags(parent, crypto_cipher_get_flags(child) &
				     CRYPTO_TFM_RES_MASK);
	return err;
}

static int crypto_kw_init_tfm(struct crypto_tfm *tfm)
{
	struct crypto_instance *inst = crypto_tfm_alg_instance(tfm);
	struct crypto_spawn *spawn = crypto_instance_ctx(inst);
	struct crypto_kw_ctx *ctx = crypto_tfm_ctx(tfm);
	struct crypto_cipher *cipher;

	cipher = crypto_spawn_cipher(spawn);
	if (IS_ERR(cipher))
		return PTR_ERR(cipher);

	ctx->child = cipher;
	return 0;
}

static void crypto_kw_exit_tfm(struct crypto_tfm *tfm)
{
	struct crypto_kw_ctx *ctx = crypto_tfm_ctx(tfm);

	crypto_free_cipher(ctx->child);
}

static struct crypto_instance *crypto_kw_alloc(struct rtattr **tb)
{
	struct crypto_instance *inst = NULL;
	struct crypto_alg *alg = NULL;
	int err;

	err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_BLKCIPHER);
	if (err)
		return ERR_PTR(err);

	alg = crypto_get_attr_alg(tb, CRYPTO_ALG_TYPE_CIPHER,
				  CRYPTO_ALG_TYPE_MASK);
	if (IS_ERR(alg))
		return ERR_CAST(alg);

	inst = ERR_PTR(-EINVAL);
	/* Section 5.1 requirement for KW */
	if (alg->cra_blocksize != sizeof(struct crypto_kw_block))
		goto err;

	inst = crypto_alloc_instance("kw", alg);
	if (IS_ERR(inst))
		goto err;

	inst->alg.cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER;
	inst->alg.cra_priority = alg->cra_priority;
	inst->alg.cra_blocksize = SEMIBSIZE;
	inst->alg.cra_alignmask = 0;
	inst->alg.cra_type = &crypto_blkcipher_type;
	inst->alg.cra_blkcipher.ivsize = SEMIBSIZE;
	inst->alg.cra_blkcipher.min_keysize = alg->cra_cipher.cia_min_keysize;
	inst->alg.cra_blkcipher.max_keysize = alg->cra_cipher.cia_max_keysize;

	inst->alg.cra_ctxsize = sizeof(struct crypto_kw_ctx);

	inst->alg.cra_init = crypto_kw_init_tfm;
	inst->alg.cra_exit = crypto_kw_exit_tfm;

	inst->alg.cra_blkcipher.setkey = crypto_kw_setkey;
	inst->alg.cra_blkcipher.encrypt = crypto_kw_encrypt;
	inst->alg.cra_blkcipher.decrypt = crypto_kw_decrypt;

err:
	crypto_mod_put(alg);
	return inst;
}

static void crypto_kw_free(struct crypto_instance *inst)
{
	crypto_drop_spawn(crypto_instance_ctx(inst));
	kfree(inst);
}

static struct crypto_template crypto_kw_tmpl = {
	.name = "kw",
	.alloc = crypto_kw_alloc,
	.free = crypto_kw_free,
	.module = THIS_MODULE,
};

static int __init crypto_kw_init(void)
{
	return crypto_register_template(&crypto_kw_tmpl);
}

static void __exit crypto_kw_exit(void)
{
	crypto_unregister_template(&crypto_kw_tmpl);
}

module_init(crypto_kw_init);
module_exit(crypto_kw_exit);

MODULE_LICENSE("Dual BSD/GPL");
MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
MODULE_DESCRIPTION("Key Wrapping (RFC3394 / NIST SP800-38F)");
MODULE_ALIAS_CRYPTO("kw");
Commit	Line	Data
e28facde SM	1	/*
	2	* Key Wrapping: RFC3394 / NIST SP800-38F
	3	*
	4	* Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
	5	*
	6	* Redistribution and use in source and binary forms, with or without
	7	* modification, are permitted provided that the following conditions
	8	* are met:
	9	* 1. Redistributions of source code must retain the above copyright
	10	* notice, and the entire permission notice in its entirety,
	11	* including the disclaimer of warranties.
	12	* 2. Redistributions in binary form must reproduce the above copyright
	13	* notice, this list of conditions and the following disclaimer in the
	14	* documentation and/or other materials provided with the distribution.
	15	* 3. The name of the author may not be used to endorse or promote
	16	* products derived from this software without specific prior
	17	* written permission.
	18	*
	19	* ALTERNATIVELY, this product may be distributed under the terms of
	20	* the GNU General Public License, in which case the provisions of the GPL2
	21	* are required INSTEAD OF the above restrictions. (This clause is
	22	* necessary due to a potential bad interaction between the GPL and
	23	* the restrictions contained in a BSD-style copyright.)
	24	*
	25	* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
	26	* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	27	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
	28	* WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
	29	* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
	30	* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
	31	* OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
	32	* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
	33	* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	34	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
	35	* USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
	36	* DAMAGE.
	37	*/
	38
	39	/*
	40	* Note for using key wrapping:
	41	*
	42	* * The result of the encryption operation is the ciphertext starting
	43	* with the 2nd semiblock. The first semiblock is provided as the IV.
	44	* The IV used to start the encryption operation is the default IV.
	45	*
	46	* * The input for the decryption is the first semiblock handed in as an
	47	* IV. The ciphertext is the data starting with the 2nd semiblock. The
	48	* return code of the decryption operation will be EBADMSG in case an
	49	* integrity error occurs.
	50	*
	51	* To obtain the full result of an encryption as expected by SP800-38F, the
	52	* caller must allocate a buffer of plaintext + 8 bytes:
	53	*
	54	* unsigned int datalen = ptlen + crypto_skcipher_ivsize(tfm);
	55	* u8 data[datalen];
	56	* u8 *iv = data;
	57	* u8 *pt = data + crypto_skcipher_ivsize(tfm);
	58	* <ensure that pt contains the plaintext of size ptlen>
	59	* sg_init_one(&sg, ptdata, ptlen);
	60	* skcipher_request_set_crypt(req, &sg, &sg, ptlen, iv);
	61	*
	62	* ==> After encryption, data now contains full KW result as per SP800-38F.
	63	*
	64	* In case of decryption, ciphertext now already has the expected length
65	* and must be segmented appropriately:
66	*
67	* unsigned int datalen = CTLEN;
68	* u8 data[datalen];
69	* <ensure that data contains full ciphertext>
70	* u8 *iv = data;
71	* u8 *ct = data + crypto_skcipher_ivsize(tfm);
72	* unsigned int ctlen = datalen - crypto_skcipher_ivsize(tfm);
73	* sg_init_one(&sg, ctdata, ctlen);
74	* skcipher_request_set_crypt(req, &sg, &sg, ptlen, iv);
75	*
76	* ==> After decryption (which hopefully does not return EBADMSG), the ct
77	* pointer now points to the plaintext of size ctlen.
78	*
79	* Note 2: KWP is not implemented as this would defy in-place operation.
80	* If somebody wants to wrap non-aligned data, he should simply pad
81	* the input with zeros to fill it up to the 8 byte boundary.
82	*/
83
84	#include <linux/module.h>
85	#include <linux/crypto.h>
86	#include <linux/scatterlist.h>
87	#include <crypto/scatterwalk.h>
88	#include <crypto/internal/skcipher.h>
89
90	struct crypto_kw_ctx {
91	struct crypto_cipher *child;
92	};
93
94	struct crypto_kw_block {
95	#define SEMIBSIZE 8
9e49451d SM	96	__be64 A;
9e49451d SM	97	__be64 R;
e28facde SM	98	};
e28facde SM	99
e28facde SM	100	/*
	101	* Fast forward the SGL to the "end" length minus SEMIBSIZE.
	102	* The start in the SGL defined by the fast-forward is returned with
	103	* the walk variable
	104	*/
	105	static void crypto_kw_scatterlist_ff(struct scatter_walk *walk,
	106	struct scatterlist *sg,
	107	unsigned int end)
	108	{
	109	unsigned int skip = 0;
	110
	111	/* The caller should only operate on full SEMIBLOCKs. */
	112	BUG_ON(end < SEMIBSIZE);
	113
	114	skip = end - SEMIBSIZE;
	115	while (sg) {
	116	if (sg->length > skip) {
	117	scatterwalk_start(walk, sg);
	118	scatterwalk_advance(walk, skip);
	119	break;
	120	} else
	121	skip -= sg->length;
	122
	123	sg = sg_next(sg);
	124	}
	125	}
	126
	127	static int crypto_kw_decrypt(struct blkcipher_desc *desc,
	128	struct scatterlist dst, struct scatterlist src,
	129	unsigned int nbytes)
	130	{
	131	struct crypto_blkcipher *tfm = desc->tfm;
	132	struct crypto_kw_ctx *ctx = crypto_blkcipher_ctx(tfm);
	133	struct crypto_cipher *child = ctx->child;
9e49451d	134	struct crypto_kw_block block;
e28facde	135	struct scatterlist lsrc, ldst;
9e49451d SM	136	u64 t = 6 * ((nbytes) >> 3);
9e49451d SM	137	unsigned int i;
e28facde SM	138	int ret = 0;
	139
	140	/*
	141	* Require at least 2 semiblocks (note, the 3rd semiblock that is
	142	* required by SP800-38F is the IV.
	143	*/
	144	if (nbytes < (2 * SEMIBSIZE) \|\| nbytes % SEMIBSIZE)
	145	return -EINVAL;
	146
	147	/* Place the IV into block A */
9e49451d	148	memcpy(&block.A, desc->info, SEMIBSIZE);
e28facde SM	149
	150	/*
	151	* src scatterlist is read-only. dst scatterlist is r/w. During the
	152	* first loop, lsrc points to src and ldst to dst. For any
	153	* subsequent round, the code operates on dst only.
	154	*/
	155	lsrc = src;
	156	ldst = dst;
	157
	158	for (i = 0; i < 6; i++) {
e28facde	159	struct scatter_walk src_walk, dst_walk;
9e49451d	160	unsigned int tmp_nbytes = nbytes;
e28facde SM	161
	162	while (tmp_nbytes) {
	163	/* move pointer by tmp_nbytes in the SGL */
	164	crypto_kw_scatterlist_ff(&src_walk, lsrc, tmp_nbytes);
	165	/* get the source block */
9e49451d	166	scatterwalk_copychunks(&block.R, &src_walk, SEMIBSIZE,
e28facde SM	167	false);
e28facde SM	168
e28facde	169	/* perform KW operation: modify IV with counter */
9e49451d	170	block.A ^= cpu_to_be64(t);
e28facde SM	171	t--;
e28facde SM	172	/* perform KW operation: decrypt block */
9e49451d SM	173	crypto_cipher_decrypt_one(child, (u8*)&block,
9e49451d SM	174	(u8*)&block);
e28facde SM	175
	176	/* move pointer by tmp_nbytes in the SGL */
	177	crypto_kw_scatterlist_ff(&dst_walk, ldst, tmp_nbytes);
	178	/* Copy block->R into place */
9e49451d	179	scatterwalk_copychunks(&block.R, &dst_walk, SEMIBSIZE,
e28facde SM	180	true);
	181
	182	tmp_nbytes -= SEMIBSIZE;
	183	}
	184
	185	/* we now start to operate on the dst SGL only */
	186	lsrc = dst;
	187	ldst = dst;
	188	}
	189
	190	/* Perform authentication check */
2d0ebde6	191	if (block.A != cpu_to_be64(0xa6a6a6a6a6a6a6a6ULL))
e28facde SM	192	ret = -EBADMSG;
e28facde SM	193
9e49451d	194	memzero_explicit(&block, sizeof(struct crypto_kw_block));
e28facde SM	195
	196	return ret;
	197	}
	198
	199	static int crypto_kw_encrypt(struct blkcipher_desc *desc,
	200	struct scatterlist dst, struct scatterlist src,
	201	unsigned int nbytes)
	202	{
	203	struct crypto_blkcipher *tfm = desc->tfm;
	204	struct crypto_kw_ctx *ctx = crypto_blkcipher_ctx(tfm);
	205	struct crypto_cipher *child = ctx->child;
9e49451d	206	struct crypto_kw_block block;
e28facde	207	struct scatterlist lsrc, ldst;
9e49451d SM	208	u64 t = 1;
9e49451d SM	209	unsigned int i;
e28facde SM	210
	211	/*
	212	* Require at least 2 semiblocks (note, the 3rd semiblock that is
	213	* required by SP800-38F is the IV that occupies the first semiblock.
	214	* This means that the dst memory must be one semiblock larger than src.
	215	* Also ensure that the given data is aligned to semiblock.
	216	*/
	217	if (nbytes < (2 * SEMIBSIZE) \|\| nbytes % SEMIBSIZE)
	218	return -EINVAL;
	219
	220	/*
	221	* Place the predefined IV into block A -- for encrypt, the caller
	222	* does not need to provide an IV, but he needs to fetch the final IV.
	223	*/
2d0ebde6	224	block.A = cpu_to_be64(0xa6a6a6a6a6a6a6a6ULL);
e28facde SM	225
	226	/*
	227	* src scatterlist is read-only. dst scatterlist is r/w. During the
	228	* first loop, lsrc points to src and ldst to dst. For any
	229	* subsequent round, the code operates on dst only.
	230	*/
	231	lsrc = src;
	232	ldst = dst;
	233
	234	for (i = 0; i < 6; i++) {
e28facde	235	struct scatter_walk src_walk, dst_walk;
9e49451d	236	unsigned int tmp_nbytes = nbytes;
e28facde SM	237
	238	scatterwalk_start(&src_walk, lsrc);
	239	scatterwalk_start(&dst_walk, ldst);
	240
	241	while (tmp_nbytes) {
	242	/* get the source block */
9e49451d	243	scatterwalk_copychunks(&block.R, &src_walk, SEMIBSIZE,
e28facde SM	244	false);
	245
	246	/* perform KW operation: encrypt block */
9e49451d SM	247	crypto_cipher_encrypt_one(child, (u8 *)&block,
9e49451d SM	248	(u8 *)&block);
e28facde	249	/* perform KW operation: modify IV with counter */
9e49451d	250	block.A ^= cpu_to_be64(t);
e28facde SM	251	t++;
	252
	253	/* Copy block->R into place */
9e49451d	254	scatterwalk_copychunks(&block.R, &dst_walk, SEMIBSIZE,
e28facde SM	255	true);
	256
	257	tmp_nbytes -= SEMIBSIZE;
	258	}
	259
	260	/* we now start to operate on the dst SGL only */
	261	lsrc = dst;
	262	ldst = dst;
	263	}
	264
	265	/* establish the IV for the caller to pick up */
9e49451d	266	memcpy(desc->info, &block.A, SEMIBSIZE);
e28facde	267
9e49451d	268	memzero_explicit(&block, sizeof(struct crypto_kw_block));
e28facde SM	269
	270	return 0;
	271	}
	272
	273	static int crypto_kw_setkey(struct crypto_tfm parent, const u8 key,
	274	unsigned int keylen)
	275	{
	276	struct crypto_kw_ctx *ctx = crypto_tfm_ctx(parent);
	277	struct crypto_cipher *child = ctx->child;
	278	int err;
	279
	280	crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
	281	crypto_cipher_set_flags(child, crypto_tfm_get_flags(parent) &
	282	CRYPTO_TFM_REQ_MASK);
	283	err = crypto_cipher_setkey(child, key, keylen);
	284	crypto_tfm_set_flags(parent, crypto_cipher_get_flags(child) &
	285	CRYPTO_TFM_RES_MASK);
	286	return err;
	287	}
	288
	289	static int crypto_kw_init_tfm(struct crypto_tfm *tfm)
	290	{
	291	struct crypto_instance *inst = crypto_tfm_alg_instance(tfm);
	292	struct crypto_spawn *spawn = crypto_instance_ctx(inst);
	293	struct crypto_kw_ctx *ctx = crypto_tfm_ctx(tfm);
	294	struct crypto_cipher *cipher;
	295
	296	cipher = crypto_spawn_cipher(spawn);
	297	if (IS_ERR(cipher))
	298	return PTR_ERR(cipher);
	299
	300	ctx->child = cipher;
	301	return 0;
	302	}
	303
	304	static void crypto_kw_exit_tfm(struct crypto_tfm *tfm)
	305	{
	306	struct crypto_kw_ctx *ctx = crypto_tfm_ctx(tfm);
	307
	308	crypto_free_cipher(ctx->child);
	309	}
	310
	311	static struct crypto_instance crypto_kw_alloc(struct rtattr *tb)
	312	{
	313	struct crypto_instance *inst = NULL;
	314	struct crypto_alg *alg = NULL;
	315	int err;
	316
	317	err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_BLKCIPHER);
	318	if (err)
	319	return ERR_PTR(err);
	320
	321	alg = crypto_get_attr_alg(tb, CRYPTO_ALG_TYPE_CIPHER,
	322	CRYPTO_ALG_TYPE_MASK);
	323	if (IS_ERR(alg))
	324	return ERR_CAST(alg);
	325
	326	inst = ERR_PTR(-EINVAL);
	327	/* Section 5.1 requirement for KW */
	328	if (alg->cra_blocksize != sizeof(struct crypto_kw_block))
	329	goto err;
	330
	331	inst = crypto_alloc_instance("kw", alg);
	332	if (IS_ERR(inst))
333	goto err;
334
335	inst->alg.cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER;
336	inst->alg.cra_priority = alg->cra_priority;
337	inst->alg.cra_blocksize = SEMIBSIZE;
338	inst->alg.cra_alignmask = 0;
339	inst->alg.cra_type = &crypto_blkcipher_type;
340	inst->alg.cra_blkcipher.ivsize = SEMIBSIZE;
341	inst->alg.cra_blkcipher.min_keysize = alg->cra_cipher.cia_min_keysize;
342	inst->alg.cra_blkcipher.max_keysize = alg->cra_cipher.cia_max_keysize;
343
344	inst->alg.cra_ctxsize = sizeof(struct crypto_kw_ctx);
345
346	inst->alg.cra_init = crypto_kw_init_tfm;
347	inst->alg.cra_exit = crypto_kw_exit_tfm;
348
349	inst->alg.cra_blkcipher.setkey = crypto_kw_setkey;
350	inst->alg.cra_blkcipher.encrypt = crypto_kw_encrypt;
351	inst->alg.cra_blkcipher.decrypt = crypto_kw_decrypt;
352
353	err:
354	crypto_mod_put(alg);
355	return inst;
356	}
357
358	static void crypto_kw_free(struct crypto_instance *inst)
359	{
360	crypto_drop_spawn(crypto_instance_ctx(inst));
361	kfree(inst);
362	}
363
364	static struct crypto_template crypto_kw_tmpl = {
365	.name = "kw",
366	.alloc = crypto_kw_alloc,
367	.free = crypto_kw_free,
368	.module = THIS_MODULE,
369	};
370
371	static int __init crypto_kw_init(void)
372	{
373	return crypto_register_template(&crypto_kw_tmpl);
374	}
375
376	static void __exit crypto_kw_exit(void)
377	{
378	crypto_unregister_template(&crypto_kw_tmpl);
379	}
380
381	module_init(crypto_kw_init);
382	module_exit(crypto_kw_exit);
383
384	MODULE_LICENSE("Dual BSD/GPL");
385	MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
386	MODULE_DESCRIPTION("Key Wrapping (RFC3394 / NIST SP800-38F)");
387	MODULE_ALIAS_CRYPTO("kw");