lrw.c 10.8 KB
Newer Older
1 2 3 4 5
/* LRW: as defined by Cyril Guyot in
 *	http://grouper.ieee.org/groups/1619/email/pdf00017.pdf
 *
 * Copyright (c) 2006 Rik Snel <rsnel@cube.dyndns.org>
 *
6
 * Based on ecb.c
7 8 9 10 11 12 13 14 15 16 17 18
 * Copyright (c) 2006 Herbert Xu <herbert@gondor.apana.org.au>
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the Free
 * Software Foundation; either version 2 of the License, or (at your option)
 * any later version.
 */
/* This implementation is checked against the test vectors in the above
 * document and by a test vector provided by Ken Buchanan at
 * http://www.mail-archive.com/stds-p1619@listserv.ieee.org/msg00173.html
 *
 * The test vectors are included in the testing module tcrypt.[ch] */
19

20 21
#include <crypto/internal/skcipher.h>
#include <crypto/scatterwalk.h>
22 23 24 25 26 27 28 29 30 31
#include <linux/err.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/scatterlist.h>
#include <linux/slab.h>

#include <crypto/b128ops.h>
#include <crypto/gf128mul.h>

32 33
#define LRW_BLOCK_SIZE 16

34
struct priv {
35
	struct crypto_skcipher *child;
36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53

	/*
	 * optimizes multiplying a random (non incrementing, as at the
	 * start of a new sector) value with key2, we could also have
	 * used 4k optimization tables or no optimization at all. In the
	 * latter case we would have to store key2 here
	 */
	struct gf128mul_64k *table;

	/*
	 * stores:
	 *  key2*{ 0,0,...0,0,0,0,1 }, key2*{ 0,0,...0,0,0,1,1 },
	 *  key2*{ 0,0,...0,0,1,1,1 }, key2*{ 0,0,...0,1,1,1,1 }
	 *  key2*{ 0,0,...1,1,1,1,1 }, etc
	 * needed for optimized multiplication of incrementing values
	 * with key2
	 */
	be128 mulinc[128];
54 55
};

56 57 58 59 60
struct rctx {
	be128 t;
	struct skcipher_request subreq;
};

61 62
static inline void setbit128_bbe(void *b, int bit)
{
63 64 65 66 67 68 69
	__set_bit(bit ^ (0x80 -
#ifdef __BIG_ENDIAN
			 BITS_PER_LONG
#else
			 BITS_PER_BYTE
#endif
			), b);
70 71
}

72 73
static int setkey(struct crypto_skcipher *parent, const u8 *key,
		  unsigned int keylen)
74
{
75 76 77 78
	struct priv *ctx = crypto_skcipher_ctx(parent);
	struct crypto_skcipher *child = ctx->child;
	int err, bsize = LRW_BLOCK_SIZE;
	const u8 *tweak = key + keylen - bsize;
79
	be128 tmp = { 0 };
80
	int i;
81

82 83 84 85 86 87 88 89 90
	crypto_skcipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
	crypto_skcipher_set_flags(child, crypto_skcipher_get_flags(parent) &
					 CRYPTO_TFM_REQ_MASK);
	err = crypto_skcipher_setkey(child, key, keylen - bsize);
	crypto_skcipher_set_flags(parent, crypto_skcipher_get_flags(child) &
					  CRYPTO_TFM_RES_MASK);
	if (err)
		return err;

91 92 93 94
	if (ctx->table)
		gf128mul_free_64k(ctx->table);

	/* initialize multiplication table for Key2 */
95
	ctx->table = gf128mul_init_64k_bbe((be128 *)tweak);
96 97 98 99 100 101 102 103 104 105 106 107
	if (!ctx->table)
		return -ENOMEM;

	/* initialize optimization table */
	for (i = 0; i < 128; i++) {
		setbit128_bbe(&tmp, i);
		ctx->mulinc[i] = tmp;
		gf128mul_64k_bbe(&ctx->mulinc[i], ctx->table);
	}

	return 0;
}
108

109 110 111 112 113 114 115 116 117 118 119 120
/*
 * Returns the number of trailing '1' bits in the words of the counter, which is
 * represented by 4 32-bit words, arranged from least to most significant.
 * At the same time, increments the counter by one.
 *
 * For example:
 *
 * u32 counter[4] = { 0xFFFFFFFF, 0x1, 0x0, 0x0 };
 * int i = next_index(&counter);
 * // i == 33, counter == { 0x0, 0x2, 0x0, 0x0 }
 */
static int next_index(u32 *counter)
121
{
122
	int i, res = 0;
123

124
	for (i = 0; i < 4; i++) {
125 126 127
		if (counter[i] + 1 != 0)
			return res + ffz(counter[i]++);

128 129
		counter[i] = 0;
		res += 32;
130 131
	}

132 133 134 135 136 137
	/*
	 * If we get here, then x == 128 and we are incrementing the counter
	 * from all ones to all zeros. This means we must return index 127, i.e.
	 * the one corresponding to key2*{ 1,...,1 }.
	 */
	return 127;
138 139
}

140 141 142 143 144 145 146
/*
 * We compute the tweak masks twice (both before and after the ECB encryption or
 * decryption) to avoid having to allocate a temporary buffer and/or make
 * mutliple calls to the 'ecb(..)' instance, which usually would be slower than
 * just doing the next_index() calls again.
 */
static int xor_tweak(struct skcipher_request *req, bool second_pass)
147
{
148 149 150
	const int bs = LRW_BLOCK_SIZE;
	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
	struct priv *ctx = crypto_skcipher_ctx(tfm);
151 152
	struct rctx *rctx = skcipher_request_ctx(req);
	be128 t = rctx->t;
153
	struct skcipher_walk w;
154 155
	__be32 *iv;
	u32 counter[4];
156
	int err;
157

158 159 160 161 162
	if (second_pass) {
		req = &rctx->subreq;
		/* set to our TFM to enforce correct alignment: */
		skcipher_request_set_tfm(req, tfm);
	}
163

164
	err = skcipher_walk_virt(&w, req, false);
165 166 167 168 169 170
	iv = (__be32 *)w.iv;

	counter[0] = be32_to_cpu(iv[3]);
	counter[1] = be32_to_cpu(iv[2]);
	counter[2] = be32_to_cpu(iv[1]);
	counter[3] = be32_to_cpu(iv[0]);
171

172 173 174 175 176 177 178
	while (w.nbytes) {
		unsigned int avail = w.nbytes;
		be128 *wsrc;
		be128 *wdst;

		wsrc = w.src.virt.addr;
		wdst = w.dst.virt.addr;
179 180

		do {
181
			be128_xor(wdst++, &t, wsrc++);
182

183 184
			/* T <- I*Key2, using the optimization
			 * discussed in the specification */
185
			be128_xor(&t, &t, &ctx->mulinc[next_index(counter)]);
186
		} while ((avail -= bs) >= bs);
187

188
		if (second_pass && w.nbytes == w.total) {
189 190 191 192 193 194
			iv[0] = cpu_to_be32(counter[3]);
			iv[1] = cpu_to_be32(counter[2]);
			iv[2] = cpu_to_be32(counter[1]);
			iv[3] = cpu_to_be32(counter[0]);
		}

195 196
		err = skcipher_walk_done(&w, avail);
	}
197

198 199 200
	return err;
}

201
static int xor_tweak_pre(struct skcipher_request *req)
202
{
203
	return xor_tweak(req, false);
204 205
}

206
static int xor_tweak_post(struct skcipher_request *req)
207
{
208
	return xor_tweak(req, true);
209 210
}

211
static void crypt_done(struct crypto_async_request *areq, int err)
212 213 214
{
	struct skcipher_request *req = areq->data;

215 216
	if (!err)
		err = xor_tweak_post(req);
217 218 219 220

	skcipher_request_complete(req, err);
}

221
static void init_crypt(struct skcipher_request *req)
222
{
223
	struct priv *ctx = crypto_skcipher_ctx(crypto_skcipher_reqtfm(req));
224
	struct rctx *rctx = skcipher_request_ctx(req);
225
	struct skcipher_request *subreq = &rctx->subreq;
226

227 228 229 230 231
	skcipher_request_set_tfm(subreq, ctx->child);
	skcipher_request_set_callback(subreq, req->base.flags, crypt_done, req);
	/* pass req->iv as IV (will be used by xor_tweak, ECB will ignore it) */
	skcipher_request_set_crypt(subreq, req->dst, req->dst,
				   req->cryptlen, req->iv);
232

233 234
	/* calculate first value of T */
	memcpy(&rctx->t, req->iv, sizeof(rctx->t));
235

236 237
	/* T <- I*Key2 */
	gf128mul_64k_bbe(&rctx->t, ctx->table);
238 239
}

240
static int encrypt(struct skcipher_request *req)
241
{
242 243
	struct rctx *rctx = skcipher_request_ctx(req);
	struct skcipher_request *subreq = &rctx->subreq;
244

245 246 247 248
	init_crypt(req);
	return xor_tweak_pre(req) ?:
		crypto_skcipher_encrypt(subreq) ?:
		xor_tweak_post(req);
249 250 251 252
}

static int decrypt(struct skcipher_request *req)
{
253 254 255 256 257 258 259
	struct rctx *rctx = skcipher_request_ctx(req);
	struct skcipher_request *subreq = &rctx->subreq;

	init_crypt(req);
	return xor_tweak_pre(req) ?:
		crypto_skcipher_decrypt(subreq) ?:
		xor_tweak_post(req);
260 261
}

262
static int init_tfm(struct crypto_skcipher *tfm)
263
{
264 265 266 267
	struct skcipher_instance *inst = skcipher_alg_instance(tfm);
	struct crypto_skcipher_spawn *spawn = skcipher_instance_ctx(inst);
	struct priv *ctx = crypto_skcipher_ctx(tfm);
	struct crypto_skcipher *cipher;
268

269
	cipher = crypto_spawn_skcipher(spawn);
270 271
	if (IS_ERR(cipher))
		return PTR_ERR(cipher);
272

273
	ctx->child = cipher;
274 275 276 277

	crypto_skcipher_set_reqsize(tfm, crypto_skcipher_reqsize(cipher) +
					 sizeof(struct rctx));

278 279 280
	return 0;
}

281
static void exit_tfm(struct crypto_skcipher *tfm)
282
{
283
	struct priv *ctx = crypto_skcipher_ctx(tfm);
284

285 286
	if (ctx->table)
		gf128mul_free_64k(ctx->table);
287 288 289 290 291 292 293
	crypto_free_skcipher(ctx->child);
}

static void free(struct skcipher_instance *inst)
{
	crypto_drop_skcipher(skcipher_instance_ctx(inst));
	kfree(inst);
294 295
}

296
static int create(struct crypto_template *tmpl, struct rtattr **tb)
297
{
298 299 300 301 302 303
	struct crypto_skcipher_spawn *spawn;
	struct skcipher_instance *inst;
	struct crypto_attr_type *algt;
	struct skcipher_alg *alg;
	const char *cipher_name;
	char ecb_name[CRYPTO_MAX_ALG_NAME];
304 305
	int err;

306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337
	algt = crypto_get_attr_type(tb);
	if (IS_ERR(algt))
		return PTR_ERR(algt);

	if ((algt->type ^ CRYPTO_ALG_TYPE_SKCIPHER) & algt->mask)
		return -EINVAL;

	cipher_name = crypto_attr_alg_name(tb[1]);
	if (IS_ERR(cipher_name))
		return PTR_ERR(cipher_name);

	inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
	if (!inst)
		return -ENOMEM;

	spawn = skcipher_instance_ctx(inst);

	crypto_set_skcipher_spawn(spawn, skcipher_crypto_instance(inst));
	err = crypto_grab_skcipher(spawn, cipher_name, 0,
				   crypto_requires_sync(algt->type,
							algt->mask));
	if (err == -ENOENT) {
		err = -ENAMETOOLONG;
		if (snprintf(ecb_name, CRYPTO_MAX_ALG_NAME, "ecb(%s)",
			     cipher_name) >= CRYPTO_MAX_ALG_NAME)
			goto err_free_inst;

		err = crypto_grab_skcipher(spawn, ecb_name, 0,
					   crypto_requires_sync(algt->type,
								algt->mask));
	}

338
	if (err)
339
		goto err_free_inst;
340

341
	alg = crypto_skcipher_spawn_alg(spawn);
342

343 344 345
	err = -EINVAL;
	if (alg->base.cra_blocksize != LRW_BLOCK_SIZE)
		goto err_drop_spawn;
346

347 348
	if (crypto_skcipher_alg_ivsize(alg))
		goto err_drop_spawn;
349

350 351 352 353
	err = crypto_inst_setname(skcipher_crypto_instance(inst), "lrw",
				  &alg->base);
	if (err)
		goto err_drop_spawn;
354

355 356
	err = -EINVAL;
	cipher_name = alg->base.cra_name;
357

358 359 360 361 362
	/* Alas we screwed up the naming so we have to mangle the
	 * cipher name.
	 */
	if (!strncmp(cipher_name, "ecb(", 4)) {
		unsigned len;
363

364 365 366
		len = strlcpy(ecb_name, cipher_name + 4, sizeof(ecb_name));
		if (len < 2 || len >= sizeof(ecb_name))
			goto err_drop_spawn;
367

368 369
		if (ecb_name[len - 1] != ')')
			goto err_drop_spawn;
370

371
		ecb_name[len - 1] = 0;
372

373
		if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
374 375 376 377
			     "lrw(%s)", ecb_name) >= CRYPTO_MAX_ALG_NAME) {
			err = -ENAMETOOLONG;
			goto err_drop_spawn;
		}
378 379
	} else
		goto err_drop_spawn;
380 381 382 383 384

	inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC;
	inst->alg.base.cra_priority = alg->base.cra_priority;
	inst->alg.base.cra_blocksize = LRW_BLOCK_SIZE;
	inst->alg.base.cra_alignmask = alg->base.cra_alignmask |
385
				       (__alignof__(__be32) - 1);
386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413

	inst->alg.ivsize = LRW_BLOCK_SIZE;
	inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg) +
				LRW_BLOCK_SIZE;
	inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(alg) +
				LRW_BLOCK_SIZE;

	inst->alg.base.cra_ctxsize = sizeof(struct priv);

	inst->alg.init = init_tfm;
	inst->alg.exit = exit_tfm;

	inst->alg.setkey = setkey;
	inst->alg.encrypt = encrypt;
	inst->alg.decrypt = decrypt;

	inst->free = free;

	err = skcipher_register_instance(tmpl, inst);
	if (err)
		goto err_drop_spawn;

out:
	return err;

err_drop_spawn:
	crypto_drop_skcipher(spawn);
err_free_inst:
414
	kfree(inst);
415
	goto out;
416 417 418 419
}

static struct crypto_template crypto_tmpl = {
	.name = "lrw",
420
	.create = create,
421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438
	.module = THIS_MODULE,
};

static int __init crypto_module_init(void)
{
	return crypto_register_template(&crypto_tmpl);
}

static void __exit crypto_module_exit(void)
{
	crypto_unregister_template(&crypto_tmpl);
}

module_init(crypto_module_init);
module_exit(crypto_module_exit);

MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("LRW block cipher mode");
439
MODULE_ALIAS_CRYPTO("lrw");