1059c2a4dSEric Biggers // SPDX-License-Identifier: GPL-2.0 2059c2a4dSEric Biggers /* 3059c2a4dSEric Biggers * Adiantum length-preserving encryption mode 4059c2a4dSEric Biggers * 5059c2a4dSEric Biggers * Copyright 2018 Google LLC 6059c2a4dSEric Biggers */ 7059c2a4dSEric Biggers 8059c2a4dSEric Biggers /* 9059c2a4dSEric Biggers * Adiantum is a tweakable, length-preserving encryption mode designed for fast 10059c2a4dSEric Biggers * and secure disk encryption, especially on CPUs without dedicated crypto 11059c2a4dSEric Biggers * instructions. Adiantum encrypts each sector using the XChaCha12 stream 12c6018e1aSEric Biggers * cipher, two passes of an ε-almost-∆-universal (ε-∆U) hash function based on 13059c2a4dSEric Biggers * NH and Poly1305, and an invocation of the AES-256 block cipher on a single 14059c2a4dSEric Biggers * 16-byte block. See the paper for details: 15059c2a4dSEric Biggers * 16059c2a4dSEric Biggers * Adiantum: length-preserving encryption for entry-level processors 17059c2a4dSEric Biggers * (https://eprint.iacr.org/2018/720.pdf) 18059c2a4dSEric Biggers * 19059c2a4dSEric Biggers * For flexibility, this implementation also allows other ciphers: 20059c2a4dSEric Biggers * 21059c2a4dSEric Biggers * - Stream cipher: XChaCha12 or XChaCha20 22059c2a4dSEric Biggers * - Block cipher: any with a 128-bit block size and 256-bit key 23059c2a4dSEric Biggers * 24c6018e1aSEric Biggers * This implementation doesn't currently allow other ε-∆U hash functions, i.e. 25059c2a4dSEric Biggers * HPolyC is not supported. This is because Adiantum is ~20% faster than HPolyC 26c6018e1aSEric Biggers * but still provably as secure, and also the ε-∆U hash function of HBSH is 27059c2a4dSEric Biggers * formally defined to take two inputs (tweak, message) which makes it difficult 28059c2a4dSEric Biggers * to wrap with the crypto_shash API. Rather, some details need to be handled 29c6018e1aSEric Biggers * here. Nevertheless, if needed in the future, support for other ε-∆U hash 30059c2a4dSEric Biggers * functions could be added here. 31059c2a4dSEric Biggers */ 32059c2a4dSEric Biggers 33059c2a4dSEric Biggers #include <crypto/b128ops.h> 34059c2a4dSEric Biggers #include <crypto/chacha.h> 35059c2a4dSEric Biggers #include <crypto/internal/hash.h> 36059c2a4dSEric Biggers #include <crypto/internal/skcipher.h> 37059c2a4dSEric Biggers #include <crypto/nhpoly1305.h> 38059c2a4dSEric Biggers #include <crypto/scatterwalk.h> 39059c2a4dSEric Biggers #include <linux/module.h> 40059c2a4dSEric Biggers 41059c2a4dSEric Biggers #include "internal.h" 42059c2a4dSEric Biggers 43059c2a4dSEric Biggers /* 44c6018e1aSEric Biggers * Size of right-hand part of input data, in bytes; also the size of the block 45059c2a4dSEric Biggers * cipher's block size and the hash function's output. 46059c2a4dSEric Biggers */ 47059c2a4dSEric Biggers #define BLOCKCIPHER_BLOCK_SIZE 16 48059c2a4dSEric Biggers 49059c2a4dSEric Biggers /* Size of the block cipher key (K_E) in bytes */ 50059c2a4dSEric Biggers #define BLOCKCIPHER_KEY_SIZE 32 51059c2a4dSEric Biggers 52059c2a4dSEric Biggers /* Size of the hash key (K_H) in bytes */ 53059c2a4dSEric Biggers #define HASH_KEY_SIZE (POLY1305_BLOCK_SIZE + NHPOLY1305_KEY_SIZE) 54059c2a4dSEric Biggers 55059c2a4dSEric Biggers /* 56059c2a4dSEric Biggers * The specification allows variable-length tweaks, but Linux's crypto API 57059c2a4dSEric Biggers * currently only allows algorithms to support a single length. The "natural" 58059c2a4dSEric Biggers * tweak length for Adiantum is 16, since that fits into one Poly1305 block for 59059c2a4dSEric Biggers * the best performance. But longer tweaks are useful for fscrypt, to avoid 60059c2a4dSEric Biggers * needing to derive per-file keys. So instead we use two blocks, or 32 bytes. 61059c2a4dSEric Biggers */ 62059c2a4dSEric Biggers #define TWEAK_SIZE 32 63059c2a4dSEric Biggers 64059c2a4dSEric Biggers struct adiantum_instance_ctx { 65059c2a4dSEric Biggers struct crypto_skcipher_spawn streamcipher_spawn; 66059c2a4dSEric Biggers struct crypto_spawn blockcipher_spawn; 67059c2a4dSEric Biggers struct crypto_shash_spawn hash_spawn; 68059c2a4dSEric Biggers }; 69059c2a4dSEric Biggers 70059c2a4dSEric Biggers struct adiantum_tfm_ctx { 71059c2a4dSEric Biggers struct crypto_skcipher *streamcipher; 72059c2a4dSEric Biggers struct crypto_cipher *blockcipher; 73059c2a4dSEric Biggers struct crypto_shash *hash; 74059c2a4dSEric Biggers struct poly1305_key header_hash_key; 75059c2a4dSEric Biggers }; 76059c2a4dSEric Biggers 77059c2a4dSEric Biggers struct adiantum_request_ctx { 78059c2a4dSEric Biggers 79059c2a4dSEric Biggers /* 80c6018e1aSEric Biggers * Buffer for right-hand part of data, i.e. 81059c2a4dSEric Biggers * 82059c2a4dSEric Biggers * P_L => P_M => C_M => C_R when encrypting, or 83059c2a4dSEric Biggers * C_R => C_M => P_M => P_L when decrypting. 84059c2a4dSEric Biggers * 85059c2a4dSEric Biggers * Also used to build the IV for the stream cipher. 86059c2a4dSEric Biggers */ 87059c2a4dSEric Biggers union { 88059c2a4dSEric Biggers u8 bytes[XCHACHA_IV_SIZE]; 89059c2a4dSEric Biggers __le32 words[XCHACHA_IV_SIZE / sizeof(__le32)]; 90059c2a4dSEric Biggers le128 bignum; /* interpret as element of Z/(2^{128}Z) */ 91059c2a4dSEric Biggers } rbuf; 92059c2a4dSEric Biggers 93059c2a4dSEric Biggers bool enc; /* true if encrypting, false if decrypting */ 94059c2a4dSEric Biggers 95059c2a4dSEric Biggers /* 96c6018e1aSEric Biggers * The result of the Poly1305 ε-∆U hash function applied to 97c6018e1aSEric Biggers * (bulk length, tweak) 98059c2a4dSEric Biggers */ 99059c2a4dSEric Biggers le128 header_hash; 100059c2a4dSEric Biggers 101059c2a4dSEric Biggers /* Sub-requests, must be last */ 102059c2a4dSEric Biggers union { 103059c2a4dSEric Biggers struct shash_desc hash_desc; 104059c2a4dSEric Biggers struct skcipher_request streamcipher_req; 105059c2a4dSEric Biggers } u; 106059c2a4dSEric Biggers }; 107059c2a4dSEric Biggers 108059c2a4dSEric Biggers /* 109059c2a4dSEric Biggers * Given the XChaCha stream key K_S, derive the block cipher key K_E and the 110059c2a4dSEric Biggers * hash key K_H as follows: 111059c2a4dSEric Biggers * 112059c2a4dSEric Biggers * K_E || K_H || ... = XChaCha(key=K_S, nonce=1||0^191) 113059c2a4dSEric Biggers * 114059c2a4dSEric Biggers * Note that this denotes using bits from the XChaCha keystream, which here we 115059c2a4dSEric Biggers * get indirectly by encrypting a buffer containing all 0's. 116059c2a4dSEric Biggers */ 117059c2a4dSEric Biggers static int adiantum_setkey(struct crypto_skcipher *tfm, const u8 *key, 118059c2a4dSEric Biggers unsigned int keylen) 119059c2a4dSEric Biggers { 120059c2a4dSEric Biggers struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm); 121059c2a4dSEric Biggers struct { 122059c2a4dSEric Biggers u8 iv[XCHACHA_IV_SIZE]; 123059c2a4dSEric Biggers u8 derived_keys[BLOCKCIPHER_KEY_SIZE + HASH_KEY_SIZE]; 124059c2a4dSEric Biggers struct scatterlist sg; 125059c2a4dSEric Biggers struct crypto_wait wait; 126059c2a4dSEric Biggers struct skcipher_request req; /* must be last */ 127059c2a4dSEric Biggers } *data; 128059c2a4dSEric Biggers u8 *keyp; 129059c2a4dSEric Biggers int err; 130059c2a4dSEric Biggers 131059c2a4dSEric Biggers /* Set the stream cipher key (K_S) */ 132059c2a4dSEric Biggers crypto_skcipher_clear_flags(tctx->streamcipher, CRYPTO_TFM_REQ_MASK); 133059c2a4dSEric Biggers crypto_skcipher_set_flags(tctx->streamcipher, 134059c2a4dSEric Biggers crypto_skcipher_get_flags(tfm) & 135059c2a4dSEric Biggers CRYPTO_TFM_REQ_MASK); 136059c2a4dSEric Biggers err = crypto_skcipher_setkey(tctx->streamcipher, key, keylen); 137059c2a4dSEric Biggers crypto_skcipher_set_flags(tfm, 138059c2a4dSEric Biggers crypto_skcipher_get_flags(tctx->streamcipher) & 139059c2a4dSEric Biggers CRYPTO_TFM_RES_MASK); 140059c2a4dSEric Biggers if (err) 141059c2a4dSEric Biggers return err; 142059c2a4dSEric Biggers 143059c2a4dSEric Biggers /* Derive the subkeys */ 144059c2a4dSEric Biggers data = kzalloc(sizeof(*data) + 145059c2a4dSEric Biggers crypto_skcipher_reqsize(tctx->streamcipher), GFP_KERNEL); 146059c2a4dSEric Biggers if (!data) 147059c2a4dSEric Biggers return -ENOMEM; 148059c2a4dSEric Biggers data->iv[0] = 1; 149059c2a4dSEric Biggers sg_init_one(&data->sg, data->derived_keys, sizeof(data->derived_keys)); 150059c2a4dSEric Biggers crypto_init_wait(&data->wait); 151059c2a4dSEric Biggers skcipher_request_set_tfm(&data->req, tctx->streamcipher); 152059c2a4dSEric Biggers skcipher_request_set_callback(&data->req, CRYPTO_TFM_REQ_MAY_SLEEP | 153059c2a4dSEric Biggers CRYPTO_TFM_REQ_MAY_BACKLOG, 154059c2a4dSEric Biggers crypto_req_done, &data->wait); 155059c2a4dSEric Biggers skcipher_request_set_crypt(&data->req, &data->sg, &data->sg, 156059c2a4dSEric Biggers sizeof(data->derived_keys), data->iv); 157059c2a4dSEric Biggers err = crypto_wait_req(crypto_skcipher_encrypt(&data->req), &data->wait); 158059c2a4dSEric Biggers if (err) 159059c2a4dSEric Biggers goto out; 160059c2a4dSEric Biggers keyp = data->derived_keys; 161059c2a4dSEric Biggers 162059c2a4dSEric Biggers /* Set the block cipher key (K_E) */ 163059c2a4dSEric Biggers crypto_cipher_clear_flags(tctx->blockcipher, CRYPTO_TFM_REQ_MASK); 164059c2a4dSEric Biggers crypto_cipher_set_flags(tctx->blockcipher, 165059c2a4dSEric Biggers crypto_skcipher_get_flags(tfm) & 166059c2a4dSEric Biggers CRYPTO_TFM_REQ_MASK); 167059c2a4dSEric Biggers err = crypto_cipher_setkey(tctx->blockcipher, keyp, 168059c2a4dSEric Biggers BLOCKCIPHER_KEY_SIZE); 169059c2a4dSEric Biggers crypto_skcipher_set_flags(tfm, 170059c2a4dSEric Biggers crypto_cipher_get_flags(tctx->blockcipher) & 171059c2a4dSEric Biggers CRYPTO_TFM_RES_MASK); 172059c2a4dSEric Biggers if (err) 173059c2a4dSEric Biggers goto out; 174059c2a4dSEric Biggers keyp += BLOCKCIPHER_KEY_SIZE; 175059c2a4dSEric Biggers 176059c2a4dSEric Biggers /* Set the hash key (K_H) */ 177059c2a4dSEric Biggers poly1305_core_setkey(&tctx->header_hash_key, keyp); 178059c2a4dSEric Biggers keyp += POLY1305_BLOCK_SIZE; 179059c2a4dSEric Biggers 180059c2a4dSEric Biggers crypto_shash_clear_flags(tctx->hash, CRYPTO_TFM_REQ_MASK); 181059c2a4dSEric Biggers crypto_shash_set_flags(tctx->hash, crypto_skcipher_get_flags(tfm) & 182059c2a4dSEric Biggers CRYPTO_TFM_REQ_MASK); 183059c2a4dSEric Biggers err = crypto_shash_setkey(tctx->hash, keyp, NHPOLY1305_KEY_SIZE); 184059c2a4dSEric Biggers crypto_skcipher_set_flags(tfm, crypto_shash_get_flags(tctx->hash) & 185059c2a4dSEric Biggers CRYPTO_TFM_RES_MASK); 186059c2a4dSEric Biggers keyp += NHPOLY1305_KEY_SIZE; 187059c2a4dSEric Biggers WARN_ON(keyp != &data->derived_keys[ARRAY_SIZE(data->derived_keys)]); 188059c2a4dSEric Biggers out: 189059c2a4dSEric Biggers kzfree(data); 190059c2a4dSEric Biggers return err; 191059c2a4dSEric Biggers } 192059c2a4dSEric Biggers 193059c2a4dSEric Biggers /* Addition in Z/(2^{128}Z) */ 194059c2a4dSEric Biggers static inline void le128_add(le128 *r, const le128 *v1, const le128 *v2) 195059c2a4dSEric Biggers { 196059c2a4dSEric Biggers u64 x = le64_to_cpu(v1->b); 197059c2a4dSEric Biggers u64 y = le64_to_cpu(v2->b); 198059c2a4dSEric Biggers 199059c2a4dSEric Biggers r->b = cpu_to_le64(x + y); 200059c2a4dSEric Biggers r->a = cpu_to_le64(le64_to_cpu(v1->a) + le64_to_cpu(v2->a) + 201059c2a4dSEric Biggers (x + y < x)); 202059c2a4dSEric Biggers } 203059c2a4dSEric Biggers 204059c2a4dSEric Biggers /* Subtraction in Z/(2^{128}Z) */ 205059c2a4dSEric Biggers static inline void le128_sub(le128 *r, const le128 *v1, const le128 *v2) 206059c2a4dSEric Biggers { 207059c2a4dSEric Biggers u64 x = le64_to_cpu(v1->b); 208059c2a4dSEric Biggers u64 y = le64_to_cpu(v2->b); 209059c2a4dSEric Biggers 210059c2a4dSEric Biggers r->b = cpu_to_le64(x - y); 211059c2a4dSEric Biggers r->a = cpu_to_le64(le64_to_cpu(v1->a) - le64_to_cpu(v2->a) - 212059c2a4dSEric Biggers (x - y > x)); 213059c2a4dSEric Biggers } 214059c2a4dSEric Biggers 215059c2a4dSEric Biggers /* 216c6018e1aSEric Biggers * Apply the Poly1305 ε-∆U hash function to (bulk length, tweak) and save the 217c6018e1aSEric Biggers * result to rctx->header_hash. This is the calculation 218059c2a4dSEric Biggers * 219c6018e1aSEric Biggers * H_T ← Poly1305_{K_T}(bin_{128}(|L|) || T) 220c6018e1aSEric Biggers * 221c6018e1aSEric Biggers * from the procedure in section 6.4 of the Adiantum paper. The resulting value 222c6018e1aSEric Biggers * is reused in both the first and second hash steps. Specifically, it's added 223c6018e1aSEric Biggers * to the result of an independently keyed ε-∆U hash function (for equal length 224c6018e1aSEric Biggers * inputs only) taken over the left-hand part (the "bulk") of the message, to 225c6018e1aSEric Biggers * give the overall Adiantum hash of the (tweak, left-hand part) pair. 226059c2a4dSEric Biggers */ 227059c2a4dSEric Biggers static void adiantum_hash_header(struct skcipher_request *req) 228059c2a4dSEric Biggers { 229059c2a4dSEric Biggers struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 230059c2a4dSEric Biggers const struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm); 231059c2a4dSEric Biggers struct adiantum_request_ctx *rctx = skcipher_request_ctx(req); 232059c2a4dSEric Biggers const unsigned int bulk_len = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE; 233059c2a4dSEric Biggers struct { 234059c2a4dSEric Biggers __le64 message_bits; 235059c2a4dSEric Biggers __le64 padding; 236059c2a4dSEric Biggers } header = { 237059c2a4dSEric Biggers .message_bits = cpu_to_le64((u64)bulk_len * 8) 238059c2a4dSEric Biggers }; 239059c2a4dSEric Biggers struct poly1305_state state; 240059c2a4dSEric Biggers 241059c2a4dSEric Biggers poly1305_core_init(&state); 242059c2a4dSEric Biggers 243059c2a4dSEric Biggers BUILD_BUG_ON(sizeof(header) % POLY1305_BLOCK_SIZE != 0); 244059c2a4dSEric Biggers poly1305_core_blocks(&state, &tctx->header_hash_key, 245059c2a4dSEric Biggers &header, sizeof(header) / POLY1305_BLOCK_SIZE); 246059c2a4dSEric Biggers 247059c2a4dSEric Biggers BUILD_BUG_ON(TWEAK_SIZE % POLY1305_BLOCK_SIZE != 0); 248059c2a4dSEric Biggers poly1305_core_blocks(&state, &tctx->header_hash_key, req->iv, 249059c2a4dSEric Biggers TWEAK_SIZE / POLY1305_BLOCK_SIZE); 250059c2a4dSEric Biggers 251059c2a4dSEric Biggers poly1305_core_emit(&state, &rctx->header_hash); 252059c2a4dSEric Biggers } 253059c2a4dSEric Biggers 254c6018e1aSEric Biggers /* Hash the left-hand part (the "bulk") of the message using NHPoly1305 */ 255059c2a4dSEric Biggers static int adiantum_hash_message(struct skcipher_request *req, 256059c2a4dSEric Biggers struct scatterlist *sgl, le128 *digest) 257059c2a4dSEric Biggers { 258059c2a4dSEric Biggers struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 259059c2a4dSEric Biggers const struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm); 260059c2a4dSEric Biggers struct adiantum_request_ctx *rctx = skcipher_request_ctx(req); 261059c2a4dSEric Biggers const unsigned int bulk_len = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE; 262059c2a4dSEric Biggers struct shash_desc *hash_desc = &rctx->u.hash_desc; 263059c2a4dSEric Biggers struct sg_mapping_iter miter; 264059c2a4dSEric Biggers unsigned int i, n; 265059c2a4dSEric Biggers int err; 266059c2a4dSEric Biggers 267059c2a4dSEric Biggers hash_desc->tfm = tctx->hash; 268059c2a4dSEric Biggers hash_desc->flags = 0; 269059c2a4dSEric Biggers 270059c2a4dSEric Biggers err = crypto_shash_init(hash_desc); 271059c2a4dSEric Biggers if (err) 272059c2a4dSEric Biggers return err; 273059c2a4dSEric Biggers 274059c2a4dSEric Biggers sg_miter_start(&miter, sgl, sg_nents(sgl), 275059c2a4dSEric Biggers SG_MITER_FROM_SG | SG_MITER_ATOMIC); 276059c2a4dSEric Biggers for (i = 0; i < bulk_len; i += n) { 277059c2a4dSEric Biggers sg_miter_next(&miter); 278059c2a4dSEric Biggers n = min_t(unsigned int, miter.length, bulk_len - i); 279059c2a4dSEric Biggers err = crypto_shash_update(hash_desc, miter.addr, n); 280059c2a4dSEric Biggers if (err) 281059c2a4dSEric Biggers break; 282059c2a4dSEric Biggers } 283059c2a4dSEric Biggers sg_miter_stop(&miter); 284059c2a4dSEric Biggers if (err) 285059c2a4dSEric Biggers return err; 286059c2a4dSEric Biggers 287059c2a4dSEric Biggers return crypto_shash_final(hash_desc, (u8 *)digest); 288059c2a4dSEric Biggers } 289059c2a4dSEric Biggers 290059c2a4dSEric Biggers /* Continue Adiantum encryption/decryption after the stream cipher step */ 291059c2a4dSEric Biggers static int adiantum_finish(struct skcipher_request *req) 292059c2a4dSEric Biggers { 293059c2a4dSEric Biggers struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 294059c2a4dSEric Biggers const struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm); 295059c2a4dSEric Biggers struct adiantum_request_ctx *rctx = skcipher_request_ctx(req); 296059c2a4dSEric Biggers const unsigned int bulk_len = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE; 297059c2a4dSEric Biggers le128 digest; 298059c2a4dSEric Biggers int err; 299059c2a4dSEric Biggers 300059c2a4dSEric Biggers /* If decrypting, decrypt C_M with the block cipher to get P_M */ 301059c2a4dSEric Biggers if (!rctx->enc) 302059c2a4dSEric Biggers crypto_cipher_decrypt_one(tctx->blockcipher, rctx->rbuf.bytes, 303059c2a4dSEric Biggers rctx->rbuf.bytes); 304059c2a4dSEric Biggers 305059c2a4dSEric Biggers /* 306059c2a4dSEric Biggers * Second hash step 307059c2a4dSEric Biggers * enc: C_R = C_M - H_{K_H}(T, C_L) 308059c2a4dSEric Biggers * dec: P_R = P_M - H_{K_H}(T, P_L) 309059c2a4dSEric Biggers */ 310059c2a4dSEric Biggers err = adiantum_hash_message(req, req->dst, &digest); 311059c2a4dSEric Biggers if (err) 312059c2a4dSEric Biggers return err; 313059c2a4dSEric Biggers le128_add(&digest, &digest, &rctx->header_hash); 314059c2a4dSEric Biggers le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest); 315059c2a4dSEric Biggers scatterwalk_map_and_copy(&rctx->rbuf.bignum, req->dst, 316059c2a4dSEric Biggers bulk_len, BLOCKCIPHER_BLOCK_SIZE, 1); 317059c2a4dSEric Biggers return 0; 318059c2a4dSEric Biggers } 319059c2a4dSEric Biggers 320059c2a4dSEric Biggers static void adiantum_streamcipher_done(struct crypto_async_request *areq, 321059c2a4dSEric Biggers int err) 322059c2a4dSEric Biggers { 323059c2a4dSEric Biggers struct skcipher_request *req = areq->data; 324059c2a4dSEric Biggers 325059c2a4dSEric Biggers if (!err) 326059c2a4dSEric Biggers err = adiantum_finish(req); 327059c2a4dSEric Biggers 328059c2a4dSEric Biggers skcipher_request_complete(req, err); 329059c2a4dSEric Biggers } 330059c2a4dSEric Biggers 331059c2a4dSEric Biggers static int adiantum_crypt(struct skcipher_request *req, bool enc) 332059c2a4dSEric Biggers { 333059c2a4dSEric Biggers struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 334059c2a4dSEric Biggers const struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm); 335059c2a4dSEric Biggers struct adiantum_request_ctx *rctx = skcipher_request_ctx(req); 336059c2a4dSEric Biggers const unsigned int bulk_len = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE; 337059c2a4dSEric Biggers unsigned int stream_len; 338059c2a4dSEric Biggers le128 digest; 339059c2a4dSEric Biggers int err; 340059c2a4dSEric Biggers 341059c2a4dSEric Biggers if (req->cryptlen < BLOCKCIPHER_BLOCK_SIZE) 342059c2a4dSEric Biggers return -EINVAL; 343059c2a4dSEric Biggers 344059c2a4dSEric Biggers rctx->enc = enc; 345059c2a4dSEric Biggers 346059c2a4dSEric Biggers /* 347059c2a4dSEric Biggers * First hash step 348059c2a4dSEric Biggers * enc: P_M = P_R + H_{K_H}(T, P_L) 349059c2a4dSEric Biggers * dec: C_M = C_R + H_{K_H}(T, C_L) 350059c2a4dSEric Biggers */ 351059c2a4dSEric Biggers adiantum_hash_header(req); 352059c2a4dSEric Biggers err = adiantum_hash_message(req, req->src, &digest); 353059c2a4dSEric Biggers if (err) 354059c2a4dSEric Biggers return err; 355059c2a4dSEric Biggers le128_add(&digest, &digest, &rctx->header_hash); 356059c2a4dSEric Biggers scatterwalk_map_and_copy(&rctx->rbuf.bignum, req->src, 357059c2a4dSEric Biggers bulk_len, BLOCKCIPHER_BLOCK_SIZE, 0); 358059c2a4dSEric Biggers le128_add(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest); 359059c2a4dSEric Biggers 360059c2a4dSEric Biggers /* If encrypting, encrypt P_M with the block cipher to get C_M */ 361059c2a4dSEric Biggers if (enc) 362059c2a4dSEric Biggers crypto_cipher_encrypt_one(tctx->blockcipher, rctx->rbuf.bytes, 363059c2a4dSEric Biggers rctx->rbuf.bytes); 364059c2a4dSEric Biggers 365059c2a4dSEric Biggers /* Initialize the rest of the XChaCha IV (first part is C_M) */ 366059c2a4dSEric Biggers BUILD_BUG_ON(BLOCKCIPHER_BLOCK_SIZE != 16); 367059c2a4dSEric Biggers BUILD_BUG_ON(XCHACHA_IV_SIZE != 32); /* nonce || stream position */ 368059c2a4dSEric Biggers rctx->rbuf.words[4] = cpu_to_le32(1); 369059c2a4dSEric Biggers rctx->rbuf.words[5] = 0; 370059c2a4dSEric Biggers rctx->rbuf.words[6] = 0; 371059c2a4dSEric Biggers rctx->rbuf.words[7] = 0; 372059c2a4dSEric Biggers 373059c2a4dSEric Biggers /* 374059c2a4dSEric Biggers * XChaCha needs to be done on all the data except the last 16 bytes; 375059c2a4dSEric Biggers * for disk encryption that usually means 4080 or 496 bytes. But ChaCha 376059c2a4dSEric Biggers * implementations tend to be most efficient when passed a whole number 377059c2a4dSEric Biggers * of 64-byte ChaCha blocks, or sometimes even a multiple of 256 bytes. 378059c2a4dSEric Biggers * And here it doesn't matter whether the last 16 bytes are written to, 379059c2a4dSEric Biggers * as the second hash step will overwrite them. Thus, round the XChaCha 380059c2a4dSEric Biggers * length up to the next 64-byte boundary if possible. 381059c2a4dSEric Biggers */ 382059c2a4dSEric Biggers stream_len = bulk_len; 383059c2a4dSEric Biggers if (round_up(stream_len, CHACHA_BLOCK_SIZE) <= req->cryptlen) 384059c2a4dSEric Biggers stream_len = round_up(stream_len, CHACHA_BLOCK_SIZE); 385059c2a4dSEric Biggers 386059c2a4dSEric Biggers skcipher_request_set_tfm(&rctx->u.streamcipher_req, tctx->streamcipher); 387059c2a4dSEric Biggers skcipher_request_set_crypt(&rctx->u.streamcipher_req, req->src, 388059c2a4dSEric Biggers req->dst, stream_len, &rctx->rbuf); 389059c2a4dSEric Biggers skcipher_request_set_callback(&rctx->u.streamcipher_req, 390059c2a4dSEric Biggers req->base.flags, 391059c2a4dSEric Biggers adiantum_streamcipher_done, req); 392059c2a4dSEric Biggers return crypto_skcipher_encrypt(&rctx->u.streamcipher_req) ?: 393059c2a4dSEric Biggers adiantum_finish(req); 394059c2a4dSEric Biggers } 395059c2a4dSEric Biggers 396059c2a4dSEric Biggers static int adiantum_encrypt(struct skcipher_request *req) 397059c2a4dSEric Biggers { 398059c2a4dSEric Biggers return adiantum_crypt(req, true); 399059c2a4dSEric Biggers } 400059c2a4dSEric Biggers 401059c2a4dSEric Biggers static int adiantum_decrypt(struct skcipher_request *req) 402059c2a4dSEric Biggers { 403059c2a4dSEric Biggers return adiantum_crypt(req, false); 404059c2a4dSEric Biggers } 405059c2a4dSEric Biggers 406059c2a4dSEric Biggers static int adiantum_init_tfm(struct crypto_skcipher *tfm) 407059c2a4dSEric Biggers { 408059c2a4dSEric Biggers struct skcipher_instance *inst = skcipher_alg_instance(tfm); 409059c2a4dSEric Biggers struct adiantum_instance_ctx *ictx = skcipher_instance_ctx(inst); 410059c2a4dSEric Biggers struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm); 411059c2a4dSEric Biggers struct crypto_skcipher *streamcipher; 412059c2a4dSEric Biggers struct crypto_cipher *blockcipher; 413059c2a4dSEric Biggers struct crypto_shash *hash; 414059c2a4dSEric Biggers unsigned int subreq_size; 415059c2a4dSEric Biggers int err; 416059c2a4dSEric Biggers 417059c2a4dSEric Biggers streamcipher = crypto_spawn_skcipher(&ictx->streamcipher_spawn); 418059c2a4dSEric Biggers if (IS_ERR(streamcipher)) 419059c2a4dSEric Biggers return PTR_ERR(streamcipher); 420059c2a4dSEric Biggers 421059c2a4dSEric Biggers blockcipher = crypto_spawn_cipher(&ictx->blockcipher_spawn); 422059c2a4dSEric Biggers if (IS_ERR(blockcipher)) { 423059c2a4dSEric Biggers err = PTR_ERR(blockcipher); 424059c2a4dSEric Biggers goto err_free_streamcipher; 425059c2a4dSEric Biggers } 426059c2a4dSEric Biggers 427059c2a4dSEric Biggers hash = crypto_spawn_shash(&ictx->hash_spawn); 428059c2a4dSEric Biggers if (IS_ERR(hash)) { 429059c2a4dSEric Biggers err = PTR_ERR(hash); 430059c2a4dSEric Biggers goto err_free_blockcipher; 431059c2a4dSEric Biggers } 432059c2a4dSEric Biggers 433059c2a4dSEric Biggers tctx->streamcipher = streamcipher; 434059c2a4dSEric Biggers tctx->blockcipher = blockcipher; 435059c2a4dSEric Biggers tctx->hash = hash; 436059c2a4dSEric Biggers 437059c2a4dSEric Biggers BUILD_BUG_ON(offsetofend(struct adiantum_request_ctx, u) != 438059c2a4dSEric Biggers sizeof(struct adiantum_request_ctx)); 439059c2a4dSEric Biggers subreq_size = max(FIELD_SIZEOF(struct adiantum_request_ctx, 440059c2a4dSEric Biggers u.hash_desc) + 441059c2a4dSEric Biggers crypto_shash_descsize(hash), 442059c2a4dSEric Biggers FIELD_SIZEOF(struct adiantum_request_ctx, 443059c2a4dSEric Biggers u.streamcipher_req) + 444059c2a4dSEric Biggers crypto_skcipher_reqsize(streamcipher)); 445059c2a4dSEric Biggers 446059c2a4dSEric Biggers crypto_skcipher_set_reqsize(tfm, 447059c2a4dSEric Biggers offsetof(struct adiantum_request_ctx, u) + 448059c2a4dSEric Biggers subreq_size); 449059c2a4dSEric Biggers return 0; 450059c2a4dSEric Biggers 451059c2a4dSEric Biggers err_free_blockcipher: 452059c2a4dSEric Biggers crypto_free_cipher(blockcipher); 453059c2a4dSEric Biggers err_free_streamcipher: 454059c2a4dSEric Biggers crypto_free_skcipher(streamcipher); 455059c2a4dSEric Biggers return err; 456059c2a4dSEric Biggers } 457059c2a4dSEric Biggers 458059c2a4dSEric Biggers static void adiantum_exit_tfm(struct crypto_skcipher *tfm) 459059c2a4dSEric Biggers { 460059c2a4dSEric Biggers struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm); 461059c2a4dSEric Biggers 462059c2a4dSEric Biggers crypto_free_skcipher(tctx->streamcipher); 463059c2a4dSEric Biggers crypto_free_cipher(tctx->blockcipher); 464059c2a4dSEric Biggers crypto_free_shash(tctx->hash); 465059c2a4dSEric Biggers } 466059c2a4dSEric Biggers 467059c2a4dSEric Biggers static void adiantum_free_instance(struct skcipher_instance *inst) 468059c2a4dSEric Biggers { 469059c2a4dSEric Biggers struct adiantum_instance_ctx *ictx = skcipher_instance_ctx(inst); 470059c2a4dSEric Biggers 471059c2a4dSEric Biggers crypto_drop_skcipher(&ictx->streamcipher_spawn); 472059c2a4dSEric Biggers crypto_drop_spawn(&ictx->blockcipher_spawn); 473059c2a4dSEric Biggers crypto_drop_shash(&ictx->hash_spawn); 474059c2a4dSEric Biggers kfree(inst); 475059c2a4dSEric Biggers } 476059c2a4dSEric Biggers 477059c2a4dSEric Biggers /* 478059c2a4dSEric Biggers * Check for a supported set of inner algorithms. 479059c2a4dSEric Biggers * See the comment at the beginning of this file. 480059c2a4dSEric Biggers */ 481059c2a4dSEric Biggers static bool adiantum_supported_algorithms(struct skcipher_alg *streamcipher_alg, 482059c2a4dSEric Biggers struct crypto_alg *blockcipher_alg, 483059c2a4dSEric Biggers struct shash_alg *hash_alg) 484059c2a4dSEric Biggers { 485059c2a4dSEric Biggers if (strcmp(streamcipher_alg->base.cra_name, "xchacha12") != 0 && 486059c2a4dSEric Biggers strcmp(streamcipher_alg->base.cra_name, "xchacha20") != 0) 487059c2a4dSEric Biggers return false; 488059c2a4dSEric Biggers 489059c2a4dSEric Biggers if (blockcipher_alg->cra_cipher.cia_min_keysize > BLOCKCIPHER_KEY_SIZE || 490059c2a4dSEric Biggers blockcipher_alg->cra_cipher.cia_max_keysize < BLOCKCIPHER_KEY_SIZE) 491059c2a4dSEric Biggers return false; 492059c2a4dSEric Biggers if (blockcipher_alg->cra_blocksize != BLOCKCIPHER_BLOCK_SIZE) 493059c2a4dSEric Biggers return false; 494059c2a4dSEric Biggers 495059c2a4dSEric Biggers if (strcmp(hash_alg->base.cra_name, "nhpoly1305") != 0) 496059c2a4dSEric Biggers return false; 497059c2a4dSEric Biggers 498059c2a4dSEric Biggers return true; 499059c2a4dSEric Biggers } 500059c2a4dSEric Biggers 501059c2a4dSEric Biggers static int adiantum_create(struct crypto_template *tmpl, struct rtattr **tb) 502059c2a4dSEric Biggers { 503059c2a4dSEric Biggers struct crypto_attr_type *algt; 504059c2a4dSEric Biggers const char *streamcipher_name; 505059c2a4dSEric Biggers const char *blockcipher_name; 506059c2a4dSEric Biggers const char *nhpoly1305_name; 507059c2a4dSEric Biggers struct skcipher_instance *inst; 508059c2a4dSEric Biggers struct adiantum_instance_ctx *ictx; 509059c2a4dSEric Biggers struct skcipher_alg *streamcipher_alg; 510059c2a4dSEric Biggers struct crypto_alg *blockcipher_alg; 511059c2a4dSEric Biggers struct crypto_alg *_hash_alg; 512059c2a4dSEric Biggers struct shash_alg *hash_alg; 513059c2a4dSEric Biggers int err; 514059c2a4dSEric Biggers 515059c2a4dSEric Biggers algt = crypto_get_attr_type(tb); 516059c2a4dSEric Biggers if (IS_ERR(algt)) 517059c2a4dSEric Biggers return PTR_ERR(algt); 518059c2a4dSEric Biggers 519059c2a4dSEric Biggers if ((algt->type ^ CRYPTO_ALG_TYPE_SKCIPHER) & algt->mask) 520059c2a4dSEric Biggers return -EINVAL; 521059c2a4dSEric Biggers 522059c2a4dSEric Biggers streamcipher_name = crypto_attr_alg_name(tb[1]); 523059c2a4dSEric Biggers if (IS_ERR(streamcipher_name)) 524059c2a4dSEric Biggers return PTR_ERR(streamcipher_name); 525059c2a4dSEric Biggers 526059c2a4dSEric Biggers blockcipher_name = crypto_attr_alg_name(tb[2]); 527059c2a4dSEric Biggers if (IS_ERR(blockcipher_name)) 528059c2a4dSEric Biggers return PTR_ERR(blockcipher_name); 529059c2a4dSEric Biggers 530059c2a4dSEric Biggers nhpoly1305_name = crypto_attr_alg_name(tb[3]); 531059c2a4dSEric Biggers if (nhpoly1305_name == ERR_PTR(-ENOENT)) 532059c2a4dSEric Biggers nhpoly1305_name = "nhpoly1305"; 533059c2a4dSEric Biggers if (IS_ERR(nhpoly1305_name)) 534059c2a4dSEric Biggers return PTR_ERR(nhpoly1305_name); 535059c2a4dSEric Biggers 536059c2a4dSEric Biggers inst = kzalloc(sizeof(*inst) + sizeof(*ictx), GFP_KERNEL); 537059c2a4dSEric Biggers if (!inst) 538059c2a4dSEric Biggers return -ENOMEM; 539059c2a4dSEric Biggers ictx = skcipher_instance_ctx(inst); 540059c2a4dSEric Biggers 541059c2a4dSEric Biggers /* Stream cipher, e.g. "xchacha12" */ 5426db43410SEric Biggers crypto_set_skcipher_spawn(&ictx->streamcipher_spawn, 5436db43410SEric Biggers skcipher_crypto_instance(inst)); 544059c2a4dSEric Biggers err = crypto_grab_skcipher(&ictx->streamcipher_spawn, streamcipher_name, 545059c2a4dSEric Biggers 0, crypto_requires_sync(algt->type, 546059c2a4dSEric Biggers algt->mask)); 547059c2a4dSEric Biggers if (err) 548059c2a4dSEric Biggers goto out_free_inst; 549059c2a4dSEric Biggers streamcipher_alg = crypto_spawn_skcipher_alg(&ictx->streamcipher_spawn); 550059c2a4dSEric Biggers 551059c2a4dSEric Biggers /* Block cipher, e.g. "aes" */ 5526db43410SEric Biggers crypto_set_spawn(&ictx->blockcipher_spawn, 5536db43410SEric Biggers skcipher_crypto_instance(inst)); 554059c2a4dSEric Biggers err = crypto_grab_spawn(&ictx->blockcipher_spawn, blockcipher_name, 555059c2a4dSEric Biggers CRYPTO_ALG_TYPE_CIPHER, CRYPTO_ALG_TYPE_MASK); 556059c2a4dSEric Biggers if (err) 557059c2a4dSEric Biggers goto out_drop_streamcipher; 558059c2a4dSEric Biggers blockcipher_alg = ictx->blockcipher_spawn.alg; 559059c2a4dSEric Biggers 560c6018e1aSEric Biggers /* NHPoly1305 ε-∆U hash function */ 561059c2a4dSEric Biggers _hash_alg = crypto_alg_mod_lookup(nhpoly1305_name, 562059c2a4dSEric Biggers CRYPTO_ALG_TYPE_SHASH, 563059c2a4dSEric Biggers CRYPTO_ALG_TYPE_MASK); 564059c2a4dSEric Biggers if (IS_ERR(_hash_alg)) { 565059c2a4dSEric Biggers err = PTR_ERR(_hash_alg); 566059c2a4dSEric Biggers goto out_drop_blockcipher; 567059c2a4dSEric Biggers } 568059c2a4dSEric Biggers hash_alg = __crypto_shash_alg(_hash_alg); 569059c2a4dSEric Biggers err = crypto_init_shash_spawn(&ictx->hash_spawn, hash_alg, 570059c2a4dSEric Biggers skcipher_crypto_instance(inst)); 57100c9fe37SEric Biggers if (err) 57200c9fe37SEric Biggers goto out_put_hash; 573059c2a4dSEric Biggers 574059c2a4dSEric Biggers /* Check the set of algorithms */ 575059c2a4dSEric Biggers if (!adiantum_supported_algorithms(streamcipher_alg, blockcipher_alg, 576059c2a4dSEric Biggers hash_alg)) { 577059c2a4dSEric Biggers pr_warn("Unsupported Adiantum instantiation: (%s,%s,%s)\n", 578059c2a4dSEric Biggers streamcipher_alg->base.cra_name, 579059c2a4dSEric Biggers blockcipher_alg->cra_name, hash_alg->base.cra_name); 580059c2a4dSEric Biggers err = -EINVAL; 581059c2a4dSEric Biggers goto out_drop_hash; 582059c2a4dSEric Biggers } 583059c2a4dSEric Biggers 584059c2a4dSEric Biggers /* Instance fields */ 585059c2a4dSEric Biggers 586059c2a4dSEric Biggers err = -ENAMETOOLONG; 587059c2a4dSEric Biggers if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME, 588059c2a4dSEric Biggers "adiantum(%s,%s)", streamcipher_alg->base.cra_name, 589059c2a4dSEric Biggers blockcipher_alg->cra_name) >= CRYPTO_MAX_ALG_NAME) 590059c2a4dSEric Biggers goto out_drop_hash; 591059c2a4dSEric Biggers if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, 592059c2a4dSEric Biggers "adiantum(%s,%s,%s)", 593059c2a4dSEric Biggers streamcipher_alg->base.cra_driver_name, 594059c2a4dSEric Biggers blockcipher_alg->cra_driver_name, 595059c2a4dSEric Biggers hash_alg->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME) 596059c2a4dSEric Biggers goto out_drop_hash; 597059c2a4dSEric Biggers 598b299362eSEric Biggers inst->alg.base.cra_flags = streamcipher_alg->base.cra_flags & 599b299362eSEric Biggers CRYPTO_ALG_ASYNC; 600059c2a4dSEric Biggers inst->alg.base.cra_blocksize = BLOCKCIPHER_BLOCK_SIZE; 601059c2a4dSEric Biggers inst->alg.base.cra_ctxsize = sizeof(struct adiantum_tfm_ctx); 602059c2a4dSEric Biggers inst->alg.base.cra_alignmask = streamcipher_alg->base.cra_alignmask | 603059c2a4dSEric Biggers hash_alg->base.cra_alignmask; 604059c2a4dSEric Biggers /* 605059c2a4dSEric Biggers * The block cipher is only invoked once per message, so for long 606059c2a4dSEric Biggers * messages (e.g. sectors for disk encryption) its performance doesn't 607059c2a4dSEric Biggers * matter as much as that of the stream cipher and hash function. Thus, 608059c2a4dSEric Biggers * weigh the block cipher's ->cra_priority less. 609059c2a4dSEric Biggers */ 610059c2a4dSEric Biggers inst->alg.base.cra_priority = (4 * streamcipher_alg->base.cra_priority + 611059c2a4dSEric Biggers 2 * hash_alg->base.cra_priority + 612059c2a4dSEric Biggers blockcipher_alg->cra_priority) / 7; 613059c2a4dSEric Biggers 614059c2a4dSEric Biggers inst->alg.setkey = adiantum_setkey; 615059c2a4dSEric Biggers inst->alg.encrypt = adiantum_encrypt; 616059c2a4dSEric Biggers inst->alg.decrypt = adiantum_decrypt; 617059c2a4dSEric Biggers inst->alg.init = adiantum_init_tfm; 618059c2a4dSEric Biggers inst->alg.exit = adiantum_exit_tfm; 619059c2a4dSEric Biggers inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(streamcipher_alg); 620059c2a4dSEric Biggers inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(streamcipher_alg); 621059c2a4dSEric Biggers inst->alg.ivsize = TWEAK_SIZE; 622059c2a4dSEric Biggers 623059c2a4dSEric Biggers inst->free = adiantum_free_instance; 624059c2a4dSEric Biggers 625059c2a4dSEric Biggers err = skcipher_register_instance(tmpl, inst); 626059c2a4dSEric Biggers if (err) 627059c2a4dSEric Biggers goto out_drop_hash; 628059c2a4dSEric Biggers 62900c9fe37SEric Biggers crypto_mod_put(_hash_alg); 630059c2a4dSEric Biggers return 0; 631059c2a4dSEric Biggers 632059c2a4dSEric Biggers out_drop_hash: 633059c2a4dSEric Biggers crypto_drop_shash(&ictx->hash_spawn); 63400c9fe37SEric Biggers out_put_hash: 63500c9fe37SEric Biggers crypto_mod_put(_hash_alg); 636059c2a4dSEric Biggers out_drop_blockcipher: 637059c2a4dSEric Biggers crypto_drop_spawn(&ictx->blockcipher_spawn); 638059c2a4dSEric Biggers out_drop_streamcipher: 639059c2a4dSEric Biggers crypto_drop_skcipher(&ictx->streamcipher_spawn); 640059c2a4dSEric Biggers out_free_inst: 641059c2a4dSEric Biggers kfree(inst); 642059c2a4dSEric Biggers return err; 643059c2a4dSEric Biggers } 644059c2a4dSEric Biggers 645059c2a4dSEric Biggers /* adiantum(streamcipher_name, blockcipher_name [, nhpoly1305_name]) */ 646059c2a4dSEric Biggers static struct crypto_template adiantum_tmpl = { 647059c2a4dSEric Biggers .name = "adiantum", 648059c2a4dSEric Biggers .create = adiantum_create, 649059c2a4dSEric Biggers .module = THIS_MODULE, 650059c2a4dSEric Biggers }; 651059c2a4dSEric Biggers 652059c2a4dSEric Biggers static int __init adiantum_module_init(void) 653059c2a4dSEric Biggers { 654059c2a4dSEric Biggers return crypto_register_template(&adiantum_tmpl); 655059c2a4dSEric Biggers } 656059c2a4dSEric Biggers 657059c2a4dSEric Biggers static void __exit adiantum_module_exit(void) 658059c2a4dSEric Biggers { 659059c2a4dSEric Biggers crypto_unregister_template(&adiantum_tmpl); 660059c2a4dSEric Biggers } 661059c2a4dSEric Biggers 662059c2a4dSEric Biggers module_init(adiantum_module_init); 663059c2a4dSEric Biggers module_exit(adiantum_module_exit); 664059c2a4dSEric Biggers 665059c2a4dSEric Biggers MODULE_DESCRIPTION("Adiantum length-preserving encryption mode"); 666059c2a4dSEric Biggers MODULE_LICENSE("GPL v2"); 667059c2a4dSEric Biggers MODULE_AUTHOR("Eric Biggers <ebiggers@google.com>"); 668059c2a4dSEric Biggers MODULE_ALIAS_CRYPTO("adiantum"); 669