xref: /openbmc/linux/crypto/ctr.c (revision 07c7c6bf)
1 /*
2  * CTR: Counter mode
3  *
4  * (C) Copyright IBM Corp. 2007 - Joy Latten <latten@us.ibm.com>
5  *
6  * This program is free software; you can redistribute it and/or modify it
7  * under the terms of the GNU General Public License as published by the Free
8  * Software Foundation; either version 2 of the License, or (at your option)
9  * any later version.
10  *
11  */
12 
13 #include <crypto/algapi.h>
14 #include <crypto/ctr.h>
15 #include <crypto/internal/skcipher.h>
16 #include <linux/err.h>
17 #include <linux/init.h>
18 #include <linux/kernel.h>
19 #include <linux/module.h>
20 #include <linux/slab.h>
21 
22 struct crypto_rfc3686_ctx {
23 	struct crypto_skcipher *child;
24 	u8 nonce[CTR_RFC3686_NONCE_SIZE];
25 };
26 
27 struct crypto_rfc3686_req_ctx {
28 	u8 iv[CTR_RFC3686_BLOCK_SIZE];
29 	struct skcipher_request subreq CRYPTO_MINALIGN_ATTR;
30 };
31 
32 static void crypto_ctr_crypt_final(struct skcipher_walk *walk,
33 				   struct crypto_cipher *tfm)
34 {
35 	unsigned int bsize = crypto_cipher_blocksize(tfm);
36 	unsigned long alignmask = crypto_cipher_alignmask(tfm);
37 	u8 *ctrblk = walk->iv;
38 	u8 tmp[MAX_CIPHER_BLOCKSIZE + MAX_CIPHER_ALIGNMASK];
39 	u8 *keystream = PTR_ALIGN(tmp + 0, alignmask + 1);
40 	u8 *src = walk->src.virt.addr;
41 	u8 *dst = walk->dst.virt.addr;
42 	unsigned int nbytes = walk->nbytes;
43 
44 	crypto_cipher_encrypt_one(tfm, keystream, ctrblk);
45 	crypto_xor_cpy(dst, keystream, src, nbytes);
46 
47 	crypto_inc(ctrblk, bsize);
48 }
49 
50 static int crypto_ctr_crypt_segment(struct skcipher_walk *walk,
51 				    struct crypto_cipher *tfm)
52 {
53 	void (*fn)(struct crypto_tfm *, u8 *, const u8 *) =
54 		   crypto_cipher_alg(tfm)->cia_encrypt;
55 	unsigned int bsize = crypto_cipher_blocksize(tfm);
56 	u8 *ctrblk = walk->iv;
57 	u8 *src = walk->src.virt.addr;
58 	u8 *dst = walk->dst.virt.addr;
59 	unsigned int nbytes = walk->nbytes;
60 
61 	do {
62 		/* create keystream */
63 		fn(crypto_cipher_tfm(tfm), dst, ctrblk);
64 		crypto_xor(dst, src, bsize);
65 
66 		/* increment counter in counterblock */
67 		crypto_inc(ctrblk, bsize);
68 
69 		src += bsize;
70 		dst += bsize;
71 	} while ((nbytes -= bsize) >= bsize);
72 
73 	return nbytes;
74 }
75 
76 static int crypto_ctr_crypt_inplace(struct skcipher_walk *walk,
77 				    struct crypto_cipher *tfm)
78 {
79 	void (*fn)(struct crypto_tfm *, u8 *, const u8 *) =
80 		   crypto_cipher_alg(tfm)->cia_encrypt;
81 	unsigned int bsize = crypto_cipher_blocksize(tfm);
82 	unsigned long alignmask = crypto_cipher_alignmask(tfm);
83 	unsigned int nbytes = walk->nbytes;
84 	u8 *ctrblk = walk->iv;
85 	u8 *src = walk->src.virt.addr;
86 	u8 tmp[MAX_CIPHER_BLOCKSIZE + MAX_CIPHER_ALIGNMASK];
87 	u8 *keystream = PTR_ALIGN(tmp + 0, alignmask + 1);
88 
89 	do {
90 		/* create keystream */
91 		fn(crypto_cipher_tfm(tfm), keystream, ctrblk);
92 		crypto_xor(src, keystream, bsize);
93 
94 		/* increment counter in counterblock */
95 		crypto_inc(ctrblk, bsize);
96 
97 		src += bsize;
98 	} while ((nbytes -= bsize) >= bsize);
99 
100 	return nbytes;
101 }
102 
103 static int crypto_ctr_crypt(struct skcipher_request *req)
104 {
105 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
106 	struct crypto_cipher *cipher = skcipher_cipher_simple(tfm);
107 	const unsigned int bsize = crypto_cipher_blocksize(cipher);
108 	struct skcipher_walk walk;
109 	unsigned int nbytes;
110 	int err;
111 
112 	err = skcipher_walk_virt(&walk, req, false);
113 
114 	while (walk.nbytes >= bsize) {
115 		if (walk.src.virt.addr == walk.dst.virt.addr)
116 			nbytes = crypto_ctr_crypt_inplace(&walk, cipher);
117 		else
118 			nbytes = crypto_ctr_crypt_segment(&walk, cipher);
119 
120 		err = skcipher_walk_done(&walk, nbytes);
121 	}
122 
123 	if (walk.nbytes) {
124 		crypto_ctr_crypt_final(&walk, cipher);
125 		err = skcipher_walk_done(&walk, 0);
126 	}
127 
128 	return err;
129 }
130 
131 static int crypto_ctr_create(struct crypto_template *tmpl, struct rtattr **tb)
132 {
133 	struct skcipher_instance *inst;
134 	struct crypto_alg *alg;
135 	int err;
136 
137 	inst = skcipher_alloc_instance_simple(tmpl, tb, &alg);
138 	if (IS_ERR(inst))
139 		return PTR_ERR(inst);
140 
141 	/* Block size must be >= 4 bytes. */
142 	err = -EINVAL;
143 	if (alg->cra_blocksize < 4)
144 		goto out_free_inst;
145 
146 	/* If this is false we'd fail the alignment of crypto_inc. */
147 	if (alg->cra_blocksize % 4)
148 		goto out_free_inst;
149 
150 	/* CTR mode is a stream cipher. */
151 	inst->alg.base.cra_blocksize = 1;
152 
153 	/*
154 	 * To simplify the implementation, configure the skcipher walk to only
155 	 * give a partial block at the very end, never earlier.
156 	 */
157 	inst->alg.chunksize = alg->cra_blocksize;
158 
159 	inst->alg.encrypt = crypto_ctr_crypt;
160 	inst->alg.decrypt = crypto_ctr_crypt;
161 
162 	err = skcipher_register_instance(tmpl, inst);
163 	if (err)
164 		goto out_free_inst;
165 	goto out_put_alg;
166 
167 out_free_inst:
168 	inst->free(inst);
169 out_put_alg:
170 	crypto_mod_put(alg);
171 	return err;
172 }
173 
174 static int crypto_rfc3686_setkey(struct crypto_skcipher *parent,
175 				 const u8 *key, unsigned int keylen)
176 {
177 	struct crypto_rfc3686_ctx *ctx = crypto_skcipher_ctx(parent);
178 	struct crypto_skcipher *child = ctx->child;
179 	int err;
180 
181 	/* the nonce is stored in bytes at end of key */
182 	if (keylen < CTR_RFC3686_NONCE_SIZE)
183 		return -EINVAL;
184 
185 	memcpy(ctx->nonce, key + (keylen - CTR_RFC3686_NONCE_SIZE),
186 	       CTR_RFC3686_NONCE_SIZE);
187 
188 	keylen -= CTR_RFC3686_NONCE_SIZE;
189 
190 	crypto_skcipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
191 	crypto_skcipher_set_flags(child, crypto_skcipher_get_flags(parent) &
192 					 CRYPTO_TFM_REQ_MASK);
193 	err = crypto_skcipher_setkey(child, key, keylen);
194 	crypto_skcipher_set_flags(parent, crypto_skcipher_get_flags(child) &
195 					  CRYPTO_TFM_RES_MASK);
196 
197 	return err;
198 }
199 
200 static int crypto_rfc3686_crypt(struct skcipher_request *req)
201 {
202 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
203 	struct crypto_rfc3686_ctx *ctx = crypto_skcipher_ctx(tfm);
204 	struct crypto_skcipher *child = ctx->child;
205 	unsigned long align = crypto_skcipher_alignmask(tfm);
206 	struct crypto_rfc3686_req_ctx *rctx =
207 		(void *)PTR_ALIGN((u8 *)skcipher_request_ctx(req), align + 1);
208 	struct skcipher_request *subreq = &rctx->subreq;
209 	u8 *iv = rctx->iv;
210 
211 	/* set up counter block */
212 	memcpy(iv, ctx->nonce, CTR_RFC3686_NONCE_SIZE);
213 	memcpy(iv + CTR_RFC3686_NONCE_SIZE, req->iv, CTR_RFC3686_IV_SIZE);
214 
215 	/* initialize counter portion of counter block */
216 	*(__be32 *)(iv + CTR_RFC3686_NONCE_SIZE + CTR_RFC3686_IV_SIZE) =
217 		cpu_to_be32(1);
218 
219 	skcipher_request_set_tfm(subreq, child);
220 	skcipher_request_set_callback(subreq, req->base.flags,
221 				      req->base.complete, req->base.data);
222 	skcipher_request_set_crypt(subreq, req->src, req->dst,
223 				   req->cryptlen, iv);
224 
225 	return crypto_skcipher_encrypt(subreq);
226 }
227 
228 static int crypto_rfc3686_init_tfm(struct crypto_skcipher *tfm)
229 {
230 	struct skcipher_instance *inst = skcipher_alg_instance(tfm);
231 	struct crypto_skcipher_spawn *spawn = skcipher_instance_ctx(inst);
232 	struct crypto_rfc3686_ctx *ctx = crypto_skcipher_ctx(tfm);
233 	struct crypto_skcipher *cipher;
234 	unsigned long align;
235 	unsigned int reqsize;
236 
237 	cipher = crypto_spawn_skcipher(spawn);
238 	if (IS_ERR(cipher))
239 		return PTR_ERR(cipher);
240 
241 	ctx->child = cipher;
242 
243 	align = crypto_skcipher_alignmask(tfm);
244 	align &= ~(crypto_tfm_ctx_alignment() - 1);
245 	reqsize = align + sizeof(struct crypto_rfc3686_req_ctx) +
246 		  crypto_skcipher_reqsize(cipher);
247 	crypto_skcipher_set_reqsize(tfm, reqsize);
248 
249 	return 0;
250 }
251 
252 static void crypto_rfc3686_exit_tfm(struct crypto_skcipher *tfm)
253 {
254 	struct crypto_rfc3686_ctx *ctx = crypto_skcipher_ctx(tfm);
255 
256 	crypto_free_skcipher(ctx->child);
257 }
258 
259 static void crypto_rfc3686_free(struct skcipher_instance *inst)
260 {
261 	struct crypto_skcipher_spawn *spawn = skcipher_instance_ctx(inst);
262 
263 	crypto_drop_skcipher(spawn);
264 	kfree(inst);
265 }
266 
267 static int crypto_rfc3686_create(struct crypto_template *tmpl,
268 				 struct rtattr **tb)
269 {
270 	struct crypto_attr_type *algt;
271 	struct skcipher_instance *inst;
272 	struct skcipher_alg *alg;
273 	struct crypto_skcipher_spawn *spawn;
274 	const char *cipher_name;
275 	u32 mask;
276 
277 	int err;
278 
279 	algt = crypto_get_attr_type(tb);
280 	if (IS_ERR(algt))
281 		return PTR_ERR(algt);
282 
283 	if ((algt->type ^ CRYPTO_ALG_TYPE_SKCIPHER) & algt->mask)
284 		return -EINVAL;
285 
286 	cipher_name = crypto_attr_alg_name(tb[1]);
287 	if (IS_ERR(cipher_name))
288 		return PTR_ERR(cipher_name);
289 
290 	inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
291 	if (!inst)
292 		return -ENOMEM;
293 
294 	mask = crypto_requires_sync(algt->type, algt->mask) |
295 		crypto_requires_off(algt->type, algt->mask,
296 				    CRYPTO_ALG_NEED_FALLBACK);
297 
298 	spawn = skcipher_instance_ctx(inst);
299 
300 	crypto_set_skcipher_spawn(spawn, skcipher_crypto_instance(inst));
301 	err = crypto_grab_skcipher(spawn, cipher_name, 0, mask);
302 	if (err)
303 		goto err_free_inst;
304 
305 	alg = crypto_spawn_skcipher_alg(spawn);
306 
307 	/* We only support 16-byte blocks. */
308 	err = -EINVAL;
309 	if (crypto_skcipher_alg_ivsize(alg) != CTR_RFC3686_BLOCK_SIZE)
310 		goto err_drop_spawn;
311 
312 	/* Not a stream cipher? */
313 	if (alg->base.cra_blocksize != 1)
314 		goto err_drop_spawn;
315 
316 	err = -ENAMETOOLONG;
317 	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
318 		     "rfc3686(%s)", alg->base.cra_name) >= CRYPTO_MAX_ALG_NAME)
319 		goto err_drop_spawn;
320 	if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
321 		     "rfc3686(%s)", alg->base.cra_driver_name) >=
322 	    CRYPTO_MAX_ALG_NAME)
323 		goto err_drop_spawn;
324 
325 	inst->alg.base.cra_priority = alg->base.cra_priority;
326 	inst->alg.base.cra_blocksize = 1;
327 	inst->alg.base.cra_alignmask = alg->base.cra_alignmask;
328 
329 	inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC;
330 
331 	inst->alg.ivsize = CTR_RFC3686_IV_SIZE;
332 	inst->alg.chunksize = crypto_skcipher_alg_chunksize(alg);
333 	inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg) +
334 				CTR_RFC3686_NONCE_SIZE;
335 	inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(alg) +
336 				CTR_RFC3686_NONCE_SIZE;
337 
338 	inst->alg.setkey = crypto_rfc3686_setkey;
339 	inst->alg.encrypt = crypto_rfc3686_crypt;
340 	inst->alg.decrypt = crypto_rfc3686_crypt;
341 
342 	inst->alg.base.cra_ctxsize = sizeof(struct crypto_rfc3686_ctx);
343 
344 	inst->alg.init = crypto_rfc3686_init_tfm;
345 	inst->alg.exit = crypto_rfc3686_exit_tfm;
346 
347 	inst->free = crypto_rfc3686_free;
348 
349 	err = skcipher_register_instance(tmpl, inst);
350 	if (err)
351 		goto err_drop_spawn;
352 
353 out:
354 	return err;
355 
356 err_drop_spawn:
357 	crypto_drop_skcipher(spawn);
358 err_free_inst:
359 	kfree(inst);
360 	goto out;
361 }
362 
363 static struct crypto_template crypto_ctr_tmpls[] = {
364 	{
365 		.name = "ctr",
366 		.create = crypto_ctr_create,
367 		.module = THIS_MODULE,
368 	}, {
369 		.name = "rfc3686",
370 		.create = crypto_rfc3686_create,
371 		.module = THIS_MODULE,
372 	},
373 };
374 
375 static int __init crypto_ctr_module_init(void)
376 {
377 	return crypto_register_templates(crypto_ctr_tmpls,
378 					 ARRAY_SIZE(crypto_ctr_tmpls));
379 }
380 
381 static void __exit crypto_ctr_module_exit(void)
382 {
383 	crypto_unregister_templates(crypto_ctr_tmpls,
384 				    ARRAY_SIZE(crypto_ctr_tmpls));
385 }
386 
387 subsys_initcall(crypto_ctr_module_init);
388 module_exit(crypto_ctr_module_exit);
389 
390 MODULE_LICENSE("GPL");
391 MODULE_DESCRIPTION("CTR block cipher mode of operation");
392 MODULE_ALIAS_CRYPTO("rfc3686");
393 MODULE_ALIAS_CRYPTO("ctr");
394