1 /* 2 * CTS: Cipher Text Stealing mode 3 * 4 * COPYRIGHT (c) 2008 5 * The Regents of the University of Michigan 6 * ALL RIGHTS RESERVED 7 * 8 * Permission is granted to use, copy, create derivative works 9 * and redistribute this software and such derivative works 10 * for any purpose, so long as the name of The University of 11 * Michigan is not used in any advertising or publicity 12 * pertaining to the use of distribution of this software 13 * without specific, written prior authorization. If the 14 * above copyright notice or any other identification of the 15 * University of Michigan is included in any copy of any 16 * portion of this software, then the disclaimer below must 17 * also be included. 18 * 19 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION 20 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY 21 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF 22 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING 23 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF 24 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE 25 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE 26 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR 27 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING 28 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN 29 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGES. 31 */ 32 33 /* Derived from various: 34 * Copyright (c) 2006 Herbert Xu <herbert@gondor.apana.org.au> 35 */ 36 37 /* 38 * This is the Cipher Text Stealing mode as described by 39 * Section 8 of rfc2040 and referenced by rfc3962. 40 * rfc3962 includes errata information in its Appendix A. 41 */ 42 43 #include <crypto/algapi.h> 44 #include <crypto/internal/skcipher.h> 45 #include <linux/err.h> 46 #include <linux/init.h> 47 #include <linux/kernel.h> 48 #include <linux/log2.h> 49 #include <linux/module.h> 50 #include <linux/scatterlist.h> 51 #include <crypto/scatterwalk.h> 52 #include <linux/slab.h> 53 #include <linux/compiler.h> 54 55 struct crypto_cts_ctx { 56 struct crypto_skcipher *child; 57 }; 58 59 struct crypto_cts_reqctx { 60 struct scatterlist sg[2]; 61 unsigned offset; 62 struct skcipher_request subreq; 63 }; 64 65 static inline u8 *crypto_cts_reqctx_space(struct skcipher_request *req) 66 { 67 struct crypto_cts_reqctx *rctx = skcipher_request_ctx(req); 68 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 69 struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(tfm); 70 struct crypto_skcipher *child = ctx->child; 71 72 return PTR_ALIGN((u8 *)(rctx + 1) + crypto_skcipher_reqsize(child), 73 crypto_skcipher_alignmask(tfm) + 1); 74 } 75 76 static int crypto_cts_setkey(struct crypto_skcipher *parent, const u8 *key, 77 unsigned int keylen) 78 { 79 struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(parent); 80 struct crypto_skcipher *child = ctx->child; 81 int err; 82 83 crypto_skcipher_clear_flags(child, CRYPTO_TFM_REQ_MASK); 84 crypto_skcipher_set_flags(child, crypto_skcipher_get_flags(parent) & 85 CRYPTO_TFM_REQ_MASK); 86 err = crypto_skcipher_setkey(child, key, keylen); 87 crypto_skcipher_set_flags(parent, crypto_skcipher_get_flags(child) & 88 CRYPTO_TFM_RES_MASK); 89 return err; 90 } 91 92 static void cts_cbc_crypt_done(struct crypto_async_request *areq, int err) 93 { 94 struct skcipher_request *req = areq->data; 95 96 if (err == -EINPROGRESS) 97 return; 98 99 skcipher_request_complete(req, err); 100 } 101 102 static int cts_cbc_encrypt(struct skcipher_request *req) 103 { 104 struct crypto_cts_reqctx *rctx = skcipher_request_ctx(req); 105 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 106 struct skcipher_request *subreq = &rctx->subreq; 107 int bsize = crypto_skcipher_blocksize(tfm); 108 u8 d[MAX_CIPHER_BLOCKSIZE * 2] __aligned(__alignof__(u32)); 109 struct scatterlist *sg; 110 unsigned int offset; 111 int lastn; 112 113 offset = rctx->offset; 114 lastn = req->cryptlen - offset; 115 116 sg = scatterwalk_ffwd(rctx->sg, req->dst, offset - bsize); 117 scatterwalk_map_and_copy(d + bsize, sg, 0, bsize, 0); 118 119 memset(d, 0, bsize); 120 scatterwalk_map_and_copy(d, req->src, offset, lastn, 0); 121 122 scatterwalk_map_and_copy(d, sg, 0, bsize + lastn, 1); 123 memzero_explicit(d, sizeof(d)); 124 125 skcipher_request_set_callback(subreq, req->base.flags & 126 CRYPTO_TFM_REQ_MAY_BACKLOG, 127 cts_cbc_crypt_done, req); 128 skcipher_request_set_crypt(subreq, sg, sg, bsize, req->iv); 129 return crypto_skcipher_encrypt(subreq); 130 } 131 132 static void crypto_cts_encrypt_done(struct crypto_async_request *areq, int err) 133 { 134 struct skcipher_request *req = areq->data; 135 136 if (err) 137 goto out; 138 139 err = cts_cbc_encrypt(req); 140 if (err == -EINPROGRESS || err == -EBUSY) 141 return; 142 143 out: 144 skcipher_request_complete(req, err); 145 } 146 147 static int crypto_cts_encrypt(struct skcipher_request *req) 148 { 149 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 150 struct crypto_cts_reqctx *rctx = skcipher_request_ctx(req); 151 struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(tfm); 152 struct skcipher_request *subreq = &rctx->subreq; 153 int bsize = crypto_skcipher_blocksize(tfm); 154 unsigned int nbytes = req->cryptlen; 155 unsigned int offset; 156 157 skcipher_request_set_tfm(subreq, ctx->child); 158 159 if (nbytes < bsize) 160 return -EINVAL; 161 162 if (nbytes == bsize) { 163 skcipher_request_set_callback(subreq, req->base.flags, 164 req->base.complete, 165 req->base.data); 166 skcipher_request_set_crypt(subreq, req->src, req->dst, nbytes, 167 req->iv); 168 return crypto_skcipher_encrypt(subreq); 169 } 170 171 offset = rounddown(nbytes - 1, bsize); 172 rctx->offset = offset; 173 174 skcipher_request_set_callback(subreq, req->base.flags, 175 crypto_cts_encrypt_done, req); 176 skcipher_request_set_crypt(subreq, req->src, req->dst, 177 offset, req->iv); 178 179 return crypto_skcipher_encrypt(subreq) ?: 180 cts_cbc_encrypt(req); 181 } 182 183 static int cts_cbc_decrypt(struct skcipher_request *req) 184 { 185 struct crypto_cts_reqctx *rctx = skcipher_request_ctx(req); 186 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 187 struct skcipher_request *subreq = &rctx->subreq; 188 int bsize = crypto_skcipher_blocksize(tfm); 189 u8 d[MAX_CIPHER_BLOCKSIZE * 2] __aligned(__alignof__(u32)); 190 struct scatterlist *sg; 191 unsigned int offset; 192 u8 *space; 193 int lastn; 194 195 offset = rctx->offset; 196 lastn = req->cryptlen - offset; 197 198 sg = scatterwalk_ffwd(rctx->sg, req->dst, offset - bsize); 199 200 /* 1. Decrypt Cn-1 (s) to create Dn */ 201 scatterwalk_map_and_copy(d + bsize, sg, 0, bsize, 0); 202 space = crypto_cts_reqctx_space(req); 203 crypto_xor(d + bsize, space, bsize); 204 /* 2. Pad Cn with zeros at the end to create C of length BB */ 205 memset(d, 0, bsize); 206 scatterwalk_map_and_copy(d, req->src, offset, lastn, 0); 207 /* 3. Exclusive-or Dn with C to create Xn */ 208 /* 4. Select the first Ln bytes of Xn to create Pn */ 209 crypto_xor(d + bsize, d, lastn); 210 211 /* 5. Append the tail (BB - Ln) bytes of Xn to Cn to create En */ 212 memcpy(d + lastn, d + bsize + lastn, bsize - lastn); 213 /* 6. Decrypt En to create Pn-1 */ 214 215 scatterwalk_map_and_copy(d, sg, 0, bsize + lastn, 1); 216 memzero_explicit(d, sizeof(d)); 217 218 skcipher_request_set_callback(subreq, req->base.flags & 219 CRYPTO_TFM_REQ_MAY_BACKLOG, 220 cts_cbc_crypt_done, req); 221 222 skcipher_request_set_crypt(subreq, sg, sg, bsize, space); 223 return crypto_skcipher_decrypt(subreq); 224 } 225 226 static void crypto_cts_decrypt_done(struct crypto_async_request *areq, int err) 227 { 228 struct skcipher_request *req = areq->data; 229 230 if (err) 231 goto out; 232 233 err = cts_cbc_decrypt(req); 234 if (err == -EINPROGRESS || err == -EBUSY) 235 return; 236 237 out: 238 skcipher_request_complete(req, err); 239 } 240 241 static int crypto_cts_decrypt(struct skcipher_request *req) 242 { 243 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 244 struct crypto_cts_reqctx *rctx = skcipher_request_ctx(req); 245 struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(tfm); 246 struct skcipher_request *subreq = &rctx->subreq; 247 int bsize = crypto_skcipher_blocksize(tfm); 248 unsigned int nbytes = req->cryptlen; 249 unsigned int offset; 250 u8 *space; 251 252 skcipher_request_set_tfm(subreq, ctx->child); 253 254 if (nbytes < bsize) 255 return -EINVAL; 256 257 if (nbytes == bsize) { 258 skcipher_request_set_callback(subreq, req->base.flags, 259 req->base.complete, 260 req->base.data); 261 skcipher_request_set_crypt(subreq, req->src, req->dst, nbytes, 262 req->iv); 263 return crypto_skcipher_decrypt(subreq); 264 } 265 266 skcipher_request_set_callback(subreq, req->base.flags, 267 crypto_cts_decrypt_done, req); 268 269 space = crypto_cts_reqctx_space(req); 270 271 offset = rounddown(nbytes - 1, bsize); 272 rctx->offset = offset; 273 274 if (offset <= bsize) 275 memcpy(space, req->iv, bsize); 276 else 277 scatterwalk_map_and_copy(space, req->src, offset - 2 * bsize, 278 bsize, 0); 279 280 skcipher_request_set_crypt(subreq, req->src, req->dst, 281 offset, req->iv); 282 283 return crypto_skcipher_decrypt(subreq) ?: 284 cts_cbc_decrypt(req); 285 } 286 287 static int crypto_cts_init_tfm(struct crypto_skcipher *tfm) 288 { 289 struct skcipher_instance *inst = skcipher_alg_instance(tfm); 290 struct crypto_skcipher_spawn *spawn = skcipher_instance_ctx(inst); 291 struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(tfm); 292 struct crypto_skcipher *cipher; 293 unsigned reqsize; 294 unsigned bsize; 295 unsigned align; 296 297 cipher = crypto_spawn_skcipher(spawn); 298 if (IS_ERR(cipher)) 299 return PTR_ERR(cipher); 300 301 ctx->child = cipher; 302 303 align = crypto_skcipher_alignmask(tfm); 304 bsize = crypto_skcipher_blocksize(cipher); 305 reqsize = ALIGN(sizeof(struct crypto_cts_reqctx) + 306 crypto_skcipher_reqsize(cipher), 307 crypto_tfm_ctx_alignment()) + 308 (align & ~(crypto_tfm_ctx_alignment() - 1)) + bsize; 309 310 crypto_skcipher_set_reqsize(tfm, reqsize); 311 312 return 0; 313 } 314 315 static void crypto_cts_exit_tfm(struct crypto_skcipher *tfm) 316 { 317 struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(tfm); 318 319 crypto_free_skcipher(ctx->child); 320 } 321 322 static void crypto_cts_free(struct skcipher_instance *inst) 323 { 324 crypto_drop_skcipher(skcipher_instance_ctx(inst)); 325 kfree(inst); 326 } 327 328 static int crypto_cts_create(struct crypto_template *tmpl, struct rtattr **tb) 329 { 330 struct crypto_skcipher_spawn *spawn; 331 struct skcipher_instance *inst; 332 struct crypto_attr_type *algt; 333 struct skcipher_alg *alg; 334 const char *cipher_name; 335 int err; 336 337 algt = crypto_get_attr_type(tb); 338 if (IS_ERR(algt)) 339 return PTR_ERR(algt); 340 341 if ((algt->type ^ CRYPTO_ALG_TYPE_SKCIPHER) & algt->mask) 342 return -EINVAL; 343 344 cipher_name = crypto_attr_alg_name(tb[1]); 345 if (IS_ERR(cipher_name)) 346 return PTR_ERR(cipher_name); 347 348 inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL); 349 if (!inst) 350 return -ENOMEM; 351 352 spawn = skcipher_instance_ctx(inst); 353 354 crypto_set_skcipher_spawn(spawn, skcipher_crypto_instance(inst)); 355 err = crypto_grab_skcipher(spawn, cipher_name, 0, 356 crypto_requires_sync(algt->type, 357 algt->mask)); 358 if (err) 359 goto err_free_inst; 360 361 alg = crypto_spawn_skcipher_alg(spawn); 362 363 err = -EINVAL; 364 if (crypto_skcipher_alg_ivsize(alg) != alg->base.cra_blocksize) 365 goto err_drop_spawn; 366 367 if (strncmp(alg->base.cra_name, "cbc(", 4)) 368 goto err_drop_spawn; 369 370 err = crypto_inst_setname(skcipher_crypto_instance(inst), "cts", 371 &alg->base); 372 if (err) 373 goto err_drop_spawn; 374 375 inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC; 376 inst->alg.base.cra_priority = alg->base.cra_priority; 377 inst->alg.base.cra_blocksize = alg->base.cra_blocksize; 378 inst->alg.base.cra_alignmask = alg->base.cra_alignmask; 379 380 inst->alg.ivsize = alg->base.cra_blocksize; 381 inst->alg.chunksize = crypto_skcipher_alg_chunksize(alg); 382 inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg); 383 inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(alg); 384 385 inst->alg.base.cra_ctxsize = sizeof(struct crypto_cts_ctx); 386 387 inst->alg.init = crypto_cts_init_tfm; 388 inst->alg.exit = crypto_cts_exit_tfm; 389 390 inst->alg.setkey = crypto_cts_setkey; 391 inst->alg.encrypt = crypto_cts_encrypt; 392 inst->alg.decrypt = crypto_cts_decrypt; 393 394 inst->free = crypto_cts_free; 395 396 err = skcipher_register_instance(tmpl, inst); 397 if (err) 398 goto err_drop_spawn; 399 400 out: 401 return err; 402 403 err_drop_spawn: 404 crypto_drop_skcipher(spawn); 405 err_free_inst: 406 kfree(inst); 407 goto out; 408 } 409 410 static struct crypto_template crypto_cts_tmpl = { 411 .name = "cts", 412 .create = crypto_cts_create, 413 .module = THIS_MODULE, 414 }; 415 416 static int __init crypto_cts_module_init(void) 417 { 418 return crypto_register_template(&crypto_cts_tmpl); 419 } 420 421 static void __exit crypto_cts_module_exit(void) 422 { 423 crypto_unregister_template(&crypto_cts_tmpl); 424 } 425 426 subsys_initcall(crypto_cts_module_init); 427 module_exit(crypto_cts_module_exit); 428 429 MODULE_LICENSE("Dual BSD/GPL"); 430 MODULE_DESCRIPTION("CTS-CBC CipherText Stealing for CBC"); 431 MODULE_ALIAS_CRYPTO("cts"); 432