1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* LRW: as defined by Cyril Guyot in 3 * http://grouper.ieee.org/groups/1619/email/pdf00017.pdf 4 * 5 * Copyright (c) 2006 Rik Snel <rsnel@cube.dyndns.org> 6 * 7 * Based on ecb.c 8 * Copyright (c) 2006 Herbert Xu <herbert@gondor.apana.org.au> 9 */ 10 /* This implementation is checked against the test vectors in the above 11 * document and by a test vector provided by Ken Buchanan at 12 * http://www.mail-archive.com/stds-p1619@listserv.ieee.org/msg00173.html 13 * 14 * The test vectors are included in the testing module tcrypt.[ch] */ 15 16 #include <crypto/internal/skcipher.h> 17 #include <crypto/scatterwalk.h> 18 #include <linux/err.h> 19 #include <linux/init.h> 20 #include <linux/kernel.h> 21 #include <linux/module.h> 22 #include <linux/scatterlist.h> 23 #include <linux/slab.h> 24 25 #include <crypto/b128ops.h> 26 #include <crypto/gf128mul.h> 27 28 #define LRW_BLOCK_SIZE 16 29 30 struct priv { 31 struct crypto_skcipher *child; 32 33 /* 34 * optimizes multiplying a random (non incrementing, as at the 35 * start of a new sector) value with key2, we could also have 36 * used 4k optimization tables or no optimization at all. In the 37 * latter case we would have to store key2 here 38 */ 39 struct gf128mul_64k *table; 40 41 /* 42 * stores: 43 * key2*{ 0,0,...0,0,0,0,1 }, key2*{ 0,0,...0,0,0,1,1 }, 44 * key2*{ 0,0,...0,0,1,1,1 }, key2*{ 0,0,...0,1,1,1,1 } 45 * key2*{ 0,0,...1,1,1,1,1 }, etc 46 * needed for optimized multiplication of incrementing values 47 * with key2 48 */ 49 be128 mulinc[128]; 50 }; 51 52 struct rctx { 53 be128 t; 54 struct skcipher_request subreq; 55 }; 56 57 static inline void setbit128_bbe(void *b, int bit) 58 { 59 __set_bit(bit ^ (0x80 - 60 #ifdef __BIG_ENDIAN 61 BITS_PER_LONG 62 #else 63 BITS_PER_BYTE 64 #endif 65 ), b); 66 } 67 68 static int setkey(struct crypto_skcipher *parent, const u8 *key, 69 unsigned int keylen) 70 { 71 struct priv *ctx = crypto_skcipher_ctx(parent); 72 struct crypto_skcipher *child = ctx->child; 73 int err, bsize = LRW_BLOCK_SIZE; 74 const u8 *tweak = key + keylen - bsize; 75 be128 tmp = { 0 }; 76 int i; 77 78 crypto_skcipher_clear_flags(child, CRYPTO_TFM_REQ_MASK); 79 crypto_skcipher_set_flags(child, crypto_skcipher_get_flags(parent) & 80 CRYPTO_TFM_REQ_MASK); 81 err = crypto_skcipher_setkey(child, key, keylen - bsize); 82 if (err) 83 return err; 84 85 if (ctx->table) 86 gf128mul_free_64k(ctx->table); 87 88 /* initialize multiplication table for Key2 */ 89 ctx->table = gf128mul_init_64k_bbe((be128 *)tweak); 90 if (!ctx->table) 91 return -ENOMEM; 92 93 /* initialize optimization table */ 94 for (i = 0; i < 128; i++) { 95 setbit128_bbe(&tmp, i); 96 ctx->mulinc[i] = tmp; 97 gf128mul_64k_bbe(&ctx->mulinc[i], ctx->table); 98 } 99 100 return 0; 101 } 102 103 /* 104 * Returns the number of trailing '1' bits in the words of the counter, which is 105 * represented by 4 32-bit words, arranged from least to most significant. 106 * At the same time, increments the counter by one. 107 * 108 * For example: 109 * 110 * u32 counter[4] = { 0xFFFFFFFF, 0x1, 0x0, 0x0 }; 111 * int i = next_index(&counter); 112 * // i == 33, counter == { 0x0, 0x2, 0x0, 0x0 } 113 */ 114 static int next_index(u32 *counter) 115 { 116 int i, res = 0; 117 118 for (i = 0; i < 4; i++) { 119 if (counter[i] + 1 != 0) 120 return res + ffz(counter[i]++); 121 122 counter[i] = 0; 123 res += 32; 124 } 125 126 /* 127 * If we get here, then x == 128 and we are incrementing the counter 128 * from all ones to all zeros. This means we must return index 127, i.e. 129 * the one corresponding to key2*{ 1,...,1 }. 130 */ 131 return 127; 132 } 133 134 /* 135 * We compute the tweak masks twice (both before and after the ECB encryption or 136 * decryption) to avoid having to allocate a temporary buffer and/or make 137 * mutliple calls to the 'ecb(..)' instance, which usually would be slower than 138 * just doing the next_index() calls again. 139 */ 140 static int xor_tweak(struct skcipher_request *req, bool second_pass) 141 { 142 const int bs = LRW_BLOCK_SIZE; 143 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 144 struct priv *ctx = crypto_skcipher_ctx(tfm); 145 struct rctx *rctx = skcipher_request_ctx(req); 146 be128 t = rctx->t; 147 struct skcipher_walk w; 148 __be32 *iv; 149 u32 counter[4]; 150 int err; 151 152 if (second_pass) { 153 req = &rctx->subreq; 154 /* set to our TFM to enforce correct alignment: */ 155 skcipher_request_set_tfm(req, tfm); 156 } 157 158 err = skcipher_walk_virt(&w, req, false); 159 if (err) 160 return err; 161 162 iv = (__be32 *)w.iv; 163 counter[0] = be32_to_cpu(iv[3]); 164 counter[1] = be32_to_cpu(iv[2]); 165 counter[2] = be32_to_cpu(iv[1]); 166 counter[3] = be32_to_cpu(iv[0]); 167 168 while (w.nbytes) { 169 unsigned int avail = w.nbytes; 170 be128 *wsrc; 171 be128 *wdst; 172 173 wsrc = w.src.virt.addr; 174 wdst = w.dst.virt.addr; 175 176 do { 177 be128_xor(wdst++, &t, wsrc++); 178 179 /* T <- I*Key2, using the optimization 180 * discussed in the specification */ 181 be128_xor(&t, &t, &ctx->mulinc[next_index(counter)]); 182 } while ((avail -= bs) >= bs); 183 184 if (second_pass && w.nbytes == w.total) { 185 iv[0] = cpu_to_be32(counter[3]); 186 iv[1] = cpu_to_be32(counter[2]); 187 iv[2] = cpu_to_be32(counter[1]); 188 iv[3] = cpu_to_be32(counter[0]); 189 } 190 191 err = skcipher_walk_done(&w, avail); 192 } 193 194 return err; 195 } 196 197 static int xor_tweak_pre(struct skcipher_request *req) 198 { 199 return xor_tweak(req, false); 200 } 201 202 static int xor_tweak_post(struct skcipher_request *req) 203 { 204 return xor_tweak(req, true); 205 } 206 207 static void crypt_done(struct crypto_async_request *areq, int err) 208 { 209 struct skcipher_request *req = areq->data; 210 211 if (!err) { 212 struct rctx *rctx = skcipher_request_ctx(req); 213 214 rctx->subreq.base.flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP; 215 err = xor_tweak_post(req); 216 } 217 218 skcipher_request_complete(req, err); 219 } 220 221 static void init_crypt(struct skcipher_request *req) 222 { 223 struct priv *ctx = crypto_skcipher_ctx(crypto_skcipher_reqtfm(req)); 224 struct rctx *rctx = skcipher_request_ctx(req); 225 struct skcipher_request *subreq = &rctx->subreq; 226 227 skcipher_request_set_tfm(subreq, ctx->child); 228 skcipher_request_set_callback(subreq, req->base.flags, crypt_done, req); 229 /* pass req->iv as IV (will be used by xor_tweak, ECB will ignore it) */ 230 skcipher_request_set_crypt(subreq, req->dst, req->dst, 231 req->cryptlen, req->iv); 232 233 /* calculate first value of T */ 234 memcpy(&rctx->t, req->iv, sizeof(rctx->t)); 235 236 /* T <- I*Key2 */ 237 gf128mul_64k_bbe(&rctx->t, ctx->table); 238 } 239 240 static int encrypt(struct skcipher_request *req) 241 { 242 struct rctx *rctx = skcipher_request_ctx(req); 243 struct skcipher_request *subreq = &rctx->subreq; 244 245 init_crypt(req); 246 return xor_tweak_pre(req) ?: 247 crypto_skcipher_encrypt(subreq) ?: 248 xor_tweak_post(req); 249 } 250 251 static int decrypt(struct skcipher_request *req) 252 { 253 struct rctx *rctx = skcipher_request_ctx(req); 254 struct skcipher_request *subreq = &rctx->subreq; 255 256 init_crypt(req); 257 return xor_tweak_pre(req) ?: 258 crypto_skcipher_decrypt(subreq) ?: 259 xor_tweak_post(req); 260 } 261 262 static int init_tfm(struct crypto_skcipher *tfm) 263 { 264 struct skcipher_instance *inst = skcipher_alg_instance(tfm); 265 struct crypto_skcipher_spawn *spawn = skcipher_instance_ctx(inst); 266 struct priv *ctx = crypto_skcipher_ctx(tfm); 267 struct crypto_skcipher *cipher; 268 269 cipher = crypto_spawn_skcipher(spawn); 270 if (IS_ERR(cipher)) 271 return PTR_ERR(cipher); 272 273 ctx->child = cipher; 274 275 crypto_skcipher_set_reqsize(tfm, crypto_skcipher_reqsize(cipher) + 276 sizeof(struct rctx)); 277 278 return 0; 279 } 280 281 static void exit_tfm(struct crypto_skcipher *tfm) 282 { 283 struct priv *ctx = crypto_skcipher_ctx(tfm); 284 285 if (ctx->table) 286 gf128mul_free_64k(ctx->table); 287 crypto_free_skcipher(ctx->child); 288 } 289 290 static void crypto_lrw_free(struct skcipher_instance *inst) 291 { 292 crypto_drop_skcipher(skcipher_instance_ctx(inst)); 293 kfree(inst); 294 } 295 296 static int create(struct crypto_template *tmpl, struct rtattr **tb) 297 { 298 struct crypto_skcipher_spawn *spawn; 299 struct skcipher_instance *inst; 300 struct crypto_attr_type *algt; 301 struct skcipher_alg *alg; 302 const char *cipher_name; 303 char ecb_name[CRYPTO_MAX_ALG_NAME]; 304 u32 mask; 305 int err; 306 307 algt = crypto_get_attr_type(tb); 308 if (IS_ERR(algt)) 309 return PTR_ERR(algt); 310 311 if ((algt->type ^ CRYPTO_ALG_TYPE_SKCIPHER) & algt->mask) 312 return -EINVAL; 313 314 mask = crypto_requires_sync(algt->type, algt->mask); 315 316 cipher_name = crypto_attr_alg_name(tb[1]); 317 if (IS_ERR(cipher_name)) 318 return PTR_ERR(cipher_name); 319 320 inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL); 321 if (!inst) 322 return -ENOMEM; 323 324 spawn = skcipher_instance_ctx(inst); 325 326 err = crypto_grab_skcipher(spawn, skcipher_crypto_instance(inst), 327 cipher_name, 0, mask); 328 if (err == -ENOENT) { 329 err = -ENAMETOOLONG; 330 if (snprintf(ecb_name, CRYPTO_MAX_ALG_NAME, "ecb(%s)", 331 cipher_name) >= CRYPTO_MAX_ALG_NAME) 332 goto err_free_inst; 333 334 err = crypto_grab_skcipher(spawn, 335 skcipher_crypto_instance(inst), 336 ecb_name, 0, mask); 337 } 338 339 if (err) 340 goto err_free_inst; 341 342 alg = crypto_skcipher_spawn_alg(spawn); 343 344 err = -EINVAL; 345 if (alg->base.cra_blocksize != LRW_BLOCK_SIZE) 346 goto err_free_inst; 347 348 if (crypto_skcipher_alg_ivsize(alg)) 349 goto err_free_inst; 350 351 err = crypto_inst_setname(skcipher_crypto_instance(inst), "lrw", 352 &alg->base); 353 if (err) 354 goto err_free_inst; 355 356 err = -EINVAL; 357 cipher_name = alg->base.cra_name; 358 359 /* Alas we screwed up the naming so we have to mangle the 360 * cipher name. 361 */ 362 if (!strncmp(cipher_name, "ecb(", 4)) { 363 unsigned len; 364 365 len = strlcpy(ecb_name, cipher_name + 4, sizeof(ecb_name)); 366 if (len < 2 || len >= sizeof(ecb_name)) 367 goto err_free_inst; 368 369 if (ecb_name[len - 1] != ')') 370 goto err_free_inst; 371 372 ecb_name[len - 1] = 0; 373 374 if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME, 375 "lrw(%s)", ecb_name) >= CRYPTO_MAX_ALG_NAME) { 376 err = -ENAMETOOLONG; 377 goto err_free_inst; 378 } 379 } else 380 goto err_free_inst; 381 382 inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC; 383 inst->alg.base.cra_priority = alg->base.cra_priority; 384 inst->alg.base.cra_blocksize = LRW_BLOCK_SIZE; 385 inst->alg.base.cra_alignmask = alg->base.cra_alignmask | 386 (__alignof__(be128) - 1); 387 388 inst->alg.ivsize = LRW_BLOCK_SIZE; 389 inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg) + 390 LRW_BLOCK_SIZE; 391 inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(alg) + 392 LRW_BLOCK_SIZE; 393 394 inst->alg.base.cra_ctxsize = sizeof(struct priv); 395 396 inst->alg.init = init_tfm; 397 inst->alg.exit = exit_tfm; 398 399 inst->alg.setkey = setkey; 400 inst->alg.encrypt = encrypt; 401 inst->alg.decrypt = decrypt; 402 403 inst->free = crypto_lrw_free; 404 405 err = skcipher_register_instance(tmpl, inst); 406 if (err) { 407 err_free_inst: 408 crypto_lrw_free(inst); 409 } 410 return err; 411 } 412 413 static struct crypto_template crypto_tmpl = { 414 .name = "lrw", 415 .create = create, 416 .module = THIS_MODULE, 417 }; 418 419 static int __init crypto_module_init(void) 420 { 421 return crypto_register_template(&crypto_tmpl); 422 } 423 424 static void __exit crypto_module_exit(void) 425 { 426 crypto_unregister_template(&crypto_tmpl); 427 } 428 429 subsys_initcall(crypto_module_init); 430 module_exit(crypto_module_exit); 431 432 MODULE_LICENSE("GPL"); 433 MODULE_DESCRIPTION("LRW block cipher mode"); 434 MODULE_ALIAS_CRYPTO("lrw"); 435