Loading...
1/*
2 * CTS: Cipher Text Stealing mode
3 *
4 * COPYRIGHT (c) 2008
5 * The Regents of the University of Michigan
6 * ALL RIGHTS RESERVED
7 *
8 * Permission is granted to use, copy, create derivative works
9 * and redistribute this software and such derivative works
10 * for any purpose, so long as the name of The University of
11 * Michigan is not used in any advertising or publicity
12 * pertaining to the use of distribution of this software
13 * without specific, written prior authorization. If the
14 * above copyright notice or any other identification of the
15 * University of Michigan is included in any copy of any
16 * portion of this software, then the disclaimer below must
17 * also be included.
18 *
19 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
20 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
21 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
22 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
23 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
24 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
25 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
26 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
27 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
28 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
29 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGES.
31 */
32
33/* Derived from various:
34 * Copyright (c) 2006 Herbert Xu <herbert@gondor.apana.org.au>
35 */
36
37/*
38 * This is the Cipher Text Stealing mode as described by
39 * Section 8 of rfc2040 and referenced by rfc3962.
40 * rfc3962 includes errata information in its Appendix A.
41 */
42
43#include <crypto/algapi.h>
44#include <linux/err.h>
45#include <linux/init.h>
46#include <linux/kernel.h>
47#include <linux/log2.h>
48#include <linux/module.h>
49#include <linux/scatterlist.h>
50#include <crypto/scatterwalk.h>
51#include <linux/slab.h>
52
53struct crypto_cts_ctx {
54 struct crypto_blkcipher *child;
55};
56
57static int crypto_cts_setkey(struct crypto_tfm *parent, const u8 *key,
58 unsigned int keylen)
59{
60 struct crypto_cts_ctx *ctx = crypto_tfm_ctx(parent);
61 struct crypto_blkcipher *child = ctx->child;
62 int err;
63
64 crypto_blkcipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
65 crypto_blkcipher_set_flags(child, crypto_tfm_get_flags(parent) &
66 CRYPTO_TFM_REQ_MASK);
67 err = crypto_blkcipher_setkey(child, key, keylen);
68 crypto_tfm_set_flags(parent, crypto_blkcipher_get_flags(child) &
69 CRYPTO_TFM_RES_MASK);
70 return err;
71}
72
73static int cts_cbc_encrypt(struct crypto_cts_ctx *ctx,
74 struct blkcipher_desc *desc,
75 struct scatterlist *dst,
76 struct scatterlist *src,
77 unsigned int offset,
78 unsigned int nbytes)
79{
80 int bsize = crypto_blkcipher_blocksize(desc->tfm);
81 u8 tmp[bsize], tmp2[bsize];
82 struct blkcipher_desc lcldesc;
83 struct scatterlist sgsrc[1], sgdst[1];
84 int lastn = nbytes - bsize;
85 u8 iv[bsize];
86 u8 s[bsize * 2], d[bsize * 2];
87 int err;
88
89 if (lastn < 0)
90 return -EINVAL;
91
92 sg_init_table(sgsrc, 1);
93 sg_init_table(sgdst, 1);
94
95 memset(s, 0, sizeof(s));
96 scatterwalk_map_and_copy(s, src, offset, nbytes, 0);
97
98 memcpy(iv, desc->info, bsize);
99
100 lcldesc.tfm = ctx->child;
101 lcldesc.info = iv;
102 lcldesc.flags = desc->flags;
103
104 sg_set_buf(&sgsrc[0], s, bsize);
105 sg_set_buf(&sgdst[0], tmp, bsize);
106 err = crypto_blkcipher_encrypt_iv(&lcldesc, sgdst, sgsrc, bsize);
107
108 memcpy(d + bsize, tmp, lastn);
109
110 lcldesc.info = tmp;
111
112 sg_set_buf(&sgsrc[0], s + bsize, bsize);
113 sg_set_buf(&sgdst[0], tmp2, bsize);
114 err = crypto_blkcipher_encrypt_iv(&lcldesc, sgdst, sgsrc, bsize);
115
116 memcpy(d, tmp2, bsize);
117
118 scatterwalk_map_and_copy(d, dst, offset, nbytes, 1);
119
120 memcpy(desc->info, tmp2, bsize);
121
122 return err;
123}
124
125static int crypto_cts_encrypt(struct blkcipher_desc *desc,
126 struct scatterlist *dst, struct scatterlist *src,
127 unsigned int nbytes)
128{
129 struct crypto_cts_ctx *ctx = crypto_blkcipher_ctx(desc->tfm);
130 int bsize = crypto_blkcipher_blocksize(desc->tfm);
131 int tot_blocks = (nbytes + bsize - 1) / bsize;
132 int cbc_blocks = tot_blocks > 2 ? tot_blocks - 2 : 0;
133 struct blkcipher_desc lcldesc;
134 int err;
135
136 lcldesc.tfm = ctx->child;
137 lcldesc.info = desc->info;
138 lcldesc.flags = desc->flags;
139
140 if (tot_blocks == 1) {
141 err = crypto_blkcipher_encrypt_iv(&lcldesc, dst, src, bsize);
142 } else if (nbytes <= bsize * 2) {
143 err = cts_cbc_encrypt(ctx, desc, dst, src, 0, nbytes);
144 } else {
145 /* do normal function for tot_blocks - 2 */
146 err = crypto_blkcipher_encrypt_iv(&lcldesc, dst, src,
147 cbc_blocks * bsize);
148 if (err == 0) {
149 /* do cts for final two blocks */
150 err = cts_cbc_encrypt(ctx, desc, dst, src,
151 cbc_blocks * bsize,
152 nbytes - (cbc_blocks * bsize));
153 }
154 }
155
156 return err;
157}
158
159static int cts_cbc_decrypt(struct crypto_cts_ctx *ctx,
160 struct blkcipher_desc *desc,
161 struct scatterlist *dst,
162 struct scatterlist *src,
163 unsigned int offset,
164 unsigned int nbytes)
165{
166 int bsize = crypto_blkcipher_blocksize(desc->tfm);
167 u8 tmp[bsize];
168 struct blkcipher_desc lcldesc;
169 struct scatterlist sgsrc[1], sgdst[1];
170 int lastn = nbytes - bsize;
171 u8 iv[bsize];
172 u8 s[bsize * 2], d[bsize * 2];
173 int err;
174
175 if (lastn < 0)
176 return -EINVAL;
177
178 sg_init_table(sgsrc, 1);
179 sg_init_table(sgdst, 1);
180
181 scatterwalk_map_and_copy(s, src, offset, nbytes, 0);
182
183 lcldesc.tfm = ctx->child;
184 lcldesc.info = iv;
185 lcldesc.flags = desc->flags;
186
187 /* 1. Decrypt Cn-1 (s) to create Dn (tmp)*/
188 memset(iv, 0, sizeof(iv));
189 sg_set_buf(&sgsrc[0], s, bsize);
190 sg_set_buf(&sgdst[0], tmp, bsize);
191 err = crypto_blkcipher_decrypt_iv(&lcldesc, sgdst, sgsrc, bsize);
192 if (err)
193 return err;
194 /* 2. Pad Cn with zeros at the end to create C of length BB */
195 memset(iv, 0, sizeof(iv));
196 memcpy(iv, s + bsize, lastn);
197 /* 3. Exclusive-or Dn (tmp) with C (iv) to create Xn (tmp) */
198 crypto_xor(tmp, iv, bsize);
199 /* 4. Select the first Ln bytes of Xn (tmp) to create Pn */
200 memcpy(d + bsize, tmp, lastn);
201
202 /* 5. Append the tail (BB - Ln) bytes of Xn (tmp) to Cn to create En */
203 memcpy(s + bsize + lastn, tmp + lastn, bsize - lastn);
204 /* 6. Decrypt En to create Pn-1 */
205 memset(iv, 0, sizeof(iv));
206 sg_set_buf(&sgsrc[0], s + bsize, bsize);
207 sg_set_buf(&sgdst[0], d, bsize);
208 err = crypto_blkcipher_decrypt_iv(&lcldesc, sgdst, sgsrc, bsize);
209
210 /* XOR with previous block */
211 crypto_xor(d, desc->info, bsize);
212
213 scatterwalk_map_and_copy(d, dst, offset, nbytes, 1);
214
215 memcpy(desc->info, s, bsize);
216 return err;
217}
218
219static int crypto_cts_decrypt(struct blkcipher_desc *desc,
220 struct scatterlist *dst, struct scatterlist *src,
221 unsigned int nbytes)
222{
223 struct crypto_cts_ctx *ctx = crypto_blkcipher_ctx(desc->tfm);
224 int bsize = crypto_blkcipher_blocksize(desc->tfm);
225 int tot_blocks = (nbytes + bsize - 1) / bsize;
226 int cbc_blocks = tot_blocks > 2 ? tot_blocks - 2 : 0;
227 struct blkcipher_desc lcldesc;
228 int err;
229
230 lcldesc.tfm = ctx->child;
231 lcldesc.info = desc->info;
232 lcldesc.flags = desc->flags;
233
234 if (tot_blocks == 1) {
235 err = crypto_blkcipher_decrypt_iv(&lcldesc, dst, src, bsize);
236 } else if (nbytes <= bsize * 2) {
237 err = cts_cbc_decrypt(ctx, desc, dst, src, 0, nbytes);
238 } else {
239 /* do normal function for tot_blocks - 2 */
240 err = crypto_blkcipher_decrypt_iv(&lcldesc, dst, src,
241 cbc_blocks * bsize);
242 if (err == 0) {
243 /* do cts for final two blocks */
244 err = cts_cbc_decrypt(ctx, desc, dst, src,
245 cbc_blocks * bsize,
246 nbytes - (cbc_blocks * bsize));
247 }
248 }
249 return err;
250}
251
252static int crypto_cts_init_tfm(struct crypto_tfm *tfm)
253{
254 struct crypto_instance *inst = (void *)tfm->__crt_alg;
255 struct crypto_spawn *spawn = crypto_instance_ctx(inst);
256 struct crypto_cts_ctx *ctx = crypto_tfm_ctx(tfm);
257 struct crypto_blkcipher *cipher;
258
259 cipher = crypto_spawn_blkcipher(spawn);
260 if (IS_ERR(cipher))
261 return PTR_ERR(cipher);
262
263 ctx->child = cipher;
264 return 0;
265}
266
267static void crypto_cts_exit_tfm(struct crypto_tfm *tfm)
268{
269 struct crypto_cts_ctx *ctx = crypto_tfm_ctx(tfm);
270 crypto_free_blkcipher(ctx->child);
271}
272
273static struct crypto_instance *crypto_cts_alloc(struct rtattr **tb)
274{
275 struct crypto_instance *inst;
276 struct crypto_alg *alg;
277 int err;
278
279 err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_BLKCIPHER);
280 if (err)
281 return ERR_PTR(err);
282
283 alg = crypto_attr_alg(tb[1], CRYPTO_ALG_TYPE_BLKCIPHER,
284 CRYPTO_ALG_TYPE_MASK);
285 if (IS_ERR(alg))
286 return ERR_CAST(alg);
287
288 inst = ERR_PTR(-EINVAL);
289 if (!is_power_of_2(alg->cra_blocksize))
290 goto out_put_alg;
291
292 inst = crypto_alloc_instance("cts", alg);
293 if (IS_ERR(inst))
294 goto out_put_alg;
295
296 inst->alg.cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER;
297 inst->alg.cra_priority = alg->cra_priority;
298 inst->alg.cra_blocksize = alg->cra_blocksize;
299 inst->alg.cra_alignmask = alg->cra_alignmask;
300 inst->alg.cra_type = &crypto_blkcipher_type;
301
302 /* We access the data as u32s when xoring. */
303 inst->alg.cra_alignmask |= __alignof__(u32) - 1;
304
305 inst->alg.cra_blkcipher.ivsize = alg->cra_blocksize;
306 inst->alg.cra_blkcipher.min_keysize = alg->cra_blkcipher.min_keysize;
307 inst->alg.cra_blkcipher.max_keysize = alg->cra_blkcipher.max_keysize;
308
309 inst->alg.cra_blkcipher.geniv = "seqiv";
310
311 inst->alg.cra_ctxsize = sizeof(struct crypto_cts_ctx);
312
313 inst->alg.cra_init = crypto_cts_init_tfm;
314 inst->alg.cra_exit = crypto_cts_exit_tfm;
315
316 inst->alg.cra_blkcipher.setkey = crypto_cts_setkey;
317 inst->alg.cra_blkcipher.encrypt = crypto_cts_encrypt;
318 inst->alg.cra_blkcipher.decrypt = crypto_cts_decrypt;
319
320out_put_alg:
321 crypto_mod_put(alg);
322 return inst;
323}
324
325static void crypto_cts_free(struct crypto_instance *inst)
326{
327 crypto_drop_spawn(crypto_instance_ctx(inst));
328 kfree(inst);
329}
330
331static struct crypto_template crypto_cts_tmpl = {
332 .name = "cts",
333 .alloc = crypto_cts_alloc,
334 .free = crypto_cts_free,
335 .module = THIS_MODULE,
336};
337
338static int __init crypto_cts_module_init(void)
339{
340 return crypto_register_template(&crypto_cts_tmpl);
341}
342
343static void __exit crypto_cts_module_exit(void)
344{
345 crypto_unregister_template(&crypto_cts_tmpl);
346}
347
348module_init(crypto_cts_module_init);
349module_exit(crypto_cts_module_exit);
350
351MODULE_LICENSE("Dual BSD/GPL");
352MODULE_DESCRIPTION("CTS-CBC CipherText Stealing for CBC");
1/*
2 * CTS: Cipher Text Stealing mode
3 *
4 * COPYRIGHT (c) 2008
5 * The Regents of the University of Michigan
6 * ALL RIGHTS RESERVED
7 *
8 * Permission is granted to use, copy, create derivative works
9 * and redistribute this software and such derivative works
10 * for any purpose, so long as the name of The University of
11 * Michigan is not used in any advertising or publicity
12 * pertaining to the use of distribution of this software
13 * without specific, written prior authorization. If the
14 * above copyright notice or any other identification of the
15 * University of Michigan is included in any copy of any
16 * portion of this software, then the disclaimer below must
17 * also be included.
18 *
19 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
20 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
21 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
22 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
23 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
24 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
25 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
26 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
27 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
28 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
29 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGES.
31 */
32
33/* Derived from various:
34 * Copyright (c) 2006 Herbert Xu <herbert@gondor.apana.org.au>
35 */
36
37/*
38 * This is the Cipher Text Stealing mode as described by
39 * Section 8 of rfc2040 and referenced by rfc3962.
40 * rfc3962 includes errata information in its Appendix A.
41 */
42
43#include <crypto/internal/skcipher.h>
44#include <linux/err.h>
45#include <linux/init.h>
46#include <linux/kernel.h>
47#include <linux/log2.h>
48#include <linux/module.h>
49#include <linux/scatterlist.h>
50#include <crypto/scatterwalk.h>
51#include <linux/slab.h>
52
53struct crypto_cts_ctx {
54 struct crypto_skcipher *child;
55};
56
57struct crypto_cts_reqctx {
58 struct scatterlist sg[2];
59 unsigned offset;
60 struct skcipher_request subreq;
61};
62
63static inline u8 *crypto_cts_reqctx_space(struct skcipher_request *req)
64{
65 struct crypto_cts_reqctx *rctx = skcipher_request_ctx(req);
66 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
67 struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(tfm);
68 struct crypto_skcipher *child = ctx->child;
69
70 return PTR_ALIGN((u8 *)(rctx + 1) + crypto_skcipher_reqsize(child),
71 crypto_skcipher_alignmask(tfm) + 1);
72}
73
74static int crypto_cts_setkey(struct crypto_skcipher *parent, const u8 *key,
75 unsigned int keylen)
76{
77 struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(parent);
78 struct crypto_skcipher *child = ctx->child;
79 int err;
80
81 crypto_skcipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
82 crypto_skcipher_set_flags(child, crypto_skcipher_get_flags(parent) &
83 CRYPTO_TFM_REQ_MASK);
84 err = crypto_skcipher_setkey(child, key, keylen);
85 crypto_skcipher_set_flags(parent, crypto_skcipher_get_flags(child) &
86 CRYPTO_TFM_RES_MASK);
87 return err;
88}
89
90static void cts_cbc_crypt_done(struct crypto_async_request *areq, int err)
91{
92 struct skcipher_request *req = areq->data;
93
94 if (err == -EINPROGRESS)
95 return;
96
97 skcipher_request_complete(req, err);
98}
99
100static int cts_cbc_encrypt(struct skcipher_request *req)
101{
102 struct crypto_cts_reqctx *rctx = skcipher_request_ctx(req);
103 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
104 struct skcipher_request *subreq = &rctx->subreq;
105 int bsize = crypto_skcipher_blocksize(tfm);
106 u8 d[bsize * 2] __attribute__ ((aligned(__alignof__(u32))));
107 struct scatterlist *sg;
108 unsigned int offset;
109 int lastn;
110
111 offset = rctx->offset;
112 lastn = req->cryptlen - offset;
113
114 sg = scatterwalk_ffwd(rctx->sg, req->dst, offset - bsize);
115 scatterwalk_map_and_copy(d + bsize, sg, 0, bsize, 0);
116
117 memset(d, 0, bsize);
118 scatterwalk_map_and_copy(d, req->src, offset, lastn, 0);
119
120 scatterwalk_map_and_copy(d, sg, 0, bsize + lastn, 1);
121 memzero_explicit(d, sizeof(d));
122
123 skcipher_request_set_callback(subreq, req->base.flags &
124 CRYPTO_TFM_REQ_MAY_BACKLOG,
125 cts_cbc_crypt_done, req);
126 skcipher_request_set_crypt(subreq, sg, sg, bsize, req->iv);
127 return crypto_skcipher_encrypt(subreq);
128}
129
130static void crypto_cts_encrypt_done(struct crypto_async_request *areq, int err)
131{
132 struct skcipher_request *req = areq->data;
133
134 if (err)
135 goto out;
136
137 err = cts_cbc_encrypt(req);
138 if (err == -EINPROGRESS ||
139 (err == -EBUSY && req->base.flags & CRYPTO_TFM_REQ_MAY_BACKLOG))
140 return;
141
142out:
143 skcipher_request_complete(req, err);
144}
145
146static int crypto_cts_encrypt(struct skcipher_request *req)
147{
148 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
149 struct crypto_cts_reqctx *rctx = skcipher_request_ctx(req);
150 struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(tfm);
151 struct skcipher_request *subreq = &rctx->subreq;
152 int bsize = crypto_skcipher_blocksize(tfm);
153 unsigned int nbytes = req->cryptlen;
154 int cbc_blocks = (nbytes + bsize - 1) / bsize - 1;
155 unsigned int offset;
156
157 skcipher_request_set_tfm(subreq, ctx->child);
158
159 if (cbc_blocks <= 0) {
160 skcipher_request_set_callback(subreq, req->base.flags,
161 req->base.complete,
162 req->base.data);
163 skcipher_request_set_crypt(subreq, req->src, req->dst, nbytes,
164 req->iv);
165 return crypto_skcipher_encrypt(subreq);
166 }
167
168 offset = cbc_blocks * bsize;
169 rctx->offset = offset;
170
171 skcipher_request_set_callback(subreq, req->base.flags,
172 crypto_cts_encrypt_done, req);
173 skcipher_request_set_crypt(subreq, req->src, req->dst,
174 offset, req->iv);
175
176 return crypto_skcipher_encrypt(subreq) ?:
177 cts_cbc_encrypt(req);
178}
179
180static int cts_cbc_decrypt(struct skcipher_request *req)
181{
182 struct crypto_cts_reqctx *rctx = skcipher_request_ctx(req);
183 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
184 struct skcipher_request *subreq = &rctx->subreq;
185 int bsize = crypto_skcipher_blocksize(tfm);
186 u8 d[bsize * 2] __attribute__ ((aligned(__alignof__(u32))));
187 struct scatterlist *sg;
188 unsigned int offset;
189 u8 *space;
190 int lastn;
191
192 offset = rctx->offset;
193 lastn = req->cryptlen - offset;
194
195 sg = scatterwalk_ffwd(rctx->sg, req->dst, offset - bsize);
196
197 /* 1. Decrypt Cn-1 (s) to create Dn */
198 scatterwalk_map_and_copy(d + bsize, sg, 0, bsize, 0);
199 space = crypto_cts_reqctx_space(req);
200 crypto_xor(d + bsize, space, bsize);
201 /* 2. Pad Cn with zeros at the end to create C of length BB */
202 memset(d, 0, bsize);
203 scatterwalk_map_and_copy(d, req->src, offset, lastn, 0);
204 /* 3. Exclusive-or Dn with C to create Xn */
205 /* 4. Select the first Ln bytes of Xn to create Pn */
206 crypto_xor(d + bsize, d, lastn);
207
208 /* 5. Append the tail (BB - Ln) bytes of Xn to Cn to create En */
209 memcpy(d + lastn, d + bsize + lastn, bsize - lastn);
210 /* 6. Decrypt En to create Pn-1 */
211
212 scatterwalk_map_and_copy(d, sg, 0, bsize + lastn, 1);
213 memzero_explicit(d, sizeof(d));
214
215 skcipher_request_set_callback(subreq, req->base.flags &
216 CRYPTO_TFM_REQ_MAY_BACKLOG,
217 cts_cbc_crypt_done, req);
218
219 skcipher_request_set_crypt(subreq, sg, sg, bsize, space);
220 return crypto_skcipher_decrypt(subreq);
221}
222
223static void crypto_cts_decrypt_done(struct crypto_async_request *areq, int err)
224{
225 struct skcipher_request *req = areq->data;
226
227 if (err)
228 goto out;
229
230 err = cts_cbc_decrypt(req);
231 if (err == -EINPROGRESS ||
232 (err == -EBUSY && req->base.flags & CRYPTO_TFM_REQ_MAY_BACKLOG))
233 return;
234
235out:
236 skcipher_request_complete(req, err);
237}
238
239static int crypto_cts_decrypt(struct skcipher_request *req)
240{
241 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
242 struct crypto_cts_reqctx *rctx = skcipher_request_ctx(req);
243 struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(tfm);
244 struct skcipher_request *subreq = &rctx->subreq;
245 int bsize = crypto_skcipher_blocksize(tfm);
246 unsigned int nbytes = req->cryptlen;
247 int cbc_blocks = (nbytes + bsize - 1) / bsize - 1;
248 unsigned int offset;
249 u8 *space;
250
251 skcipher_request_set_tfm(subreq, ctx->child);
252
253 if (cbc_blocks <= 0) {
254 skcipher_request_set_callback(subreq, req->base.flags,
255 req->base.complete,
256 req->base.data);
257 skcipher_request_set_crypt(subreq, req->src, req->dst, nbytes,
258 req->iv);
259 return crypto_skcipher_decrypt(subreq);
260 }
261
262 skcipher_request_set_callback(subreq, req->base.flags,
263 crypto_cts_decrypt_done, req);
264
265 space = crypto_cts_reqctx_space(req);
266
267 offset = cbc_blocks * bsize;
268 rctx->offset = offset;
269
270 if (cbc_blocks <= 1)
271 memcpy(space, req->iv, bsize);
272 else
273 scatterwalk_map_and_copy(space, req->src, offset - 2 * bsize,
274 bsize, 0);
275
276 skcipher_request_set_crypt(subreq, req->src, req->dst,
277 offset, req->iv);
278
279 return crypto_skcipher_decrypt(subreq) ?:
280 cts_cbc_decrypt(req);
281}
282
283static int crypto_cts_init_tfm(struct crypto_skcipher *tfm)
284{
285 struct skcipher_instance *inst = skcipher_alg_instance(tfm);
286 struct crypto_skcipher_spawn *spawn = skcipher_instance_ctx(inst);
287 struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(tfm);
288 struct crypto_skcipher *cipher;
289 unsigned reqsize;
290 unsigned bsize;
291 unsigned align;
292
293 cipher = crypto_spawn_skcipher(spawn);
294 if (IS_ERR(cipher))
295 return PTR_ERR(cipher);
296
297 ctx->child = cipher;
298
299 align = crypto_skcipher_alignmask(tfm);
300 bsize = crypto_skcipher_blocksize(cipher);
301 reqsize = ALIGN(sizeof(struct crypto_cts_reqctx) +
302 crypto_skcipher_reqsize(cipher),
303 crypto_tfm_ctx_alignment()) +
304 (align & ~(crypto_tfm_ctx_alignment() - 1)) + bsize;
305
306 crypto_skcipher_set_reqsize(tfm, reqsize);
307
308 return 0;
309}
310
311static void crypto_cts_exit_tfm(struct crypto_skcipher *tfm)
312{
313 struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(tfm);
314
315 crypto_free_skcipher(ctx->child);
316}
317
318static void crypto_cts_free(struct skcipher_instance *inst)
319{
320 crypto_drop_skcipher(skcipher_instance_ctx(inst));
321 kfree(inst);
322}
323
324static int crypto_cts_create(struct crypto_template *tmpl, struct rtattr **tb)
325{
326 struct crypto_skcipher_spawn *spawn;
327 struct skcipher_instance *inst;
328 struct crypto_attr_type *algt;
329 struct skcipher_alg *alg;
330 const char *cipher_name;
331 int err;
332
333 algt = crypto_get_attr_type(tb);
334 if (IS_ERR(algt))
335 return PTR_ERR(algt);
336
337 if ((algt->type ^ CRYPTO_ALG_TYPE_SKCIPHER) & algt->mask)
338 return -EINVAL;
339
340 cipher_name = crypto_attr_alg_name(tb[1]);
341 if (IS_ERR(cipher_name))
342 return PTR_ERR(cipher_name);
343
344 inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
345 if (!inst)
346 return -ENOMEM;
347
348 spawn = skcipher_instance_ctx(inst);
349
350 crypto_set_skcipher_spawn(spawn, skcipher_crypto_instance(inst));
351 err = crypto_grab_skcipher(spawn, cipher_name, 0,
352 crypto_requires_sync(algt->type,
353 algt->mask));
354 if (err)
355 goto err_free_inst;
356
357 alg = crypto_spawn_skcipher_alg(spawn);
358
359 err = -EINVAL;
360 if (crypto_skcipher_alg_ivsize(alg) != alg->base.cra_blocksize)
361 goto err_drop_spawn;
362
363 if (strncmp(alg->base.cra_name, "cbc(", 4))
364 goto err_drop_spawn;
365
366 err = crypto_inst_setname(skcipher_crypto_instance(inst), "cts",
367 &alg->base);
368 if (err)
369 goto err_drop_spawn;
370
371 inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC;
372 inst->alg.base.cra_priority = alg->base.cra_priority;
373 inst->alg.base.cra_blocksize = alg->base.cra_blocksize;
374 inst->alg.base.cra_alignmask = alg->base.cra_alignmask;
375
376 /* We access the data as u32s when xoring. */
377 inst->alg.base.cra_alignmask |= __alignof__(u32) - 1;
378
379 inst->alg.ivsize = alg->base.cra_blocksize;
380 inst->alg.chunksize = crypto_skcipher_alg_chunksize(alg);
381 inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg);
382 inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(alg);
383
384 inst->alg.base.cra_ctxsize = sizeof(struct crypto_cts_ctx);
385
386 inst->alg.init = crypto_cts_init_tfm;
387 inst->alg.exit = crypto_cts_exit_tfm;
388
389 inst->alg.setkey = crypto_cts_setkey;
390 inst->alg.encrypt = crypto_cts_encrypt;
391 inst->alg.decrypt = crypto_cts_decrypt;
392
393 inst->free = crypto_cts_free;
394
395 err = skcipher_register_instance(tmpl, inst);
396 if (err)
397 goto err_drop_spawn;
398
399out:
400 return err;
401
402err_drop_spawn:
403 crypto_drop_skcipher(spawn);
404err_free_inst:
405 kfree(inst);
406 goto out;
407}
408
409static struct crypto_template crypto_cts_tmpl = {
410 .name = "cts",
411 .create = crypto_cts_create,
412 .module = THIS_MODULE,
413};
414
415static int __init crypto_cts_module_init(void)
416{
417 return crypto_register_template(&crypto_cts_tmpl);
418}
419
420static void __exit crypto_cts_module_exit(void)
421{
422 crypto_unregister_template(&crypto_cts_tmpl);
423}
424
425module_init(crypto_cts_module_init);
426module_exit(crypto_cts_module_exit);
427
428MODULE_LICENSE("Dual BSD/GPL");
429MODULE_DESCRIPTION("CTS-CBC CipherText Stealing for CBC");
430MODULE_ALIAS_CRYPTO("cts");