Loading...
1/*
2 * CTS: Cipher Text Stealing mode
3 *
4 * COPYRIGHT (c) 2008
5 * The Regents of the University of Michigan
6 * ALL RIGHTS RESERVED
7 *
8 * Permission is granted to use, copy, create derivative works
9 * and redistribute this software and such derivative works
10 * for any purpose, so long as the name of The University of
11 * Michigan is not used in any advertising or publicity
12 * pertaining to the use of distribution of this software
13 * without specific, written prior authorization. If the
14 * above copyright notice or any other identification of the
15 * University of Michigan is included in any copy of any
16 * portion of this software, then the disclaimer below must
17 * also be included.
18 *
19 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
20 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
21 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
22 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
23 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
24 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
25 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
26 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
27 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
28 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
29 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGES.
31 */
32
33/* Derived from various:
34 * Copyright (c) 2006 Herbert Xu <herbert@gondor.apana.org.au>
35 */
36
37/*
38 * This is the Cipher Text Stealing mode as described by
39 * Section 8 of rfc2040 and referenced by rfc3962.
40 * rfc3962 includes errata information in its Appendix A.
41 */
42
43#include <crypto/algapi.h>
44#include <crypto/internal/skcipher.h>
45#include <linux/err.h>
46#include <linux/init.h>
47#include <linux/kernel.h>
48#include <linux/log2.h>
49#include <linux/module.h>
50#include <linux/scatterlist.h>
51#include <crypto/scatterwalk.h>
52#include <linux/slab.h>
53#include <linux/compiler.h>
54
55struct crypto_cts_ctx {
56 struct crypto_skcipher *child;
57};
58
59struct crypto_cts_reqctx {
60 struct scatterlist sg[2];
61 unsigned offset;
62 struct skcipher_request subreq;
63};
64
65static inline u8 *crypto_cts_reqctx_space(struct skcipher_request *req)
66{
67 struct crypto_cts_reqctx *rctx = skcipher_request_ctx(req);
68 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
69 struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(tfm);
70 struct crypto_skcipher *child = ctx->child;
71
72 return PTR_ALIGN((u8 *)(rctx + 1) + crypto_skcipher_reqsize(child),
73 crypto_skcipher_alignmask(tfm) + 1);
74}
75
76static int crypto_cts_setkey(struct crypto_skcipher *parent, const u8 *key,
77 unsigned int keylen)
78{
79 struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(parent);
80 struct crypto_skcipher *child = ctx->child;
81
82 crypto_skcipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
83 crypto_skcipher_set_flags(child, crypto_skcipher_get_flags(parent) &
84 CRYPTO_TFM_REQ_MASK);
85 return crypto_skcipher_setkey(child, key, keylen);
86}
87
88static void cts_cbc_crypt_done(void *data, int err)
89{
90 struct skcipher_request *req = data;
91
92 if (err == -EINPROGRESS)
93 return;
94
95 skcipher_request_complete(req, err);
96}
97
98static int cts_cbc_encrypt(struct skcipher_request *req)
99{
100 struct crypto_cts_reqctx *rctx = skcipher_request_ctx(req);
101 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
102 struct skcipher_request *subreq = &rctx->subreq;
103 int bsize = crypto_skcipher_blocksize(tfm);
104 u8 d[MAX_CIPHER_BLOCKSIZE * 2] __aligned(__alignof__(u32));
105 struct scatterlist *sg;
106 unsigned int offset;
107 int lastn;
108
109 offset = rctx->offset;
110 lastn = req->cryptlen - offset;
111
112 sg = scatterwalk_ffwd(rctx->sg, req->dst, offset - bsize);
113 scatterwalk_map_and_copy(d + bsize, sg, 0, bsize, 0);
114
115 memset(d, 0, bsize);
116 scatterwalk_map_and_copy(d, req->src, offset, lastn, 0);
117
118 scatterwalk_map_and_copy(d, sg, 0, bsize + lastn, 1);
119 memzero_explicit(d, sizeof(d));
120
121 skcipher_request_set_callback(subreq, req->base.flags &
122 CRYPTO_TFM_REQ_MAY_BACKLOG,
123 cts_cbc_crypt_done, req);
124 skcipher_request_set_crypt(subreq, sg, sg, bsize, req->iv);
125 return crypto_skcipher_encrypt(subreq);
126}
127
128static void crypto_cts_encrypt_done(void *data, int err)
129{
130 struct skcipher_request *req = data;
131
132 if (err)
133 goto out;
134
135 err = cts_cbc_encrypt(req);
136 if (err == -EINPROGRESS || err == -EBUSY)
137 return;
138
139out:
140 skcipher_request_complete(req, err);
141}
142
143static int crypto_cts_encrypt(struct skcipher_request *req)
144{
145 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
146 struct crypto_cts_reqctx *rctx = skcipher_request_ctx(req);
147 struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(tfm);
148 struct skcipher_request *subreq = &rctx->subreq;
149 int bsize = crypto_skcipher_blocksize(tfm);
150 unsigned int nbytes = req->cryptlen;
151 unsigned int offset;
152
153 skcipher_request_set_tfm(subreq, ctx->child);
154
155 if (nbytes < bsize)
156 return -EINVAL;
157
158 if (nbytes == bsize) {
159 skcipher_request_set_callback(subreq, req->base.flags,
160 req->base.complete,
161 req->base.data);
162 skcipher_request_set_crypt(subreq, req->src, req->dst, nbytes,
163 req->iv);
164 return crypto_skcipher_encrypt(subreq);
165 }
166
167 offset = rounddown(nbytes - 1, bsize);
168 rctx->offset = offset;
169
170 skcipher_request_set_callback(subreq, req->base.flags,
171 crypto_cts_encrypt_done, req);
172 skcipher_request_set_crypt(subreq, req->src, req->dst,
173 offset, req->iv);
174
175 return crypto_skcipher_encrypt(subreq) ?:
176 cts_cbc_encrypt(req);
177}
178
179static int cts_cbc_decrypt(struct skcipher_request *req)
180{
181 struct crypto_cts_reqctx *rctx = skcipher_request_ctx(req);
182 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
183 struct skcipher_request *subreq = &rctx->subreq;
184 int bsize = crypto_skcipher_blocksize(tfm);
185 u8 d[MAX_CIPHER_BLOCKSIZE * 2] __aligned(__alignof__(u32));
186 struct scatterlist *sg;
187 unsigned int offset;
188 u8 *space;
189 int lastn;
190
191 offset = rctx->offset;
192 lastn = req->cryptlen - offset;
193
194 sg = scatterwalk_ffwd(rctx->sg, req->dst, offset - bsize);
195
196 /* 1. Decrypt Cn-1 (s) to create Dn */
197 scatterwalk_map_and_copy(d + bsize, sg, 0, bsize, 0);
198 space = crypto_cts_reqctx_space(req);
199 crypto_xor(d + bsize, space, bsize);
200 /* 2. Pad Cn with zeros at the end to create C of length BB */
201 memset(d, 0, bsize);
202 scatterwalk_map_and_copy(d, req->src, offset, lastn, 0);
203 /* 3. Exclusive-or Dn with C to create Xn */
204 /* 4. Select the first Ln bytes of Xn to create Pn */
205 crypto_xor(d + bsize, d, lastn);
206
207 /* 5. Append the tail (BB - Ln) bytes of Xn to Cn to create En */
208 memcpy(d + lastn, d + bsize + lastn, bsize - lastn);
209 /* 6. Decrypt En to create Pn-1 */
210
211 scatterwalk_map_and_copy(d, sg, 0, bsize + lastn, 1);
212 memzero_explicit(d, sizeof(d));
213
214 skcipher_request_set_callback(subreq, req->base.flags &
215 CRYPTO_TFM_REQ_MAY_BACKLOG,
216 cts_cbc_crypt_done, req);
217
218 skcipher_request_set_crypt(subreq, sg, sg, bsize, space);
219 return crypto_skcipher_decrypt(subreq);
220}
221
222static void crypto_cts_decrypt_done(void *data, int err)
223{
224 struct skcipher_request *req = data;
225
226 if (err)
227 goto out;
228
229 err = cts_cbc_decrypt(req);
230 if (err == -EINPROGRESS || err == -EBUSY)
231 return;
232
233out:
234 skcipher_request_complete(req, err);
235}
236
237static int crypto_cts_decrypt(struct skcipher_request *req)
238{
239 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
240 struct crypto_cts_reqctx *rctx = skcipher_request_ctx(req);
241 struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(tfm);
242 struct skcipher_request *subreq = &rctx->subreq;
243 int bsize = crypto_skcipher_blocksize(tfm);
244 unsigned int nbytes = req->cryptlen;
245 unsigned int offset;
246 u8 *space;
247
248 skcipher_request_set_tfm(subreq, ctx->child);
249
250 if (nbytes < bsize)
251 return -EINVAL;
252
253 if (nbytes == bsize) {
254 skcipher_request_set_callback(subreq, req->base.flags,
255 req->base.complete,
256 req->base.data);
257 skcipher_request_set_crypt(subreq, req->src, req->dst, nbytes,
258 req->iv);
259 return crypto_skcipher_decrypt(subreq);
260 }
261
262 skcipher_request_set_callback(subreq, req->base.flags,
263 crypto_cts_decrypt_done, req);
264
265 space = crypto_cts_reqctx_space(req);
266
267 offset = rounddown(nbytes - 1, bsize);
268 rctx->offset = offset;
269
270 if (offset <= bsize)
271 memcpy(space, req->iv, bsize);
272 else
273 scatterwalk_map_and_copy(space, req->src, offset - 2 * bsize,
274 bsize, 0);
275
276 skcipher_request_set_crypt(subreq, req->src, req->dst,
277 offset, req->iv);
278
279 return crypto_skcipher_decrypt(subreq) ?:
280 cts_cbc_decrypt(req);
281}
282
283static int crypto_cts_init_tfm(struct crypto_skcipher *tfm)
284{
285 struct skcipher_instance *inst = skcipher_alg_instance(tfm);
286 struct crypto_skcipher_spawn *spawn = skcipher_instance_ctx(inst);
287 struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(tfm);
288 struct crypto_skcipher *cipher;
289 unsigned reqsize;
290 unsigned bsize;
291 unsigned align;
292
293 cipher = crypto_spawn_skcipher(spawn);
294 if (IS_ERR(cipher))
295 return PTR_ERR(cipher);
296
297 ctx->child = cipher;
298
299 align = crypto_skcipher_alignmask(tfm);
300 bsize = crypto_skcipher_blocksize(cipher);
301 reqsize = ALIGN(sizeof(struct crypto_cts_reqctx) +
302 crypto_skcipher_reqsize(cipher),
303 crypto_tfm_ctx_alignment()) +
304 (align & ~(crypto_tfm_ctx_alignment() - 1)) + bsize;
305
306 crypto_skcipher_set_reqsize(tfm, reqsize);
307
308 return 0;
309}
310
311static void crypto_cts_exit_tfm(struct crypto_skcipher *tfm)
312{
313 struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(tfm);
314
315 crypto_free_skcipher(ctx->child);
316}
317
318static void crypto_cts_free(struct skcipher_instance *inst)
319{
320 crypto_drop_skcipher(skcipher_instance_ctx(inst));
321 kfree(inst);
322}
323
324static int crypto_cts_create(struct crypto_template *tmpl, struct rtattr **tb)
325{
326 struct crypto_skcipher_spawn *spawn;
327 struct skcipher_alg_common *alg;
328 struct skcipher_instance *inst;
329 u32 mask;
330 int err;
331
332 err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_SKCIPHER, &mask);
333 if (err)
334 return err;
335
336 inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
337 if (!inst)
338 return -ENOMEM;
339
340 spawn = skcipher_instance_ctx(inst);
341
342 err = crypto_grab_skcipher(spawn, skcipher_crypto_instance(inst),
343 crypto_attr_alg_name(tb[1]), 0, mask);
344 if (err)
345 goto err_free_inst;
346
347 alg = crypto_spawn_skcipher_alg_common(spawn);
348
349 err = -EINVAL;
350 if (alg->ivsize != alg->base.cra_blocksize)
351 goto err_free_inst;
352
353 if (strncmp(alg->base.cra_name, "cbc(", 4))
354 goto err_free_inst;
355
356 err = crypto_inst_setname(skcipher_crypto_instance(inst), "cts",
357 &alg->base);
358 if (err)
359 goto err_free_inst;
360
361 inst->alg.base.cra_priority = alg->base.cra_priority;
362 inst->alg.base.cra_blocksize = alg->base.cra_blocksize;
363 inst->alg.base.cra_alignmask = alg->base.cra_alignmask;
364
365 inst->alg.ivsize = alg->base.cra_blocksize;
366 inst->alg.chunksize = alg->chunksize;
367 inst->alg.min_keysize = alg->min_keysize;
368 inst->alg.max_keysize = alg->max_keysize;
369
370 inst->alg.base.cra_ctxsize = sizeof(struct crypto_cts_ctx);
371
372 inst->alg.init = crypto_cts_init_tfm;
373 inst->alg.exit = crypto_cts_exit_tfm;
374
375 inst->alg.setkey = crypto_cts_setkey;
376 inst->alg.encrypt = crypto_cts_encrypt;
377 inst->alg.decrypt = crypto_cts_decrypt;
378
379 inst->free = crypto_cts_free;
380
381 err = skcipher_register_instance(tmpl, inst);
382 if (err) {
383err_free_inst:
384 crypto_cts_free(inst);
385 }
386 return err;
387}
388
389static struct crypto_template crypto_cts_tmpl = {
390 .name = "cts",
391 .create = crypto_cts_create,
392 .module = THIS_MODULE,
393};
394
395static int __init crypto_cts_module_init(void)
396{
397 return crypto_register_template(&crypto_cts_tmpl);
398}
399
400static void __exit crypto_cts_module_exit(void)
401{
402 crypto_unregister_template(&crypto_cts_tmpl);
403}
404
405subsys_initcall(crypto_cts_module_init);
406module_exit(crypto_cts_module_exit);
407
408MODULE_LICENSE("Dual BSD/GPL");
409MODULE_DESCRIPTION("CTS-CBC CipherText Stealing for CBC");
410MODULE_ALIAS_CRYPTO("cts");
1/*
2 * CTS: Cipher Text Stealing mode
3 *
4 * COPYRIGHT (c) 2008
5 * The Regents of the University of Michigan
6 * ALL RIGHTS RESERVED
7 *
8 * Permission is granted to use, copy, create derivative works
9 * and redistribute this software and such derivative works
10 * for any purpose, so long as the name of The University of
11 * Michigan is not used in any advertising or publicity
12 * pertaining to the use of distribution of this software
13 * without specific, written prior authorization. If the
14 * above copyright notice or any other identification of the
15 * University of Michigan is included in any copy of any
16 * portion of this software, then the disclaimer below must
17 * also be included.
18 *
19 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
20 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
21 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
22 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
23 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
24 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
25 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
26 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
27 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
28 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
29 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGES.
31 */
32
33/* Derived from various:
34 * Copyright (c) 2006 Herbert Xu <herbert@gondor.apana.org.au>
35 */
36
37/*
38 * This is the Cipher Text Stealing mode as described by
39 * Section 8 of rfc2040 and referenced by rfc3962.
40 * rfc3962 includes errata information in its Appendix A.
41 */
42
43#include <crypto/algapi.h>
44#include <crypto/internal/skcipher.h>
45#include <linux/err.h>
46#include <linux/init.h>
47#include <linux/kernel.h>
48#include <linux/log2.h>
49#include <linux/module.h>
50#include <linux/scatterlist.h>
51#include <crypto/scatterwalk.h>
52#include <linux/slab.h>
53#include <linux/compiler.h>
54
55struct crypto_cts_ctx {
56 struct crypto_skcipher *child;
57};
58
59struct crypto_cts_reqctx {
60 struct scatterlist sg[2];
61 unsigned offset;
62 struct skcipher_request subreq;
63};
64
65static inline u8 *crypto_cts_reqctx_space(struct skcipher_request *req)
66{
67 struct crypto_cts_reqctx *rctx = skcipher_request_ctx(req);
68 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
69 struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(tfm);
70 struct crypto_skcipher *child = ctx->child;
71
72 return PTR_ALIGN((u8 *)(rctx + 1) + crypto_skcipher_reqsize(child),
73 crypto_skcipher_alignmask(tfm) + 1);
74}
75
76static int crypto_cts_setkey(struct crypto_skcipher *parent, const u8 *key,
77 unsigned int keylen)
78{
79 struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(parent);
80 struct crypto_skcipher *child = ctx->child;
81 int err;
82
83 crypto_skcipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
84 crypto_skcipher_set_flags(child, crypto_skcipher_get_flags(parent) &
85 CRYPTO_TFM_REQ_MASK);
86 err = crypto_skcipher_setkey(child, key, keylen);
87 crypto_skcipher_set_flags(parent, crypto_skcipher_get_flags(child) &
88 CRYPTO_TFM_RES_MASK);
89 return err;
90}
91
92static void cts_cbc_crypt_done(struct crypto_async_request *areq, int err)
93{
94 struct skcipher_request *req = areq->data;
95
96 if (err == -EINPROGRESS)
97 return;
98
99 skcipher_request_complete(req, err);
100}
101
102static int cts_cbc_encrypt(struct skcipher_request *req)
103{
104 struct crypto_cts_reqctx *rctx = skcipher_request_ctx(req);
105 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
106 struct skcipher_request *subreq = &rctx->subreq;
107 int bsize = crypto_skcipher_blocksize(tfm);
108 u8 d[MAX_CIPHER_BLOCKSIZE * 2] __aligned(__alignof__(u32));
109 struct scatterlist *sg;
110 unsigned int offset;
111 int lastn;
112
113 offset = rctx->offset;
114 lastn = req->cryptlen - offset;
115
116 sg = scatterwalk_ffwd(rctx->sg, req->dst, offset - bsize);
117 scatterwalk_map_and_copy(d + bsize, sg, 0, bsize, 0);
118
119 memset(d, 0, bsize);
120 scatterwalk_map_and_copy(d, req->src, offset, lastn, 0);
121
122 scatterwalk_map_and_copy(d, sg, 0, bsize + lastn, 1);
123 memzero_explicit(d, sizeof(d));
124
125 skcipher_request_set_callback(subreq, req->base.flags &
126 CRYPTO_TFM_REQ_MAY_BACKLOG,
127 cts_cbc_crypt_done, req);
128 skcipher_request_set_crypt(subreq, sg, sg, bsize, req->iv);
129 return crypto_skcipher_encrypt(subreq);
130}
131
132static void crypto_cts_encrypt_done(struct crypto_async_request *areq, int err)
133{
134 struct skcipher_request *req = areq->data;
135
136 if (err)
137 goto out;
138
139 err = cts_cbc_encrypt(req);
140 if (err == -EINPROGRESS || err == -EBUSY)
141 return;
142
143out:
144 skcipher_request_complete(req, err);
145}
146
147static int crypto_cts_encrypt(struct skcipher_request *req)
148{
149 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
150 struct crypto_cts_reqctx *rctx = skcipher_request_ctx(req);
151 struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(tfm);
152 struct skcipher_request *subreq = &rctx->subreq;
153 int bsize = crypto_skcipher_blocksize(tfm);
154 unsigned int nbytes = req->cryptlen;
155 unsigned int offset;
156
157 skcipher_request_set_tfm(subreq, ctx->child);
158
159 if (nbytes < bsize)
160 return -EINVAL;
161
162 if (nbytes == bsize) {
163 skcipher_request_set_callback(subreq, req->base.flags,
164 req->base.complete,
165 req->base.data);
166 skcipher_request_set_crypt(subreq, req->src, req->dst, nbytes,
167 req->iv);
168 return crypto_skcipher_encrypt(subreq);
169 }
170
171 offset = rounddown(nbytes - 1, bsize);
172 rctx->offset = offset;
173
174 skcipher_request_set_callback(subreq, req->base.flags,
175 crypto_cts_encrypt_done, req);
176 skcipher_request_set_crypt(subreq, req->src, req->dst,
177 offset, req->iv);
178
179 return crypto_skcipher_encrypt(subreq) ?:
180 cts_cbc_encrypt(req);
181}
182
183static int cts_cbc_decrypt(struct skcipher_request *req)
184{
185 struct crypto_cts_reqctx *rctx = skcipher_request_ctx(req);
186 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
187 struct skcipher_request *subreq = &rctx->subreq;
188 int bsize = crypto_skcipher_blocksize(tfm);
189 u8 d[MAX_CIPHER_BLOCKSIZE * 2] __aligned(__alignof__(u32));
190 struct scatterlist *sg;
191 unsigned int offset;
192 u8 *space;
193 int lastn;
194
195 offset = rctx->offset;
196 lastn = req->cryptlen - offset;
197
198 sg = scatterwalk_ffwd(rctx->sg, req->dst, offset - bsize);
199
200 /* 1. Decrypt Cn-1 (s) to create Dn */
201 scatterwalk_map_and_copy(d + bsize, sg, 0, bsize, 0);
202 space = crypto_cts_reqctx_space(req);
203 crypto_xor(d + bsize, space, bsize);
204 /* 2. Pad Cn with zeros at the end to create C of length BB */
205 memset(d, 0, bsize);
206 scatterwalk_map_and_copy(d, req->src, offset, lastn, 0);
207 /* 3. Exclusive-or Dn with C to create Xn */
208 /* 4. Select the first Ln bytes of Xn to create Pn */
209 crypto_xor(d + bsize, d, lastn);
210
211 /* 5. Append the tail (BB - Ln) bytes of Xn to Cn to create En */
212 memcpy(d + lastn, d + bsize + lastn, bsize - lastn);
213 /* 6. Decrypt En to create Pn-1 */
214
215 scatterwalk_map_and_copy(d, sg, 0, bsize + lastn, 1);
216 memzero_explicit(d, sizeof(d));
217
218 skcipher_request_set_callback(subreq, req->base.flags &
219 CRYPTO_TFM_REQ_MAY_BACKLOG,
220 cts_cbc_crypt_done, req);
221
222 skcipher_request_set_crypt(subreq, sg, sg, bsize, space);
223 return crypto_skcipher_decrypt(subreq);
224}
225
226static void crypto_cts_decrypt_done(struct crypto_async_request *areq, int err)
227{
228 struct skcipher_request *req = areq->data;
229
230 if (err)
231 goto out;
232
233 err = cts_cbc_decrypt(req);
234 if (err == -EINPROGRESS || err == -EBUSY)
235 return;
236
237out:
238 skcipher_request_complete(req, err);
239}
240
241static int crypto_cts_decrypt(struct skcipher_request *req)
242{
243 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
244 struct crypto_cts_reqctx *rctx = skcipher_request_ctx(req);
245 struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(tfm);
246 struct skcipher_request *subreq = &rctx->subreq;
247 int bsize = crypto_skcipher_blocksize(tfm);
248 unsigned int nbytes = req->cryptlen;
249 unsigned int offset;
250 u8 *space;
251
252 skcipher_request_set_tfm(subreq, ctx->child);
253
254 if (nbytes < bsize)
255 return -EINVAL;
256
257 if (nbytes == bsize) {
258 skcipher_request_set_callback(subreq, req->base.flags,
259 req->base.complete,
260 req->base.data);
261 skcipher_request_set_crypt(subreq, req->src, req->dst, nbytes,
262 req->iv);
263 return crypto_skcipher_decrypt(subreq);
264 }
265
266 skcipher_request_set_callback(subreq, req->base.flags,
267 crypto_cts_decrypt_done, req);
268
269 space = crypto_cts_reqctx_space(req);
270
271 offset = rounddown(nbytes - 1, bsize);
272 rctx->offset = offset;
273
274 if (offset <= bsize)
275 memcpy(space, req->iv, bsize);
276 else
277 scatterwalk_map_and_copy(space, req->src, offset - 2 * bsize,
278 bsize, 0);
279
280 skcipher_request_set_crypt(subreq, req->src, req->dst,
281 offset, req->iv);
282
283 return crypto_skcipher_decrypt(subreq) ?:
284 cts_cbc_decrypt(req);
285}
286
287static int crypto_cts_init_tfm(struct crypto_skcipher *tfm)
288{
289 struct skcipher_instance *inst = skcipher_alg_instance(tfm);
290 struct crypto_skcipher_spawn *spawn = skcipher_instance_ctx(inst);
291 struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(tfm);
292 struct crypto_skcipher *cipher;
293 unsigned reqsize;
294 unsigned bsize;
295 unsigned align;
296
297 cipher = crypto_spawn_skcipher(spawn);
298 if (IS_ERR(cipher))
299 return PTR_ERR(cipher);
300
301 ctx->child = cipher;
302
303 align = crypto_skcipher_alignmask(tfm);
304 bsize = crypto_skcipher_blocksize(cipher);
305 reqsize = ALIGN(sizeof(struct crypto_cts_reqctx) +
306 crypto_skcipher_reqsize(cipher),
307 crypto_tfm_ctx_alignment()) +
308 (align & ~(crypto_tfm_ctx_alignment() - 1)) + bsize;
309
310 crypto_skcipher_set_reqsize(tfm, reqsize);
311
312 return 0;
313}
314
315static void crypto_cts_exit_tfm(struct crypto_skcipher *tfm)
316{
317 struct crypto_cts_ctx *ctx = crypto_skcipher_ctx(tfm);
318
319 crypto_free_skcipher(ctx->child);
320}
321
322static void crypto_cts_free(struct skcipher_instance *inst)
323{
324 crypto_drop_skcipher(skcipher_instance_ctx(inst));
325 kfree(inst);
326}
327
328static int crypto_cts_create(struct crypto_template *tmpl, struct rtattr **tb)
329{
330 struct crypto_skcipher_spawn *spawn;
331 struct skcipher_instance *inst;
332 struct crypto_attr_type *algt;
333 struct skcipher_alg *alg;
334 const char *cipher_name;
335 int err;
336
337 algt = crypto_get_attr_type(tb);
338 if (IS_ERR(algt))
339 return PTR_ERR(algt);
340
341 if ((algt->type ^ CRYPTO_ALG_TYPE_SKCIPHER) & algt->mask)
342 return -EINVAL;
343
344 cipher_name = crypto_attr_alg_name(tb[1]);
345 if (IS_ERR(cipher_name))
346 return PTR_ERR(cipher_name);
347
348 inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
349 if (!inst)
350 return -ENOMEM;
351
352 spawn = skcipher_instance_ctx(inst);
353
354 crypto_set_skcipher_spawn(spawn, skcipher_crypto_instance(inst));
355 err = crypto_grab_skcipher(spawn, cipher_name, 0,
356 crypto_requires_sync(algt->type,
357 algt->mask));
358 if (err)
359 goto err_free_inst;
360
361 alg = crypto_spawn_skcipher_alg(spawn);
362
363 err = -EINVAL;
364 if (crypto_skcipher_alg_ivsize(alg) != alg->base.cra_blocksize)
365 goto err_drop_spawn;
366
367 if (strncmp(alg->base.cra_name, "cbc(", 4))
368 goto err_drop_spawn;
369
370 err = crypto_inst_setname(skcipher_crypto_instance(inst), "cts",
371 &alg->base);
372 if (err)
373 goto err_drop_spawn;
374
375 inst->alg.base.cra_flags = alg->base.cra_flags & CRYPTO_ALG_ASYNC;
376 inst->alg.base.cra_priority = alg->base.cra_priority;
377 inst->alg.base.cra_blocksize = alg->base.cra_blocksize;
378 inst->alg.base.cra_alignmask = alg->base.cra_alignmask;
379
380 inst->alg.ivsize = alg->base.cra_blocksize;
381 inst->alg.chunksize = crypto_skcipher_alg_chunksize(alg);
382 inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg);
383 inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(alg);
384
385 inst->alg.base.cra_ctxsize = sizeof(struct crypto_cts_ctx);
386
387 inst->alg.init = crypto_cts_init_tfm;
388 inst->alg.exit = crypto_cts_exit_tfm;
389
390 inst->alg.setkey = crypto_cts_setkey;
391 inst->alg.encrypt = crypto_cts_encrypt;
392 inst->alg.decrypt = crypto_cts_decrypt;
393
394 inst->free = crypto_cts_free;
395
396 err = skcipher_register_instance(tmpl, inst);
397 if (err)
398 goto err_drop_spawn;
399
400out:
401 return err;
402
403err_drop_spawn:
404 crypto_drop_skcipher(spawn);
405err_free_inst:
406 kfree(inst);
407 goto out;
408}
409
410static struct crypto_template crypto_cts_tmpl = {
411 .name = "cts",
412 .create = crypto_cts_create,
413 .module = THIS_MODULE,
414};
415
416static int __init crypto_cts_module_init(void)
417{
418 return crypto_register_template(&crypto_cts_tmpl);
419}
420
421static void __exit crypto_cts_module_exit(void)
422{
423 crypto_unregister_template(&crypto_cts_tmpl);
424}
425
426subsys_initcall(crypto_cts_module_init);
427module_exit(crypto_cts_module_exit);
428
429MODULE_LICENSE("Dual BSD/GPL");
430MODULE_DESCRIPTION("CTS-CBC CipherText Stealing for CBC");
431MODULE_ALIAS_CRYPTO("cts");