cts.c 9.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355
  1. /*
  2. * CTS: Cipher Text Stealing mode
  3. *
  4. * COPYRIGHT (c) 2008
  5. * The Regents of the University of Michigan
  6. * ALL RIGHTS RESERVED
  7. *
  8. * Permission is granted to use, copy, create derivative works
  9. * and redistribute this software and such derivative works
  10. * for any purpose, so long as the name of The University of
  11. * Michigan is not used in any advertising or publicity
  12. * pertaining to the use of distribution of this software
  13. * without specific, written prior authorization. If the
  14. * above copyright notice or any other identification of the
  15. * University of Michigan is included in any copy of any
  16. * portion of this software, then the disclaimer below must
  17. * also be included.
  18. *
  19. * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
  20. * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
  21. * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
  22. * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
  23. * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
  24. * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
  25. * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
  26. * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
  27. * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
  28. * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
  29. * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
  30. * SUCH DAMAGES.
  31. */
  32. /* Derived from various:
  33. * Copyright (c) 2006 Herbert Xu <herbert@gondor.apana.org.au>
  34. */
  35. /*
  36. * This is the Cipher Text Stealing mode as described by
  37. * Section 8 of rfc2040 and referenced by rfc3962.
  38. * rfc3962 includes errata information in its Appendix A.
  39. */
  40. #include <crypto/algapi.h>
  41. #include <linux/err.h>
  42. #include <linux/init.h>
  43. #include <linux/kernel.h>
  44. #include <linux/log2.h>
  45. #include <linux/module.h>
  46. #include <linux/scatterlist.h>
  47. #include <crypto/scatterwalk.h>
  48. #include <linux/slab.h>
  49. struct crypto_cts_ctx {
  50. struct crypto_blkcipher *child;
  51. };
  52. static int crypto_cts_setkey(struct crypto_tfm *parent, const u8 *key,
  53. unsigned int keylen)
  54. {
  55. struct crypto_cts_ctx *ctx = crypto_tfm_ctx(parent);
  56. struct crypto_blkcipher *child = ctx->child;
  57. int err;
  58. crypto_blkcipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
  59. crypto_blkcipher_set_flags(child, crypto_tfm_get_flags(parent) &
  60. CRYPTO_TFM_REQ_MASK);
  61. err = crypto_blkcipher_setkey(child, key, keylen);
  62. crypto_tfm_set_flags(parent, crypto_blkcipher_get_flags(child) &
  63. CRYPTO_TFM_RES_MASK);
  64. return err;
  65. }
  66. static int cts_cbc_encrypt(struct crypto_cts_ctx *ctx,
  67. struct blkcipher_desc *desc,
  68. struct scatterlist *dst,
  69. struct scatterlist *src,
  70. unsigned int offset,
  71. unsigned int nbytes)
  72. {
  73. int bsize = crypto_blkcipher_blocksize(desc->tfm);
  74. u8 tmp[bsize], tmp2[bsize];
  75. struct blkcipher_desc lcldesc;
  76. struct scatterlist sgsrc[1], sgdst[1];
  77. int lastn = nbytes - bsize;
  78. u8 iv[bsize];
  79. u8 s[bsize * 2], d[bsize * 2];
  80. int err;
  81. if (lastn < 0)
  82. return -EINVAL;
  83. sg_init_table(sgsrc, 1);
  84. sg_init_table(sgdst, 1);
  85. memset(s, 0, sizeof(s));
  86. scatterwalk_map_and_copy(s, src, offset, nbytes, 0);
  87. memcpy(iv, desc->info, bsize);
  88. lcldesc.tfm = ctx->child;
  89. lcldesc.info = iv;
  90. lcldesc.flags = desc->flags;
  91. sg_set_buf(&sgsrc[0], s, bsize);
  92. sg_set_buf(&sgdst[0], tmp, bsize);
  93. err = crypto_blkcipher_encrypt_iv(&lcldesc, sgdst, sgsrc, bsize);
  94. memcpy(d + bsize, tmp, lastn);
  95. lcldesc.info = tmp;
  96. sg_set_buf(&sgsrc[0], s + bsize, bsize);
  97. sg_set_buf(&sgdst[0], tmp2, bsize);
  98. err = crypto_blkcipher_encrypt_iv(&lcldesc, sgdst, sgsrc, bsize);
  99. memcpy(d, tmp2, bsize);
  100. scatterwalk_map_and_copy(d, dst, offset, nbytes, 1);
  101. memcpy(desc->info, tmp2, bsize);
  102. return err;
  103. }
  104. static int crypto_cts_encrypt(struct blkcipher_desc *desc,
  105. struct scatterlist *dst, struct scatterlist *src,
  106. unsigned int nbytes)
  107. {
  108. struct crypto_cts_ctx *ctx = crypto_blkcipher_ctx(desc->tfm);
  109. int bsize = crypto_blkcipher_blocksize(desc->tfm);
  110. int tot_blocks = (nbytes + bsize - 1) / bsize;
  111. int cbc_blocks = tot_blocks > 2 ? tot_blocks - 2 : 0;
  112. struct blkcipher_desc lcldesc;
  113. int err;
  114. lcldesc.tfm = ctx->child;
  115. lcldesc.info = desc->info;
  116. lcldesc.flags = desc->flags;
  117. if (tot_blocks <= 1) {
  118. err = crypto_blkcipher_encrypt_iv(&lcldesc, dst, src, nbytes);
  119. } else if (nbytes <= bsize * 2) {
  120. err = cts_cbc_encrypt(ctx, desc, dst, src, 0, nbytes);
  121. } else {
  122. /* do normal function for tot_blocks - 2 */
  123. err = crypto_blkcipher_encrypt_iv(&lcldesc, dst, src,
  124. cbc_blocks * bsize);
  125. if (err == 0) {
  126. /* do cts for final two blocks */
  127. err = cts_cbc_encrypt(ctx, desc, dst, src,
  128. cbc_blocks * bsize,
  129. nbytes - (cbc_blocks * bsize));
  130. }
  131. }
  132. return err;
  133. }
  134. static int cts_cbc_decrypt(struct crypto_cts_ctx *ctx,
  135. struct blkcipher_desc *desc,
  136. struct scatterlist *dst,
  137. struct scatterlist *src,
  138. unsigned int offset,
  139. unsigned int nbytes)
  140. {
  141. int bsize = crypto_blkcipher_blocksize(desc->tfm);
  142. u8 tmp[bsize];
  143. struct blkcipher_desc lcldesc;
  144. struct scatterlist sgsrc[1], sgdst[1];
  145. int lastn = nbytes - bsize;
  146. u8 iv[bsize];
  147. u8 s[bsize * 2], d[bsize * 2];
  148. int err;
  149. if (lastn < 0)
  150. return -EINVAL;
  151. sg_init_table(sgsrc, 1);
  152. sg_init_table(sgdst, 1);
  153. scatterwalk_map_and_copy(s, src, offset, nbytes, 0);
  154. lcldesc.tfm = ctx->child;
  155. lcldesc.info = iv;
  156. lcldesc.flags = desc->flags;
  157. /* 1. Decrypt Cn-1 (s) to create Dn (tmp)*/
  158. memset(iv, 0, sizeof(iv));
  159. sg_set_buf(&sgsrc[0], s, bsize);
  160. sg_set_buf(&sgdst[0], tmp, bsize);
  161. err = crypto_blkcipher_decrypt_iv(&lcldesc, sgdst, sgsrc, bsize);
  162. if (err)
  163. return err;
  164. /* 2. Pad Cn with zeros at the end to create C of length BB */
  165. memset(iv, 0, sizeof(iv));
  166. memcpy(iv, s + bsize, lastn);
  167. /* 3. Exclusive-or Dn (tmp) with C (iv) to create Xn (tmp) */
  168. crypto_xor(tmp, iv, bsize);
  169. /* 4. Select the first Ln bytes of Xn (tmp) to create Pn */
  170. memcpy(d + bsize, tmp, lastn);
  171. /* 5. Append the tail (BB - Ln) bytes of Xn (tmp) to Cn to create En */
  172. memcpy(s + bsize + lastn, tmp + lastn, bsize - lastn);
  173. /* 6. Decrypt En to create Pn-1 */
  174. memzero_explicit(iv, sizeof(iv));
  175. sg_set_buf(&sgsrc[0], s + bsize, bsize);
  176. sg_set_buf(&sgdst[0], d, bsize);
  177. err = crypto_blkcipher_decrypt_iv(&lcldesc, sgdst, sgsrc, bsize);
  178. /* XOR with previous block */
  179. crypto_xor(d, desc->info, bsize);
  180. scatterwalk_map_and_copy(d, dst, offset, nbytes, 1);
  181. memcpy(desc->info, s, bsize);
  182. return err;
  183. }
  184. static int crypto_cts_decrypt(struct blkcipher_desc *desc,
  185. struct scatterlist *dst, struct scatterlist *src,
  186. unsigned int nbytes)
  187. {
  188. struct crypto_cts_ctx *ctx = crypto_blkcipher_ctx(desc->tfm);
  189. int bsize = crypto_blkcipher_blocksize(desc->tfm);
  190. int tot_blocks = (nbytes + bsize - 1) / bsize;
  191. int cbc_blocks = tot_blocks > 2 ? tot_blocks - 2 : 0;
  192. struct blkcipher_desc lcldesc;
  193. int err;
  194. lcldesc.tfm = ctx->child;
  195. lcldesc.info = desc->info;
  196. lcldesc.flags = desc->flags;
  197. if (tot_blocks <= 1) {
  198. err = crypto_blkcipher_decrypt_iv(&lcldesc, dst, src, nbytes);
  199. } else if (nbytes <= bsize * 2) {
  200. err = cts_cbc_decrypt(ctx, desc, dst, src, 0, nbytes);
  201. } else {
  202. /* do normal function for tot_blocks - 2 */
  203. err = crypto_blkcipher_decrypt_iv(&lcldesc, dst, src,
  204. cbc_blocks * bsize);
  205. if (err == 0) {
  206. /* do cts for final two blocks */
  207. err = cts_cbc_decrypt(ctx, desc, dst, src,
  208. cbc_blocks * bsize,
  209. nbytes - (cbc_blocks * bsize));
  210. }
  211. }
  212. return err;
  213. }
  214. static int crypto_cts_init_tfm(struct crypto_tfm *tfm)
  215. {
  216. struct crypto_instance *inst = (void *)tfm->__crt_alg;
  217. struct crypto_spawn *spawn = crypto_instance_ctx(inst);
  218. struct crypto_cts_ctx *ctx = crypto_tfm_ctx(tfm);
  219. struct crypto_blkcipher *cipher;
  220. cipher = crypto_spawn_blkcipher(spawn);
  221. if (IS_ERR(cipher))
  222. return PTR_ERR(cipher);
  223. ctx->child = cipher;
  224. return 0;
  225. }
  226. static void crypto_cts_exit_tfm(struct crypto_tfm *tfm)
  227. {
  228. struct crypto_cts_ctx *ctx = crypto_tfm_ctx(tfm);
  229. crypto_free_blkcipher(ctx->child);
  230. }
  231. static struct crypto_instance *crypto_cts_alloc(struct rtattr **tb)
  232. {
  233. struct crypto_instance *inst;
  234. struct crypto_alg *alg;
  235. int err;
  236. err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_BLKCIPHER);
  237. if (err)
  238. return ERR_PTR(err);
  239. alg = crypto_attr_alg(tb[1], CRYPTO_ALG_TYPE_BLKCIPHER,
  240. CRYPTO_ALG_TYPE_MASK);
  241. if (IS_ERR(alg))
  242. return ERR_CAST(alg);
  243. inst = ERR_PTR(-EINVAL);
  244. if (!is_power_of_2(alg->cra_blocksize))
  245. goto out_put_alg;
  246. if (strncmp(alg->cra_name, "cbc(", 4))
  247. goto out_put_alg;
  248. inst = crypto_alloc_instance("cts", alg);
  249. if (IS_ERR(inst))
  250. goto out_put_alg;
  251. inst->alg.cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER;
  252. inst->alg.cra_priority = alg->cra_priority;
  253. inst->alg.cra_blocksize = alg->cra_blocksize;
  254. inst->alg.cra_alignmask = alg->cra_alignmask;
  255. inst->alg.cra_type = &crypto_blkcipher_type;
  256. /* We access the data as u32s when xoring. */
  257. inst->alg.cra_alignmask |= __alignof__(u32) - 1;
  258. inst->alg.cra_blkcipher.ivsize = alg->cra_blocksize;
  259. inst->alg.cra_blkcipher.min_keysize = alg->cra_blkcipher.min_keysize;
  260. inst->alg.cra_blkcipher.max_keysize = alg->cra_blkcipher.max_keysize;
  261. inst->alg.cra_ctxsize = sizeof(struct crypto_cts_ctx);
  262. inst->alg.cra_init = crypto_cts_init_tfm;
  263. inst->alg.cra_exit = crypto_cts_exit_tfm;
  264. inst->alg.cra_blkcipher.setkey = crypto_cts_setkey;
  265. inst->alg.cra_blkcipher.encrypt = crypto_cts_encrypt;
  266. inst->alg.cra_blkcipher.decrypt = crypto_cts_decrypt;
  267. out_put_alg:
  268. crypto_mod_put(alg);
  269. return inst;
  270. }
  271. static void crypto_cts_free(struct crypto_instance *inst)
  272. {
  273. crypto_drop_spawn(crypto_instance_ctx(inst));
  274. kfree(inst);
  275. }
  276. static struct crypto_template crypto_cts_tmpl = {
  277. .name = "cts",
  278. .alloc = crypto_cts_alloc,
  279. .free = crypto_cts_free,
  280. .module = THIS_MODULE,
  281. };
  282. static int __init crypto_cts_module_init(void)
  283. {
  284. return crypto_register_template(&crypto_cts_tmpl);
  285. }
  286. static void __exit crypto_cts_module_exit(void)
  287. {
  288. crypto_unregister_template(&crypto_cts_tmpl);
  289. }
  290. module_init(crypto_cts_module_init);
  291. module_exit(crypto_cts_module_exit);
  292. MODULE_LICENSE("Dual BSD/GPL");
  293. MODULE_DESCRIPTION("CTS-CBC CipherText Stealing for CBC");
  294. MODULE_ALIAS_CRYPTO("cts");