1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* LRW: as defined by Cyril Guyot in
3 * http://grouper.ieee.org/groups/1619/email/pdf00017.pdf
5 * Copyright (c) 2006 Rik Snel <rsnel@cube.dyndns.org>
8 * Copyright (c) 2006 Herbert Xu <herbert@gondor.apana.org.au>
10 /* This implementation is checked against the test vectors in the above
11 * document and by a test vector provided by Ken Buchanan at
12 * http://www.mail-archive.com/stds-p1619@listserv.ieee.org/msg00173.html
14 * The test vectors are included in the testing module tcrypt.[ch] */
16 #include <crypto/internal/skcipher.h>
17 #include <crypto/scatterwalk.h>
18 #include <linux/err.h>
19 #include <linux/init.h>
20 #include <linux/kernel.h>
21 #include <linux/module.h>
22 #include <linux/scatterlist.h>
23 #include <linux/slab.h>
25 #include <crypto/b128ops.h>
26 #include <crypto/gf128mul.h>
28 #define LRW_BLOCK_SIZE 16
31 struct crypto_skcipher
*child
;
34 * optimizes multiplying a random (non incrementing, as at the
35 * start of a new sector) value with key2, we could also have
36 * used 4k optimization tables or no optimization at all. In the
37 * latter case we would have to store key2 here
39 struct gf128mul_64k
*table
;
43 * key2*{ 0,0,...0,0,0,0,1 }, key2*{ 0,0,...0,0,0,1,1 },
44 * key2*{ 0,0,...0,0,1,1,1 }, key2*{ 0,0,...0,1,1,1,1 }
45 * key2*{ 0,0,...1,1,1,1,1 }, etc
46 * needed for optimized multiplication of incrementing values
54 struct skcipher_request subreq
;
57 static inline void setbit128_bbe(void *b
, int bit
)
59 __set_bit(bit
^ (0x80 -
68 static int setkey(struct crypto_skcipher
*parent
, const u8
*key
,
71 struct priv
*ctx
= crypto_skcipher_ctx(parent
);
72 struct crypto_skcipher
*child
= ctx
->child
;
73 int err
, bsize
= LRW_BLOCK_SIZE
;
74 const u8
*tweak
= key
+ keylen
- bsize
;
78 crypto_skcipher_clear_flags(child
, CRYPTO_TFM_REQ_MASK
);
79 crypto_skcipher_set_flags(child
, crypto_skcipher_get_flags(parent
) &
81 err
= crypto_skcipher_setkey(child
, key
, keylen
- bsize
);
86 gf128mul_free_64k(ctx
->table
);
88 /* initialize multiplication table for Key2 */
89 ctx
->table
= gf128mul_init_64k_bbe((be128
*)tweak
);
93 /* initialize optimization table */
94 for (i
= 0; i
< 128; i
++) {
95 setbit128_bbe(&tmp
, i
);
97 gf128mul_64k_bbe(&ctx
->mulinc
[i
], ctx
->table
);
104 * Returns the number of trailing '1' bits in the words of the counter, which is
105 * represented by 4 32-bit words, arranged from least to most significant.
106 * At the same time, increments the counter by one.
110 * u32 counter[4] = { 0xFFFFFFFF, 0x1, 0x0, 0x0 };
111 * int i = next_index(&counter);
112 * // i == 33, counter == { 0x0, 0x2, 0x0, 0x0 }
114 static int next_index(u32
*counter
)
118 for (i
= 0; i
< 4; i
++) {
119 if (counter
[i
] + 1 != 0)
120 return res
+ ffz(counter
[i
]++);
127 * If we get here, then x == 128 and we are incrementing the counter
128 * from all ones to all zeros. This means we must return index 127, i.e.
129 * the one corresponding to key2*{ 1,...,1 }.
135 * We compute the tweak masks twice (both before and after the ECB encryption or
136 * decryption) to avoid having to allocate a temporary buffer and/or make
137 * mutliple calls to the 'ecb(..)' instance, which usually would be slower than
138 * just doing the next_index() calls again.
140 static int xor_tweak(struct skcipher_request
*req
, bool second_pass
)
142 const int bs
= LRW_BLOCK_SIZE
;
143 struct crypto_skcipher
*tfm
= crypto_skcipher_reqtfm(req
);
144 struct priv
*ctx
= crypto_skcipher_ctx(tfm
);
145 struct rctx
*rctx
= skcipher_request_ctx(req
);
147 struct skcipher_walk w
;
154 /* set to our TFM to enforce correct alignment: */
155 skcipher_request_set_tfm(req
, tfm
);
158 err
= skcipher_walk_virt(&w
, req
, false);
163 counter
[0] = be32_to_cpu(iv
[3]);
164 counter
[1] = be32_to_cpu(iv
[2]);
165 counter
[2] = be32_to_cpu(iv
[1]);
166 counter
[3] = be32_to_cpu(iv
[0]);
169 unsigned int avail
= w
.nbytes
;
173 wsrc
= w
.src
.virt
.addr
;
174 wdst
= w
.dst
.virt
.addr
;
177 be128_xor(wdst
++, &t
, wsrc
++);
179 /* T <- I*Key2, using the optimization
180 * discussed in the specification */
181 be128_xor(&t
, &t
, &ctx
->mulinc
[next_index(counter
)]);
182 } while ((avail
-= bs
) >= bs
);
184 if (second_pass
&& w
.nbytes
== w
.total
) {
185 iv
[0] = cpu_to_be32(counter
[3]);
186 iv
[1] = cpu_to_be32(counter
[2]);
187 iv
[2] = cpu_to_be32(counter
[1]);
188 iv
[3] = cpu_to_be32(counter
[0]);
191 err
= skcipher_walk_done(&w
, avail
);
197 static int xor_tweak_pre(struct skcipher_request
*req
)
199 return xor_tweak(req
, false);
202 static int xor_tweak_post(struct skcipher_request
*req
)
204 return xor_tweak(req
, true);
207 static void crypt_done(struct crypto_async_request
*areq
, int err
)
209 struct skcipher_request
*req
= areq
->data
;
212 struct rctx
*rctx
= skcipher_request_ctx(req
);
214 rctx
->subreq
.base
.flags
&= ~CRYPTO_TFM_REQ_MAY_SLEEP
;
215 err
= xor_tweak_post(req
);
218 skcipher_request_complete(req
, err
);
221 static void init_crypt(struct skcipher_request
*req
)
223 struct priv
*ctx
= crypto_skcipher_ctx(crypto_skcipher_reqtfm(req
));
224 struct rctx
*rctx
= skcipher_request_ctx(req
);
225 struct skcipher_request
*subreq
= &rctx
->subreq
;
227 skcipher_request_set_tfm(subreq
, ctx
->child
);
228 skcipher_request_set_callback(subreq
, req
->base
.flags
, crypt_done
, req
);
229 /* pass req->iv as IV (will be used by xor_tweak, ECB will ignore it) */
230 skcipher_request_set_crypt(subreq
, req
->dst
, req
->dst
,
231 req
->cryptlen
, req
->iv
);
233 /* calculate first value of T */
234 memcpy(&rctx
->t
, req
->iv
, sizeof(rctx
->t
));
237 gf128mul_64k_bbe(&rctx
->t
, ctx
->table
);
240 static int encrypt(struct skcipher_request
*req
)
242 struct rctx
*rctx
= skcipher_request_ctx(req
);
243 struct skcipher_request
*subreq
= &rctx
->subreq
;
246 return xor_tweak_pre(req
) ?:
247 crypto_skcipher_encrypt(subreq
) ?:
251 static int decrypt(struct skcipher_request
*req
)
253 struct rctx
*rctx
= skcipher_request_ctx(req
);
254 struct skcipher_request
*subreq
= &rctx
->subreq
;
257 return xor_tweak_pre(req
) ?:
258 crypto_skcipher_decrypt(subreq
) ?:
262 static int init_tfm(struct crypto_skcipher
*tfm
)
264 struct skcipher_instance
*inst
= skcipher_alg_instance(tfm
);
265 struct crypto_skcipher_spawn
*spawn
= skcipher_instance_ctx(inst
);
266 struct priv
*ctx
= crypto_skcipher_ctx(tfm
);
267 struct crypto_skcipher
*cipher
;
269 cipher
= crypto_spawn_skcipher(spawn
);
271 return PTR_ERR(cipher
);
275 crypto_skcipher_set_reqsize(tfm
, crypto_skcipher_reqsize(cipher
) +
276 sizeof(struct rctx
));
281 static void exit_tfm(struct crypto_skcipher
*tfm
)
283 struct priv
*ctx
= crypto_skcipher_ctx(tfm
);
286 gf128mul_free_64k(ctx
->table
);
287 crypto_free_skcipher(ctx
->child
);
290 static void free(struct skcipher_instance
*inst
)
292 crypto_drop_skcipher(skcipher_instance_ctx(inst
));
296 static int create(struct crypto_template
*tmpl
, struct rtattr
**tb
)
298 struct crypto_skcipher_spawn
*spawn
;
299 struct skcipher_instance
*inst
;
300 struct crypto_attr_type
*algt
;
301 struct skcipher_alg
*alg
;
302 const char *cipher_name
;
303 char ecb_name
[CRYPTO_MAX_ALG_NAME
];
307 algt
= crypto_get_attr_type(tb
);
309 return PTR_ERR(algt
);
311 if ((algt
->type
^ CRYPTO_ALG_TYPE_SKCIPHER
) & algt
->mask
)
314 mask
= crypto_requires_sync(algt
->type
, algt
->mask
);
316 cipher_name
= crypto_attr_alg_name(tb
[1]);
317 if (IS_ERR(cipher_name
))
318 return PTR_ERR(cipher_name
);
320 inst
= kzalloc(sizeof(*inst
) + sizeof(*spawn
), GFP_KERNEL
);
324 spawn
= skcipher_instance_ctx(inst
);
326 err
= crypto_grab_skcipher(spawn
, skcipher_crypto_instance(inst
),
327 cipher_name
, 0, mask
);
328 if (err
== -ENOENT
) {
330 if (snprintf(ecb_name
, CRYPTO_MAX_ALG_NAME
, "ecb(%s)",
331 cipher_name
) >= CRYPTO_MAX_ALG_NAME
)
334 err
= crypto_grab_skcipher(spawn
,
335 skcipher_crypto_instance(inst
),
342 alg
= crypto_skcipher_spawn_alg(spawn
);
345 if (alg
->base
.cra_blocksize
!= LRW_BLOCK_SIZE
)
348 if (crypto_skcipher_alg_ivsize(alg
))
351 err
= crypto_inst_setname(skcipher_crypto_instance(inst
), "lrw",
357 cipher_name
= alg
->base
.cra_name
;
359 /* Alas we screwed up the naming so we have to mangle the
362 if (!strncmp(cipher_name
, "ecb(", 4)) {
365 len
= strlcpy(ecb_name
, cipher_name
+ 4, sizeof(ecb_name
));
366 if (len
< 2 || len
>= sizeof(ecb_name
))
369 if (ecb_name
[len
- 1] != ')')
372 ecb_name
[len
- 1] = 0;
374 if (snprintf(inst
->alg
.base
.cra_name
, CRYPTO_MAX_ALG_NAME
,
375 "lrw(%s)", ecb_name
) >= CRYPTO_MAX_ALG_NAME
) {
382 inst
->alg
.base
.cra_flags
= alg
->base
.cra_flags
& CRYPTO_ALG_ASYNC
;
383 inst
->alg
.base
.cra_priority
= alg
->base
.cra_priority
;
384 inst
->alg
.base
.cra_blocksize
= LRW_BLOCK_SIZE
;
385 inst
->alg
.base
.cra_alignmask
= alg
->base
.cra_alignmask
|
386 (__alignof__(be128
) - 1);
388 inst
->alg
.ivsize
= LRW_BLOCK_SIZE
;
389 inst
->alg
.min_keysize
= crypto_skcipher_alg_min_keysize(alg
) +
391 inst
->alg
.max_keysize
= crypto_skcipher_alg_max_keysize(alg
) +
394 inst
->alg
.base
.cra_ctxsize
= sizeof(struct priv
);
396 inst
->alg
.init
= init_tfm
;
397 inst
->alg
.exit
= exit_tfm
;
399 inst
->alg
.setkey
= setkey
;
400 inst
->alg
.encrypt
= encrypt
;
401 inst
->alg
.decrypt
= decrypt
;
405 err
= skcipher_register_instance(tmpl
, inst
);
413 crypto_drop_skcipher(spawn
);
419 static struct crypto_template crypto_tmpl
= {
422 .module
= THIS_MODULE
,
425 static int __init
crypto_module_init(void)
427 return crypto_register_template(&crypto_tmpl
);
430 static void __exit
crypto_module_exit(void)
432 crypto_unregister_template(&crypto_tmpl
);
435 subsys_initcall(crypto_module_init
);
436 module_exit(crypto_module_exit
);
438 MODULE_LICENSE("GPL");
439 MODULE_DESCRIPTION("LRW block cipher mode");
440 MODULE_ALIAS_CRYPTO("lrw");