1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* LRW: as defined by Cyril Guyot in
3 * http://grouper.ieee.org/groups/1619/email/pdf00017.pdf
5 * Copyright (c) 2006 Rik Snel <rsnel@cube.dyndns.org>
8 * Copyright (c) 2006 Herbert Xu <herbert@gondor.apana.org.au>
10 /* This implementation is checked against the test vectors in the above
11 * document and by a test vector provided by Ken Buchanan at
12 * http://www.mail-archive.com/stds-p1619@listserv.ieee.org/msg00173.html
14 * The test vectors are included in the testing module tcrypt.[ch] */
16 #include <crypto/internal/skcipher.h>
17 #include <crypto/scatterwalk.h>
18 #include <linux/err.h>
19 #include <linux/init.h>
20 #include <linux/kernel.h>
21 #include <linux/module.h>
22 #include <linux/scatterlist.h>
23 #include <linux/slab.h>
25 #include <crypto/b128ops.h>
26 #include <crypto/gf128mul.h>
28 #define LRW_BLOCK_SIZE 16
31 struct crypto_skcipher
*child
;
34 * optimizes multiplying a random (non incrementing, as at the
35 * start of a new sector) value with key2, we could also have
36 * used 4k optimization tables or no optimization at all. In the
37 * latter case we would have to store key2 here
39 struct gf128mul_64k
*table
;
43 * key2*{ 0,0,...0,0,0,0,1 }, key2*{ 0,0,...0,0,0,1,1 },
44 * key2*{ 0,0,...0,0,1,1,1 }, key2*{ 0,0,...0,1,1,1,1 }
45 * key2*{ 0,0,...1,1,1,1,1 }, etc
46 * needed for optimized multiplication of incrementing values
54 struct skcipher_request subreq
;
57 static inline void setbit128_bbe(void *b
, int bit
)
59 __set_bit(bit
^ (0x80 -
68 static int setkey(struct crypto_skcipher
*parent
, const u8
*key
,
71 struct priv
*ctx
= crypto_skcipher_ctx(parent
);
72 struct crypto_skcipher
*child
= ctx
->child
;
73 int err
, bsize
= LRW_BLOCK_SIZE
;
74 const u8
*tweak
= key
+ keylen
- bsize
;
78 crypto_skcipher_clear_flags(child
, CRYPTO_TFM_REQ_MASK
);
79 crypto_skcipher_set_flags(child
, crypto_skcipher_get_flags(parent
) &
81 err
= crypto_skcipher_setkey(child
, key
, keylen
- bsize
);
82 crypto_skcipher_set_flags(parent
, crypto_skcipher_get_flags(child
) &
88 gf128mul_free_64k(ctx
->table
);
90 /* initialize multiplication table for Key2 */
91 ctx
->table
= gf128mul_init_64k_bbe((be128
*)tweak
);
95 /* initialize optimization table */
96 for (i
= 0; i
< 128; i
++) {
97 setbit128_bbe(&tmp
, i
);
99 gf128mul_64k_bbe(&ctx
->mulinc
[i
], ctx
->table
);
106 * Returns the number of trailing '1' bits in the words of the counter, which is
107 * represented by 4 32-bit words, arranged from least to most significant.
108 * At the same time, increments the counter by one.
112 * u32 counter[4] = { 0xFFFFFFFF, 0x1, 0x0, 0x0 };
113 * int i = next_index(&counter);
114 * // i == 33, counter == { 0x0, 0x2, 0x0, 0x0 }
116 static int next_index(u32
*counter
)
120 for (i
= 0; i
< 4; i
++) {
121 if (counter
[i
] + 1 != 0)
122 return res
+ ffz(counter
[i
]++);
129 * If we get here, then x == 128 and we are incrementing the counter
130 * from all ones to all zeros. This means we must return index 127, i.e.
131 * the one corresponding to key2*{ 1,...,1 }.
137 * We compute the tweak masks twice (both before and after the ECB encryption or
138 * decryption) to avoid having to allocate a temporary buffer and/or make
139 * mutliple calls to the 'ecb(..)' instance, which usually would be slower than
140 * just doing the next_index() calls again.
142 static int xor_tweak(struct skcipher_request
*req
, bool second_pass
)
144 const int bs
= LRW_BLOCK_SIZE
;
145 struct crypto_skcipher
*tfm
= crypto_skcipher_reqtfm(req
);
146 struct priv
*ctx
= crypto_skcipher_ctx(tfm
);
147 struct rctx
*rctx
= skcipher_request_ctx(req
);
149 struct skcipher_walk w
;
156 /* set to our TFM to enforce correct alignment: */
157 skcipher_request_set_tfm(req
, tfm
);
160 err
= skcipher_walk_virt(&w
, req
, false);
165 counter
[0] = be32_to_cpu(iv
[3]);
166 counter
[1] = be32_to_cpu(iv
[2]);
167 counter
[2] = be32_to_cpu(iv
[1]);
168 counter
[3] = be32_to_cpu(iv
[0]);
171 unsigned int avail
= w
.nbytes
;
175 wsrc
= w
.src
.virt
.addr
;
176 wdst
= w
.dst
.virt
.addr
;
179 be128_xor(wdst
++, &t
, wsrc
++);
181 /* T <- I*Key2, using the optimization
182 * discussed in the specification */
183 be128_xor(&t
, &t
, &ctx
->mulinc
[next_index(counter
)]);
184 } while ((avail
-= bs
) >= bs
);
186 if (second_pass
&& w
.nbytes
== w
.total
) {
187 iv
[0] = cpu_to_be32(counter
[3]);
188 iv
[1] = cpu_to_be32(counter
[2]);
189 iv
[2] = cpu_to_be32(counter
[1]);
190 iv
[3] = cpu_to_be32(counter
[0]);
193 err
= skcipher_walk_done(&w
, avail
);
199 static int xor_tweak_pre(struct skcipher_request
*req
)
201 return xor_tweak(req
, false);
204 static int xor_tweak_post(struct skcipher_request
*req
)
206 return xor_tweak(req
, true);
209 static void crypt_done(struct crypto_async_request
*areq
, int err
)
211 struct skcipher_request
*req
= areq
->data
;
214 struct rctx
*rctx
= skcipher_request_ctx(req
);
216 rctx
->subreq
.base
.flags
&= ~CRYPTO_TFM_REQ_MAY_SLEEP
;
217 err
= xor_tweak_post(req
);
220 skcipher_request_complete(req
, err
);
223 static void init_crypt(struct skcipher_request
*req
)
225 struct priv
*ctx
= crypto_skcipher_ctx(crypto_skcipher_reqtfm(req
));
226 struct rctx
*rctx
= skcipher_request_ctx(req
);
227 struct skcipher_request
*subreq
= &rctx
->subreq
;
229 skcipher_request_set_tfm(subreq
, ctx
->child
);
230 skcipher_request_set_callback(subreq
, req
->base
.flags
, crypt_done
, req
);
231 /* pass req->iv as IV (will be used by xor_tweak, ECB will ignore it) */
232 skcipher_request_set_crypt(subreq
, req
->dst
, req
->dst
,
233 req
->cryptlen
, req
->iv
);
235 /* calculate first value of T */
236 memcpy(&rctx
->t
, req
->iv
, sizeof(rctx
->t
));
239 gf128mul_64k_bbe(&rctx
->t
, ctx
->table
);
242 static int encrypt(struct skcipher_request
*req
)
244 struct rctx
*rctx
= skcipher_request_ctx(req
);
245 struct skcipher_request
*subreq
= &rctx
->subreq
;
248 return xor_tweak_pre(req
) ?:
249 crypto_skcipher_encrypt(subreq
) ?:
253 static int decrypt(struct skcipher_request
*req
)
255 struct rctx
*rctx
= skcipher_request_ctx(req
);
256 struct skcipher_request
*subreq
= &rctx
->subreq
;
259 return xor_tweak_pre(req
) ?:
260 crypto_skcipher_decrypt(subreq
) ?:
264 static int init_tfm(struct crypto_skcipher
*tfm
)
266 struct skcipher_instance
*inst
= skcipher_alg_instance(tfm
);
267 struct crypto_skcipher_spawn
*spawn
= skcipher_instance_ctx(inst
);
268 struct priv
*ctx
= crypto_skcipher_ctx(tfm
);
269 struct crypto_skcipher
*cipher
;
271 cipher
= crypto_spawn_skcipher(spawn
);
273 return PTR_ERR(cipher
);
277 crypto_skcipher_set_reqsize(tfm
, crypto_skcipher_reqsize(cipher
) +
278 sizeof(struct rctx
));
283 static void exit_tfm(struct crypto_skcipher
*tfm
)
285 struct priv
*ctx
= crypto_skcipher_ctx(tfm
);
288 gf128mul_free_64k(ctx
->table
);
289 crypto_free_skcipher(ctx
->child
);
292 static void free_inst(struct skcipher_instance
*inst
)
294 crypto_drop_skcipher(skcipher_instance_ctx(inst
));
298 static int create(struct crypto_template
*tmpl
, struct rtattr
**tb
)
300 struct crypto_skcipher_spawn
*spawn
;
301 struct skcipher_instance
*inst
;
302 struct crypto_attr_type
*algt
;
303 struct skcipher_alg
*alg
;
304 const char *cipher_name
;
305 char ecb_name
[CRYPTO_MAX_ALG_NAME
];
308 algt
= crypto_get_attr_type(tb
);
310 return PTR_ERR(algt
);
312 if ((algt
->type
^ CRYPTO_ALG_TYPE_SKCIPHER
) & algt
->mask
)
315 cipher_name
= crypto_attr_alg_name(tb
[1]);
316 if (IS_ERR(cipher_name
))
317 return PTR_ERR(cipher_name
);
319 inst
= kzalloc(sizeof(*inst
) + sizeof(*spawn
), GFP_KERNEL
);
323 spawn
= skcipher_instance_ctx(inst
);
325 crypto_set_skcipher_spawn(spawn
, skcipher_crypto_instance(inst
));
326 err
= crypto_grab_skcipher(spawn
, cipher_name
, 0,
327 crypto_requires_sync(algt
->type
,
329 if (err
== -ENOENT
) {
331 if (snprintf(ecb_name
, CRYPTO_MAX_ALG_NAME
, "ecb(%s)",
332 cipher_name
) >= CRYPTO_MAX_ALG_NAME
)
335 err
= crypto_grab_skcipher(spawn
, ecb_name
, 0,
336 crypto_requires_sync(algt
->type
,
343 alg
= crypto_skcipher_spawn_alg(spawn
);
346 if (alg
->base
.cra_blocksize
!= LRW_BLOCK_SIZE
)
349 if (crypto_skcipher_alg_ivsize(alg
))
352 err
= crypto_inst_setname(skcipher_crypto_instance(inst
), "lrw",
358 cipher_name
= alg
->base
.cra_name
;
360 /* Alas we screwed up the naming so we have to mangle the
363 if (!strncmp(cipher_name
, "ecb(", 4)) {
366 len
= strlcpy(ecb_name
, cipher_name
+ 4, sizeof(ecb_name
));
367 if (len
< 2 || len
>= sizeof(ecb_name
))
370 if (ecb_name
[len
- 1] != ')')
373 ecb_name
[len
- 1] = 0;
375 if (snprintf(inst
->alg
.base
.cra_name
, CRYPTO_MAX_ALG_NAME
,
376 "lrw(%s)", ecb_name
) >= CRYPTO_MAX_ALG_NAME
) {
383 inst
->alg
.base
.cra_flags
= alg
->base
.cra_flags
& CRYPTO_ALG_ASYNC
;
384 inst
->alg
.base
.cra_priority
= alg
->base
.cra_priority
;
385 inst
->alg
.base
.cra_blocksize
= LRW_BLOCK_SIZE
;
386 inst
->alg
.base
.cra_alignmask
= alg
->base
.cra_alignmask
|
387 (__alignof__(be128
) - 1);
389 inst
->alg
.ivsize
= LRW_BLOCK_SIZE
;
390 inst
->alg
.min_keysize
= crypto_skcipher_alg_min_keysize(alg
) +
392 inst
->alg
.max_keysize
= crypto_skcipher_alg_max_keysize(alg
) +
395 inst
->alg
.base
.cra_ctxsize
= sizeof(struct priv
);
397 inst
->alg
.init
= init_tfm
;
398 inst
->alg
.exit
= exit_tfm
;
400 inst
->alg
.setkey
= setkey
;
401 inst
->alg
.encrypt
= encrypt
;
402 inst
->alg
.decrypt
= decrypt
;
404 inst
->free
= free_inst
;
406 err
= skcipher_register_instance(tmpl
, inst
);
414 crypto_drop_skcipher(spawn
);
420 static struct crypto_template crypto_tmpl
= {
423 .module
= THIS_MODULE
,
426 static int __init
crypto_module_init(void)
428 return crypto_register_template(&crypto_tmpl
);
431 static void __exit
crypto_module_exit(void)
433 crypto_unregister_template(&crypto_tmpl
);
436 subsys_initcall(crypto_module_init
);
437 module_exit(crypto_module_exit
);
439 MODULE_LICENSE("GPL");
440 MODULE_DESCRIPTION("LRW block cipher mode");
441 MODULE_ALIAS_CRYPTO("lrw");