164470f1bSRik Snel /* LRW: as defined by Cyril Guyot in 264470f1bSRik Snel * http://grouper.ieee.org/groups/1619/email/pdf00017.pdf 364470f1bSRik Snel * 464470f1bSRik Snel * Copyright (c) 2006 Rik Snel <rsnel@cube.dyndns.org> 564470f1bSRik Snel * 664470f1bSRik Snel * Based om ecb.c 764470f1bSRik Snel * Copyright (c) 2006 Herbert Xu <herbert@gondor.apana.org.au> 864470f1bSRik Snel * 964470f1bSRik Snel * This program is free software; you can redistribute it and/or modify it 1064470f1bSRik Snel * under the terms of the GNU General Public License as published by the Free 1164470f1bSRik Snel * Software Foundation; either version 2 of the License, or (at your option) 1264470f1bSRik Snel * any later version. 1364470f1bSRik Snel */ 1464470f1bSRik Snel /* This implementation is checked against the test vectors in the above 1564470f1bSRik Snel * document and by a test vector provided by Ken Buchanan at 1664470f1bSRik Snel * http://www.mail-archive.com/stds-p1619@listserv.ieee.org/msg00173.html 1764470f1bSRik Snel * 1864470f1bSRik Snel * The test vectors are included in the testing module tcrypt.[ch] */ 1964470f1bSRik Snel #include <crypto/algapi.h> 2064470f1bSRik Snel #include <linux/err.h> 2164470f1bSRik Snel #include <linux/init.h> 2264470f1bSRik Snel #include <linux/kernel.h> 2364470f1bSRik Snel #include <linux/module.h> 2464470f1bSRik Snel #include <linux/scatterlist.h> 2564470f1bSRik Snel #include <linux/slab.h> 2664470f1bSRik Snel 2764470f1bSRik Snel #include <crypto/b128ops.h> 2864470f1bSRik Snel #include <crypto/gf128mul.h> 2964470f1bSRik Snel 304660720dSJussi Kivilinna #define LRW_BLOCK_SIZE 16 314660720dSJussi Kivilinna 32*171c0204SJussi Kivilinna struct lrw_table_ctx { 3364470f1bSRik Snel /* optimizes multiplying a random (non incrementing, as at the 3464470f1bSRik Snel * start of a new sector) value with key2, we could also have 3564470f1bSRik Snel * used 4k optimization tables or no optimization at all. In the 3664470f1bSRik Snel * latter case we would have to store key2 here */ 3764470f1bSRik Snel struct gf128mul_64k *table; 3864470f1bSRik Snel /* stores: 3964470f1bSRik Snel * key2*{ 0,0,...0,0,0,0,1 }, key2*{ 0,0,...0,0,0,1,1 }, 4064470f1bSRik Snel * key2*{ 0,0,...0,0,1,1,1 }, key2*{ 0,0,...0,1,1,1,1 } 4164470f1bSRik Snel * key2*{ 0,0,...1,1,1,1,1 }, etc 4264470f1bSRik Snel * needed for optimized multiplication of incrementing values 4364470f1bSRik Snel * with key2 */ 4464470f1bSRik Snel be128 mulinc[128]; 4564470f1bSRik Snel }; 4664470f1bSRik Snel 47*171c0204SJussi Kivilinna struct priv { 48*171c0204SJussi Kivilinna struct crypto_cipher *child; 49*171c0204SJussi Kivilinna struct lrw_table_ctx table; 50*171c0204SJussi Kivilinna }; 51*171c0204SJussi Kivilinna 5264470f1bSRik Snel static inline void setbit128_bbe(void *b, int bit) 5364470f1bSRik Snel { 548eb2dfacSHerbert Xu __set_bit(bit ^ (0x80 - 558eb2dfacSHerbert Xu #ifdef __BIG_ENDIAN 568eb2dfacSHerbert Xu BITS_PER_LONG 578eb2dfacSHerbert Xu #else 588eb2dfacSHerbert Xu BITS_PER_BYTE 598eb2dfacSHerbert Xu #endif 608eb2dfacSHerbert Xu ), b); 6164470f1bSRik Snel } 6264470f1bSRik Snel 63*171c0204SJussi Kivilinna static int lrw_init_table(struct lrw_table_ctx *ctx, const u8 *tweak) 6464470f1bSRik Snel { 6564470f1bSRik Snel be128 tmp = { 0 }; 66*171c0204SJussi Kivilinna int i; 6764470f1bSRik Snel 6864470f1bSRik Snel if (ctx->table) 6964470f1bSRik Snel gf128mul_free_64k(ctx->table); 7064470f1bSRik Snel 7164470f1bSRik Snel /* initialize multiplication table for Key2 */ 72*171c0204SJussi Kivilinna ctx->table = gf128mul_init_64k_bbe((be128 *)tweak); 7364470f1bSRik Snel if (!ctx->table) 7464470f1bSRik Snel return -ENOMEM; 7564470f1bSRik Snel 7664470f1bSRik Snel /* initialize optimization table */ 7764470f1bSRik Snel for (i = 0; i < 128; i++) { 7864470f1bSRik Snel setbit128_bbe(&tmp, i); 7964470f1bSRik Snel ctx->mulinc[i] = tmp; 8064470f1bSRik Snel gf128mul_64k_bbe(&ctx->mulinc[i], ctx->table); 8164470f1bSRik Snel } 8264470f1bSRik Snel 8364470f1bSRik Snel return 0; 8464470f1bSRik Snel } 8564470f1bSRik Snel 86*171c0204SJussi Kivilinna static void lrw_free_table(struct lrw_table_ctx *ctx) 87*171c0204SJussi Kivilinna { 88*171c0204SJussi Kivilinna if (ctx->table) 89*171c0204SJussi Kivilinna gf128mul_free_64k(ctx->table); 90*171c0204SJussi Kivilinna } 91*171c0204SJussi Kivilinna 92*171c0204SJussi Kivilinna static int setkey(struct crypto_tfm *parent, const u8 *key, 93*171c0204SJussi Kivilinna unsigned int keylen) 94*171c0204SJussi Kivilinna { 95*171c0204SJussi Kivilinna struct priv *ctx = crypto_tfm_ctx(parent); 96*171c0204SJussi Kivilinna struct crypto_cipher *child = ctx->child; 97*171c0204SJussi Kivilinna int err, bsize = LRW_BLOCK_SIZE; 98*171c0204SJussi Kivilinna const u8 *tweak = key + keylen - bsize; 99*171c0204SJussi Kivilinna 100*171c0204SJussi Kivilinna crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK); 101*171c0204SJussi Kivilinna crypto_cipher_set_flags(child, crypto_tfm_get_flags(parent) & 102*171c0204SJussi Kivilinna CRYPTO_TFM_REQ_MASK); 103*171c0204SJussi Kivilinna err = crypto_cipher_setkey(child, key, keylen - bsize); 104*171c0204SJussi Kivilinna if (err) 105*171c0204SJussi Kivilinna return err; 106*171c0204SJussi Kivilinna crypto_tfm_set_flags(parent, crypto_cipher_get_flags(child) & 107*171c0204SJussi Kivilinna CRYPTO_TFM_RES_MASK); 108*171c0204SJussi Kivilinna 109*171c0204SJussi Kivilinna return lrw_init_table(&ctx->table, tweak); 110*171c0204SJussi Kivilinna } 111*171c0204SJussi Kivilinna 11264470f1bSRik Snel struct sinfo { 11364470f1bSRik Snel be128 t; 11464470f1bSRik Snel struct crypto_tfm *tfm; 11564470f1bSRik Snel void (*fn)(struct crypto_tfm *, u8 *, const u8 *); 11664470f1bSRik Snel }; 11764470f1bSRik Snel 11864470f1bSRik Snel static inline void inc(be128 *iv) 11964470f1bSRik Snel { 120fd4609a8SMarcin Slusarz be64_add_cpu(&iv->b, 1); 121fd4609a8SMarcin Slusarz if (!iv->b) 122fd4609a8SMarcin Slusarz be64_add_cpu(&iv->a, 1); 12364470f1bSRik Snel } 12464470f1bSRik Snel 1259ebed9d1SDavid S. Miller static inline void lrw_round(struct sinfo *s, void *dst, const void *src) 12664470f1bSRik Snel { 12764470f1bSRik Snel be128_xor(dst, &s->t, src); /* PP <- T xor P */ 12864470f1bSRik Snel s->fn(s->tfm, dst, dst); /* CC <- E(Key2,PP) */ 12964470f1bSRik Snel be128_xor(dst, dst, &s->t); /* C <- T xor CC */ 13064470f1bSRik Snel } 13164470f1bSRik Snel 13264470f1bSRik Snel /* this returns the number of consequative 1 bits starting 13364470f1bSRik Snel * from the right, get_index128(00 00 00 00 00 00 ... 00 00 10 FB) = 2 */ 13464470f1bSRik Snel static inline int get_index128(be128 *block) 13564470f1bSRik Snel { 13664470f1bSRik Snel int x; 13764470f1bSRik Snel __be32 *p = (__be32 *) block; 13864470f1bSRik Snel 13964470f1bSRik Snel for (p += 3, x = 0; x < 128; p--, x += 32) { 14064470f1bSRik Snel u32 val = be32_to_cpup(p); 14164470f1bSRik Snel 14264470f1bSRik Snel if (!~val) 14364470f1bSRik Snel continue; 14464470f1bSRik Snel 14564470f1bSRik Snel return x + ffz(val); 14664470f1bSRik Snel } 14764470f1bSRik Snel 14864470f1bSRik Snel return x; 14964470f1bSRik Snel } 15064470f1bSRik Snel 15164470f1bSRik Snel static int crypt(struct blkcipher_desc *d, 15264470f1bSRik Snel struct blkcipher_walk *w, struct priv *ctx, 15364470f1bSRik Snel void (*fn)(struct crypto_tfm *, u8 *, const u8 *)) 15464470f1bSRik Snel { 15564470f1bSRik Snel int err; 15664470f1bSRik Snel unsigned int avail; 1574660720dSJussi Kivilinna const int bs = LRW_BLOCK_SIZE; 15864470f1bSRik Snel struct sinfo s = { 15964470f1bSRik Snel .tfm = crypto_cipher_tfm(ctx->child), 16064470f1bSRik Snel .fn = fn 16164470f1bSRik Snel }; 16264470f1bSRik Snel be128 *iv; 16364470f1bSRik Snel u8 *wsrc; 16464470f1bSRik Snel u8 *wdst; 16564470f1bSRik Snel 16664470f1bSRik Snel err = blkcipher_walk_virt(d, w); 16764470f1bSRik Snel if (!(avail = w->nbytes)) 16864470f1bSRik Snel return err; 16964470f1bSRik Snel 17064470f1bSRik Snel wsrc = w->src.virt.addr; 17164470f1bSRik Snel wdst = w->dst.virt.addr; 17264470f1bSRik Snel 17364470f1bSRik Snel /* calculate first value of T */ 17464470f1bSRik Snel iv = (be128 *)w->iv; 17564470f1bSRik Snel s.t = *iv; 17664470f1bSRik Snel 17764470f1bSRik Snel /* T <- I*Key2 */ 178*171c0204SJussi Kivilinna gf128mul_64k_bbe(&s.t, ctx->table.table); 17964470f1bSRik Snel 18064470f1bSRik Snel goto first; 18164470f1bSRik Snel 18264470f1bSRik Snel for (;;) { 18364470f1bSRik Snel do { 18464470f1bSRik Snel /* T <- I*Key2, using the optimization 18564470f1bSRik Snel * discussed in the specification */ 186*171c0204SJussi Kivilinna be128_xor(&s.t, &s.t, 187*171c0204SJussi Kivilinna &ctx->table.mulinc[get_index128(iv)]); 18864470f1bSRik Snel inc(iv); 18964470f1bSRik Snel 19064470f1bSRik Snel first: 1919ebed9d1SDavid S. Miller lrw_round(&s, wdst, wsrc); 19264470f1bSRik Snel 19364470f1bSRik Snel wsrc += bs; 19464470f1bSRik Snel wdst += bs; 19564470f1bSRik Snel } while ((avail -= bs) >= bs); 19664470f1bSRik Snel 19764470f1bSRik Snel err = blkcipher_walk_done(d, w, avail); 19864470f1bSRik Snel if (!(avail = w->nbytes)) 19964470f1bSRik Snel break; 20064470f1bSRik Snel 20164470f1bSRik Snel wsrc = w->src.virt.addr; 20264470f1bSRik Snel wdst = w->dst.virt.addr; 20364470f1bSRik Snel } 20464470f1bSRik Snel 20564470f1bSRik Snel return err; 20664470f1bSRik Snel } 20764470f1bSRik Snel 20864470f1bSRik Snel static int encrypt(struct blkcipher_desc *desc, struct scatterlist *dst, 20964470f1bSRik Snel struct scatterlist *src, unsigned int nbytes) 21064470f1bSRik Snel { 21164470f1bSRik Snel struct priv *ctx = crypto_blkcipher_ctx(desc->tfm); 21264470f1bSRik Snel struct blkcipher_walk w; 21364470f1bSRik Snel 21464470f1bSRik Snel blkcipher_walk_init(&w, dst, src, nbytes); 21564470f1bSRik Snel return crypt(desc, &w, ctx, 21664470f1bSRik Snel crypto_cipher_alg(ctx->child)->cia_encrypt); 21764470f1bSRik Snel } 21864470f1bSRik Snel 21964470f1bSRik Snel static int decrypt(struct blkcipher_desc *desc, struct scatterlist *dst, 22064470f1bSRik Snel struct scatterlist *src, unsigned int nbytes) 22164470f1bSRik Snel { 22264470f1bSRik Snel struct priv *ctx = crypto_blkcipher_ctx(desc->tfm); 22364470f1bSRik Snel struct blkcipher_walk w; 22464470f1bSRik Snel 22564470f1bSRik Snel blkcipher_walk_init(&w, dst, src, nbytes); 22664470f1bSRik Snel return crypt(desc, &w, ctx, 22764470f1bSRik Snel crypto_cipher_alg(ctx->child)->cia_decrypt); 22864470f1bSRik Snel } 22964470f1bSRik Snel 23064470f1bSRik Snel static int init_tfm(struct crypto_tfm *tfm) 23164470f1bSRik Snel { 2322e306ee0SHerbert Xu struct crypto_cipher *cipher; 23364470f1bSRik Snel struct crypto_instance *inst = (void *)tfm->__crt_alg; 23464470f1bSRik Snel struct crypto_spawn *spawn = crypto_instance_ctx(inst); 23564470f1bSRik Snel struct priv *ctx = crypto_tfm_ctx(tfm); 23664470f1bSRik Snel u32 *flags = &tfm->crt_flags; 23764470f1bSRik Snel 2382e306ee0SHerbert Xu cipher = crypto_spawn_cipher(spawn); 2392e306ee0SHerbert Xu if (IS_ERR(cipher)) 2402e306ee0SHerbert Xu return PTR_ERR(cipher); 24164470f1bSRik Snel 2424660720dSJussi Kivilinna if (crypto_cipher_blocksize(cipher) != LRW_BLOCK_SIZE) { 24364470f1bSRik Snel *flags |= CRYPTO_TFM_RES_BAD_BLOCK_LEN; 244b884f8b9SJussi Kivilinna crypto_free_cipher(cipher); 24564470f1bSRik Snel return -EINVAL; 24664470f1bSRik Snel } 24764470f1bSRik Snel 2482e306ee0SHerbert Xu ctx->child = cipher; 24964470f1bSRik Snel return 0; 25064470f1bSRik Snel } 25164470f1bSRik Snel 25264470f1bSRik Snel static void exit_tfm(struct crypto_tfm *tfm) 25364470f1bSRik Snel { 25464470f1bSRik Snel struct priv *ctx = crypto_tfm_ctx(tfm); 255*171c0204SJussi Kivilinna 256*171c0204SJussi Kivilinna lrw_free_table(&ctx->table); 25764470f1bSRik Snel crypto_free_cipher(ctx->child); 25864470f1bSRik Snel } 25964470f1bSRik Snel 260ebc610e5SHerbert Xu static struct crypto_instance *alloc(struct rtattr **tb) 26164470f1bSRik Snel { 26264470f1bSRik Snel struct crypto_instance *inst; 26364470f1bSRik Snel struct crypto_alg *alg; 264ebc610e5SHerbert Xu int err; 26564470f1bSRik Snel 266ebc610e5SHerbert Xu err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_BLKCIPHER); 267ebc610e5SHerbert Xu if (err) 268ebc610e5SHerbert Xu return ERR_PTR(err); 269ebc610e5SHerbert Xu 270ebc610e5SHerbert Xu alg = crypto_get_attr_alg(tb, CRYPTO_ALG_TYPE_CIPHER, 271ebc610e5SHerbert Xu CRYPTO_ALG_TYPE_MASK); 27264470f1bSRik Snel if (IS_ERR(alg)) 273e231c2eeSDavid Howells return ERR_CAST(alg); 27464470f1bSRik Snel 27564470f1bSRik Snel inst = crypto_alloc_instance("lrw", alg); 27664470f1bSRik Snel if (IS_ERR(inst)) 27764470f1bSRik Snel goto out_put_alg; 27864470f1bSRik Snel 27964470f1bSRik Snel inst->alg.cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER; 28064470f1bSRik Snel inst->alg.cra_priority = alg->cra_priority; 28164470f1bSRik Snel inst->alg.cra_blocksize = alg->cra_blocksize; 28264470f1bSRik Snel 28364470f1bSRik Snel if (alg->cra_alignmask < 7) inst->alg.cra_alignmask = 7; 28464470f1bSRik Snel else inst->alg.cra_alignmask = alg->cra_alignmask; 28564470f1bSRik Snel inst->alg.cra_type = &crypto_blkcipher_type; 28664470f1bSRik Snel 28764470f1bSRik Snel if (!(alg->cra_blocksize % 4)) 28864470f1bSRik Snel inst->alg.cra_alignmask |= 3; 28964470f1bSRik Snel inst->alg.cra_blkcipher.ivsize = alg->cra_blocksize; 29064470f1bSRik Snel inst->alg.cra_blkcipher.min_keysize = 29164470f1bSRik Snel alg->cra_cipher.cia_min_keysize + alg->cra_blocksize; 29264470f1bSRik Snel inst->alg.cra_blkcipher.max_keysize = 29364470f1bSRik Snel alg->cra_cipher.cia_max_keysize + alg->cra_blocksize; 29464470f1bSRik Snel 29564470f1bSRik Snel inst->alg.cra_ctxsize = sizeof(struct priv); 29664470f1bSRik Snel 29764470f1bSRik Snel inst->alg.cra_init = init_tfm; 29864470f1bSRik Snel inst->alg.cra_exit = exit_tfm; 29964470f1bSRik Snel 30064470f1bSRik Snel inst->alg.cra_blkcipher.setkey = setkey; 30164470f1bSRik Snel inst->alg.cra_blkcipher.encrypt = encrypt; 30264470f1bSRik Snel inst->alg.cra_blkcipher.decrypt = decrypt; 30364470f1bSRik Snel 30464470f1bSRik Snel out_put_alg: 30564470f1bSRik Snel crypto_mod_put(alg); 30664470f1bSRik Snel return inst; 30764470f1bSRik Snel } 30864470f1bSRik Snel 30964470f1bSRik Snel static void free(struct crypto_instance *inst) 31064470f1bSRik Snel { 31164470f1bSRik Snel crypto_drop_spawn(crypto_instance_ctx(inst)); 31264470f1bSRik Snel kfree(inst); 31364470f1bSRik Snel } 31464470f1bSRik Snel 31564470f1bSRik Snel static struct crypto_template crypto_tmpl = { 31664470f1bSRik Snel .name = "lrw", 31764470f1bSRik Snel .alloc = alloc, 31864470f1bSRik Snel .free = free, 31964470f1bSRik Snel .module = THIS_MODULE, 32064470f1bSRik Snel }; 32164470f1bSRik Snel 32264470f1bSRik Snel static int __init crypto_module_init(void) 32364470f1bSRik Snel { 32464470f1bSRik Snel return crypto_register_template(&crypto_tmpl); 32564470f1bSRik Snel } 32664470f1bSRik Snel 32764470f1bSRik Snel static void __exit crypto_module_exit(void) 32864470f1bSRik Snel { 32964470f1bSRik Snel crypto_unregister_template(&crypto_tmpl); 33064470f1bSRik Snel } 33164470f1bSRik Snel 33264470f1bSRik Snel module_init(crypto_module_init); 33364470f1bSRik Snel module_exit(crypto_module_exit); 33464470f1bSRik Snel 33564470f1bSRik Snel MODULE_LICENSE("GPL"); 33664470f1bSRik Snel MODULE_DESCRIPTION("LRW block cipher mode"); 337