18c2ecf20Sopenharmony_ci// SPDX-License-Identifier: GPL-2.0-or-later 28c2ecf20Sopenharmony_ci/* XTS: as defined in IEEE1619/D16 38c2ecf20Sopenharmony_ci * http://grouper.ieee.org/groups/1619/email/pdf00086.pdf 48c2ecf20Sopenharmony_ci * 58c2ecf20Sopenharmony_ci * Copyright (c) 2007 Rik Snel <rsnel@cube.dyndns.org> 68c2ecf20Sopenharmony_ci * 78c2ecf20Sopenharmony_ci * Based on ecb.c 88c2ecf20Sopenharmony_ci * Copyright (c) 2006 Herbert Xu <herbert@gondor.apana.org.au> 98c2ecf20Sopenharmony_ci */ 108c2ecf20Sopenharmony_ci#include <crypto/internal/skcipher.h> 118c2ecf20Sopenharmony_ci#include <crypto/scatterwalk.h> 128c2ecf20Sopenharmony_ci#include <linux/err.h> 138c2ecf20Sopenharmony_ci#include <linux/init.h> 148c2ecf20Sopenharmony_ci#include <linux/kernel.h> 158c2ecf20Sopenharmony_ci#include <linux/module.h> 168c2ecf20Sopenharmony_ci#include <linux/scatterlist.h> 178c2ecf20Sopenharmony_ci#include <linux/slab.h> 188c2ecf20Sopenharmony_ci 198c2ecf20Sopenharmony_ci#include <crypto/xts.h> 208c2ecf20Sopenharmony_ci#include <crypto/b128ops.h> 218c2ecf20Sopenharmony_ci#include <crypto/gf128mul.h> 228c2ecf20Sopenharmony_ci 238c2ecf20Sopenharmony_cistruct xts_tfm_ctx { 248c2ecf20Sopenharmony_ci struct crypto_skcipher *child; 258c2ecf20Sopenharmony_ci struct crypto_cipher *tweak; 268c2ecf20Sopenharmony_ci}; 278c2ecf20Sopenharmony_ci 288c2ecf20Sopenharmony_cistruct xts_instance_ctx { 298c2ecf20Sopenharmony_ci struct crypto_skcipher_spawn spawn; 308c2ecf20Sopenharmony_ci char name[CRYPTO_MAX_ALG_NAME]; 318c2ecf20Sopenharmony_ci}; 328c2ecf20Sopenharmony_ci 338c2ecf20Sopenharmony_cistruct xts_request_ctx { 348c2ecf20Sopenharmony_ci le128 t; 358c2ecf20Sopenharmony_ci struct scatterlist *tail; 368c2ecf20Sopenharmony_ci struct scatterlist sg[2]; 378c2ecf20Sopenharmony_ci struct skcipher_request subreq; 388c2ecf20Sopenharmony_ci}; 398c2ecf20Sopenharmony_ci 408c2ecf20Sopenharmony_cistatic int xts_setkey(struct crypto_skcipher *parent, const u8 *key, 418c2ecf20Sopenharmony_ci unsigned int keylen) 428c2ecf20Sopenharmony_ci{ 438c2ecf20Sopenharmony_ci struct xts_tfm_ctx *ctx = crypto_skcipher_ctx(parent); 448c2ecf20Sopenharmony_ci struct crypto_skcipher *child; 458c2ecf20Sopenharmony_ci struct crypto_cipher *tweak; 468c2ecf20Sopenharmony_ci int err; 478c2ecf20Sopenharmony_ci 488c2ecf20Sopenharmony_ci err = xts_verify_key(parent, key, keylen); 498c2ecf20Sopenharmony_ci if (err) 508c2ecf20Sopenharmony_ci return err; 518c2ecf20Sopenharmony_ci 528c2ecf20Sopenharmony_ci keylen /= 2; 538c2ecf20Sopenharmony_ci 548c2ecf20Sopenharmony_ci /* we need two cipher instances: one to compute the initial 'tweak' 558c2ecf20Sopenharmony_ci * by encrypting the IV (usually the 'plain' iv) and the other 568c2ecf20Sopenharmony_ci * one to encrypt and decrypt the data */ 578c2ecf20Sopenharmony_ci 588c2ecf20Sopenharmony_ci /* tweak cipher, uses Key2 i.e. the second half of *key */ 598c2ecf20Sopenharmony_ci tweak = ctx->tweak; 608c2ecf20Sopenharmony_ci crypto_cipher_clear_flags(tweak, CRYPTO_TFM_REQ_MASK); 618c2ecf20Sopenharmony_ci crypto_cipher_set_flags(tweak, crypto_skcipher_get_flags(parent) & 628c2ecf20Sopenharmony_ci CRYPTO_TFM_REQ_MASK); 638c2ecf20Sopenharmony_ci err = crypto_cipher_setkey(tweak, key + keylen, keylen); 648c2ecf20Sopenharmony_ci if (err) 658c2ecf20Sopenharmony_ci return err; 668c2ecf20Sopenharmony_ci 678c2ecf20Sopenharmony_ci /* data cipher, uses Key1 i.e. the first half of *key */ 688c2ecf20Sopenharmony_ci child = ctx->child; 698c2ecf20Sopenharmony_ci crypto_skcipher_clear_flags(child, CRYPTO_TFM_REQ_MASK); 708c2ecf20Sopenharmony_ci crypto_skcipher_set_flags(child, crypto_skcipher_get_flags(parent) & 718c2ecf20Sopenharmony_ci CRYPTO_TFM_REQ_MASK); 728c2ecf20Sopenharmony_ci return crypto_skcipher_setkey(child, key, keylen); 738c2ecf20Sopenharmony_ci} 748c2ecf20Sopenharmony_ci 758c2ecf20Sopenharmony_ci/* 768c2ecf20Sopenharmony_ci * We compute the tweak masks twice (both before and after the ECB encryption or 778c2ecf20Sopenharmony_ci * decryption) to avoid having to allocate a temporary buffer and/or make 788c2ecf20Sopenharmony_ci * mutliple calls to the 'ecb(..)' instance, which usually would be slower than 798c2ecf20Sopenharmony_ci * just doing the gf128mul_x_ble() calls again. 808c2ecf20Sopenharmony_ci */ 818c2ecf20Sopenharmony_cistatic int xts_xor_tweak(struct skcipher_request *req, bool second_pass, 828c2ecf20Sopenharmony_ci bool enc) 838c2ecf20Sopenharmony_ci{ 848c2ecf20Sopenharmony_ci struct xts_request_ctx *rctx = skcipher_request_ctx(req); 858c2ecf20Sopenharmony_ci struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 868c2ecf20Sopenharmony_ci const bool cts = (req->cryptlen % XTS_BLOCK_SIZE); 878c2ecf20Sopenharmony_ci const int bs = XTS_BLOCK_SIZE; 888c2ecf20Sopenharmony_ci struct skcipher_walk w; 898c2ecf20Sopenharmony_ci le128 t = rctx->t; 908c2ecf20Sopenharmony_ci int err; 918c2ecf20Sopenharmony_ci 928c2ecf20Sopenharmony_ci if (second_pass) { 938c2ecf20Sopenharmony_ci req = &rctx->subreq; 948c2ecf20Sopenharmony_ci /* set to our TFM to enforce correct alignment: */ 958c2ecf20Sopenharmony_ci skcipher_request_set_tfm(req, tfm); 968c2ecf20Sopenharmony_ci } 978c2ecf20Sopenharmony_ci err = skcipher_walk_virt(&w, req, false); 988c2ecf20Sopenharmony_ci 998c2ecf20Sopenharmony_ci while (w.nbytes) { 1008c2ecf20Sopenharmony_ci unsigned int avail = w.nbytes; 1018c2ecf20Sopenharmony_ci le128 *wsrc; 1028c2ecf20Sopenharmony_ci le128 *wdst; 1038c2ecf20Sopenharmony_ci 1048c2ecf20Sopenharmony_ci wsrc = w.src.virt.addr; 1058c2ecf20Sopenharmony_ci wdst = w.dst.virt.addr; 1068c2ecf20Sopenharmony_ci 1078c2ecf20Sopenharmony_ci do { 1088c2ecf20Sopenharmony_ci if (unlikely(cts) && 1098c2ecf20Sopenharmony_ci w.total - w.nbytes + avail < 2 * XTS_BLOCK_SIZE) { 1108c2ecf20Sopenharmony_ci if (!enc) { 1118c2ecf20Sopenharmony_ci if (second_pass) 1128c2ecf20Sopenharmony_ci rctx->t = t; 1138c2ecf20Sopenharmony_ci gf128mul_x_ble(&t, &t); 1148c2ecf20Sopenharmony_ci } 1158c2ecf20Sopenharmony_ci le128_xor(wdst, &t, wsrc); 1168c2ecf20Sopenharmony_ci if (enc && second_pass) 1178c2ecf20Sopenharmony_ci gf128mul_x_ble(&rctx->t, &t); 1188c2ecf20Sopenharmony_ci skcipher_walk_done(&w, avail - bs); 1198c2ecf20Sopenharmony_ci return 0; 1208c2ecf20Sopenharmony_ci } 1218c2ecf20Sopenharmony_ci 1228c2ecf20Sopenharmony_ci le128_xor(wdst++, &t, wsrc++); 1238c2ecf20Sopenharmony_ci gf128mul_x_ble(&t, &t); 1248c2ecf20Sopenharmony_ci } while ((avail -= bs) >= bs); 1258c2ecf20Sopenharmony_ci 1268c2ecf20Sopenharmony_ci err = skcipher_walk_done(&w, avail); 1278c2ecf20Sopenharmony_ci } 1288c2ecf20Sopenharmony_ci 1298c2ecf20Sopenharmony_ci return err; 1308c2ecf20Sopenharmony_ci} 1318c2ecf20Sopenharmony_ci 1328c2ecf20Sopenharmony_cistatic int xts_xor_tweak_pre(struct skcipher_request *req, bool enc) 1338c2ecf20Sopenharmony_ci{ 1348c2ecf20Sopenharmony_ci return xts_xor_tweak(req, false, enc); 1358c2ecf20Sopenharmony_ci} 1368c2ecf20Sopenharmony_ci 1378c2ecf20Sopenharmony_cistatic int xts_xor_tweak_post(struct skcipher_request *req, bool enc) 1388c2ecf20Sopenharmony_ci{ 1398c2ecf20Sopenharmony_ci return xts_xor_tweak(req, true, enc); 1408c2ecf20Sopenharmony_ci} 1418c2ecf20Sopenharmony_ci 1428c2ecf20Sopenharmony_cistatic void xts_cts_done(struct crypto_async_request *areq, int err) 1438c2ecf20Sopenharmony_ci{ 1448c2ecf20Sopenharmony_ci struct skcipher_request *req = areq->data; 1458c2ecf20Sopenharmony_ci le128 b; 1468c2ecf20Sopenharmony_ci 1478c2ecf20Sopenharmony_ci if (!err) { 1488c2ecf20Sopenharmony_ci struct xts_request_ctx *rctx = skcipher_request_ctx(req); 1498c2ecf20Sopenharmony_ci 1508c2ecf20Sopenharmony_ci scatterwalk_map_and_copy(&b, rctx->tail, 0, XTS_BLOCK_SIZE, 0); 1518c2ecf20Sopenharmony_ci le128_xor(&b, &rctx->t, &b); 1528c2ecf20Sopenharmony_ci scatterwalk_map_and_copy(&b, rctx->tail, 0, XTS_BLOCK_SIZE, 1); 1538c2ecf20Sopenharmony_ci } 1548c2ecf20Sopenharmony_ci 1558c2ecf20Sopenharmony_ci skcipher_request_complete(req, err); 1568c2ecf20Sopenharmony_ci} 1578c2ecf20Sopenharmony_ci 1588c2ecf20Sopenharmony_cistatic int xts_cts_final(struct skcipher_request *req, 1598c2ecf20Sopenharmony_ci int (*crypt)(struct skcipher_request *req)) 1608c2ecf20Sopenharmony_ci{ 1618c2ecf20Sopenharmony_ci const struct xts_tfm_ctx *ctx = 1628c2ecf20Sopenharmony_ci crypto_skcipher_ctx(crypto_skcipher_reqtfm(req)); 1638c2ecf20Sopenharmony_ci int offset = req->cryptlen & ~(XTS_BLOCK_SIZE - 1); 1648c2ecf20Sopenharmony_ci struct xts_request_ctx *rctx = skcipher_request_ctx(req); 1658c2ecf20Sopenharmony_ci struct skcipher_request *subreq = &rctx->subreq; 1668c2ecf20Sopenharmony_ci int tail = req->cryptlen % XTS_BLOCK_SIZE; 1678c2ecf20Sopenharmony_ci le128 b[2]; 1688c2ecf20Sopenharmony_ci int err; 1698c2ecf20Sopenharmony_ci 1708c2ecf20Sopenharmony_ci rctx->tail = scatterwalk_ffwd(rctx->sg, req->dst, 1718c2ecf20Sopenharmony_ci offset - XTS_BLOCK_SIZE); 1728c2ecf20Sopenharmony_ci 1738c2ecf20Sopenharmony_ci scatterwalk_map_and_copy(b, rctx->tail, 0, XTS_BLOCK_SIZE, 0); 1748c2ecf20Sopenharmony_ci b[1] = b[0]; 1758c2ecf20Sopenharmony_ci scatterwalk_map_and_copy(b, req->src, offset, tail, 0); 1768c2ecf20Sopenharmony_ci 1778c2ecf20Sopenharmony_ci le128_xor(b, &rctx->t, b); 1788c2ecf20Sopenharmony_ci 1798c2ecf20Sopenharmony_ci scatterwalk_map_and_copy(b, rctx->tail, 0, XTS_BLOCK_SIZE + tail, 1); 1808c2ecf20Sopenharmony_ci 1818c2ecf20Sopenharmony_ci skcipher_request_set_tfm(subreq, ctx->child); 1828c2ecf20Sopenharmony_ci skcipher_request_set_callback(subreq, req->base.flags, xts_cts_done, 1838c2ecf20Sopenharmony_ci req); 1848c2ecf20Sopenharmony_ci skcipher_request_set_crypt(subreq, rctx->tail, rctx->tail, 1858c2ecf20Sopenharmony_ci XTS_BLOCK_SIZE, NULL); 1868c2ecf20Sopenharmony_ci 1878c2ecf20Sopenharmony_ci err = crypt(subreq); 1888c2ecf20Sopenharmony_ci if (err) 1898c2ecf20Sopenharmony_ci return err; 1908c2ecf20Sopenharmony_ci 1918c2ecf20Sopenharmony_ci scatterwalk_map_and_copy(b, rctx->tail, 0, XTS_BLOCK_SIZE, 0); 1928c2ecf20Sopenharmony_ci le128_xor(b, &rctx->t, b); 1938c2ecf20Sopenharmony_ci scatterwalk_map_and_copy(b, rctx->tail, 0, XTS_BLOCK_SIZE, 1); 1948c2ecf20Sopenharmony_ci 1958c2ecf20Sopenharmony_ci return 0; 1968c2ecf20Sopenharmony_ci} 1978c2ecf20Sopenharmony_ci 1988c2ecf20Sopenharmony_cistatic void xts_encrypt_done(struct crypto_async_request *areq, int err) 1998c2ecf20Sopenharmony_ci{ 2008c2ecf20Sopenharmony_ci struct skcipher_request *req = areq->data; 2018c2ecf20Sopenharmony_ci 2028c2ecf20Sopenharmony_ci if (!err) { 2038c2ecf20Sopenharmony_ci struct xts_request_ctx *rctx = skcipher_request_ctx(req); 2048c2ecf20Sopenharmony_ci 2058c2ecf20Sopenharmony_ci rctx->subreq.base.flags &= CRYPTO_TFM_REQ_MAY_BACKLOG; 2068c2ecf20Sopenharmony_ci err = xts_xor_tweak_post(req, true); 2078c2ecf20Sopenharmony_ci 2088c2ecf20Sopenharmony_ci if (!err && unlikely(req->cryptlen % XTS_BLOCK_SIZE)) { 2098c2ecf20Sopenharmony_ci err = xts_cts_final(req, crypto_skcipher_encrypt); 2108c2ecf20Sopenharmony_ci if (err == -EINPROGRESS || err == -EBUSY) 2118c2ecf20Sopenharmony_ci return; 2128c2ecf20Sopenharmony_ci } 2138c2ecf20Sopenharmony_ci } 2148c2ecf20Sopenharmony_ci 2158c2ecf20Sopenharmony_ci skcipher_request_complete(req, err); 2168c2ecf20Sopenharmony_ci} 2178c2ecf20Sopenharmony_ci 2188c2ecf20Sopenharmony_cistatic void xts_decrypt_done(struct crypto_async_request *areq, int err) 2198c2ecf20Sopenharmony_ci{ 2208c2ecf20Sopenharmony_ci struct skcipher_request *req = areq->data; 2218c2ecf20Sopenharmony_ci 2228c2ecf20Sopenharmony_ci if (!err) { 2238c2ecf20Sopenharmony_ci struct xts_request_ctx *rctx = skcipher_request_ctx(req); 2248c2ecf20Sopenharmony_ci 2258c2ecf20Sopenharmony_ci rctx->subreq.base.flags &= CRYPTO_TFM_REQ_MAY_BACKLOG; 2268c2ecf20Sopenharmony_ci err = xts_xor_tweak_post(req, false); 2278c2ecf20Sopenharmony_ci 2288c2ecf20Sopenharmony_ci if (!err && unlikely(req->cryptlen % XTS_BLOCK_SIZE)) { 2298c2ecf20Sopenharmony_ci err = xts_cts_final(req, crypto_skcipher_decrypt); 2308c2ecf20Sopenharmony_ci if (err == -EINPROGRESS || err == -EBUSY) 2318c2ecf20Sopenharmony_ci return; 2328c2ecf20Sopenharmony_ci } 2338c2ecf20Sopenharmony_ci } 2348c2ecf20Sopenharmony_ci 2358c2ecf20Sopenharmony_ci skcipher_request_complete(req, err); 2368c2ecf20Sopenharmony_ci} 2378c2ecf20Sopenharmony_ci 2388c2ecf20Sopenharmony_cistatic int xts_init_crypt(struct skcipher_request *req, 2398c2ecf20Sopenharmony_ci crypto_completion_t compl) 2408c2ecf20Sopenharmony_ci{ 2418c2ecf20Sopenharmony_ci const struct xts_tfm_ctx *ctx = 2428c2ecf20Sopenharmony_ci crypto_skcipher_ctx(crypto_skcipher_reqtfm(req)); 2438c2ecf20Sopenharmony_ci struct xts_request_ctx *rctx = skcipher_request_ctx(req); 2448c2ecf20Sopenharmony_ci struct skcipher_request *subreq = &rctx->subreq; 2458c2ecf20Sopenharmony_ci 2468c2ecf20Sopenharmony_ci if (req->cryptlen < XTS_BLOCK_SIZE) 2478c2ecf20Sopenharmony_ci return -EINVAL; 2488c2ecf20Sopenharmony_ci 2498c2ecf20Sopenharmony_ci skcipher_request_set_tfm(subreq, ctx->child); 2508c2ecf20Sopenharmony_ci skcipher_request_set_callback(subreq, req->base.flags, compl, req); 2518c2ecf20Sopenharmony_ci skcipher_request_set_crypt(subreq, req->dst, req->dst, 2528c2ecf20Sopenharmony_ci req->cryptlen & ~(XTS_BLOCK_SIZE - 1), NULL); 2538c2ecf20Sopenharmony_ci 2548c2ecf20Sopenharmony_ci /* calculate first value of T */ 2558c2ecf20Sopenharmony_ci crypto_cipher_encrypt_one(ctx->tweak, (u8 *)&rctx->t, req->iv); 2568c2ecf20Sopenharmony_ci 2578c2ecf20Sopenharmony_ci return 0; 2588c2ecf20Sopenharmony_ci} 2598c2ecf20Sopenharmony_ci 2608c2ecf20Sopenharmony_cistatic int xts_encrypt(struct skcipher_request *req) 2618c2ecf20Sopenharmony_ci{ 2628c2ecf20Sopenharmony_ci struct xts_request_ctx *rctx = skcipher_request_ctx(req); 2638c2ecf20Sopenharmony_ci struct skcipher_request *subreq = &rctx->subreq; 2648c2ecf20Sopenharmony_ci int err; 2658c2ecf20Sopenharmony_ci 2668c2ecf20Sopenharmony_ci err = xts_init_crypt(req, xts_encrypt_done) ?: 2678c2ecf20Sopenharmony_ci xts_xor_tweak_pre(req, true) ?: 2688c2ecf20Sopenharmony_ci crypto_skcipher_encrypt(subreq) ?: 2698c2ecf20Sopenharmony_ci xts_xor_tweak_post(req, true); 2708c2ecf20Sopenharmony_ci 2718c2ecf20Sopenharmony_ci if (err || likely((req->cryptlen % XTS_BLOCK_SIZE) == 0)) 2728c2ecf20Sopenharmony_ci return err; 2738c2ecf20Sopenharmony_ci 2748c2ecf20Sopenharmony_ci return xts_cts_final(req, crypto_skcipher_encrypt); 2758c2ecf20Sopenharmony_ci} 2768c2ecf20Sopenharmony_ci 2778c2ecf20Sopenharmony_cistatic int xts_decrypt(struct skcipher_request *req) 2788c2ecf20Sopenharmony_ci{ 2798c2ecf20Sopenharmony_ci struct xts_request_ctx *rctx = skcipher_request_ctx(req); 2808c2ecf20Sopenharmony_ci struct skcipher_request *subreq = &rctx->subreq; 2818c2ecf20Sopenharmony_ci int err; 2828c2ecf20Sopenharmony_ci 2838c2ecf20Sopenharmony_ci err = xts_init_crypt(req, xts_decrypt_done) ?: 2848c2ecf20Sopenharmony_ci xts_xor_tweak_pre(req, false) ?: 2858c2ecf20Sopenharmony_ci crypto_skcipher_decrypt(subreq) ?: 2868c2ecf20Sopenharmony_ci xts_xor_tweak_post(req, false); 2878c2ecf20Sopenharmony_ci 2888c2ecf20Sopenharmony_ci if (err || likely((req->cryptlen % XTS_BLOCK_SIZE) == 0)) 2898c2ecf20Sopenharmony_ci return err; 2908c2ecf20Sopenharmony_ci 2918c2ecf20Sopenharmony_ci return xts_cts_final(req, crypto_skcipher_decrypt); 2928c2ecf20Sopenharmony_ci} 2938c2ecf20Sopenharmony_ci 2948c2ecf20Sopenharmony_cistatic int xts_init_tfm(struct crypto_skcipher *tfm) 2958c2ecf20Sopenharmony_ci{ 2968c2ecf20Sopenharmony_ci struct skcipher_instance *inst = skcipher_alg_instance(tfm); 2978c2ecf20Sopenharmony_ci struct xts_instance_ctx *ictx = skcipher_instance_ctx(inst); 2988c2ecf20Sopenharmony_ci struct xts_tfm_ctx *ctx = crypto_skcipher_ctx(tfm); 2998c2ecf20Sopenharmony_ci struct crypto_skcipher *child; 3008c2ecf20Sopenharmony_ci struct crypto_cipher *tweak; 3018c2ecf20Sopenharmony_ci 3028c2ecf20Sopenharmony_ci child = crypto_spawn_skcipher(&ictx->spawn); 3038c2ecf20Sopenharmony_ci if (IS_ERR(child)) 3048c2ecf20Sopenharmony_ci return PTR_ERR(child); 3058c2ecf20Sopenharmony_ci 3068c2ecf20Sopenharmony_ci ctx->child = child; 3078c2ecf20Sopenharmony_ci 3088c2ecf20Sopenharmony_ci tweak = crypto_alloc_cipher(ictx->name, 0, 0); 3098c2ecf20Sopenharmony_ci if (IS_ERR(tweak)) { 3108c2ecf20Sopenharmony_ci crypto_free_skcipher(ctx->child); 3118c2ecf20Sopenharmony_ci return PTR_ERR(tweak); 3128c2ecf20Sopenharmony_ci } 3138c2ecf20Sopenharmony_ci 3148c2ecf20Sopenharmony_ci ctx->tweak = tweak; 3158c2ecf20Sopenharmony_ci 3168c2ecf20Sopenharmony_ci crypto_skcipher_set_reqsize(tfm, crypto_skcipher_reqsize(child) + 3178c2ecf20Sopenharmony_ci sizeof(struct xts_request_ctx)); 3188c2ecf20Sopenharmony_ci 3198c2ecf20Sopenharmony_ci return 0; 3208c2ecf20Sopenharmony_ci} 3218c2ecf20Sopenharmony_ci 3228c2ecf20Sopenharmony_cistatic void xts_exit_tfm(struct crypto_skcipher *tfm) 3238c2ecf20Sopenharmony_ci{ 3248c2ecf20Sopenharmony_ci struct xts_tfm_ctx *ctx = crypto_skcipher_ctx(tfm); 3258c2ecf20Sopenharmony_ci 3268c2ecf20Sopenharmony_ci crypto_free_skcipher(ctx->child); 3278c2ecf20Sopenharmony_ci crypto_free_cipher(ctx->tweak); 3288c2ecf20Sopenharmony_ci} 3298c2ecf20Sopenharmony_ci 3308c2ecf20Sopenharmony_cistatic void xts_free_instance(struct skcipher_instance *inst) 3318c2ecf20Sopenharmony_ci{ 3328c2ecf20Sopenharmony_ci struct xts_instance_ctx *ictx = skcipher_instance_ctx(inst); 3338c2ecf20Sopenharmony_ci 3348c2ecf20Sopenharmony_ci crypto_drop_skcipher(&ictx->spawn); 3358c2ecf20Sopenharmony_ci kfree(inst); 3368c2ecf20Sopenharmony_ci} 3378c2ecf20Sopenharmony_ci 3388c2ecf20Sopenharmony_cistatic int xts_create(struct crypto_template *tmpl, struct rtattr **tb) 3398c2ecf20Sopenharmony_ci{ 3408c2ecf20Sopenharmony_ci struct skcipher_instance *inst; 3418c2ecf20Sopenharmony_ci struct xts_instance_ctx *ctx; 3428c2ecf20Sopenharmony_ci struct skcipher_alg *alg; 3438c2ecf20Sopenharmony_ci const char *cipher_name; 3448c2ecf20Sopenharmony_ci u32 mask; 3458c2ecf20Sopenharmony_ci int err; 3468c2ecf20Sopenharmony_ci 3478c2ecf20Sopenharmony_ci err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_SKCIPHER, &mask); 3488c2ecf20Sopenharmony_ci if (err) 3498c2ecf20Sopenharmony_ci return err; 3508c2ecf20Sopenharmony_ci 3518c2ecf20Sopenharmony_ci cipher_name = crypto_attr_alg_name(tb[1]); 3528c2ecf20Sopenharmony_ci if (IS_ERR(cipher_name)) 3538c2ecf20Sopenharmony_ci return PTR_ERR(cipher_name); 3548c2ecf20Sopenharmony_ci 3558c2ecf20Sopenharmony_ci inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL); 3568c2ecf20Sopenharmony_ci if (!inst) 3578c2ecf20Sopenharmony_ci return -ENOMEM; 3588c2ecf20Sopenharmony_ci 3598c2ecf20Sopenharmony_ci ctx = skcipher_instance_ctx(inst); 3608c2ecf20Sopenharmony_ci 3618c2ecf20Sopenharmony_ci err = crypto_grab_skcipher(&ctx->spawn, skcipher_crypto_instance(inst), 3628c2ecf20Sopenharmony_ci cipher_name, 0, mask); 3638c2ecf20Sopenharmony_ci if (err == -ENOENT) { 3648c2ecf20Sopenharmony_ci err = -ENAMETOOLONG; 3658c2ecf20Sopenharmony_ci if (snprintf(ctx->name, CRYPTO_MAX_ALG_NAME, "ecb(%s)", 3668c2ecf20Sopenharmony_ci cipher_name) >= CRYPTO_MAX_ALG_NAME) 3678c2ecf20Sopenharmony_ci goto err_free_inst; 3688c2ecf20Sopenharmony_ci 3698c2ecf20Sopenharmony_ci err = crypto_grab_skcipher(&ctx->spawn, 3708c2ecf20Sopenharmony_ci skcipher_crypto_instance(inst), 3718c2ecf20Sopenharmony_ci ctx->name, 0, mask); 3728c2ecf20Sopenharmony_ci } 3738c2ecf20Sopenharmony_ci 3748c2ecf20Sopenharmony_ci if (err) 3758c2ecf20Sopenharmony_ci goto err_free_inst; 3768c2ecf20Sopenharmony_ci 3778c2ecf20Sopenharmony_ci alg = crypto_skcipher_spawn_alg(&ctx->spawn); 3788c2ecf20Sopenharmony_ci 3798c2ecf20Sopenharmony_ci err = -EINVAL; 3808c2ecf20Sopenharmony_ci if (alg->base.cra_blocksize != XTS_BLOCK_SIZE) 3818c2ecf20Sopenharmony_ci goto err_free_inst; 3828c2ecf20Sopenharmony_ci 3838c2ecf20Sopenharmony_ci if (crypto_skcipher_alg_ivsize(alg)) 3848c2ecf20Sopenharmony_ci goto err_free_inst; 3858c2ecf20Sopenharmony_ci 3868c2ecf20Sopenharmony_ci err = crypto_inst_setname(skcipher_crypto_instance(inst), "xts", 3878c2ecf20Sopenharmony_ci &alg->base); 3888c2ecf20Sopenharmony_ci if (err) 3898c2ecf20Sopenharmony_ci goto err_free_inst; 3908c2ecf20Sopenharmony_ci 3918c2ecf20Sopenharmony_ci err = -EINVAL; 3928c2ecf20Sopenharmony_ci cipher_name = alg->base.cra_name; 3938c2ecf20Sopenharmony_ci 3948c2ecf20Sopenharmony_ci /* Alas we screwed up the naming so we have to mangle the 3958c2ecf20Sopenharmony_ci * cipher name. 3968c2ecf20Sopenharmony_ci */ 3978c2ecf20Sopenharmony_ci if (!strncmp(cipher_name, "ecb(", 4)) { 3988c2ecf20Sopenharmony_ci int len; 3998c2ecf20Sopenharmony_ci 4008c2ecf20Sopenharmony_ci len = strscpy(ctx->name, cipher_name + 4, sizeof(ctx->name)); 4018c2ecf20Sopenharmony_ci if (len < 2) 4028c2ecf20Sopenharmony_ci goto err_free_inst; 4038c2ecf20Sopenharmony_ci 4048c2ecf20Sopenharmony_ci if (ctx->name[len - 1] != ')') 4058c2ecf20Sopenharmony_ci goto err_free_inst; 4068c2ecf20Sopenharmony_ci 4078c2ecf20Sopenharmony_ci ctx->name[len - 1] = 0; 4088c2ecf20Sopenharmony_ci 4098c2ecf20Sopenharmony_ci if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME, 4108c2ecf20Sopenharmony_ci "xts(%s)", ctx->name) >= CRYPTO_MAX_ALG_NAME) { 4118c2ecf20Sopenharmony_ci err = -ENAMETOOLONG; 4128c2ecf20Sopenharmony_ci goto err_free_inst; 4138c2ecf20Sopenharmony_ci } 4148c2ecf20Sopenharmony_ci } else 4158c2ecf20Sopenharmony_ci goto err_free_inst; 4168c2ecf20Sopenharmony_ci 4178c2ecf20Sopenharmony_ci inst->alg.base.cra_priority = alg->base.cra_priority; 4188c2ecf20Sopenharmony_ci inst->alg.base.cra_blocksize = XTS_BLOCK_SIZE; 4198c2ecf20Sopenharmony_ci inst->alg.base.cra_alignmask = alg->base.cra_alignmask | 4208c2ecf20Sopenharmony_ci (__alignof__(u64) - 1); 4218c2ecf20Sopenharmony_ci 4228c2ecf20Sopenharmony_ci inst->alg.ivsize = XTS_BLOCK_SIZE; 4238c2ecf20Sopenharmony_ci inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg) * 2; 4248c2ecf20Sopenharmony_ci inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(alg) * 2; 4258c2ecf20Sopenharmony_ci 4268c2ecf20Sopenharmony_ci inst->alg.base.cra_ctxsize = sizeof(struct xts_tfm_ctx); 4278c2ecf20Sopenharmony_ci 4288c2ecf20Sopenharmony_ci inst->alg.init = xts_init_tfm; 4298c2ecf20Sopenharmony_ci inst->alg.exit = xts_exit_tfm; 4308c2ecf20Sopenharmony_ci 4318c2ecf20Sopenharmony_ci inst->alg.setkey = xts_setkey; 4328c2ecf20Sopenharmony_ci inst->alg.encrypt = xts_encrypt; 4338c2ecf20Sopenharmony_ci inst->alg.decrypt = xts_decrypt; 4348c2ecf20Sopenharmony_ci 4358c2ecf20Sopenharmony_ci inst->free = xts_free_instance; 4368c2ecf20Sopenharmony_ci 4378c2ecf20Sopenharmony_ci err = skcipher_register_instance(tmpl, inst); 4388c2ecf20Sopenharmony_ci if (err) { 4398c2ecf20Sopenharmony_cierr_free_inst: 4408c2ecf20Sopenharmony_ci xts_free_instance(inst); 4418c2ecf20Sopenharmony_ci } 4428c2ecf20Sopenharmony_ci return err; 4438c2ecf20Sopenharmony_ci} 4448c2ecf20Sopenharmony_ci 4458c2ecf20Sopenharmony_cistatic struct crypto_template xts_tmpl = { 4468c2ecf20Sopenharmony_ci .name = "xts", 4478c2ecf20Sopenharmony_ci .create = xts_create, 4488c2ecf20Sopenharmony_ci .module = THIS_MODULE, 4498c2ecf20Sopenharmony_ci}; 4508c2ecf20Sopenharmony_ci 4518c2ecf20Sopenharmony_cistatic int __init xts_module_init(void) 4528c2ecf20Sopenharmony_ci{ 4538c2ecf20Sopenharmony_ci return crypto_register_template(&xts_tmpl); 4548c2ecf20Sopenharmony_ci} 4558c2ecf20Sopenharmony_ci 4568c2ecf20Sopenharmony_cistatic void __exit xts_module_exit(void) 4578c2ecf20Sopenharmony_ci{ 4588c2ecf20Sopenharmony_ci crypto_unregister_template(&xts_tmpl); 4598c2ecf20Sopenharmony_ci} 4608c2ecf20Sopenharmony_ci 4618c2ecf20Sopenharmony_cisubsys_initcall(xts_module_init); 4628c2ecf20Sopenharmony_cimodule_exit(xts_module_exit); 4638c2ecf20Sopenharmony_ci 4648c2ecf20Sopenharmony_ciMODULE_LICENSE("GPL"); 4658c2ecf20Sopenharmony_ciMODULE_DESCRIPTION("XTS block cipher mode"); 4668c2ecf20Sopenharmony_ciMODULE_ALIAS_CRYPTO("xts"); 467