crypto: keywrap - add key wrapping block chaining mode

This patch implements the AES key wrapping as specified in NIST SP800-38F and RFC3394. The implementation covers key wrapping without padding. IV handling: The caller does not provide an IV for encryption, but must obtain the IV after encryption which would serve as the first semblock in the ciphertext structure defined by SP800-38F. Conversely, for decryption, the caller must provide the first semiblock of the data as the IV and the following blocks as ciphertext. The key wrapping is an authenticated decryption operation. The caller will receive EBADMSG during decryption if the authentication failed. Albeit the standards define the key wrapping for AES only, the template can be used with any other block cipher that has a block size of 16 bytes. During initialization of the template, that condition is checked. Any cipher not having a block size of 16 bytes will cause the initialization to fail. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
author: Stephan Mueller <smueller@chronox.de> 2015-09-21 14:58:23 -0400
committer: Herbert Xu <herbert@gondor.apana.org.au> 2015-10-15 09:05:04 -0400
commit: e28facde3c39005071cc5323d56539bb44efa446 (patch)
tree: f103a8d64c47cf5ffb985f9f387cfd06d4505db6 /crypto/keywrap.c
parent: 8a826a34a52eef9ea1cb93f49ada358fa7b0bb32 (diff)
1 files changed, 419 insertions, 0 deletions
diff --git a/crypto/keywrap.c b/crypto/keywrap.c
new file mode 100644
index 000000000000..b1d106ce55f3
--- /dev/null
+++ b/crypto/keywrap.c
@@ -0,0 +1,419 @@
+/*
+ * Key Wrapping: RFC3394 / NIST SP800-38F
+ *
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, and the entire permission notice in its entirety,
+ *    including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior
+ *    written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU General Public License, in which case the provisions of the GPL2
+ * are required INSTEAD OF the above restrictions.  (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
+ * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
+ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ */
+/*
+ * Note for using key wrapping:
+ *
+ *      * The result of the encryption operation is the ciphertext starting
+ *        with the 2nd semiblock. The first semiblock is provided as the IV.
+ *        The IV used to start the encryption operation is the default IV.
+ *
+ *      * The input for the decryption is the first semiblock handed in as an
+ *        IV. The ciphertext is the data starting with the 2nd semiblock. The
+ *        return code of the decryption operation will be EBADMSG in case an
+ *        integrity error occurs.
+ *
+ * To obtain the full result of an encryption as expected by SP800-38F, the
+ * caller must allocate a buffer of plaintext + 8 bytes:
+ *
+ *      unsigned int datalen = ptlen + crypto_skcipher_ivsize(tfm);
+ *      u8 data[datalen];
+ *      u8 *iv = data;
+ *      u8 *pt = data + crypto_skcipher_ivsize(tfm);
+ *              <ensure that pt contains the plaintext of size ptlen>
+ *      sg_init_one(&sg, ptdata, ptlen);
+ *      skcipher_request_set_crypt(req, &sg, &sg, ptlen, iv);
+ *
+ *      ==> After encryption, data now contains full KW result as per SP800-38F.
+ *
+ * In case of decryption, ciphertext now already has the expected length
+ * and must be segmented appropriately:
+ *
+ *      unsigned int datalen = CTLEN;
+ *      u8 data[datalen];
+ *              <ensure that data contains full ciphertext>
+ *      u8 *iv = data;
+ *      u8 *ct = data + crypto_skcipher_ivsize(tfm);
+ *      unsigned int ctlen = datalen - crypto_skcipher_ivsize(tfm);
+ *      sg_init_one(&sg, ctdata, ctlen);
+ *      skcipher_request_set_crypt(req, &sg, &sg, ptlen, iv);
+ *
+ *      ==> After decryption (which hopefully does not return EBADMSG), the ct
+ *      pointer now points to the plaintext of size ctlen.
+ *
+ * Note 2: KWP is not implemented as this would defy in-place operation.
+ *         If somebody wants to wrap non-aligned data, he should simply pad
+ *         the input with zeros to fill it up to the 8 byte boundary.
+ */
+#include <linux/module.h>
+#include <linux/crypto.h>
+#include <linux/scatterlist.h>
+#include <crypto/scatterwalk.h>
+#include <crypto/internal/skcipher.h>
+struct crypto_kw_ctx {
+        struct crypto_cipher *child;
+};
+struct crypto_kw_block {
+#define SEMIBSIZE 8
+        u8 A[SEMIBSIZE];
+        u8 R[SEMIBSIZE];
+};
+/* convert 64 bit integer into its string representation */
+static inline void crypto_kw_cpu_to_be64(u64 val, u8 *buf)
+{
+        __be64 *a = (__be64 *)buf;
+        *a = cpu_to_be64(val);
+}
+/*
+ * Fast forward the SGL to the "end" length minus SEMIBSIZE.
+ * The start in the SGL defined by the fast-forward is returned with
+ * the walk variable
+ */
+static void crypto_kw_scatterlist_ff(struct scatter_walk *walk,
+                                     struct scatterlist *sg,
+                                     unsigned int end)
+{
+        unsigned int skip = 0;
+        /* The caller should only operate on full SEMIBLOCKs. */
+        BUG_ON(end < SEMIBSIZE);
+        skip = end - SEMIBSIZE;
+        while (sg) {
+                if (sg->length > skip) {
+                        scatterwalk_start(walk, sg);
+                        scatterwalk_advance(walk, skip);
+                        break;
+                } else
+                        skip -= sg->length;
+                sg = sg_next(sg);
+        }
+}
+static int crypto_kw_decrypt(struct blkcipher_desc *desc,
+                             struct scatterlist *dst, struct scatterlist *src,
+                             unsigned int nbytes)
+{
+        struct crypto_blkcipher *tfm = desc->tfm;
+        struct crypto_kw_ctx *ctx = crypto_blkcipher_ctx(tfm);
+        struct crypto_cipher *child = ctx->child;
+        unsigned long alignmask = max_t(unsigned long, SEMIBSIZE,
+                                        crypto_cipher_alignmask(child));
+        unsigned int i;
+        u8 blockbuf[sizeof(struct crypto_kw_block) + alignmask];
+        struct crypto_kw_block *block = (struct crypto_kw_block *)
+                                        PTR_ALIGN(blockbuf + 0, alignmask + 1);
+        u64 t = 6 * ((nbytes) >> 3);
+        struct scatterlist *lsrc, *ldst;
+        int ret = 0;
+        /*
+         * Require at least 2 semiblocks (note, the 3rd semiblock that is
+         * required by SP800-38F is the IV.
+         */
+        if (nbytes < (2 * SEMIBSIZE) || nbytes % SEMIBSIZE)
+                return -EINVAL;
+        /* Place the IV into block A */
+        memcpy(block->A, desc->info, SEMIBSIZE);
+        /*
+         * src scatterlist is read-only. dst scatterlist is r/w. During the
+         * first loop, lsrc points to src and ldst to dst. For any
+         * subsequent round, the code operates on dst only.
+         */
+        lsrc = src;
+        ldst = dst;
+        for (i = 0; i < 6; i++) {
+                u8 tbe_buffer[SEMIBSIZE + alignmask];
+                /* alignment for the crypto_xor and the _to_be64 operation */
+                u8 *tbe = PTR_ALIGN(tbe_buffer + 0, alignmask + 1);
+                unsigned int tmp_nbytes = nbytes;
+                struct scatter_walk src_walk, dst_walk;
+                while (tmp_nbytes) {
+                        /* move pointer by tmp_nbytes in the SGL */
+                        crypto_kw_scatterlist_ff(&src_walk, lsrc, tmp_nbytes);
+                        /* get the source block */
+                        scatterwalk_copychunks(block->R, &src_walk, SEMIBSIZE,
+                                               false);
+                        /* perform KW operation: get counter as byte string */
+                        crypto_kw_cpu_to_be64(t, tbe);
+                        /* perform KW operation: modify IV with counter */
+                        crypto_xor(block->A, tbe, SEMIBSIZE);
+                        t--;
+                        /* perform KW operation: decrypt block */
+                        crypto_cipher_decrypt_one(child, (u8*)block,
+                                                  (u8*)block);
+                        /* move pointer by tmp_nbytes in the SGL */
+                        crypto_kw_scatterlist_ff(&dst_walk, ldst, tmp_nbytes);
+                        /* Copy block->R into place */
+                        scatterwalk_copychunks(block->R, &dst_walk, SEMIBSIZE,
+                                               true);
+                        tmp_nbytes -= SEMIBSIZE;
+                }
+                /* we now start to operate on the dst SGL only */
+                lsrc = dst;
+                ldst = dst;
+        }
+        /* Perform authentication check */
+        if (crypto_memneq("\xA6\xA6\xA6\xA6\xA6\xA6\xA6\xA6", block->A,
+                          SEMIBSIZE))
+                ret = -EBADMSG;
+        memzero_explicit(&block, sizeof(struct crypto_kw_block));
+        return ret;
+}
+static int crypto_kw_encrypt(struct blkcipher_desc *desc,
+                             struct scatterlist *dst, struct scatterlist *src,
+                             unsigned int nbytes)
+{
+        struct crypto_blkcipher *tfm = desc->tfm;
+        struct crypto_kw_ctx *ctx = crypto_blkcipher_ctx(tfm);
+        struct crypto_cipher *child = ctx->child;
+        unsigned long alignmask = max_t(unsigned long, SEMIBSIZE,
+                                        crypto_cipher_alignmask(child));
+        unsigned int i;
+        u8 blockbuf[sizeof(struct crypto_kw_block) + alignmask];
+        struct crypto_kw_block *block = (struct crypto_kw_block *)
+                                        PTR_ALIGN(blockbuf + 0, alignmask + 1);
+        u64 t = 1;
+        struct scatterlist *lsrc, *ldst;
+        /*
+         * Require at least 2 semiblocks (note, the 3rd semiblock that is
+         * required by SP800-38F is the IV that occupies the first semiblock.
+         * This means that the dst memory must be one semiblock larger than src.
+         * Also ensure that the given data is aligned to semiblock.
+         */
+        if (nbytes < (2 * SEMIBSIZE) || nbytes % SEMIBSIZE)
+                return -EINVAL;
+        /*
+         * Place the predefined IV into block A -- for encrypt, the caller
+         * does not need to provide an IV, but he needs to fetch the final IV.
+         */
+        memcpy(block->A, "\xA6\xA6\xA6\xA6\xA6\xA6\xA6\xA6", SEMIBSIZE);
+        /*
+         * src scatterlist is read-only. dst scatterlist is r/w. During the
+         * first loop, lsrc points to src and ldst to dst. For any
+         * subsequent round, the code operates on dst only.
+         */
+        lsrc = src;
+        ldst = dst;
+        for (i = 0; i < 6; i++) {
+                u8 tbe_buffer[SEMIBSIZE + alignmask];
+                u8 *tbe = PTR_ALIGN(tbe_buffer + 0, alignmask + 1);
+                unsigned int tmp_nbytes = nbytes;
+                struct scatter_walk src_walk, dst_walk;
+                scatterwalk_start(&src_walk, lsrc);
+                scatterwalk_start(&dst_walk, ldst);
+                while (tmp_nbytes) {
+                        /* get the source block */
+                        scatterwalk_copychunks(block->R, &src_walk, SEMIBSIZE,
+                                               false);
+                        /* perform KW operation: encrypt block */
+                        crypto_cipher_encrypt_one(child, (u8 *)block,
+                                                  (u8 *)block);
+                        /* perform KW operation: get counter as byte string */
+                        crypto_kw_cpu_to_be64(t, tbe);
+                        /* perform KW operation: modify IV with counter */
+                        crypto_xor(block->A, tbe, SEMIBSIZE);
+                        t++;
+                        /* Copy block->R into place */
+                        scatterwalk_copychunks(block->R, &dst_walk, SEMIBSIZE,
+                                               true);
+                        tmp_nbytes -= SEMIBSIZE;
+                }
+                /* we now start to operate on the dst SGL only */
+                lsrc = dst;
+                ldst = dst;
+        }
+        /* establish the IV for the caller to pick up */
+        memcpy(desc->info, block->A, SEMIBSIZE);
+        memzero_explicit(&block, sizeof(struct crypto_kw_block));
+        return 0;
+}
+static int crypto_kw_setkey(struct crypto_tfm *parent, const u8 *key,
+                            unsigned int keylen)
+{
+        struct crypto_kw_ctx *ctx = crypto_tfm_ctx(parent);
+        struct crypto_cipher *child = ctx->child;
+        int err;
+        crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
+        crypto_cipher_set_flags(child, crypto_tfm_get_flags(parent) &
+                                       CRYPTO_TFM_REQ_MASK);
+        err = crypto_cipher_setkey(child, key, keylen);
+        crypto_tfm_set_flags(parent, crypto_cipher_get_flags(child) &
+                                     CRYPTO_TFM_RES_MASK);
+        return err;
+}
+static int crypto_kw_init_tfm(struct crypto_tfm *tfm)
+{
+        struct crypto_instance *inst = crypto_tfm_alg_instance(tfm);
+        struct crypto_spawn *spawn = crypto_instance_ctx(inst);
+        struct crypto_kw_ctx *ctx = crypto_tfm_ctx(tfm);
+        struct crypto_cipher *cipher;
+        cipher = crypto_spawn_cipher(spawn);
+        if (IS_ERR(cipher))
+                return PTR_ERR(cipher);
+        ctx->child = cipher;
+        return 0;
+}
+static void crypto_kw_exit_tfm(struct crypto_tfm *tfm)
+{
+        struct crypto_kw_ctx *ctx = crypto_tfm_ctx(tfm);
+        crypto_free_cipher(ctx->child);
+}
+static struct crypto_instance *crypto_kw_alloc(struct rtattr **tb)
+{
+        struct crypto_instance *inst = NULL;
+        struct crypto_alg *alg = NULL;
+        int err;
+        err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_BLKCIPHER);
+        if (err)
+                return ERR_PTR(err);
+        alg = crypto_get_attr_alg(tb, CRYPTO_ALG_TYPE_CIPHER,
+                                  CRYPTO_ALG_TYPE_MASK);
+        if (IS_ERR(alg))
+                return ERR_CAST(alg);
+        inst = ERR_PTR(-EINVAL);
+        /* Section 5.1 requirement for KW */
+        if (alg->cra_blocksize != sizeof(struct crypto_kw_block))
+                goto err;
+        inst = crypto_alloc_instance("kw", alg);
+        if (IS_ERR(inst))
+                goto err;
+        inst->alg.cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER;
+        inst->alg.cra_priority = alg->cra_priority;
+        inst->alg.cra_blocksize = SEMIBSIZE;
+        inst->alg.cra_alignmask = 0;
+        inst->alg.cra_type = &crypto_blkcipher_type;
+        inst->alg.cra_blkcipher.ivsize = SEMIBSIZE;
+        inst->alg.cra_blkcipher.min_keysize = alg->cra_cipher.cia_min_keysize;
+        inst->alg.cra_blkcipher.max_keysize = alg->cra_cipher.cia_max_keysize;
+        inst->alg.cra_ctxsize = sizeof(struct crypto_kw_ctx);
+        inst->alg.cra_init = crypto_kw_init_tfm;
+        inst->alg.cra_exit = crypto_kw_exit_tfm;
+        inst->alg.cra_blkcipher.setkey = crypto_kw_setkey;
+        inst->alg.cra_blkcipher.encrypt = crypto_kw_encrypt;
+        inst->alg.cra_blkcipher.decrypt = crypto_kw_decrypt;
+err:
+        crypto_mod_put(alg);
+        return inst;
+}
+static void crypto_kw_free(struct crypto_instance *inst)
+{
+        crypto_drop_spawn(crypto_instance_ctx(inst));
+        kfree(inst);
+}
+static struct crypto_template crypto_kw_tmpl = {
+        .name = "kw",
+        .alloc = crypto_kw_alloc,
+        .free = crypto_kw_free,
+        .module = THIS_MODULE,
+};
+static int __init crypto_kw_init(void)
+{
+        return crypto_register_template(&crypto_kw_tmpl);
+}
+static void __exit crypto_kw_exit(void)
+{
+        crypto_unregister_template(&crypto_kw_tmpl);
+}
+module_init(crypto_kw_init);
+module_exit(crypto_kw_exit);
+MODULE_LICENSE("Dual BSD/GPL");
+MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
+MODULE_DESCRIPTION("Key Wrapping (RFC3394 / NIST SP800-38F)");
+MODULE_ALIAS_CRYPTO("kw");
author	Stephan Mueller <smueller@chronox.de>	2015-09-21 14:58:23 -0400
committer	Herbert Xu <herbert@gondor.apana.org.au>	2015-10-15 09:05:04 -0400
commit	e28facde3c39005071cc5323d56539bb44efa446 (patch)
tree	f103a8d64c47cf5ffb985f9f387cfd06d4505db6 /crypto/keywrap.c
parent	8a826a34a52eef9ea1cb93f49ada358fa7b0bb32 (diff)

diff --git a/crypto/keywrap.c b/crypto/keywrap.c new file mode 100644 index 000000000000..b1d106ce55f3 --- /dev/null +++ b/crypto/keywrap.c
@@ -0,0 +1,419 @@
	1	/*
	2	* Key Wrapping: RFC3394 / NIST SP800-38F
	3	*
	4	* Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
	5	*
	6	* Redistribution and use in source and binary forms, with or without
	7	* modification, are permitted provided that the following conditions
	8	* are met:
	9	* 1. Redistributions of source code must retain the above copyright
	10	* notice, and the entire permission notice in its entirety,
	11	* including the disclaimer of warranties.
	12	* 2. Redistributions in binary form must reproduce the above copyright
	13	* notice, this list of conditions and the following disclaimer in the
	14	* documentation and/or other materials provided with the distribution.
	15	* 3. The name of the author may not be used to endorse or promote
	16	* products derived from this software without specific prior
	17	* written permission.
	18	*
	19	* ALTERNATIVELY, this product may be distributed under the terms of
	20	* the GNU General Public License, in which case the provisions of the GPL2
	21	* are required INSTEAD OF the above restrictions. (This clause is
	22	* necessary due to a potential bad interaction between the GPL and
	23	* the restrictions contained in a BSD-style copyright.)
	24	*
	25	* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
	26	* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	27	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
	28	* WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
	29	* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
	30	* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
	31	* OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
	32	* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
	33	* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	34	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
	35	* USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
	36	* DAMAGE.
	37	*/
	38
	39	/*
	40	* Note for using key wrapping:
	41	*
	42	* * The result of the encryption operation is the ciphertext starting
	43	* with the 2nd semiblock. The first semiblock is provided as the IV.
	44	* The IV used to start the encryption operation is the default IV.
	45	*
	46	* * The input for the decryption is the first semiblock handed in as an
	47	* IV. The ciphertext is the data starting with the 2nd semiblock. The
	48	* return code of the decryption operation will be EBADMSG in case an
	49	* integrity error occurs.
	50	*
	51	* To obtain the full result of an encryption as expected by SP800-38F, the
	52	* caller must allocate a buffer of plaintext + 8 bytes:
	53	*
	54	* unsigned int datalen = ptlen + crypto_skcipher_ivsize(tfm);
	55	* u8 data[datalen];
	56	* u8 *iv = data;
	57	* u8 *pt = data + crypto_skcipher_ivsize(tfm);
	58	* <ensure that pt contains the plaintext of size ptlen>
	59	* sg_init_one(&sg, ptdata, ptlen);
	60	* skcipher_request_set_crypt(req, &sg, &sg, ptlen, iv);
	61	*
	62	* ==> After encryption, data now contains full KW result as per SP800-38F.
	63	*
	64	* In case of decryption, ciphertext now already has the expected length
	65	* and must be segmented appropriately:
	66	*
	67	* unsigned int datalen = CTLEN;
	68	* u8 data[datalen];
	69	* <ensure that data contains full ciphertext>
	70	* u8 *iv = data;
	71	* u8 *ct = data + crypto_skcipher_ivsize(tfm);
	72	* unsigned int ctlen = datalen - crypto_skcipher_ivsize(tfm);
	73	* sg_init_one(&sg, ctdata, ctlen);
	74	* skcipher_request_set_crypt(req, &sg, &sg, ptlen, iv);
	75	*
	76	* ==> After decryption (which hopefully does not return EBADMSG), the ct
	77	* pointer now points to the plaintext of size ctlen.
	78	*
	79	* Note 2: KWP is not implemented as this would defy in-place operation.
	80	* If somebody wants to wrap non-aligned data, he should simply pad
	81	* the input with zeros to fill it up to the 8 byte boundary.
	82	*/
	83
	84	#include <linux/module.h>
	85	#include <linux/crypto.h>
	86	#include <linux/scatterlist.h>
	87	#include <crypto/scatterwalk.h>
	88	#include <crypto/internal/skcipher.h>
	89
	90	struct crypto_kw_ctx {
	91	struct crypto_cipher *child;
	92	};
	93
	94	struct crypto_kw_block {
	95	#define SEMIBSIZE 8
	96	u8 A[SEMIBSIZE];
	97	u8 R[SEMIBSIZE];
	98	};
	99
	100	/* convert 64 bit integer into its string representation */
	101	static inline void crypto_kw_cpu_to_be64(u64 val, u8 *buf)
	102	{
	103	__be64 a = (__be64 )buf;
	104
	105	*a = cpu_to_be64(val);
	106	}
	107
	108	/*
	109	* Fast forward the SGL to the "end" length minus SEMIBSIZE.
	110	* The start in the SGL defined by the fast-forward is returned with
	111	* the walk variable
	112	*/
	113	static void crypto_kw_scatterlist_ff(struct scatter_walk *walk,
	114	struct scatterlist *sg,
	115	unsigned int end)
	116	{
	117	unsigned int skip = 0;
	118
	119	/* The caller should only operate on full SEMIBLOCKs. */
	120	BUG_ON(end < SEMIBSIZE);
	121
	122	skip = end - SEMIBSIZE;
	123	while (sg) {
	124	if (sg->length > skip) {
	125	scatterwalk_start(walk, sg);
	126	scatterwalk_advance(walk, skip);
	127	break;
	128	} else
	129	skip -= sg->length;
	130
	131	sg = sg_next(sg);
	132	}
	133	}
	134
	135	static int crypto_kw_decrypt(struct blkcipher_desc *desc,
	136	struct scatterlist dst, struct scatterlist src,
	137	unsigned int nbytes)
	138	{
	139	struct crypto_blkcipher *tfm = desc->tfm;
	140	struct crypto_kw_ctx *ctx = crypto_blkcipher_ctx(tfm);
	141	struct crypto_cipher *child = ctx->child;
	142
	143	unsigned long alignmask = max_t(unsigned long, SEMIBSIZE,
	144	crypto_cipher_alignmask(child));
	145	unsigned int i;
	146
	147	u8 blockbuf[sizeof(struct crypto_kw_block) + alignmask];
	148	struct crypto_kw_block block = (struct crypto_kw_block )
	149	PTR_ALIGN(blockbuf + 0, alignmask + 1);
	150
	151	u64 t = 6 * ((nbytes) >> 3);
	152	struct scatterlist lsrc, ldst;
	153	int ret = 0;
	154
	155	/*
	156	* Require at least 2 semiblocks (note, the 3rd semiblock that is
	157	* required by SP800-38F is the IV.
	158	*/
	159	if (nbytes < (2 * SEMIBSIZE) \|\| nbytes % SEMIBSIZE)
	160	return -EINVAL;
	161
	162	/* Place the IV into block A */
	163	memcpy(block->A, desc->info, SEMIBSIZE);
	164
	165	/*
	166	* src scatterlist is read-only. dst scatterlist is r/w. During the
	167	* first loop, lsrc points to src and ldst to dst. For any
	168	* subsequent round, the code operates on dst only.
	169	*/
	170	lsrc = src;
	171	ldst = dst;
	172
	173	for (i = 0; i < 6; i++) {
	174	u8 tbe_buffer[SEMIBSIZE + alignmask];
	175	/* alignment for the crypto_xor and the _to_be64 operation */
	176	u8 *tbe = PTR_ALIGN(tbe_buffer + 0, alignmask + 1);
	177	unsigned int tmp_nbytes = nbytes;
	178	struct scatter_walk src_walk, dst_walk;
	179
	180	while (tmp_nbytes) {
	181	/* move pointer by tmp_nbytes in the SGL */
	182	crypto_kw_scatterlist_ff(&src_walk, lsrc, tmp_nbytes);
	183	/* get the source block */
	184	scatterwalk_copychunks(block->R, &src_walk, SEMIBSIZE,
	185	false);
	186
	187	/* perform KW operation: get counter as byte string */
	188	crypto_kw_cpu_to_be64(t, tbe);
	189	/* perform KW operation: modify IV with counter */
	190	crypto_xor(block->A, tbe, SEMIBSIZE);
	191	t--;
	192	/* perform KW operation: decrypt block */
	193	crypto_cipher_decrypt_one(child, (u8*)block,
	194	(u8*)block);
	195
	196	/* move pointer by tmp_nbytes in the SGL */
	197	crypto_kw_scatterlist_ff(&dst_walk, ldst, tmp_nbytes);
	198	/* Copy block->R into place */
	199	scatterwalk_copychunks(block->R, &dst_walk, SEMIBSIZE,
	200	true);
	201
	202	tmp_nbytes -= SEMIBSIZE;
	203	}
	204
	205	/* we now start to operate on the dst SGL only */
	206	lsrc = dst;
	207	ldst = dst;
	208	}
	209
	210	/* Perform authentication check */
	211	if (crypto_memneq("\xA6\xA6\xA6\xA6\xA6\xA6\xA6\xA6", block->A,
	212	SEMIBSIZE))
	213	ret = -EBADMSG;
	214
	215	memzero_explicit(&block, sizeof(struct crypto_kw_block));
	216
	217	return ret;
	218	}
	219
	220	static int crypto_kw_encrypt(struct blkcipher_desc *desc,
	221	struct scatterlist dst, struct scatterlist src,
	222	unsigned int nbytes)
	223	{
	224	struct crypto_blkcipher *tfm = desc->tfm;
	225	struct crypto_kw_ctx *ctx = crypto_blkcipher_ctx(tfm);
	226	struct crypto_cipher *child = ctx->child;
	227
	228	unsigned long alignmask = max_t(unsigned long, SEMIBSIZE,
	229	crypto_cipher_alignmask(child));
	230	unsigned int i;
	231
	232	u8 blockbuf[sizeof(struct crypto_kw_block) + alignmask];
	233	struct crypto_kw_block block = (struct crypto_kw_block )
	234	PTR_ALIGN(blockbuf + 0, alignmask + 1);
	235
	236	u64 t = 1;
	237	struct scatterlist lsrc, ldst;
	238
	239	/*
	240	* Require at least 2 semiblocks (note, the 3rd semiblock that is
	241	* required by SP800-38F is the IV that occupies the first semiblock.
	242	* This means that the dst memory must be one semiblock larger than src.
	243	* Also ensure that the given data is aligned to semiblock.
	244	*/
	245	if (nbytes < (2 * SEMIBSIZE) \|\| nbytes % SEMIBSIZE)
	246	return -EINVAL;
	247
	248	/*
	249	* Place the predefined IV into block A -- for encrypt, the caller
	250	* does not need to provide an IV, but he needs to fetch the final IV.
	251	*/
	252	memcpy(block->A, "\xA6\xA6\xA6\xA6\xA6\xA6\xA6\xA6", SEMIBSIZE);
	253
	254	/*
	255	* src scatterlist is read-only. dst scatterlist is r/w. During the
	256	* first loop, lsrc points to src and ldst to dst. For any
	257	* subsequent round, the code operates on dst only.
	258	*/
	259	lsrc = src;
	260	ldst = dst;
	261
	262	for (i = 0; i < 6; i++) {
	263	u8 tbe_buffer[SEMIBSIZE + alignmask];
	264	u8 *tbe = PTR_ALIGN(tbe_buffer + 0, alignmask + 1);
	265	unsigned int tmp_nbytes = nbytes;
	266	struct scatter_walk src_walk, dst_walk;
	267
	268	scatterwalk_start(&src_walk, lsrc);
	269	scatterwalk_start(&dst_walk, ldst);
	270
	271	while (tmp_nbytes) {
	272	/* get the source block */
	273	scatterwalk_copychunks(block->R, &src_walk, SEMIBSIZE,
	274	false);
	275
	276	/* perform KW operation: encrypt block */
	277	crypto_cipher_encrypt_one(child, (u8 *)block,
	278	(u8 *)block);
	279	/* perform KW operation: get counter as byte string */
	280	crypto_kw_cpu_to_be64(t, tbe);
	281	/* perform KW operation: modify IV with counter */
	282	crypto_xor(block->A, tbe, SEMIBSIZE);
	283	t++;
	284
	285	/* Copy block->R into place */
	286	scatterwalk_copychunks(block->R, &dst_walk, SEMIBSIZE,
	287	true);
	288
	289	tmp_nbytes -= SEMIBSIZE;
	290	}
	291
	292	/* we now start to operate on the dst SGL only */
	293	lsrc = dst;
	294	ldst = dst;
	295	}
	296
	297	/* establish the IV for the caller to pick up */
	298	memcpy(desc->info, block->A, SEMIBSIZE);
	299
	300	memzero_explicit(&block, sizeof(struct crypto_kw_block));
	301
	302	return 0;
	303	}
	304
	305	static int crypto_kw_setkey(struct crypto_tfm parent, const u8 key,
	306	unsigned int keylen)
	307	{
	308	struct crypto_kw_ctx *ctx = crypto_tfm_ctx(parent);
	309	struct crypto_cipher *child = ctx->child;
	310	int err;
	311
	312	crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
	313	crypto_cipher_set_flags(child, crypto_tfm_get_flags(parent) &
	314	CRYPTO_TFM_REQ_MASK);
	315	err = crypto_cipher_setkey(child, key, keylen);
	316	crypto_tfm_set_flags(parent, crypto_cipher_get_flags(child) &
	317	CRYPTO_TFM_RES_MASK);
	318	return err;
	319	}
	320
	321	static int crypto_kw_init_tfm(struct crypto_tfm *tfm)
	322	{
	323	struct crypto_instance *inst = crypto_tfm_alg_instance(tfm);
	324	struct crypto_spawn *spawn = crypto_instance_ctx(inst);
	325	struct crypto_kw_ctx *ctx = crypto_tfm_ctx(tfm);
	326	struct crypto_cipher *cipher;
	327
	328	cipher = crypto_spawn_cipher(spawn);
	329	if (IS_ERR(cipher))
	330	return PTR_ERR(cipher);
	331
	332	ctx->child = cipher;
	333	return 0;
	334	}
	335
	336	static void crypto_kw_exit_tfm(struct crypto_tfm *tfm)
	337	{
	338	struct crypto_kw_ctx *ctx = crypto_tfm_ctx(tfm);
	339
	340	crypto_free_cipher(ctx->child);
	341	}
	342
	343	static struct crypto_instance crypto_kw_alloc(struct rtattr *tb)
	344	{
	345	struct crypto_instance *inst = NULL;
	346	struct crypto_alg *alg = NULL;
	347	int err;
	348
	349	err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_BLKCIPHER);
	350	if (err)
	351	return ERR_PTR(err);
	352
	353	alg = crypto_get_attr_alg(tb, CRYPTO_ALG_TYPE_CIPHER,
	354	CRYPTO_ALG_TYPE_MASK);
	355	if (IS_ERR(alg))
	356	return ERR_CAST(alg);
	357
	358	inst = ERR_PTR(-EINVAL);
	359	/* Section 5.1 requirement for KW */
	360	if (alg->cra_blocksize != sizeof(struct crypto_kw_block))
	361	goto err;
	362
	363	inst = crypto_alloc_instance("kw", alg);
	364	if (IS_ERR(inst))
	365	goto err;
	366
	367	inst->alg.cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER;
	368	inst->alg.cra_priority = alg->cra_priority;
	369	inst->alg.cra_blocksize = SEMIBSIZE;
	370	inst->alg.cra_alignmask = 0;
	371	inst->alg.cra_type = &crypto_blkcipher_type;
	372	inst->alg.cra_blkcipher.ivsize = SEMIBSIZE;
	373	inst->alg.cra_blkcipher.min_keysize = alg->cra_cipher.cia_min_keysize;
	374	inst->alg.cra_blkcipher.max_keysize = alg->cra_cipher.cia_max_keysize;
	375
	376	inst->alg.cra_ctxsize = sizeof(struct crypto_kw_ctx);
	377
	378	inst->alg.cra_init = crypto_kw_init_tfm;
	379	inst->alg.cra_exit = crypto_kw_exit_tfm;
	380
	381	inst->alg.cra_blkcipher.setkey = crypto_kw_setkey;
	382	inst->alg.cra_blkcipher.encrypt = crypto_kw_encrypt;
	383	inst->alg.cra_blkcipher.decrypt = crypto_kw_decrypt;
	384
	385	err:
	386	crypto_mod_put(alg);
	387	return inst;
	388	}
	389
	390	static void crypto_kw_free(struct crypto_instance *inst)
	391	{
	392	crypto_drop_spawn(crypto_instance_ctx(inst));
	393	kfree(inst);
	394	}
	395
	396	static struct crypto_template crypto_kw_tmpl = {
	397	.name = "kw",
	398	.alloc = crypto_kw_alloc,
	399	.free = crypto_kw_free,
	400	.module = THIS_MODULE,
	401	};
	402
	403	static int __init crypto_kw_init(void)
	404	{
	405	return crypto_register_template(&crypto_kw_tmpl);
	406	}
	407
	408	static void __exit crypto_kw_exit(void)
	409	{
	410	crypto_unregister_template(&crypto_kw_tmpl);
	411	}
	412
	413	module_init(crypto_kw_init);
	414	module_exit(crypto_kw_exit);
	415
	416	MODULE_LICENSE("Dual BSD/GPL");
	417	MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
	418	MODULE_DESCRIPTION("Key Wrapping (RFC3394 / NIST SP800-38F)");
	419	MODULE_ALIAS_CRYPTO("kw");