aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRik Snel <rsnel@cube.dyndns.org>2007-09-19 08:23:13 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2007-10-10 19:55:45 -0400
commitf19f5111c94053ba4931892f5c01c806de33942e (patch)
treeb40dfae8fa170ebdc92fdcfeb3000c84d6203645
parent5aaff0c8f7dd3515c9f1ca57f86463f30779acc7 (diff)
[CRYPTO] xts: XTS blockcipher mode implementation without partial blocks
XTS currently considered to be the successor of the LRW mode by the IEEE1619 workgroup. LRW was discarded, because it was not secure if the encyption key itself is encrypted with LRW. XTS does not have this problem. The implementation is pretty straightforward, a new function was added to gf128mul to handle GF(128) elements in ble format. Four testvectors from the specification http://grouper.ieee.org/groups/1619/email/pdf00086.pdf were added, and they verify on my system. Signed-off-by: Rik Snel <rsnel@cube.dyndns.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-rw-r--r--crypto/Kconfig11
-rw-r--r--crypto/Makefile1
-rw-r--r--crypto/gf128mul.c11
-rw-r--r--crypto/tcrypt.c12
-rw-r--r--crypto/tcrypt.h417
-rw-r--r--crypto/xts.c292
-rw-r--r--include/crypto/gf128mul.h2
7 files changed, 746 insertions, 0 deletions
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 05f46dfdf185..083d2e1dfc21 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -184,6 +184,17 @@ config CRYPTO_LRW
184 The first 128, 192 or 256 bits in the key are used for AES and the 184 The first 128, 192 or 256 bits in the key are used for AES and the
185 rest is used to tie each cipher block to its logical position. 185 rest is used to tie each cipher block to its logical position.
186 186
187config CRYPTO_XTS
188 tristate "XTS support (EXPERIMENTAL)"
189 depends on EXPERIMENTAL
190 select CRYPTO_BLKCIPHER
191 select CRYPTO_MANAGER
192 select CRYPTO_GF128MUL
193 help
194 XTS: IEEE1619/D16 narrow block cipher use with aes-xts-plain,
195 key size 256, 384 or 512 bits. This implementation currently
196 can't handle a sectorsize which is not a multiple of 16 bytes.
197
187config CRYPTO_CRYPTD 198config CRYPTO_CRYPTD
188 tristate "Software async crypto daemon" 199 tristate "Software async crypto daemon"
189 select CRYPTO_ABLKCIPHER 200 select CRYPTO_ABLKCIPHER
diff --git a/crypto/Makefile b/crypto/Makefile
index da256665aae9..e96a07e16bf2 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -31,6 +31,7 @@ obj-$(CONFIG_CRYPTO_ECB) += ecb.o
31obj-$(CONFIG_CRYPTO_CBC) += cbc.o 31obj-$(CONFIG_CRYPTO_CBC) += cbc.o
32obj-$(CONFIG_CRYPTO_PCBC) += pcbc.o 32obj-$(CONFIG_CRYPTO_PCBC) += pcbc.o
33obj-$(CONFIG_CRYPTO_LRW) += lrw.o 33obj-$(CONFIG_CRYPTO_LRW) += lrw.o
34obj-$(CONFIG_CRYPTO_XTS) += xts.o
34obj-$(CONFIG_CRYPTO_CRYPTD) += cryptd.o 35obj-$(CONFIG_CRYPTO_CRYPTD) += cryptd.o
35obj-$(CONFIG_CRYPTO_DES) += des.o 36obj-$(CONFIG_CRYPTO_DES) += des.o
36obj-$(CONFIG_CRYPTO_FCRYPT) += fcrypt.o 37obj-$(CONFIG_CRYPTO_FCRYPT) += fcrypt.o
diff --git a/crypto/gf128mul.c b/crypto/gf128mul.c
index 0a2aadfa1d85..ecbeaa1f17e1 100644
--- a/crypto/gf128mul.c
+++ b/crypto/gf128mul.c
@@ -142,6 +142,17 @@ static void gf128mul_x_bbe(be128 *r, const be128 *x)
142 r->b = cpu_to_be64((b << 1) ^ _tt); 142 r->b = cpu_to_be64((b << 1) ^ _tt);
143} 143}
144 144
145void gf128mul_x_ble(be128 *r, const be128 *x)
146{
147 u64 a = le64_to_cpu(x->a);
148 u64 b = le64_to_cpu(x->b);
149 u64 _tt = gf128mul_table_bbe[b >> 63];
150
151 r->a = cpu_to_le64((a << 1) ^ _tt);
152 r->b = cpu_to_le64((b << 1) | (a >> 63));
153}
154EXPORT_SYMBOL(gf128mul_x_ble);
155
145static void gf128mul_x8_lle(be128 *x) 156static void gf128mul_x8_lle(be128 *x)
146{ 157{
147 u64 a = be64_to_cpu(x->a); 158 u64 a = be64_to_cpu(x->a);
diff --git a/crypto/tcrypt.c b/crypto/tcrypt.c
index de6435ea9bf8..18d489c8b935 100644
--- a/crypto/tcrypt.c
+++ b/crypto/tcrypt.c
@@ -955,6 +955,10 @@ static void do_test(void)
955 AES_LRW_ENC_TEST_VECTORS); 955 AES_LRW_ENC_TEST_VECTORS);
956 test_cipher("lrw(aes)", DECRYPT, aes_lrw_dec_tv_template, 956 test_cipher("lrw(aes)", DECRYPT, aes_lrw_dec_tv_template,
957 AES_LRW_DEC_TEST_VECTORS); 957 AES_LRW_DEC_TEST_VECTORS);
958 test_cipher("xts(aes)", ENCRYPT, aes_xts_enc_tv_template,
959 AES_XTS_ENC_TEST_VECTORS);
960 test_cipher("xts(aes)", DECRYPT, aes_xts_dec_tv_template,
961 AES_XTS_DEC_TEST_VECTORS);
958 962
959 //CAST5 963 //CAST5
960 test_cipher("ecb(cast5)", ENCRYPT, cast5_enc_tv_template, 964 test_cipher("ecb(cast5)", ENCRYPT, cast5_enc_tv_template,
@@ -1138,6 +1142,10 @@ static void do_test(void)
1138 AES_LRW_ENC_TEST_VECTORS); 1142 AES_LRW_ENC_TEST_VECTORS);
1139 test_cipher("lrw(aes)", DECRYPT, aes_lrw_dec_tv_template, 1143 test_cipher("lrw(aes)", DECRYPT, aes_lrw_dec_tv_template,
1140 AES_LRW_DEC_TEST_VECTORS); 1144 AES_LRW_DEC_TEST_VECTORS);
1145 test_cipher("xts(aes)", ENCRYPT, aes_xts_enc_tv_template,
1146 AES_XTS_ENC_TEST_VECTORS);
1147 test_cipher("xts(aes)", DECRYPT, aes_xts_dec_tv_template,
1148 AES_XTS_DEC_TEST_VECTORS);
1141 break; 1149 break;
1142 1150
1143 case 11: 1151 case 11:
@@ -1313,6 +1321,10 @@ static void do_test(void)
1313 aes_lrw_speed_template); 1321 aes_lrw_speed_template);
1314 test_cipher_speed("lrw(aes)", DECRYPT, sec, NULL, 0, 1322 test_cipher_speed("lrw(aes)", DECRYPT, sec, NULL, 0,
1315 aes_lrw_speed_template); 1323 aes_lrw_speed_template);
1324 test_cipher_speed("xts(aes)", ENCRYPT, sec, NULL, 0,
1325 aes_xts_speed_template);
1326 test_cipher_speed("xts(aes)", DECRYPT, sec, NULL, 0,
1327 aes_xts_speed_template);
1316 break; 1328 break;
1317 1329
1318 case 201: 1330 case 201:
diff --git a/crypto/tcrypt.h b/crypto/tcrypt.h
index beab3f345584..ec861388d9a0 100644
--- a/crypto/tcrypt.h
+++ b/crypto/tcrypt.h
@@ -2144,6 +2144,8 @@ static struct cipher_testvec cast6_dec_tv_template[] = {
2144#define AES_CBC_DEC_TEST_VECTORS 2 2144#define AES_CBC_DEC_TEST_VECTORS 2
2145#define AES_LRW_ENC_TEST_VECTORS 8 2145#define AES_LRW_ENC_TEST_VECTORS 8
2146#define AES_LRW_DEC_TEST_VECTORS 8 2146#define AES_LRW_DEC_TEST_VECTORS 8
2147#define AES_XTS_ENC_TEST_VECTORS 4
2148#define AES_XTS_DEC_TEST_VECTORS 4
2147 2149
2148static struct cipher_testvec aes_enc_tv_template[] = { 2150static struct cipher_testvec aes_enc_tv_template[] = {
2149 { /* From FIPS-197 */ 2151 { /* From FIPS-197 */
@@ -2784,6 +2786,400 @@ static struct cipher_testvec aes_lrw_dec_tv_template[] = {
2784 } 2786 }
2785}; 2787};
2786 2788
2789static struct cipher_testvec aes_xts_enc_tv_template[] = {
2790 /* http://grouper.ieee.org/groups/1619/email/pdf00086.pdf */
2791 { /* XTS-AES 1 */
2792 .key = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2793 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2794 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2795 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2796 .klen = 32,
2797 .iv = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2798 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2799 .input = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2800 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2801 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2802 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2803 .ilen = 32,
2804 .result = { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
2805 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
2806 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
2807 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
2808 .rlen = 32,
2809 }, { /* XTS-AES 2 */
2810 .key = { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
2811 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
2812 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
2813 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
2814 .klen = 32,
2815 .iv = { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
2816 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2817 .input = { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
2818 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
2819 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
2820 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
2821 .ilen = 32,
2822 .result = { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
2823 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
2824 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
2825 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
2826 .rlen = 32,
2827 }, { /* XTS-AES 3 */
2828 .key = { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
2829 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
2830 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
2831 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
2832 .klen = 32,
2833 .iv = { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
2834 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2835 .input = { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
2836 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
2837 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
2838 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
2839 .ilen = 32,
2840 .result = { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
2841 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
2842 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
2843 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
2844 .rlen = 32,
2845 }, { /* XTS-AES 4 */
2846 .key = { 0x27, 0x18, 0x28, 0x18, 0x28, 0x45, 0x90, 0x45,
2847 0x23, 0x53, 0x60, 0x28, 0x74, 0x71, 0x35, 0x26,
2848 0x31, 0x41, 0x59, 0x26, 0x53, 0x58, 0x97, 0x93,
2849 0x23, 0x84, 0x62, 0x64, 0x33, 0x83, 0x27, 0x95 },
2850 .klen = 32,
2851 .iv = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2852 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2853 .input = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2854 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
2855 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2856 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
2857 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
2858 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
2859 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
2860 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
2861 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
2862 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
2863 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
2864 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
2865 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
2866 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
2867 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
2868 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
2869 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
2870 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
2871 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
2872 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
2873 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
2874 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
2875 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
2876 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
2877 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
2878 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
2879 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
2880 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
2881 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
2882 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
2883 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
2884 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff,
2885 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2886 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
2887 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2888 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
2889 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
2890 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
2891 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
2892 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
2893 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
2894 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
2895 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
2896 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
2897 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
2898 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
2899 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
2900 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
2901 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
2902 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
2903 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
2904 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
2905 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
2906 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
2907 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
2908 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
2909 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
2910 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
2911 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
2912 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
2913 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
2914 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
2915 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
2916 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff },
2917 .ilen = 512,
2918 .result = { 0x27, 0xa7, 0x47, 0x9b, 0xef, 0xa1, 0xd4, 0x76,
2919 0x48, 0x9f, 0x30, 0x8c, 0xd4, 0xcf, 0xa6, 0xe2,
2920 0xa9, 0x6e, 0x4b, 0xbe, 0x32, 0x08, 0xff, 0x25,
2921 0x28, 0x7d, 0xd3, 0x81, 0x96, 0x16, 0xe8, 0x9c,
2922 0xc7, 0x8c, 0xf7, 0xf5, 0xe5, 0x43, 0x44, 0x5f,
2923 0x83, 0x33, 0xd8, 0xfa, 0x7f, 0x56, 0x00, 0x00,
2924 0x05, 0x27, 0x9f, 0xa5, 0xd8, 0xb5, 0xe4, 0xad,
2925 0x40, 0xe7, 0x36, 0xdd, 0xb4, 0xd3, 0x54, 0x12,
2926 0x32, 0x80, 0x63, 0xfd, 0x2a, 0xab, 0x53, 0xe5,
2927 0xea, 0x1e, 0x0a, 0x9f, 0x33, 0x25, 0x00, 0xa5,
2928 0xdf, 0x94, 0x87, 0xd0, 0x7a, 0x5c, 0x92, 0xcc,
2929 0x51, 0x2c, 0x88, 0x66, 0xc7, 0xe8, 0x60, 0xce,
2930 0x93, 0xfd, 0xf1, 0x66, 0xa2, 0x49, 0x12, 0xb4,
2931 0x22, 0x97, 0x61, 0x46, 0xae, 0x20, 0xce, 0x84,
2932 0x6b, 0xb7, 0xdc, 0x9b, 0xa9, 0x4a, 0x76, 0x7a,
2933 0xae, 0xf2, 0x0c, 0x0d, 0x61, 0xad, 0x02, 0x65,
2934 0x5e, 0xa9, 0x2d, 0xc4, 0xc4, 0xe4, 0x1a, 0x89,
2935 0x52, 0xc6, 0x51, 0xd3, 0x31, 0x74, 0xbe, 0x51,
2936 0xa1, 0x0c, 0x42, 0x11, 0x10, 0xe6, 0xd8, 0x15,
2937 0x88, 0xed, 0xe8, 0x21, 0x03, 0xa2, 0x52, 0xd8,
2938 0xa7, 0x50, 0xe8, 0x76, 0x8d, 0xef, 0xff, 0xed,
2939 0x91, 0x22, 0x81, 0x0a, 0xae, 0xb9, 0x9f, 0x91,
2940 0x72, 0xaf, 0x82, 0xb6, 0x04, 0xdc, 0x4b, 0x8e,
2941 0x51, 0xbc, 0xb0, 0x82, 0x35, 0xa6, 0xf4, 0x34,
2942 0x13, 0x32, 0xe4, 0xca, 0x60, 0x48, 0x2a, 0x4b,
2943 0xa1, 0xa0, 0x3b, 0x3e, 0x65, 0x00, 0x8f, 0xc5,
2944 0xda, 0x76, 0xb7, 0x0b, 0xf1, 0x69, 0x0d, 0xb4,
2945 0xea, 0xe2, 0x9c, 0x5f, 0x1b, 0xad, 0xd0, 0x3c,
2946 0x5c, 0xcf, 0x2a, 0x55, 0xd7, 0x05, 0xdd, 0xcd,
2947 0x86, 0xd4, 0x49, 0x51, 0x1c, 0xeb, 0x7e, 0xc3,
2948 0x0b, 0xf1, 0x2b, 0x1f, 0xa3, 0x5b, 0x91, 0x3f,
2949 0x9f, 0x74, 0x7a, 0x8a, 0xfd, 0x1b, 0x13, 0x0e,
2950 0x94, 0xbf, 0xf9, 0x4e, 0xff, 0xd0, 0x1a, 0x91,
2951 0x73, 0x5c, 0xa1, 0x72, 0x6a, 0xcd, 0x0b, 0x19,
2952 0x7c, 0x4e, 0x5b, 0x03, 0x39, 0x36, 0x97, 0xe1,
2953 0x26, 0x82, 0x6f, 0xb6, 0xbb, 0xde, 0x8e, 0xcc,
2954 0x1e, 0x08, 0x29, 0x85, 0x16, 0xe2, 0xc9, 0xed,
2955 0x03, 0xff, 0x3c, 0x1b, 0x78, 0x60, 0xf6, 0xde,
2956 0x76, 0xd4, 0xce, 0xcd, 0x94, 0xc8, 0x11, 0x98,
2957 0x55, 0xef, 0x52, 0x97, 0xca, 0x67, 0xe9, 0xf3,
2958 0xe7, 0xff, 0x72, 0xb1, 0xe9, 0x97, 0x85, 0xca,
2959 0x0a, 0x7e, 0x77, 0x20, 0xc5, 0xb3, 0x6d, 0xc6,
2960 0xd7, 0x2c, 0xac, 0x95, 0x74, 0xc8, 0xcb, 0xbc,
2961 0x2f, 0x80, 0x1e, 0x23, 0xe5, 0x6f, 0xd3, 0x44,
2962 0xb0, 0x7f, 0x22, 0x15, 0x4b, 0xeb, 0xa0, 0xf0,
2963 0x8c, 0xe8, 0x89, 0x1e, 0x64, 0x3e, 0xd9, 0x95,
2964 0xc9, 0x4d, 0x9a, 0x69, 0xc9, 0xf1, 0xb5, 0xf4,
2965 0x99, 0x02, 0x7a, 0x78, 0x57, 0x2a, 0xee, 0xbd,
2966 0x74, 0xd2, 0x0c, 0xc3, 0x98, 0x81, 0xc2, 0x13,
2967 0xee, 0x77, 0x0b, 0x10, 0x10, 0xe4, 0xbe, 0xa7,
2968 0x18, 0x84, 0x69, 0x77, 0xae, 0x11, 0x9f, 0x7a,
2969 0x02, 0x3a, 0xb5, 0x8c, 0xca, 0x0a, 0xd7, 0x52,
2970 0xaf, 0xe6, 0x56, 0xbb, 0x3c, 0x17, 0x25, 0x6a,
2971 0x9f, 0x6e, 0x9b, 0xf1, 0x9f, 0xdd, 0x5a, 0x38,
2972 0xfc, 0x82, 0xbb, 0xe8, 0x72, 0xc5, 0x53, 0x9e,
2973 0xdb, 0x60, 0x9e, 0xf4, 0xf7, 0x9c, 0x20, 0x3e,
2974 0xbb, 0x14, 0x0f, 0x2e, 0x58, 0x3c, 0xb2, 0xad,
2975 0x15, 0xb4, 0xaa, 0x5b, 0x65, 0x50, 0x16, 0xa8,
2976 0x44, 0x92, 0x77, 0xdb, 0xd4, 0x77, 0xef, 0x2c,
2977 0x8d, 0x6c, 0x01, 0x7d, 0xb7, 0x38, 0xb1, 0x8d,
2978 0xeb, 0x4a, 0x42, 0x7d, 0x19, 0x23, 0xce, 0x3f,
2979 0xf2, 0x62, 0x73, 0x57, 0x79, 0xa4, 0x18, 0xf2,
2980 0x0a, 0x28, 0x2d, 0xf9, 0x20, 0x14, 0x7b, 0xea,
2981 0xbe, 0x42, 0x1e, 0xe5, 0x31, 0x9d, 0x05, 0x68 },
2982 .rlen = 512,
2983 }
2984};
2985
2986static struct cipher_testvec aes_xts_dec_tv_template[] = {
2987 /* http://grouper.ieee.org/groups/1619/email/pdf00086.pdf */
2988 { /* XTS-AES 1 */
2989 .key = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2990 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2991 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2992 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2993 .klen = 32,
2994 .iv = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2995 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2996 .input = { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
2997 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
2998 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
2999 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
3000 .ilen = 32,
3001 .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3002 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3003 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3004 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
3005 .rlen = 32,
3006 }, { /* XTS-AES 2 */
3007 .key = { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
3008 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
3009 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
3010 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
3011 .klen = 32,
3012 .iv = { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
3013 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
3014 .input = { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
3015 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
3016 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
3017 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
3018 .ilen = 32,
3019 .result = { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
3020 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
3021 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
3022 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
3023 .rlen = 32,
3024 }, { /* XTS-AES 3 */
3025 .key = { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
3026 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
3027 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
3028 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
3029 .klen = 32,
3030 .iv = { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
3031 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
3032 .input = { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
3033 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
3034 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
3035 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
3036 .ilen = 32,
3037 .result = { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
3038 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
3039 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
3040 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
3041 .rlen = 32,
3042 }, { /* XTS-AES 4 */
3043 .key = { 0x27, 0x18, 0x28, 0x18, 0x28, 0x45, 0x90, 0x45,
3044 0x23, 0x53, 0x60, 0x28, 0x74, 0x71, 0x35, 0x26,
3045 0x31, 0x41, 0x59, 0x26, 0x53, 0x58, 0x97, 0x93,
3046 0x23, 0x84, 0x62, 0x64, 0x33, 0x83, 0x27, 0x95 },
3047 .klen = 32,
3048 .iv = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3049 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
3050 .input = { 0x27, 0xa7, 0x47, 0x9b, 0xef, 0xa1, 0xd4, 0x76,
3051 0x48, 0x9f, 0x30, 0x8c, 0xd4, 0xcf, 0xa6, 0xe2,
3052 0xa9, 0x6e, 0x4b, 0xbe, 0x32, 0x08, 0xff, 0x25,
3053 0x28, 0x7d, 0xd3, 0x81, 0x96, 0x16, 0xe8, 0x9c,
3054 0xc7, 0x8c, 0xf7, 0xf5, 0xe5, 0x43, 0x44, 0x5f,
3055 0x83, 0x33, 0xd8, 0xfa, 0x7f, 0x56, 0x00, 0x00,
3056 0x05, 0x27, 0x9f, 0xa5, 0xd8, 0xb5, 0xe4, 0xad,
3057 0x40, 0xe7, 0x36, 0xdd, 0xb4, 0xd3, 0x54, 0x12,
3058 0x32, 0x80, 0x63, 0xfd, 0x2a, 0xab, 0x53, 0xe5,
3059 0xea, 0x1e, 0x0a, 0x9f, 0x33, 0x25, 0x00, 0xa5,
3060 0xdf, 0x94, 0x87, 0xd0, 0x7a, 0x5c, 0x92, 0xcc,
3061 0x51, 0x2c, 0x88, 0x66, 0xc7, 0xe8, 0x60, 0xce,
3062 0x93, 0xfd, 0xf1, 0x66, 0xa2, 0x49, 0x12, 0xb4,
3063 0x22, 0x97, 0x61, 0x46, 0xae, 0x20, 0xce, 0x84,
3064 0x6b, 0xb7, 0xdc, 0x9b, 0xa9, 0x4a, 0x76, 0x7a,
3065 0xae, 0xf2, 0x0c, 0x0d, 0x61, 0xad, 0x02, 0x65,
3066 0x5e, 0xa9, 0x2d, 0xc4, 0xc4, 0xe4, 0x1a, 0x89,
3067 0x52, 0xc6, 0x51, 0xd3, 0x31, 0x74, 0xbe, 0x51,
3068 0xa1, 0x0c, 0x42, 0x11, 0x10, 0xe6, 0xd8, 0x15,
3069 0x88, 0xed, 0xe8, 0x21, 0x03, 0xa2, 0x52, 0xd8,
3070 0xa7, 0x50, 0xe8, 0x76, 0x8d, 0xef, 0xff, 0xed,
3071 0x91, 0x22, 0x81, 0x0a, 0xae, 0xb9, 0x9f, 0x91,
3072 0x72, 0xaf, 0x82, 0xb6, 0x04, 0xdc, 0x4b, 0x8e,
3073 0x51, 0xbc, 0xb0, 0x82, 0x35, 0xa6, 0xf4, 0x34,
3074 0x13, 0x32, 0xe4, 0xca, 0x60, 0x48, 0x2a, 0x4b,
3075 0xa1, 0xa0, 0x3b, 0x3e, 0x65, 0x00, 0x8f, 0xc5,
3076 0xda, 0x76, 0xb7, 0x0b, 0xf1, 0x69, 0x0d, 0xb4,
3077 0xea, 0xe2, 0x9c, 0x5f, 0x1b, 0xad, 0xd0, 0x3c,
3078 0x5c, 0xcf, 0x2a, 0x55, 0xd7, 0x05, 0xdd, 0xcd,
3079 0x86, 0xd4, 0x49, 0x51, 0x1c, 0xeb, 0x7e, 0xc3,
3080 0x0b, 0xf1, 0x2b, 0x1f, 0xa3, 0x5b, 0x91, 0x3f,
3081 0x9f, 0x74, 0x7a, 0x8a, 0xfd, 0x1b, 0x13, 0x0e,
3082 0x94, 0xbf, 0xf9, 0x4e, 0xff, 0xd0, 0x1a, 0x91,
3083 0x73, 0x5c, 0xa1, 0x72, 0x6a, 0xcd, 0x0b, 0x19,
3084 0x7c, 0x4e, 0x5b, 0x03, 0x39, 0x36, 0x97, 0xe1,
3085 0x26, 0x82, 0x6f, 0xb6, 0xbb, 0xde, 0x8e, 0xcc,
3086 0x1e, 0x08, 0x29, 0x85, 0x16, 0xe2, 0xc9, 0xed,
3087 0x03, 0xff, 0x3c, 0x1b, 0x78, 0x60, 0xf6, 0xde,
3088 0x76, 0xd4, 0xce, 0xcd, 0x94, 0xc8, 0x11, 0x98,
3089 0x55, 0xef, 0x52, 0x97, 0xca, 0x67, 0xe9, 0xf3,
3090 0xe7, 0xff, 0x72, 0xb1, 0xe9, 0x97, 0x85, 0xca,
3091 0x0a, 0x7e, 0x77, 0x20, 0xc5, 0xb3, 0x6d, 0xc6,
3092 0xd7, 0x2c, 0xac, 0x95, 0x74, 0xc8, 0xcb, 0xbc,
3093 0x2f, 0x80, 0x1e, 0x23, 0xe5, 0x6f, 0xd3, 0x44,
3094 0xb0, 0x7f, 0x22, 0x15, 0x4b, 0xeb, 0xa0, 0xf0,
3095 0x8c, 0xe8, 0x89, 0x1e, 0x64, 0x3e, 0xd9, 0x95,
3096 0xc9, 0x4d, 0x9a, 0x69, 0xc9, 0xf1, 0xb5, 0xf4,
3097 0x99, 0x02, 0x7a, 0x78, 0x57, 0x2a, 0xee, 0xbd,
3098 0x74, 0xd2, 0x0c, 0xc3, 0x98, 0x81, 0xc2, 0x13,
3099 0xee, 0x77, 0x0b, 0x10, 0x10, 0xe4, 0xbe, 0xa7,
3100 0x18, 0x84, 0x69, 0x77, 0xae, 0x11, 0x9f, 0x7a,
3101 0x02, 0x3a, 0xb5, 0x8c, 0xca, 0x0a, 0xd7, 0x52,
3102 0xaf, 0xe6, 0x56, 0xbb, 0x3c, 0x17, 0x25, 0x6a,
3103 0x9f, 0x6e, 0x9b, 0xf1, 0x9f, 0xdd, 0x5a, 0x38,
3104 0xfc, 0x82, 0xbb, 0xe8, 0x72, 0xc5, 0x53, 0x9e,
3105 0xdb, 0x60, 0x9e, 0xf4, 0xf7, 0x9c, 0x20, 0x3e,
3106 0xbb, 0x14, 0x0f, 0x2e, 0x58, 0x3c, 0xb2, 0xad,
3107 0x15, 0xb4, 0xaa, 0x5b, 0x65, 0x50, 0x16, 0xa8,
3108 0x44, 0x92, 0x77, 0xdb, 0xd4, 0x77, 0xef, 0x2c,
3109 0x8d, 0x6c, 0x01, 0x7d, 0xb7, 0x38, 0xb1, 0x8d,
3110 0xeb, 0x4a, 0x42, 0x7d, 0x19, 0x23, 0xce, 0x3f,
3111 0xf2, 0x62, 0x73, 0x57, 0x79, 0xa4, 0x18, 0xf2,
3112 0x0a, 0x28, 0x2d, 0xf9, 0x20, 0x14, 0x7b, 0xea,
3113 0xbe, 0x42, 0x1e, 0xe5, 0x31, 0x9d, 0x05, 0x68 },
3114 .ilen = 512,
3115 .result = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
3116 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
3117 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
3118 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
3119 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
3120 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
3121 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
3122 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
3123 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
3124 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
3125 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
3126 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
3127 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
3128 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
3129 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
3130 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
3131 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
3132 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
3133 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
3134 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
3135 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
3136 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
3137 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
3138 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
3139 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
3140 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
3141 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
3142 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
3143 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
3144 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
3145 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
3146 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff,
3147 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
3148 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
3149 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
3150 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
3151 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
3152 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
3153 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
3154 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
3155 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
3156 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
3157 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
3158 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
3159 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
3160 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
3161 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
3162 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
3163 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
3164 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
3165 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
3166 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
3167 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
3168 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
3169 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
3170 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
3171 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
3172 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
3173 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
3174 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
3175 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
3176 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
3177 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
3178 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff },
3179 .rlen = 512,
3180 }
3181};
3182
2787/* Cast5 test vectors from RFC 2144 */ 3183/* Cast5 test vectors from RFC 2144 */
2788#define CAST5_ENC_TEST_VECTORS 3 3184#define CAST5_ENC_TEST_VECTORS 3
2789#define CAST5_DEC_TEST_VECTORS 3 3185#define CAST5_DEC_TEST_VECTORS 3
@@ -4283,6 +4679,27 @@ static struct cipher_speed aes_lrw_speed_template[] = {
4283 { .klen = 0, .blen = 0, } 4679 { .klen = 0, .blen = 0, }
4284}; 4680};
4285 4681
4682static struct cipher_speed aes_xts_speed_template[] = {
4683 { .klen = 32, .blen = 16, },
4684 { .klen = 32, .blen = 64, },
4685 { .klen = 32, .blen = 256, },
4686 { .klen = 32, .blen = 1024, },
4687 { .klen = 32, .blen = 8192, },
4688 { .klen = 48, .blen = 16, },
4689 { .klen = 48, .blen = 64, },
4690 { .klen = 48, .blen = 256, },
4691 { .klen = 48, .blen = 1024, },
4692 { .klen = 48, .blen = 8192, },
4693 { .klen = 64, .blen = 16, },
4694 { .klen = 64, .blen = 64, },
4695 { .klen = 64, .blen = 256, },
4696 { .klen = 64, .blen = 1024, },
4697 { .klen = 64, .blen = 8192, },
4698
4699 /* End marker */
4700 { .klen = 0, .blen = 0, }
4701};
4702
4286static struct cipher_speed des3_ede_speed_template[] = { 4703static struct cipher_speed des3_ede_speed_template[] = {
4287 { .klen = 24, .blen = 16, }, 4704 { .klen = 24, .blen = 16, },
4288 { .klen = 24, .blen = 64, }, 4705 { .klen = 24, .blen = 64, },
diff --git a/crypto/xts.c b/crypto/xts.c
new file mode 100644
index 000000000000..8eb08bfaf7c0
--- /dev/null
+++ b/crypto/xts.c
@@ -0,0 +1,292 @@
1/* XTS: as defined in IEEE1619/D16
2 * http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
3 * (sector sizes which are not a multiple of 16 bytes are,
4 * however currently unsupported)
5 *
6 * Copyright (c) 2007 Rik Snel <rsnel@cube.dyndns.org>
7 *
8 * Based om ecb.c
9 * Copyright (c) 2006 Herbert Xu <herbert@gondor.apana.org.au>
10 *
11 * This program is free software; you can redistribute it and/or modify it
12 * under the terms of the GNU General Public License as published by the Free
13 * Software Foundation; either version 2 of the License, or (at your option)
14 * any later version.
15 */
16#include <crypto/algapi.h>
17#include <linux/err.h>
18#include <linux/init.h>
19#include <linux/kernel.h>
20#include <linux/module.h>
21#include <linux/scatterlist.h>
22#include <linux/slab.h>
23
24#include <crypto/b128ops.h>
25#include <crypto/gf128mul.h>
26
27struct priv {
28 struct crypto_cipher *child;
29 struct crypto_cipher *tweak;
30};
31
32static int setkey(struct crypto_tfm *parent, const u8 *key,
33 unsigned int keylen)
34{
35 struct priv *ctx = crypto_tfm_ctx(parent);
36 struct crypto_cipher *child = ctx->tweak;
37 u32 *flags = &parent->crt_flags;
38 int err;
39
40 /* key consists of keys of equal size concatenated, therefore
41 * the length must be even */
42 if (keylen % 2) {
43 /* tell the user why there was an error */
44 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
45 return -EINVAL;
46 }
47
48 /* we need two cipher instances: one to compute the inital 'tweak'
49 * by encrypting the IV (usually the 'plain' iv) and the other
50 * one to encrypt and decrypt the data */
51
52 /* tweak cipher, uses Key2 i.e. the second half of *key */
53 crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
54 crypto_cipher_set_flags(child, crypto_tfm_get_flags(parent) &
55 CRYPTO_TFM_REQ_MASK);
56 err = crypto_cipher_setkey(child, key + keylen/2, keylen/2);
57 if (err)
58 return err;
59
60 crypto_tfm_set_flags(parent, crypto_cipher_get_flags(child) &
61 CRYPTO_TFM_RES_MASK);
62
63 child = ctx->child;
64
65 /* data cipher, uses Key1 i.e. the first half of *key */
66 crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
67 crypto_cipher_set_flags(child, crypto_tfm_get_flags(parent) &
68 CRYPTO_TFM_REQ_MASK);
69 err = crypto_cipher_setkey(child, key, keylen/2);
70 if (err)
71 return err;
72
73 crypto_tfm_set_flags(parent, crypto_cipher_get_flags(child) &
74 CRYPTO_TFM_RES_MASK);
75
76 return 0;
77}
78
79struct sinfo {
80 be128 t;
81 struct crypto_tfm *tfm;
82 void (*fn)(struct crypto_tfm *, u8 *, const u8 *);
83};
84
85static inline void xts_round(struct sinfo *s, void *dst, const void *src)
86{
87 be128_xor(dst, &s->t, src); /* PP <- T xor P */
88 s->fn(s->tfm, dst, dst); /* CC <- E(Key1,PP) */
89 be128_xor(dst, dst, &s->t); /* C <- T xor CC */
90}
91
92static int crypt(struct blkcipher_desc *d,
93 struct blkcipher_walk *w, struct priv *ctx,
94 void (*tw)(struct crypto_tfm *, u8 *, const u8 *),
95 void (*fn)(struct crypto_tfm *, u8 *, const u8 *))
96{
97 int err;
98 unsigned int avail;
99 const int bs = crypto_cipher_blocksize(ctx->child);
100 struct sinfo s = {
101 .tfm = crypto_cipher_tfm(ctx->child),
102 .fn = fn
103 };
104 be128 *iv;
105 u8 *wsrc;
106 u8 *wdst;
107
108 err = blkcipher_walk_virt(d, w);
109 if (!w->nbytes)
110 return err;
111
112 avail = w->nbytes;
113
114 wsrc = w->src.virt.addr;
115 wdst = w->dst.virt.addr;
116
117 /* calculate first value of T */
118 iv = (be128 *)w->iv;
119 tw(crypto_cipher_tfm(ctx->tweak), (void *)&s.t, w->iv);
120
121 goto first;
122
123 for (;;) {
124 do {
125 gf128mul_x_ble(&s.t, &s.t);
126
127first:
128 xts_round(&s, wdst, wsrc);
129
130 wsrc += bs;
131 wdst += bs;
132 } while ((avail -= bs) >= bs);
133
134 err = blkcipher_walk_done(d, w, avail);
135 if (!w->nbytes)
136 break;
137
138 avail = w->nbytes;
139
140 wsrc = w->src.virt.addr;
141 wdst = w->dst.virt.addr;
142 }
143
144 return err;
145}
146
147static int encrypt(struct blkcipher_desc *desc, struct scatterlist *dst,
148 struct scatterlist *src, unsigned int nbytes)
149{
150 struct priv *ctx = crypto_blkcipher_ctx(desc->tfm);
151 struct blkcipher_walk w;
152
153 blkcipher_walk_init(&w, dst, src, nbytes);
154 return crypt(desc, &w, ctx, crypto_cipher_alg(ctx->tweak)->cia_encrypt,
155 crypto_cipher_alg(ctx->child)->cia_encrypt);
156}
157
158static int decrypt(struct blkcipher_desc *desc, struct scatterlist *dst,
159 struct scatterlist *src, unsigned int nbytes)
160{
161 struct priv *ctx = crypto_blkcipher_ctx(desc->tfm);
162 struct blkcipher_walk w;
163
164 blkcipher_walk_init(&w, dst, src, nbytes);
165 return crypt(desc, &w, ctx, crypto_cipher_alg(ctx->tweak)->cia_encrypt,
166 crypto_cipher_alg(ctx->child)->cia_decrypt);
167}
168
169static int init_tfm(struct crypto_tfm *tfm)
170{
171 struct crypto_cipher *cipher;
172 struct crypto_instance *inst = (void *)tfm->__crt_alg;
173 struct crypto_spawn *spawn = crypto_instance_ctx(inst);
174 struct priv *ctx = crypto_tfm_ctx(tfm);
175 u32 *flags = &tfm->crt_flags;
176
177 cipher = crypto_spawn_cipher(spawn);
178 if (IS_ERR(cipher))
179 return PTR_ERR(cipher);
180
181 if (crypto_cipher_blocksize(cipher) != 16) {
182 *flags |= CRYPTO_TFM_RES_BAD_BLOCK_LEN;
183 crypto_free_cipher(cipher);
184 return -EINVAL;
185 }
186
187 ctx->child = cipher;
188
189 cipher = crypto_spawn_cipher(spawn);
190 if (IS_ERR(cipher)) {
191 crypto_free_cipher(ctx->child);
192 return PTR_ERR(cipher);
193 }
194
195 /* this check isn't really needed, leave it here just in case */
196 if (crypto_cipher_blocksize(cipher) != 16) {
197 crypto_free_cipher(cipher);
198 crypto_free_cipher(ctx->child);
199 *flags |= CRYPTO_TFM_RES_BAD_BLOCK_LEN;
200 return -EINVAL;
201 }
202
203 ctx->tweak = cipher;
204
205 return 0;
206}
207
208static void exit_tfm(struct crypto_tfm *tfm)
209{
210 struct priv *ctx = crypto_tfm_ctx(tfm);
211 crypto_free_cipher(ctx->child);
212 crypto_free_cipher(ctx->tweak);
213}
214
215static struct crypto_instance *alloc(struct rtattr **tb)
216{
217 struct crypto_instance *inst;
218 struct crypto_alg *alg;
219 int err;
220
221 err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_BLKCIPHER);
222 if (err)
223 return ERR_PTR(err);
224
225 alg = crypto_get_attr_alg(tb, CRYPTO_ALG_TYPE_CIPHER,
226 CRYPTO_ALG_TYPE_MASK);
227 if (IS_ERR(alg))
228 return ERR_PTR(PTR_ERR(alg));
229
230 inst = crypto_alloc_instance("xts", alg);
231 if (IS_ERR(inst))
232 goto out_put_alg;
233
234 inst->alg.cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER;
235 inst->alg.cra_priority = alg->cra_priority;
236 inst->alg.cra_blocksize = alg->cra_blocksize;
237
238 if (alg->cra_alignmask < 7)
239 inst->alg.cra_alignmask = 7;
240 else
241 inst->alg.cra_alignmask = alg->cra_alignmask;
242
243 inst->alg.cra_type = &crypto_blkcipher_type;
244
245 inst->alg.cra_blkcipher.ivsize = alg->cra_blocksize;
246 inst->alg.cra_blkcipher.min_keysize =
247 2 * alg->cra_cipher.cia_min_keysize;
248 inst->alg.cra_blkcipher.max_keysize =
249 2 * alg->cra_cipher.cia_max_keysize;
250
251 inst->alg.cra_ctxsize = sizeof(struct priv);
252
253 inst->alg.cra_init = init_tfm;
254 inst->alg.cra_exit = exit_tfm;
255
256 inst->alg.cra_blkcipher.setkey = setkey;
257 inst->alg.cra_blkcipher.encrypt = encrypt;
258 inst->alg.cra_blkcipher.decrypt = decrypt;
259
260out_put_alg:
261 crypto_mod_put(alg);
262 return inst;
263}
264
265static void free(struct crypto_instance *inst)
266{
267 crypto_drop_spawn(crypto_instance_ctx(inst));
268 kfree(inst);
269}
270
271static struct crypto_template crypto_tmpl = {
272 .name = "xts",
273 .alloc = alloc,
274 .free = free,
275 .module = THIS_MODULE,
276};
277
278static int __init crypto_module_init(void)
279{
280 return crypto_register_template(&crypto_tmpl);
281}
282
283static void __exit crypto_module_exit(void)
284{
285 crypto_unregister_template(&crypto_tmpl);
286}
287
288module_init(crypto_module_init);
289module_exit(crypto_module_exit);
290
291MODULE_LICENSE("GPL");
292MODULE_DESCRIPTION("XTS block cipher mode");
diff --git a/include/crypto/gf128mul.h b/include/crypto/gf128mul.h
index 4fd315202442..4086b8ebfafe 100644
--- a/include/crypto/gf128mul.h
+++ b/include/crypto/gf128mul.h
@@ -161,6 +161,8 @@ void gf128mul_lle(be128 *a, const be128 *b);
161 161
162void gf128mul_bbe(be128 *a, const be128 *b); 162void gf128mul_bbe(be128 *a, const be128 *b);
163 163
164/* multiply by x in ble format, needed by XTS */
165void gf128mul_x_ble(be128 *a, const be128 *b);
164 166
165/* 4k table optimization */ 167/* 4k table optimization */
166 168