From 23e353c8a681cc30d42fbd4f2c2be85c44fe209b Mon Sep 17 00:00:00 2001 From: Joy Latten Date: Tue, 23 Oct 2007 08:50:32 +0800 Subject: [CRYPTO] ctr: Add CTR (Counter) block cipher mode This patch implements CTR mode for IPsec. It is based off of RFC 3686. Please note: 1. CTR turns a block cipher into a stream cipher. Encryption is done in blocks, however the last block may be a partial block. A "counter block" is encrypted, creating a keystream that is xor'ed with the plaintext. The counter portion of the counter block is incremented after each block of plaintext is encrypted. Decryption is performed in same manner. 2. The CTR counterblock is composed of, nonce + IV + counter The size of the counterblock is equivalent to the blocksize of the cipher. sizeof(nonce) + sizeof(IV) + sizeof(counter) = blocksize The CTR template requires the name of the cipher algorithm, the sizeof the nonce, and the sizeof the iv. ctr(cipher,sizeof_nonce,sizeof_iv) So for example, ctr(aes,4,8) specifies the counterblock will be composed of 4 bytes from a nonce, 8 bytes from the iv, and 4 bytes for counter since aes has a blocksize of 16 bytes. 3. The counter portion of the counter block is stored in big endian for conformance to rfc 3686. Signed-off-by: Joy Latten Signed-off-by: Herbert Xu --- crypto/ctr.c | 369 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 369 insertions(+) create mode 100644 crypto/ctr.c (limited to 'crypto/ctr.c') diff --git a/crypto/ctr.c b/crypto/ctr.c new file mode 100644 index 00000000000..810d5ec2d5d --- /dev/null +++ b/crypto/ctr.c @@ -0,0 +1,369 @@ +/* + * CTR: Counter mode + * + * (C) Copyright IBM Corp. 2007 - Joy Latten + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + * + */ + +#include +#include +#include +#include +#include +#include +#include +#include + +struct ctr_instance_ctx { + struct crypto_spawn alg; + unsigned int noncesize; + unsigned int ivsize; +}; + +struct crypto_ctr_ctx { + struct crypto_cipher *child; + u8 *nonce; +}; + +static inline void __ctr_inc_byte(u8 *a, unsigned int size) +{ + u8 *b = (a + size); + u8 c; + + for (; size; size--) { + c = *--b + 1; + *b = c; + if (c) + break; + } +} + +static void ctr_inc_quad(u8 *a, unsigned int size) +{ + __be32 *b = (__be32 *)(a + size); + u32 c; + + for (; size >= 4; size -=4) { + c = be32_to_cpu(*--b) + 1; + *b = cpu_to_be32(c); + if (c) + return; + } + + __ctr_inc_byte(a, size); +} + +static void xor_byte(u8 *a, const u8 *b, unsigned int bs) +{ + for (; bs; bs--) + *a++ ^= *b++; +} + +static void xor_quad(u8 *dst, const u8 *src, unsigned int bs) +{ + u32 *a = (u32 *)dst; + u32 *b = (u32 *)src; + + for (; bs >= 4; bs -= 4) + *a++ ^= *b++; + + xor_byte((u8 *)a, (u8 *)b, bs); +} + +static int crypto_ctr_setkey(struct crypto_tfm *parent, const u8 *key, + unsigned int keylen) +{ + struct crypto_ctr_ctx *ctx = crypto_tfm_ctx(parent); + struct crypto_cipher *child = ctx->child; + struct ctr_instance_ctx *ictx = + crypto_instance_ctx(crypto_tfm_alg_instance(parent)); + unsigned int noncelen = ictx->noncesize; + int err = 0; + + /* the nonce is stored in bytes at end of key */ + if (keylen < noncelen) + return -EINVAL; + + memcpy(ctx->nonce, key + (keylen - noncelen), noncelen); + + keylen -= noncelen; + + crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK); + crypto_cipher_set_flags(child, crypto_tfm_get_flags(parent) & + CRYPTO_TFM_REQ_MASK); + err = crypto_cipher_setkey(child, key, keylen); + crypto_tfm_set_flags(parent, crypto_cipher_get_flags(child) & + CRYPTO_TFM_RES_MASK); + + return err; +} + +static int crypto_ctr_crypt_segment(struct blkcipher_walk *walk, + struct crypto_cipher *tfm, u8 *ctrblk, + unsigned int countersize) +{ + void (*fn)(struct crypto_tfm *, u8 *, const u8 *) = + crypto_cipher_alg(tfm)->cia_encrypt; + unsigned int bsize = crypto_cipher_blocksize(tfm); + unsigned long alignmask = crypto_cipher_alignmask(tfm); + u8 ks[bsize + alignmask]; + u8 *keystream = (u8 *)ALIGN((unsigned long)ks, alignmask + 1); + u8 *src = walk->src.virt.addr; + u8 *dst = walk->dst.virt.addr; + unsigned int nbytes = walk->nbytes; + + do { + /* create keystream */ + fn(crypto_cipher_tfm(tfm), keystream, ctrblk); + xor_quad(keystream, src, min(nbytes, bsize)); + + /* copy result into dst */ + memcpy(dst, keystream, min(nbytes, bsize)); + + /* increment counter in counterblock */ + ctr_inc_quad(ctrblk + (bsize - countersize), countersize); + + if (nbytes < bsize) + break; + + src += bsize; + dst += bsize; + nbytes -= bsize; + + } while (nbytes); + + return 0; +} + +static int crypto_ctr_crypt_inplace(struct blkcipher_walk *walk, + struct crypto_cipher *tfm, u8 *ctrblk, + unsigned int countersize) +{ + void (*fn)(struct crypto_tfm *, u8 *, const u8 *) = + crypto_cipher_alg(tfm)->cia_encrypt; + unsigned int bsize = crypto_cipher_blocksize(tfm); + unsigned long alignmask = crypto_cipher_alignmask(tfm); + unsigned int nbytes = walk->nbytes; + u8 *src = walk->src.virt.addr; + u8 ks[bsize + alignmask]; + u8 *keystream = (u8 *)ALIGN((unsigned long)ks, alignmask + 1); + + do { + /* create keystream */ + fn(crypto_cipher_tfm(tfm), keystream, ctrblk); + xor_quad(src, keystream, min(nbytes, bsize)); + + /* increment counter in counterblock */ + ctr_inc_quad(ctrblk + (bsize - countersize), countersize); + + if (nbytes < bsize) + break; + + src += bsize; + nbytes -= bsize; + + } while (nbytes); + + return 0; +} + +static int crypto_ctr_crypt(struct blkcipher_desc *desc, + struct scatterlist *dst, struct scatterlist *src, + unsigned int nbytes) +{ + struct blkcipher_walk walk; + struct crypto_blkcipher *tfm = desc->tfm; + struct crypto_ctr_ctx *ctx = crypto_blkcipher_ctx(tfm); + struct crypto_cipher *child = ctx->child; + unsigned int bsize = crypto_cipher_blocksize(child); + struct ctr_instance_ctx *ictx = + crypto_instance_ctx(crypto_tfm_alg_instance(&tfm->base)); + unsigned long alignmask = crypto_cipher_alignmask(child); + u8 cblk[bsize + alignmask]; + u8 *counterblk = (u8 *)ALIGN((unsigned long)cblk, alignmask + 1); + unsigned int countersize; + int err; + + blkcipher_walk_init(&walk, dst, src, nbytes); + err = blkcipher_walk_virt_block(desc, &walk, bsize); + + /* set up counter block */ + memset(counterblk, 0 , bsize); + memcpy(counterblk, ctx->nonce, ictx->noncesize); + memcpy(counterblk + ictx->noncesize, walk.iv, ictx->ivsize); + + /* initialize counter portion of counter block */ + countersize = bsize - ictx->noncesize - ictx->ivsize; + ctr_inc_quad(counterblk + (bsize - countersize), countersize); + + while (walk.nbytes) { + if (walk.src.virt.addr == walk.dst.virt.addr) + nbytes = crypto_ctr_crypt_inplace(&walk, child, + counterblk, + countersize); + else + nbytes = crypto_ctr_crypt_segment(&walk, child, + counterblk, + countersize); + + err = blkcipher_walk_done(desc, &walk, nbytes); + } + return err; +} + +static int crypto_ctr_init_tfm(struct crypto_tfm *tfm) +{ + struct crypto_instance *inst = (void *)tfm->__crt_alg; + struct ctr_instance_ctx *ictx = crypto_instance_ctx(inst); + struct crypto_ctr_ctx *ctx = crypto_tfm_ctx(tfm); + struct crypto_cipher *cipher; + + ctx->nonce = kzalloc(ictx->noncesize, GFP_KERNEL); + if (!ctx->nonce) + return -ENOMEM; + + cipher = crypto_spawn_cipher(&ictx->alg); + if (IS_ERR(cipher)) + return PTR_ERR(cipher); + + ctx->child = cipher; + + return 0; +} + +static void crypto_ctr_exit_tfm(struct crypto_tfm *tfm) +{ + struct crypto_ctr_ctx *ctx = crypto_tfm_ctx(tfm); + + kfree(ctx->nonce); + crypto_free_cipher(ctx->child); +} + +static struct crypto_instance *crypto_ctr_alloc(struct rtattr **tb) +{ + struct crypto_instance *inst; + struct crypto_alg *alg; + struct ctr_instance_ctx *ictx; + unsigned int noncesize; + unsigned int ivsize; + int err; + + err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_BLKCIPHER); + if (err) + return ERR_PTR(err); + + alg = crypto_attr_alg(tb[1], CRYPTO_ALG_TYPE_CIPHER, + CRYPTO_ALG_TYPE_MASK); + if (IS_ERR(alg)) + return ERR_PTR(PTR_ERR(alg)); + + err = crypto_attr_u32(tb[2], &noncesize); + if (err) + goto out_put_alg; + + err = crypto_attr_u32(tb[3], &ivsize); + if (err) + goto out_put_alg; + + /* verify size of nonce + iv + counter */ + err = -EINVAL; + if ((noncesize + ivsize) >= alg->cra_blocksize) + goto out_put_alg; + + inst = kzalloc(sizeof(*inst) + sizeof(*ictx), GFP_KERNEL); + err = -ENOMEM; + if (!inst) + goto out_put_alg; + + err = -ENAMETOOLONG; + if (snprintf(inst->alg.cra_name, CRYPTO_MAX_ALG_NAME, + "ctr(%s,%u,%u)", alg->cra_name, noncesize, + ivsize) >= CRYPTO_MAX_ALG_NAME) { + goto err_free_inst; + } + + if (snprintf(inst->alg.cra_driver_name, CRYPTO_MAX_ALG_NAME, + "ctr(%s,%u,%u)", alg->cra_driver_name, noncesize, + ivsize) >= CRYPTO_MAX_ALG_NAME) { + goto err_free_inst; + } + + ictx = crypto_instance_ctx(inst); + ictx->noncesize = noncesize; + ictx->ivsize = ivsize; + + err = crypto_init_spawn(&ictx->alg, alg, inst, + CRYPTO_ALG_TYPE_MASK | CRYPTO_ALG_ASYNC); + if (err) + goto err_free_inst; + + err = 0; + inst->alg.cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER; + inst->alg.cra_priority = alg->cra_priority; + inst->alg.cra_blocksize = 1; + inst->alg.cra_alignmask = 3; + inst->alg.cra_type = &crypto_blkcipher_type; + + inst->alg.cra_blkcipher.ivsize = ivsize; + inst->alg.cra_blkcipher.min_keysize = alg->cra_cipher.cia_min_keysize + + noncesize; + inst->alg.cra_blkcipher.max_keysize = alg->cra_cipher.cia_max_keysize + + noncesize; + + inst->alg.cra_ctxsize = sizeof(struct crypto_ctr_ctx); + + inst->alg.cra_init = crypto_ctr_init_tfm; + inst->alg.cra_exit = crypto_ctr_exit_tfm; + + inst->alg.cra_blkcipher.setkey = crypto_ctr_setkey; + inst->alg.cra_blkcipher.encrypt = crypto_ctr_crypt; + inst->alg.cra_blkcipher.decrypt = crypto_ctr_crypt; + +err_free_inst: + if (err) + kfree(inst); + +out_put_alg: + crypto_mod_put(alg); + + if (err) + inst = ERR_PTR(err); + + return inst; +} + +static void crypto_ctr_free(struct crypto_instance *inst) +{ + struct ctr_instance_ctx *ictx = crypto_instance_ctx(inst); + + crypto_drop_spawn(&ictx->alg); + kfree(inst); +} + +static struct crypto_template crypto_ctr_tmpl = { + .name = "ctr", + .alloc = crypto_ctr_alloc, + .free = crypto_ctr_free, + .module = THIS_MODULE, +}; + +static int __init crypto_ctr_module_init(void) +{ + return crypto_register_template(&crypto_ctr_tmpl); +} + +static void __exit crypto_ctr_module_exit(void) +{ + crypto_unregister_template(&crypto_ctr_tmpl); +} + +module_init(crypto_ctr_module_init); +module_exit(crypto_ctr_module_exit); + +MODULE_LICENSE("GPL"); +MODULE_DESCRIPTION("CTR Counter block mode"); -- cgit v1.2.3 From 41fdab3dd385dde36caae60ed2df82aecb7a32f0 Mon Sep 17 00:00:00 2001 From: Joy Latten Date: Wed, 7 Nov 2007 22:59:47 +0800 Subject: [CRYPTO] ctr: Add countersize This patch adds countersize to CTR mode. The template is now ctr(algo,noncesize,ivsize,countersize). For example, ctr(aes,4,8,4) indicates the counterblock will be composed of a salt/nonce that is 4 bytes, an iv that is 8 bytes and the counter is 4 bytes. When noncesize + ivsize < blocksize, CTR initializes the last block - ivsize - noncesize portion of the block to zero. Otherwise the counter block is composed of the IV (and nonce if necessary). If noncesize + ivsize == blocksize, then this indicates that user is passing in entire counterblock. Thus countersize indicates the amount of bytes in counterblock to use as the counter for incrementing. CTR will increment counter portion by 1, and begin encryption with that value. Note that CTR assumes the counter portion of the block that will be incremented is stored in big endian. Signed-off-by: Joy Latten Signed-off-by: Herbert Xu --- crypto/ctr.c | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) (limited to 'crypto/ctr.c') diff --git a/crypto/ctr.c b/crypto/ctr.c index 810d5ec2d5d..b974a9f9b87 100644 --- a/crypto/ctr.c +++ b/crypto/ctr.c @@ -23,6 +23,7 @@ struct ctr_instance_ctx { struct crypto_spawn alg; unsigned int noncesize; unsigned int ivsize; + unsigned int countersize; }; struct crypto_ctr_ctx { @@ -186,7 +187,6 @@ static int crypto_ctr_crypt(struct blkcipher_desc *desc, unsigned long alignmask = crypto_cipher_alignmask(child); u8 cblk[bsize + alignmask]; u8 *counterblk = (u8 *)ALIGN((unsigned long)cblk, alignmask + 1); - unsigned int countersize; int err; blkcipher_walk_init(&walk, dst, src, nbytes); @@ -198,18 +198,18 @@ static int crypto_ctr_crypt(struct blkcipher_desc *desc, memcpy(counterblk + ictx->noncesize, walk.iv, ictx->ivsize); /* initialize counter portion of counter block */ - countersize = bsize - ictx->noncesize - ictx->ivsize; - ctr_inc_quad(counterblk + (bsize - countersize), countersize); + ctr_inc_quad(counterblk + (bsize - ictx->countersize), + ictx->countersize); while (walk.nbytes) { if (walk.src.virt.addr == walk.dst.virt.addr) nbytes = crypto_ctr_crypt_inplace(&walk, child, counterblk, - countersize); + ictx->countersize); else nbytes = crypto_ctr_crypt_segment(&walk, child, counterblk, - countersize); + ictx->countersize); err = blkcipher_walk_done(desc, &walk, nbytes); } @@ -251,6 +251,7 @@ static struct crypto_instance *crypto_ctr_alloc(struct rtattr **tb) struct ctr_instance_ctx *ictx; unsigned int noncesize; unsigned int ivsize; + unsigned int countersize; int err; err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_BLKCIPHER); @@ -270,9 +271,17 @@ static struct crypto_instance *crypto_ctr_alloc(struct rtattr **tb) if (err) goto out_put_alg; - /* verify size of nonce + iv + counter */ + err = crypto_attr_u32(tb[4], &countersize); + if (err) + goto out_put_alg; + + /* verify size of nonce + iv + counter + * counter must be >= 4 bytes. + */ err = -EINVAL; - if ((noncesize + ivsize) >= alg->cra_blocksize) + if (((noncesize + ivsize + countersize) < alg->cra_blocksize) || + ((noncesize + ivsize) > alg->cra_blocksize) || + (countersize > alg->cra_blocksize) || (countersize < 4)) goto out_put_alg; inst = kzalloc(sizeof(*inst) + sizeof(*ictx), GFP_KERNEL); @@ -282,20 +291,21 @@ static struct crypto_instance *crypto_ctr_alloc(struct rtattr **tb) err = -ENAMETOOLONG; if (snprintf(inst->alg.cra_name, CRYPTO_MAX_ALG_NAME, - "ctr(%s,%u,%u)", alg->cra_name, noncesize, - ivsize) >= CRYPTO_MAX_ALG_NAME) { + "ctr(%s,%u,%u,%u)", alg->cra_name, noncesize, + ivsize, countersize) >= CRYPTO_MAX_ALG_NAME) { goto err_free_inst; } if (snprintf(inst->alg.cra_driver_name, CRYPTO_MAX_ALG_NAME, - "ctr(%s,%u,%u)", alg->cra_driver_name, noncesize, - ivsize) >= CRYPTO_MAX_ALG_NAME) { + "ctr(%s,%u,%u,%u)", alg->cra_driver_name, noncesize, + ivsize, countersize) >= CRYPTO_MAX_ALG_NAME) { goto err_free_inst; } ictx = crypto_instance_ctx(inst); ictx->noncesize = noncesize; ictx->ivsize = ivsize; + ictx->countersize = countersize; err = crypto_init_spawn(&ictx->alg, alg, inst, CRYPTO_ALG_TYPE_MASK | CRYPTO_ALG_ASYNC); -- cgit v1.2.3 From 3f8214ea335e422702340d7e835921e78367f99d Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Tue, 20 Nov 2007 20:32:56 +0800 Subject: [CRYPTO] ctr: Use crypto_inc and crypto_xor This patch replaces the custom inc/xor in CTR with the generic functions. Signed-off-by: Herbert Xu --- crypto/ctr.c | 71 ++++++++++++++---------------------------------------------- 1 file changed, 16 insertions(+), 55 deletions(-) (limited to 'crypto/ctr.c') diff --git a/crypto/ctr.c b/crypto/ctr.c index b974a9f9b87..b816e959fa5 100644 --- a/crypto/ctr.c +++ b/crypto/ctr.c @@ -31,51 +31,6 @@ struct crypto_ctr_ctx { u8 *nonce; }; -static inline void __ctr_inc_byte(u8 *a, unsigned int size) -{ - u8 *b = (a + size); - u8 c; - - for (; size; size--) { - c = *--b + 1; - *b = c; - if (c) - break; - } -} - -static void ctr_inc_quad(u8 *a, unsigned int size) -{ - __be32 *b = (__be32 *)(a + size); - u32 c; - - for (; size >= 4; size -=4) { - c = be32_to_cpu(*--b) + 1; - *b = cpu_to_be32(c); - if (c) - return; - } - - __ctr_inc_byte(a, size); -} - -static void xor_byte(u8 *a, const u8 *b, unsigned int bs) -{ - for (; bs; bs--) - *a++ ^= *b++; -} - -static void xor_quad(u8 *dst, const u8 *src, unsigned int bs) -{ - u32 *a = (u32 *)dst; - u32 *b = (u32 *)src; - - for (; bs >= 4; bs -= 4) - *a++ ^= *b++; - - xor_byte((u8 *)a, (u8 *)b, bs); -} - static int crypto_ctr_setkey(struct crypto_tfm *parent, const u8 *key, unsigned int keylen) { @@ -111,7 +66,8 @@ static int crypto_ctr_crypt_segment(struct blkcipher_walk *walk, void (*fn)(struct crypto_tfm *, u8 *, const u8 *) = crypto_cipher_alg(tfm)->cia_encrypt; unsigned int bsize = crypto_cipher_blocksize(tfm); - unsigned long alignmask = crypto_cipher_alignmask(tfm); + unsigned long alignmask = crypto_cipher_alignmask(tfm) | + (__alignof__(u32) - 1); u8 ks[bsize + alignmask]; u8 *keystream = (u8 *)ALIGN((unsigned long)ks, alignmask + 1); u8 *src = walk->src.virt.addr; @@ -121,13 +77,13 @@ static int crypto_ctr_crypt_segment(struct blkcipher_walk *walk, do { /* create keystream */ fn(crypto_cipher_tfm(tfm), keystream, ctrblk); - xor_quad(keystream, src, min(nbytes, bsize)); + crypto_xor(keystream, src, min(nbytes, bsize)); /* copy result into dst */ memcpy(dst, keystream, min(nbytes, bsize)); /* increment counter in counterblock */ - ctr_inc_quad(ctrblk + (bsize - countersize), countersize); + crypto_inc(ctrblk + bsize - countersize, countersize); if (nbytes < bsize) break; @@ -148,7 +104,8 @@ static int crypto_ctr_crypt_inplace(struct blkcipher_walk *walk, void (*fn)(struct crypto_tfm *, u8 *, const u8 *) = crypto_cipher_alg(tfm)->cia_encrypt; unsigned int bsize = crypto_cipher_blocksize(tfm); - unsigned long alignmask = crypto_cipher_alignmask(tfm); + unsigned long alignmask = crypto_cipher_alignmask(tfm) | + (__alignof__(u32) - 1); unsigned int nbytes = walk->nbytes; u8 *src = walk->src.virt.addr; u8 ks[bsize + alignmask]; @@ -157,10 +114,10 @@ static int crypto_ctr_crypt_inplace(struct blkcipher_walk *walk, do { /* create keystream */ fn(crypto_cipher_tfm(tfm), keystream, ctrblk); - xor_quad(src, keystream, min(nbytes, bsize)); + crypto_xor(src, keystream, min(nbytes, bsize)); /* increment counter in counterblock */ - ctr_inc_quad(ctrblk + (bsize - countersize), countersize); + crypto_inc(ctrblk + bsize - countersize, countersize); if (nbytes < bsize) break; @@ -184,7 +141,8 @@ static int crypto_ctr_crypt(struct blkcipher_desc *desc, unsigned int bsize = crypto_cipher_blocksize(child); struct ctr_instance_ctx *ictx = crypto_instance_ctx(crypto_tfm_alg_instance(&tfm->base)); - unsigned long alignmask = crypto_cipher_alignmask(child); + unsigned long alignmask = crypto_cipher_alignmask(child) | + (__alignof__(u32) - 1); u8 cblk[bsize + alignmask]; u8 *counterblk = (u8 *)ALIGN((unsigned long)cblk, alignmask + 1); int err; @@ -198,8 +156,7 @@ static int crypto_ctr_crypt(struct blkcipher_desc *desc, memcpy(counterblk + ictx->noncesize, walk.iv, ictx->ivsize); /* initialize counter portion of counter block */ - ctr_inc_quad(counterblk + (bsize - ictx->countersize), - ictx->countersize); + crypto_inc(counterblk + bsize - ictx->countersize, ictx->countersize); while (walk.nbytes) { if (walk.src.virt.addr == walk.dst.virt.addr) @@ -284,6 +241,10 @@ static struct crypto_instance *crypto_ctr_alloc(struct rtattr **tb) (countersize > alg->cra_blocksize) || (countersize < 4)) goto out_put_alg; + /* If this is false we'd fail the alignment of crypto_inc. */ + if ((alg->cra_blocksize - countersize) % 4) + goto out_put_alg; + inst = kzalloc(sizeof(*inst) + sizeof(*ictx), GFP_KERNEL); err = -ENOMEM; if (!inst) @@ -316,7 +277,7 @@ static struct crypto_instance *crypto_ctr_alloc(struct rtattr **tb) inst->alg.cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER; inst->alg.cra_priority = alg->cra_priority; inst->alg.cra_blocksize = 1; - inst->alg.cra_alignmask = 3; + inst->alg.cra_alignmask = __alignof__(u32) - 1; inst->alg.cra_type = &crypto_blkcipher_type; inst->alg.cra_blkcipher.ivsize = ivsize; -- cgit v1.2.3 From 0971eb0de9446b66bd45696338f54948314db379 Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Fri, 30 Nov 2007 00:23:53 +1100 Subject: [CRYPTO] ctr: Fix multi-page processing When the data spans across a page boundary, CTR may incorrectly process a partial block in the middle because the blkcipher walking code may supply partial blocks in the middle as long as the total length of the supplied data is more than a block. CTR is supposed to return any unused partial block in that case to the walker. This patch fixes this by doing exactly that, returning partial blocks to the walker unless we received less than a block-worth of data to start with. This also allows us to optimise the bulk of the processing since we no longer have to worry about partial blocks until the very end. Thanks to Tan Swee Heng for fixes and actually testing this :) Signed-off-by: Herbert Xu --- crypto/ctr.c | 64 +++++++++++++++++++++++++++++++----------------------------- 1 file changed, 33 insertions(+), 31 deletions(-) (limited to 'crypto/ctr.c') diff --git a/crypto/ctr.c b/crypto/ctr.c index b816e959fa5..57da7d0affc 100644 --- a/crypto/ctr.c +++ b/crypto/ctr.c @@ -59,6 +59,21 @@ static int crypto_ctr_setkey(struct crypto_tfm *parent, const u8 *key, return err; } +static void crypto_ctr_crypt_final(struct blkcipher_walk *walk, + struct crypto_cipher *tfm, u8 *ctrblk, + unsigned int countersize) +{ + unsigned int bsize = crypto_cipher_blocksize(tfm); + u8 *keystream = ctrblk + bsize; + u8 *src = walk->src.virt.addr; + u8 *dst = walk->dst.virt.addr; + unsigned int nbytes = walk->nbytes; + + crypto_cipher_encrypt_one(tfm, keystream, ctrblk); + crypto_xor(keystream, src, nbytes); + memcpy(dst, keystream, nbytes); +} + static int crypto_ctr_crypt_segment(struct blkcipher_walk *walk, struct crypto_cipher *tfm, u8 *ctrblk, unsigned int countersize) @@ -66,35 +81,23 @@ static int crypto_ctr_crypt_segment(struct blkcipher_walk *walk, void (*fn)(struct crypto_tfm *, u8 *, const u8 *) = crypto_cipher_alg(tfm)->cia_encrypt; unsigned int bsize = crypto_cipher_blocksize(tfm); - unsigned long alignmask = crypto_cipher_alignmask(tfm) | - (__alignof__(u32) - 1); - u8 ks[bsize + alignmask]; - u8 *keystream = (u8 *)ALIGN((unsigned long)ks, alignmask + 1); u8 *src = walk->src.virt.addr; u8 *dst = walk->dst.virt.addr; unsigned int nbytes = walk->nbytes; do { /* create keystream */ - fn(crypto_cipher_tfm(tfm), keystream, ctrblk); - crypto_xor(keystream, src, min(nbytes, bsize)); - - /* copy result into dst */ - memcpy(dst, keystream, min(nbytes, bsize)); + fn(crypto_cipher_tfm(tfm), dst, ctrblk); + crypto_xor(dst, src, bsize); /* increment counter in counterblock */ crypto_inc(ctrblk + bsize - countersize, countersize); - if (nbytes < bsize) - break; - src += bsize; dst += bsize; - nbytes -= bsize; - - } while (nbytes); + } while ((nbytes -= bsize) >= bsize); - return 0; + return nbytes; } static int crypto_ctr_crypt_inplace(struct blkcipher_walk *walk, @@ -104,30 +107,22 @@ static int crypto_ctr_crypt_inplace(struct blkcipher_walk *walk, void (*fn)(struct crypto_tfm *, u8 *, const u8 *) = crypto_cipher_alg(tfm)->cia_encrypt; unsigned int bsize = crypto_cipher_blocksize(tfm); - unsigned long alignmask = crypto_cipher_alignmask(tfm) | - (__alignof__(u32) - 1); unsigned int nbytes = walk->nbytes; u8 *src = walk->src.virt.addr; - u8 ks[bsize + alignmask]; - u8 *keystream = (u8 *)ALIGN((unsigned long)ks, alignmask + 1); + u8 *keystream = ctrblk + bsize; do { /* create keystream */ fn(crypto_cipher_tfm(tfm), keystream, ctrblk); - crypto_xor(src, keystream, min(nbytes, bsize)); + crypto_xor(src, keystream, bsize); /* increment counter in counterblock */ crypto_inc(ctrblk + bsize - countersize, countersize); - if (nbytes < bsize) - break; - src += bsize; - nbytes -= bsize; + } while ((nbytes -= bsize) >= bsize); - } while (nbytes); - - return 0; + return nbytes; } static int crypto_ctr_crypt(struct blkcipher_desc *desc, @@ -143,7 +138,7 @@ static int crypto_ctr_crypt(struct blkcipher_desc *desc, crypto_instance_ctx(crypto_tfm_alg_instance(&tfm->base)); unsigned long alignmask = crypto_cipher_alignmask(child) | (__alignof__(u32) - 1); - u8 cblk[bsize + alignmask]; + u8 cblk[bsize * 2 + alignmask]; u8 *counterblk = (u8 *)ALIGN((unsigned long)cblk, alignmask + 1); int err; @@ -158,7 +153,7 @@ static int crypto_ctr_crypt(struct blkcipher_desc *desc, /* initialize counter portion of counter block */ crypto_inc(counterblk + bsize - ictx->countersize, ictx->countersize); - while (walk.nbytes) { + while (walk.nbytes >= bsize) { if (walk.src.virt.addr == walk.dst.virt.addr) nbytes = crypto_ctr_crypt_inplace(&walk, child, counterblk, @@ -170,6 +165,13 @@ static int crypto_ctr_crypt(struct blkcipher_desc *desc, err = blkcipher_walk_done(desc, &walk, nbytes); } + + if (walk.nbytes) { + crypto_ctr_crypt_final(&walk, child, counterblk, + ictx->countersize); + err = blkcipher_walk_done(desc, &walk, 0); + } + return err; } @@ -277,7 +279,7 @@ static struct crypto_instance *crypto_ctr_alloc(struct rtattr **tb) inst->alg.cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER; inst->alg.cra_priority = alg->cra_priority; inst->alg.cra_blocksize = 1; - inst->alg.cra_alignmask = __alignof__(u32) - 1; + inst->alg.cra_alignmask = alg->cra_alignmask | (__alignof__(u32) - 1); inst->alg.cra_type = &crypto_blkcipher_type; inst->alg.cra_blkcipher.ivsize = ivsize; -- cgit v1.2.3 From 5311f248b7764ba8b59e6d477355f766e5609686 Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Mon, 17 Dec 2007 21:34:32 +0800 Subject: [CRYPTO] ctr: Refactor into ctr and rfc3686 As discussed previously, this patch moves the basic CTR functionality into a chainable algorithm called ctr. The IPsec-specific variant of it is now placed on top with the name rfc3686. So ctr(aes) gives a chainable cipher with IV size 16 while the IPsec variant will be called rfc3686(ctr(aes)). This patch also adjusts gcm accordingly. Signed-off-by: Herbert Xu --- crypto/ctr.c | 334 ++++++++++++++++++++++++++++++++++++----------------------- 1 file changed, 206 insertions(+), 128 deletions(-) (limited to 'crypto/ctr.c') diff --git a/crypto/ctr.c b/crypto/ctr.c index 57da7d0affc..1052b318aed 100644 --- a/crypto/ctr.c +++ b/crypto/ctr.c @@ -11,6 +11,7 @@ */ #include +#include #include #include #include @@ -19,16 +20,13 @@ #include #include -struct ctr_instance_ctx { - struct crypto_spawn alg; - unsigned int noncesize; - unsigned int ivsize; - unsigned int countersize; -}; - struct crypto_ctr_ctx { struct crypto_cipher *child; - u8 *nonce; +}; + +struct crypto_rfc3686_ctx { + struct crypto_blkcipher *child; + u8 nonce[CTR_RFC3686_NONCE_SIZE]; }; static int crypto_ctr_setkey(struct crypto_tfm *parent, const u8 *key, @@ -36,18 +34,7 @@ static int crypto_ctr_setkey(struct crypto_tfm *parent, const u8 *key, { struct crypto_ctr_ctx *ctx = crypto_tfm_ctx(parent); struct crypto_cipher *child = ctx->child; - struct ctr_instance_ctx *ictx = - crypto_instance_ctx(crypto_tfm_alg_instance(parent)); - unsigned int noncelen = ictx->noncesize; - int err = 0; - - /* the nonce is stored in bytes at end of key */ - if (keylen < noncelen) - return -EINVAL; - - memcpy(ctx->nonce, key + (keylen - noncelen), noncelen); - - keylen -= noncelen; + int err; crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK); crypto_cipher_set_flags(child, crypto_tfm_get_flags(parent) & @@ -60,11 +47,13 @@ static int crypto_ctr_setkey(struct crypto_tfm *parent, const u8 *key, } static void crypto_ctr_crypt_final(struct blkcipher_walk *walk, - struct crypto_cipher *tfm, u8 *ctrblk, - unsigned int countersize) + struct crypto_cipher *tfm) { unsigned int bsize = crypto_cipher_blocksize(tfm); - u8 *keystream = ctrblk + bsize; + unsigned long alignmask = crypto_cipher_alignmask(tfm); + u8 *ctrblk = walk->iv; + u8 tmp[bsize + alignmask]; + u8 *keystream = PTR_ALIGN(tmp + 0, alignmask + 1); u8 *src = walk->src.virt.addr; u8 *dst = walk->dst.virt.addr; unsigned int nbytes = walk->nbytes; @@ -72,15 +61,17 @@ static void crypto_ctr_crypt_final(struct blkcipher_walk *walk, crypto_cipher_encrypt_one(tfm, keystream, ctrblk); crypto_xor(keystream, src, nbytes); memcpy(dst, keystream, nbytes); + + crypto_inc(ctrblk, bsize); } static int crypto_ctr_crypt_segment(struct blkcipher_walk *walk, - struct crypto_cipher *tfm, u8 *ctrblk, - unsigned int countersize) + struct crypto_cipher *tfm) { void (*fn)(struct crypto_tfm *, u8 *, const u8 *) = crypto_cipher_alg(tfm)->cia_encrypt; unsigned int bsize = crypto_cipher_blocksize(tfm); + u8 *ctrblk = walk->iv; u8 *src = walk->src.virt.addr; u8 *dst = walk->dst.virt.addr; unsigned int nbytes = walk->nbytes; @@ -91,7 +82,7 @@ static int crypto_ctr_crypt_segment(struct blkcipher_walk *walk, crypto_xor(dst, src, bsize); /* increment counter in counterblock */ - crypto_inc(ctrblk + bsize - countersize, countersize); + crypto_inc(ctrblk, bsize); src += bsize; dst += bsize; @@ -101,15 +92,17 @@ static int crypto_ctr_crypt_segment(struct blkcipher_walk *walk, } static int crypto_ctr_crypt_inplace(struct blkcipher_walk *walk, - struct crypto_cipher *tfm, u8 *ctrblk, - unsigned int countersize) + struct crypto_cipher *tfm) { void (*fn)(struct crypto_tfm *, u8 *, const u8 *) = crypto_cipher_alg(tfm)->cia_encrypt; unsigned int bsize = crypto_cipher_blocksize(tfm); + unsigned long alignmask = crypto_cipher_alignmask(tfm); unsigned int nbytes = walk->nbytes; + u8 *ctrblk = walk->iv; u8 *src = walk->src.virt.addr; - u8 *keystream = ctrblk + bsize; + u8 tmp[bsize + alignmask]; + u8 *keystream = PTR_ALIGN(tmp + 0, alignmask + 1); do { /* create keystream */ @@ -117,7 +110,7 @@ static int crypto_ctr_crypt_inplace(struct blkcipher_walk *walk, crypto_xor(src, keystream, bsize); /* increment counter in counterblock */ - crypto_inc(ctrblk + bsize - countersize, countersize); + crypto_inc(ctrblk, bsize); src += bsize; } while ((nbytes -= bsize) >= bsize); @@ -134,41 +127,22 @@ static int crypto_ctr_crypt(struct blkcipher_desc *desc, struct crypto_ctr_ctx *ctx = crypto_blkcipher_ctx(tfm); struct crypto_cipher *child = ctx->child; unsigned int bsize = crypto_cipher_blocksize(child); - struct ctr_instance_ctx *ictx = - crypto_instance_ctx(crypto_tfm_alg_instance(&tfm->base)); - unsigned long alignmask = crypto_cipher_alignmask(child) | - (__alignof__(u32) - 1); - u8 cblk[bsize * 2 + alignmask]; - u8 *counterblk = (u8 *)ALIGN((unsigned long)cblk, alignmask + 1); int err; blkcipher_walk_init(&walk, dst, src, nbytes); err = blkcipher_walk_virt_block(desc, &walk, bsize); - /* set up counter block */ - memset(counterblk, 0 , bsize); - memcpy(counterblk, ctx->nonce, ictx->noncesize); - memcpy(counterblk + ictx->noncesize, walk.iv, ictx->ivsize); - - /* initialize counter portion of counter block */ - crypto_inc(counterblk + bsize - ictx->countersize, ictx->countersize); - while (walk.nbytes >= bsize) { if (walk.src.virt.addr == walk.dst.virt.addr) - nbytes = crypto_ctr_crypt_inplace(&walk, child, - counterblk, - ictx->countersize); + nbytes = crypto_ctr_crypt_inplace(&walk, child); else - nbytes = crypto_ctr_crypt_segment(&walk, child, - counterblk, - ictx->countersize); + nbytes = crypto_ctr_crypt_segment(&walk, child); err = blkcipher_walk_done(desc, &walk, nbytes); } if (walk.nbytes) { - crypto_ctr_crypt_final(&walk, child, counterblk, - ictx->countersize); + crypto_ctr_crypt_final(&walk, child); err = blkcipher_walk_done(desc, &walk, 0); } @@ -178,15 +152,11 @@ static int crypto_ctr_crypt(struct blkcipher_desc *desc, static int crypto_ctr_init_tfm(struct crypto_tfm *tfm) { struct crypto_instance *inst = (void *)tfm->__crt_alg; - struct ctr_instance_ctx *ictx = crypto_instance_ctx(inst); + struct crypto_spawn *spawn = crypto_instance_ctx(inst); struct crypto_ctr_ctx *ctx = crypto_tfm_ctx(tfm); struct crypto_cipher *cipher; - ctx->nonce = kzalloc(ictx->noncesize, GFP_KERNEL); - if (!ctx->nonce) - return -ENOMEM; - - cipher = crypto_spawn_cipher(&ictx->alg); + cipher = crypto_spawn_cipher(spawn); if (IS_ERR(cipher)) return PTR_ERR(cipher); @@ -199,7 +169,6 @@ static void crypto_ctr_exit_tfm(struct crypto_tfm *tfm) { struct crypto_ctr_ctx *ctx = crypto_tfm_ctx(tfm); - kfree(ctx->nonce); crypto_free_cipher(ctx->child); } @@ -207,10 +176,6 @@ static struct crypto_instance *crypto_ctr_alloc(struct rtattr **tb) { struct crypto_instance *inst; struct crypto_alg *alg; - struct ctr_instance_ctx *ictx; - unsigned int noncesize; - unsigned int ivsize; - unsigned int countersize; int err; err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_BLKCIPHER); @@ -222,71 +187,28 @@ static struct crypto_instance *crypto_ctr_alloc(struct rtattr **tb) if (IS_ERR(alg)) return ERR_PTR(PTR_ERR(alg)); - err = crypto_attr_u32(tb[2], &noncesize); - if (err) - goto out_put_alg; - - err = crypto_attr_u32(tb[3], &ivsize); - if (err) - goto out_put_alg; - - err = crypto_attr_u32(tb[4], &countersize); - if (err) - goto out_put_alg; - - /* verify size of nonce + iv + counter - * counter must be >= 4 bytes. - */ + /* Block size must be >= 4 bytes. */ err = -EINVAL; - if (((noncesize + ivsize + countersize) < alg->cra_blocksize) || - ((noncesize + ivsize) > alg->cra_blocksize) || - (countersize > alg->cra_blocksize) || (countersize < 4)) + if (alg->cra_blocksize < 4) goto out_put_alg; /* If this is false we'd fail the alignment of crypto_inc. */ - if ((alg->cra_blocksize - countersize) % 4) + if (alg->cra_blocksize % 4) goto out_put_alg; - inst = kzalloc(sizeof(*inst) + sizeof(*ictx), GFP_KERNEL); - err = -ENOMEM; - if (!inst) - goto out_put_alg; - - err = -ENAMETOOLONG; - if (snprintf(inst->alg.cra_name, CRYPTO_MAX_ALG_NAME, - "ctr(%s,%u,%u,%u)", alg->cra_name, noncesize, - ivsize, countersize) >= CRYPTO_MAX_ALG_NAME) { - goto err_free_inst; - } - - if (snprintf(inst->alg.cra_driver_name, CRYPTO_MAX_ALG_NAME, - "ctr(%s,%u,%u,%u)", alg->cra_driver_name, noncesize, - ivsize, countersize) >= CRYPTO_MAX_ALG_NAME) { - goto err_free_inst; - } - - ictx = crypto_instance_ctx(inst); - ictx->noncesize = noncesize; - ictx->ivsize = ivsize; - ictx->countersize = countersize; - - err = crypto_init_spawn(&ictx->alg, alg, inst, - CRYPTO_ALG_TYPE_MASK | CRYPTO_ALG_ASYNC); - if (err) - goto err_free_inst; + inst = crypto_alloc_instance("ctr", alg); + if (IS_ERR(inst)) + goto out; - err = 0; inst->alg.cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER; inst->alg.cra_priority = alg->cra_priority; inst->alg.cra_blocksize = 1; inst->alg.cra_alignmask = alg->cra_alignmask | (__alignof__(u32) - 1); inst->alg.cra_type = &crypto_blkcipher_type; - inst->alg.cra_blkcipher.ivsize = ivsize; - inst->alg.cra_blkcipher.min_keysize = alg->cra_cipher.cia_min_keysize - + noncesize; - inst->alg.cra_blkcipher.max_keysize = alg->cra_cipher.cia_max_keysize - + noncesize; + inst->alg.cra_blkcipher.ivsize = alg->cra_blocksize; + inst->alg.cra_blkcipher.min_keysize = alg->cra_cipher.cia_min_keysize; + inst->alg.cra_blkcipher.max_keysize = alg->cra_cipher.cia_max_keysize; inst->alg.cra_ctxsize = sizeof(struct crypto_ctr_ctx); @@ -297,24 +219,18 @@ static struct crypto_instance *crypto_ctr_alloc(struct rtattr **tb) inst->alg.cra_blkcipher.encrypt = crypto_ctr_crypt; inst->alg.cra_blkcipher.decrypt = crypto_ctr_crypt; -err_free_inst: - if (err) - kfree(inst); - -out_put_alg: +out: crypto_mod_put(alg); - - if (err) - inst = ERR_PTR(err); - return inst; + +out_put_alg: + inst = ERR_PTR(err); + goto out; } static void crypto_ctr_free(struct crypto_instance *inst) { - struct ctr_instance_ctx *ictx = crypto_instance_ctx(inst); - - crypto_drop_spawn(&ictx->alg); + crypto_drop_spawn(crypto_instance_ctx(inst)); kfree(inst); } @@ -325,13 +241,174 @@ static struct crypto_template crypto_ctr_tmpl = { .module = THIS_MODULE, }; +static int crypto_rfc3686_setkey(struct crypto_tfm *parent, const u8 *key, + unsigned int keylen) +{ + struct crypto_rfc3686_ctx *ctx = crypto_tfm_ctx(parent); + struct crypto_blkcipher *child = ctx->child; + int err; + + /* the nonce is stored in bytes at end of key */ + if (keylen < CTR_RFC3686_NONCE_SIZE) + return -EINVAL; + + memcpy(ctx->nonce, key + (keylen - CTR_RFC3686_NONCE_SIZE), + CTR_RFC3686_NONCE_SIZE); + + keylen -= CTR_RFC3686_NONCE_SIZE; + + crypto_blkcipher_clear_flags(child, CRYPTO_TFM_REQ_MASK); + crypto_blkcipher_set_flags(child, crypto_tfm_get_flags(parent) & + CRYPTO_TFM_REQ_MASK); + err = crypto_blkcipher_setkey(child, key, keylen); + crypto_tfm_set_flags(parent, crypto_blkcipher_get_flags(child) & + CRYPTO_TFM_RES_MASK); + + return err; +} + +static int crypto_rfc3686_crypt(struct blkcipher_desc *desc, + struct scatterlist *dst, + struct scatterlist *src, unsigned int nbytes) +{ + struct crypto_blkcipher *tfm = desc->tfm; + struct crypto_rfc3686_ctx *ctx = crypto_blkcipher_ctx(tfm); + struct crypto_blkcipher *child = ctx->child; + unsigned long alignmask = crypto_blkcipher_alignmask(tfm); + u8 ivblk[CTR_RFC3686_BLOCK_SIZE + alignmask]; + u8 *iv = PTR_ALIGN(ivblk + 0, alignmask + 1); + u8 *info = desc->info; + int err; + + /* set up counter block */ + memcpy(iv, ctx->nonce, CTR_RFC3686_NONCE_SIZE); + memcpy(iv + CTR_RFC3686_NONCE_SIZE, info, CTR_RFC3686_IV_SIZE); + + /* initialize counter portion of counter block */ + *(__be32 *)(iv + CTR_RFC3686_NONCE_SIZE + CTR_RFC3686_IV_SIZE) = + cpu_to_be32(1); + + desc->tfm = child; + desc->info = iv; + err = crypto_blkcipher_encrypt_iv(desc, dst, src, nbytes); + desc->tfm = tfm; + desc->info = info; + + return err; +} + +static int crypto_rfc3686_init_tfm(struct crypto_tfm *tfm) +{ + struct crypto_instance *inst = (void *)tfm->__crt_alg; + struct crypto_spawn *spawn = crypto_instance_ctx(inst); + struct crypto_rfc3686_ctx *ctx = crypto_tfm_ctx(tfm); + struct crypto_blkcipher *cipher; + + cipher = crypto_spawn_blkcipher(spawn); + if (IS_ERR(cipher)) + return PTR_ERR(cipher); + + ctx->child = cipher; + + return 0; +} + +static void crypto_rfc3686_exit_tfm(struct crypto_tfm *tfm) +{ + struct crypto_rfc3686_ctx *ctx = crypto_tfm_ctx(tfm); + + crypto_free_blkcipher(ctx->child); +} + +static struct crypto_instance *crypto_rfc3686_alloc(struct rtattr **tb) +{ + struct crypto_instance *inst; + struct crypto_alg *alg; + int err; + + err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_BLKCIPHER); + if (err) + return ERR_PTR(err); + + alg = crypto_attr_alg(tb[1], CRYPTO_ALG_TYPE_BLKCIPHER, + CRYPTO_ALG_TYPE_MASK); + err = PTR_ERR(alg); + if (IS_ERR(alg)) + return ERR_PTR(err); + + /* We only support 16-byte blocks. */ + err = -EINVAL; + if (alg->cra_blkcipher.ivsize != CTR_RFC3686_BLOCK_SIZE) + goto out_put_alg; + + /* Not a stream cipher? */ + if (alg->cra_blocksize != 1) + goto out_put_alg; + + inst = crypto_alloc_instance("rfc3686", alg); + if (IS_ERR(inst)) + goto out; + + inst->alg.cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER; + inst->alg.cra_priority = alg->cra_priority; + inst->alg.cra_blocksize = 1; + inst->alg.cra_alignmask = alg->cra_alignmask; + inst->alg.cra_type = &crypto_blkcipher_type; + + inst->alg.cra_blkcipher.ivsize = CTR_RFC3686_IV_SIZE; + inst->alg.cra_blkcipher.min_keysize = alg->cra_blkcipher.min_keysize + + CTR_RFC3686_NONCE_SIZE; + inst->alg.cra_blkcipher.max_keysize = alg->cra_blkcipher.max_keysize + + CTR_RFC3686_NONCE_SIZE; + + inst->alg.cra_ctxsize = sizeof(struct crypto_rfc3686_ctx); + + inst->alg.cra_init = crypto_rfc3686_init_tfm; + inst->alg.cra_exit = crypto_rfc3686_exit_tfm; + + inst->alg.cra_blkcipher.setkey = crypto_rfc3686_setkey; + inst->alg.cra_blkcipher.encrypt = crypto_rfc3686_crypt; + inst->alg.cra_blkcipher.decrypt = crypto_rfc3686_crypt; + +out: + crypto_mod_put(alg); + return inst; + +out_put_alg: + inst = ERR_PTR(err); + goto out; +} + +static struct crypto_template crypto_rfc3686_tmpl = { + .name = "rfc3686", + .alloc = crypto_rfc3686_alloc, + .free = crypto_ctr_free, + .module = THIS_MODULE, +}; + static int __init crypto_ctr_module_init(void) { - return crypto_register_template(&crypto_ctr_tmpl); + int err; + + err = crypto_register_template(&crypto_ctr_tmpl); + if (err) + goto out; + + err = crypto_register_template(&crypto_rfc3686_tmpl); + if (err) + goto out_drop_ctr; + +out: + return err; + +out_drop_ctr: + crypto_unregister_template(&crypto_ctr_tmpl); + goto out; } static void __exit crypto_ctr_module_exit(void) { + crypto_unregister_template(&crypto_rfc3686_tmpl); crypto_unregister_template(&crypto_ctr_tmpl); } @@ -340,3 +417,4 @@ module_exit(crypto_ctr_module_exit); MODULE_LICENSE("GPL"); MODULE_DESCRIPTION("CTR Counter block mode"); +MODULE_ALIAS("rfc3686"); -- cgit v1.2.3 From 0a270321dbf948963aeb0e8382fe17d2c2eb3771 Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Fri, 30 Nov 2007 21:38:37 +1100 Subject: [CRYPTO] seqiv: Add Sequence Number IV Generator This generator generates an IV based on a sequence number by xoring it with a salt. This algorithm is mainly useful for CTR and similar modes. This patch also sets it as the default IV generator for ctr. Signed-off-by: Herbert Xu --- crypto/ctr.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'crypto/ctr.c') diff --git a/crypto/ctr.c b/crypto/ctr.c index 1052b318aed..2d7425f0e7b 100644 --- a/crypto/ctr.c +++ b/crypto/ctr.c @@ -361,6 +361,8 @@ static struct crypto_instance *crypto_rfc3686_alloc(struct rtattr **tb) inst->alg.cra_blkcipher.max_keysize = alg->cra_blkcipher.max_keysize + CTR_RFC3686_NONCE_SIZE; + inst->alg.cra_blkcipher.geniv = "seqiv"; + inst->alg.cra_ctxsize = sizeof(struct crypto_rfc3686_ctx); inst->alg.cra_init = crypto_rfc3686_init_tfm; -- cgit v1.2.3