Commit 333b0d7eeacbd47159daf23757aa81368470c409
Committed by
David S. Miller
1 parent
45789328e5
Exists in
master
and in
4 other branches
[CRYPTO] xcbc: New algorithm
This is core code of XCBC. XCBC is an algorithm that forms a MAC algorithm out of a cipher algorithm. For example, AES-XCBC-MAC is a MAC algorithm based on the AES cipher algorithm. Signed-off-by: Kazunori MIYAZAWA <miyazawa@linux-ipv6.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Showing 3 changed files with 358 additions and 0 deletions Side-by-side Diff
crypto/Kconfig
... | ... | @@ -39,6 +39,17 @@ |
39 | 39 | HMAC: Keyed-Hashing for Message Authentication (RFC2104). |
40 | 40 | This is required for IPSec. |
41 | 41 | |
42 | +config CRYPTO_XCBC | |
43 | + tristate "XCBC support" | |
44 | + depends on EXPERIMENTAL | |
45 | + select CRYPTO_HASH | |
46 | + select CRYPTO_MANAGER | |
47 | + help | |
48 | + XCBC: Keyed-Hashing with encryption algorithm | |
49 | + http://www.ietf.org/rfc/rfc3566.txt | |
50 | + http://csrc.nist.gov/encryption/modes/proposedmodes/ | |
51 | + xcbc-mac/xcbc-mac-spec.pdf | |
52 | + | |
42 | 53 | config CRYPTO_NULL |
43 | 54 | tristate "Null algorithms" |
44 | 55 | select CRYPTO_ALGAPI |
crypto/Makefile
crypto/xcbc.c
1 | +/* | |
2 | + * Copyright (C)2006 USAGI/WIDE Project | |
3 | + * | |
4 | + * This program is free software; you can redistribute it and/or modify | |
5 | + * it under the terms of the GNU General Public License as published by | |
6 | + * the Free Software Foundation; either version 2 of the License, or | |
7 | + * (at your option) any later version. | |
8 | + * | |
9 | + * This program is distributed in the hope that it will be useful, | |
10 | + * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
11 | + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
12 | + * GNU General Public License for more details. | |
13 | + * | |
14 | + * You should have received a copy of the GNU General Public License | |
15 | + * along with this program; if not, write to the Free Software | |
16 | + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
17 | + * | |
18 | + * Author: | |
19 | + * Kazunori Miyazawa <miyazawa@linux-ipv6.org> | |
20 | + */ | |
21 | + | |
22 | +#include <linux/crypto.h> | |
23 | +#include <linux/err.h> | |
24 | +#include <linux/kernel.h> | |
25 | +#include <linux/mm.h> | |
26 | +#include <linux/rtnetlink.h> | |
27 | +#include <linux/slab.h> | |
28 | +#include <linux/scatterlist.h> | |
29 | +#include "internal.h" | |
30 | + | |
31 | +u_int32_t ks[12] = {0x01010101, 0x01010101, 0x01010101, 0x01010101, | |
32 | + 0x02020202, 0x02020202, 0x02020202, 0x02020202, | |
33 | + 0x03030303, 0x03030303, 0x03030303, 0x03030303}; | |
34 | +/* | |
35 | + * +------------------------ | |
36 | + * | <parent tfm> | |
37 | + * +------------------------ | |
38 | + * | crypto_xcbc_ctx | |
39 | + * +------------------------ | |
40 | + * | odds (block size) | |
41 | + * +------------------------ | |
42 | + * | prev (block size) | |
43 | + * +------------------------ | |
44 | + * | key (block size) | |
45 | + * +------------------------ | |
46 | + * | consts (block size * 3) | |
47 | + * +------------------------ | |
48 | + */ | |
49 | +struct crypto_xcbc_ctx { | |
50 | + struct crypto_tfm *child; | |
51 | + u8 *odds; | |
52 | + u8 *prev; | |
53 | + u8 *key; | |
54 | + u8 *consts; | |
55 | + void (*xor)(u8 *a, const u8 *b, unsigned int bs); | |
56 | + unsigned int keylen; | |
57 | + unsigned int len; | |
58 | +}; | |
59 | + | |
60 | +static void xor_128(u8 *a, const u8 *b, unsigned int bs) | |
61 | +{ | |
62 | + ((u32 *)a)[0] ^= ((u32 *)b)[0]; | |
63 | + ((u32 *)a)[1] ^= ((u32 *)b)[1]; | |
64 | + ((u32 *)a)[2] ^= ((u32 *)b)[2]; | |
65 | + ((u32 *)a)[3] ^= ((u32 *)b)[3]; | |
66 | +} | |
67 | + | |
68 | +static int _crypto_xcbc_digest_setkey(struct crypto_hash *parent, | |
69 | + struct crypto_xcbc_ctx *ctx) | |
70 | +{ | |
71 | + int bs = crypto_hash_blocksize(parent); | |
72 | + int err = 0; | |
73 | + u8 key1[bs]; | |
74 | + | |
75 | + if ((err = crypto_cipher_setkey(ctx->child, ctx->key, ctx->keylen))) | |
76 | + return err; | |
77 | + | |
78 | + ctx->child->__crt_alg->cra_cipher.cia_encrypt(ctx->child, key1, | |
79 | + ctx->consts); | |
80 | + | |
81 | + return crypto_cipher_setkey(ctx->child, key1, bs); | |
82 | +} | |
83 | + | |
84 | +static int crypto_xcbc_digest_setkey(struct crypto_hash *parent, | |
85 | + const u8 *inkey, unsigned int keylen) | |
86 | +{ | |
87 | + struct crypto_xcbc_ctx *ctx = crypto_hash_ctx_aligned(parent); | |
88 | + | |
89 | + if (keylen != crypto_tfm_alg_blocksize(ctx->child)) | |
90 | + return -EINVAL; | |
91 | + | |
92 | + ctx->keylen = keylen; | |
93 | + memcpy(ctx->key, inkey, keylen); | |
94 | + ctx->consts = (u8*)ks; | |
95 | + | |
96 | + return _crypto_xcbc_digest_setkey(parent, ctx); | |
97 | +} | |
98 | + | |
99 | +int crypto_xcbc_digest_init(struct hash_desc *pdesc) | |
100 | +{ | |
101 | + struct crypto_xcbc_ctx *ctx = crypto_hash_ctx_aligned(pdesc->tfm); | |
102 | + int bs = crypto_hash_blocksize(pdesc->tfm); | |
103 | + | |
104 | + ctx->len = 0; | |
105 | + memset(ctx->odds, 0, bs); | |
106 | + memset(ctx->prev, 0, bs); | |
107 | + | |
108 | + return 0; | |
109 | +} | |
110 | + | |
111 | +int crypto_xcbc_digest_update(struct hash_desc *pdesc, struct scatterlist *sg, unsigned int nbytes) | |
112 | +{ | |
113 | + struct crypto_hash *parent = pdesc->tfm; | |
114 | + struct crypto_xcbc_ctx *ctx = crypto_hash_ctx_aligned(parent); | |
115 | + struct crypto_tfm *tfm = ctx->child; | |
116 | + int bs = crypto_hash_blocksize(parent); | |
117 | + unsigned int i = 0; | |
118 | + | |
119 | + do { | |
120 | + | |
121 | + struct page *pg = sg[i].page; | |
122 | + unsigned int offset = sg[i].offset; | |
123 | + unsigned int slen = sg[i].length; | |
124 | + | |
125 | + while (slen > 0) { | |
126 | + unsigned int len = min(slen, ((unsigned int)(PAGE_SIZE)) - offset); | |
127 | + char *p = crypto_kmap(pg, 0) + offset; | |
128 | + | |
129 | + /* checking the data can fill the block */ | |
130 | + if ((ctx->len + len) <= bs) { | |
131 | + memcpy(ctx->odds + ctx->len, p, len); | |
132 | + ctx->len += len; | |
133 | + slen -= len; | |
134 | + | |
135 | + /* checking the rest of the page */ | |
136 | + if (len + offset >= PAGE_SIZE) { | |
137 | + offset = 0; | |
138 | + pg++; | |
139 | + } else | |
140 | + offset += len; | |
141 | + | |
142 | + crypto_kunmap(p, 0); | |
143 | + crypto_yield(tfm->crt_flags); | |
144 | + continue; | |
145 | + } | |
146 | + | |
147 | + /* filling odds with new data and encrypting it */ | |
148 | + memcpy(ctx->odds + ctx->len, p, bs - ctx->len); | |
149 | + len -= bs - ctx->len; | |
150 | + p += bs - ctx->len; | |
151 | + | |
152 | + ctx->xor(ctx->prev, ctx->odds, bs); | |
153 | + tfm->__crt_alg->cra_cipher.cia_encrypt(tfm, ctx->prev, ctx->prev); | |
154 | + | |
155 | + /* clearing the length */ | |
156 | + ctx->len = 0; | |
157 | + | |
158 | + /* encrypting the rest of data */ | |
159 | + while (len > bs) { | |
160 | + ctx->xor(ctx->prev, p, bs); | |
161 | + tfm->__crt_alg->cra_cipher.cia_encrypt(tfm, ctx->prev, ctx->prev); | |
162 | + p += bs; | |
163 | + len -= bs; | |
164 | + } | |
165 | + | |
166 | + /* keeping the surplus of blocksize */ | |
167 | + if (len) { | |
168 | + memcpy(ctx->odds, p, len); | |
169 | + ctx->len = len; | |
170 | + } | |
171 | + crypto_kunmap(p, 0); | |
172 | + crypto_yield(tfm->crt_flags); | |
173 | + slen -= min(slen, ((unsigned int)(PAGE_SIZE)) - offset); | |
174 | + offset = 0; | |
175 | + pg++; | |
176 | + } | |
177 | + nbytes-=sg[i].length; | |
178 | + i++; | |
179 | + } while (nbytes>0); | |
180 | + | |
181 | + return 0; | |
182 | +} | |
183 | + | |
184 | +int crypto_xcbc_digest_final(struct hash_desc *pdesc, u8 *out) | |
185 | +{ | |
186 | + struct crypto_hash *parent = pdesc->tfm; | |
187 | + struct crypto_xcbc_ctx *ctx = crypto_hash_ctx_aligned(parent); | |
188 | + struct crypto_tfm *tfm = ctx->child; | |
189 | + int bs = crypto_hash_blocksize(parent); | |
190 | + int err = 0; | |
191 | + | |
192 | + if (ctx->len == bs) { | |
193 | + u8 key2[bs]; | |
194 | + | |
195 | + if ((err = crypto_cipher_setkey(tfm, ctx->key, ctx->keylen)) != 0) | |
196 | + return err; | |
197 | + | |
198 | + tfm->__crt_alg->cra_cipher.cia_encrypt(tfm, key2, (const u8*)(ctx->consts+bs)); | |
199 | + | |
200 | + ctx->xor(ctx->prev, ctx->odds, bs); | |
201 | + ctx->xor(ctx->prev, key2, bs); | |
202 | + _crypto_xcbc_digest_setkey(parent, ctx); | |
203 | + | |
204 | + tfm->__crt_alg->cra_cipher.cia_encrypt(tfm, out, ctx->prev); | |
205 | + } else { | |
206 | + u8 key3[bs]; | |
207 | + unsigned int rlen; | |
208 | + u8 *p = ctx->odds + ctx->len; | |
209 | + *p = 0x80; | |
210 | + p++; | |
211 | + | |
212 | + rlen = bs - ctx->len -1; | |
213 | + if (rlen) | |
214 | + memset(p, 0, rlen); | |
215 | + | |
216 | + if ((err = crypto_cipher_setkey(tfm, ctx->key, ctx->keylen)) != 0) | |
217 | + return err; | |
218 | + | |
219 | + tfm->__crt_alg->cra_cipher.cia_encrypt(tfm, key3, (const u8*)(ctx->consts+bs*2)); | |
220 | + | |
221 | + ctx->xor(ctx->prev, ctx->odds, bs); | |
222 | + ctx->xor(ctx->prev, key3, bs); | |
223 | + | |
224 | + _crypto_xcbc_digest_setkey(parent, ctx); | |
225 | + | |
226 | + tfm->__crt_alg->cra_cipher.cia_encrypt(tfm, out, ctx->prev); | |
227 | + } | |
228 | + | |
229 | + return 0; | |
230 | +} | |
231 | + | |
232 | +static int crypto_xcbc_digest(struct hash_desc *pdesc, | |
233 | + struct scatterlist *sg, unsigned int nbytes, u8 *out) | |
234 | +{ | |
235 | + crypto_xcbc_digest_init(pdesc); | |
236 | + crypto_xcbc_digest_update(pdesc, sg, nbytes); | |
237 | + return crypto_xcbc_digest_final(pdesc, out); | |
238 | +} | |
239 | + | |
240 | +static int xcbc_init_tfm(struct crypto_tfm *tfm) | |
241 | +{ | |
242 | + struct crypto_instance *inst = (void *)tfm->__crt_alg; | |
243 | + struct crypto_spawn *spawn = crypto_instance_ctx(inst); | |
244 | + struct crypto_xcbc_ctx *ctx = crypto_hash_ctx_aligned(__crypto_hash_cast(tfm)); | |
245 | + int bs = crypto_hash_blocksize(__crypto_hash_cast(tfm)); | |
246 | + | |
247 | + tfm = crypto_spawn_tfm(spawn); | |
248 | + if (IS_ERR(tfm)) | |
249 | + return PTR_ERR(tfm); | |
250 | + | |
251 | + switch(bs) { | |
252 | + case 16: | |
253 | + ctx->xor = xor_128; | |
254 | + break; | |
255 | + default: | |
256 | + return -EINVAL; | |
257 | + } | |
258 | + | |
259 | + ctx->child = crypto_cipher_cast(tfm); | |
260 | + ctx->odds = (u8*)(ctx+1); | |
261 | + ctx->prev = ctx->odds + bs; | |
262 | + ctx->key = ctx->prev + bs; | |
263 | + | |
264 | + return 0; | |
265 | +}; | |
266 | + | |
267 | +static void xcbc_exit_tfm(struct crypto_tfm *tfm) | |
268 | +{ | |
269 | + struct crypto_xcbc_ctx *ctx = crypto_hash_ctx_aligned(__crypto_hash_cast(tfm)); | |
270 | + crypto_free_cipher(ctx->child); | |
271 | +} | |
272 | + | |
273 | +static struct crypto_instance *xcbc_alloc(void *param, unsigned int len) | |
274 | +{ | |
275 | + struct crypto_instance *inst; | |
276 | + struct crypto_alg *alg; | |
277 | + alg = crypto_get_attr_alg(param, len, CRYPTO_ALG_TYPE_CIPHER, | |
278 | + CRYPTO_ALG_TYPE_HASH_MASK | CRYPTO_ALG_ASYNC); | |
279 | + if (IS_ERR(alg)) | |
280 | + return ERR_PTR(PTR_ERR(alg)); | |
281 | + | |
282 | + switch(alg->cra_blocksize) { | |
283 | + case 16: | |
284 | + break; | |
285 | + default: | |
286 | + return ERR_PTR(PTR_ERR(alg)); | |
287 | + } | |
288 | + | |
289 | + inst = crypto_alloc_instance("xcbc", alg); | |
290 | + if (IS_ERR(inst)) | |
291 | + goto out_put_alg; | |
292 | + | |
293 | + inst->alg.cra_flags = CRYPTO_ALG_TYPE_HASH; | |
294 | + inst->alg.cra_priority = alg->cra_priority; | |
295 | + inst->alg.cra_blocksize = alg->cra_blocksize; | |
296 | + inst->alg.cra_alignmask = alg->cra_alignmask; | |
297 | + inst->alg.cra_type = &crypto_hash_type; | |
298 | + | |
299 | + inst->alg.cra_hash.digestsize = | |
300 | + (alg->cra_flags & CRYPTO_ALG_TYPE_MASK) == | |
301 | + CRYPTO_ALG_TYPE_HASH ? alg->cra_hash.digestsize : | |
302 | + alg->cra_blocksize; | |
303 | + inst->alg.cra_ctxsize = sizeof(struct crypto_xcbc_ctx) + | |
304 | + ALIGN(inst->alg.cra_blocksize * 3, sizeof(void *)); | |
305 | + inst->alg.cra_init = xcbc_init_tfm; | |
306 | + inst->alg.cra_exit = xcbc_exit_tfm; | |
307 | + | |
308 | + inst->alg.cra_hash.init = crypto_xcbc_digest_init; | |
309 | + inst->alg.cra_hash.update = crypto_xcbc_digest_update; | |
310 | + inst->alg.cra_hash.final = crypto_xcbc_digest_final; | |
311 | + inst->alg.cra_hash.digest = crypto_xcbc_digest; | |
312 | + inst->alg.cra_hash.setkey = crypto_xcbc_digest_setkey; | |
313 | + | |
314 | +out_put_alg: | |
315 | + crypto_mod_put(alg); | |
316 | + return inst; | |
317 | +} | |
318 | + | |
319 | +static void xcbc_free(struct crypto_instance *inst) | |
320 | +{ | |
321 | + crypto_drop_spawn(crypto_instance_ctx(inst)); | |
322 | + kfree(inst); | |
323 | +} | |
324 | + | |
325 | +static struct crypto_template crypto_xcbc_tmpl = { | |
326 | + .name = "xcbc", | |
327 | + .alloc = xcbc_alloc, | |
328 | + .free = xcbc_free, | |
329 | + .module = THIS_MODULE, | |
330 | +}; | |
331 | + | |
332 | +static int __init crypto_xcbc_module_init(void) | |
333 | +{ | |
334 | + return crypto_register_template(&crypto_xcbc_tmpl); | |
335 | +} | |
336 | + | |
337 | +static void __exit crypto_xcbc_module_exit(void) | |
338 | +{ | |
339 | + crypto_unregister_template(&crypto_xcbc_tmpl); | |
340 | +} | |
341 | + | |
342 | +module_init(crypto_xcbc_module_init); | |
343 | +module_exit(crypto_xcbc_module_exit); | |
344 | + | |
345 | +MODULE_LICENSE("GPL"); | |
346 | +MODULE_DESCRIPTION("XCBC keyed hash algorithm"); |