Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

3 Commits   0 Branches   0 Tags   |
Index
Trunk
Branches
Tags
Trunk
Branches
Tags
Home page
Home page
orangepi/linux-orangepi-5.10.y.git/trunk/crypto/keywrap.c
log
diff
blame
/*
 * Key Wrapping: RFC3394 / NIST SP800-38F
 *
 * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, and the entire permission notice in its entirety,
 *    including the disclaimer of warranties.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior
 *    written permission.
 *
 * ALTERNATIVELY, this product may be distributed under the terms of
 * the GNU General Public License, in which case the provisions of the GPL2
 * are required INSTEAD OF the above restrictions.  (This clause is
 * necessary due to a potential bad interaction between the GPL and
 * the restrictions contained in a BSD-style copyright.)
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
 * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
 * DAMAGE.
 */
 
/*
 * Note for using key wrapping:
 *
 *	* The result of the encryption operation is the ciphertext starting
 *	  with the 2nd semiblock. The first semiblock is provided as the IV.
 *	  The IV used to start the encryption operation is the default IV.
 *
 *	* The input for the decryption is the first semiblock handed in as an
 *	  IV. The ciphertext is the data starting with the 2nd semiblock. The
 *	  return code of the decryption operation will be EBADMSG in case an
 *	  integrity error occurs.
 *
 * To obtain the full result of an encryption as expected by SP800-38F, the
 * caller must allocate a buffer of plaintext + 8 bytes:
 *
 *	unsigned int datalen = ptlen + crypto_skcipher_ivsize(tfm);
 *	u8 data[datalen];
 *	u8 *iv = data;
 *	u8 *pt = data + crypto_skcipher_ivsize(tfm);
 *		<ensure that pt contains the plaintext of size ptlen>
 *	sg_init_one(&sg, pt, ptlen);
 *	skcipher_request_set_crypt(req, &sg, &sg, ptlen, iv);
 *
 *	==> After encryption, data now contains full KW result as per SP800-38F.
 *
 * In case of decryption, ciphertext now already has the expected length
 * and must be segmented appropriately:
 *
 *	unsigned int datalen = CTLEN;
 *	u8 data[datalen];
 *		<ensure that data contains full ciphertext>
 *	u8 *iv = data;
 *	u8 *ct = data + crypto_skcipher_ivsize(tfm);
 *	unsigned int ctlen = datalen - crypto_skcipher_ivsize(tfm);
 *	sg_init_one(&sg, ct, ctlen);
 *	skcipher_request_set_crypt(req, &sg, &sg, ctlen, iv);
 *
 *	==> After decryption (which hopefully does not return EBADMSG), the ct
 *	pointer now points to the plaintext of size ctlen.
 *
 * Note 2: KWP is not implemented as this would defy in-place operation.
 *	   If somebody wants to wrap non-aligned data, he should simply pad
 *	   the input with zeros to fill it up to the 8 byte boundary.
 */
 
#include <linux/module.h>
#include <linux/crypto.h>
#include <linux/scatterlist.h>
#include <crypto/scatterwalk.h>
#include <crypto/internal/cipher.h>
#include <crypto/internal/skcipher.h>
 
struct crypto_kw_block {
#define SEMIBSIZE 8
<------>__be64 A;
<------>__be64 R;
};
 
/*
 * Fast forward the SGL to the "end" length minus SEMIBSIZE.
 * The start in the SGL defined by the fast-forward is returned with
 * the walk variable
 */
static void crypto_kw_scatterlist_ff(struct scatter_walk *walk,
<------><------><------><------>     struct scatterlist *sg,
<------><------><------><------>     unsigned int end)
{
<------>unsigned int skip = 0;
 
<------>/* The caller should only operate on full SEMIBLOCKs. */
<------>BUG_ON(end < SEMIBSIZE);
 
<------>skip = end - SEMIBSIZE;
<------>while (sg) {
<------><------>if (sg->length > skip) {
<------><------><------>scatterwalk_start(walk, sg);
<------><------><------>scatterwalk_advance(walk, skip);
<------><------><------>break;
<------><------>} else
<------><------><------>skip -= sg->length;
 
<------><------>sg = sg_next(sg);
<------>}
}
 
static int crypto_kw_decrypt(struct skcipher_request *req)
{
<------>struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
<------>struct crypto_cipher *cipher = skcipher_cipher_simple(tfm);
<------>struct crypto_kw_block block;
<------>struct scatterlist *src, *dst;
<------>u64 t = 6 * ((req->cryptlen) >> 3);
<------>unsigned int i;
<------>int ret = 0;
 
<------>/*
<------> * Require at least 2 semiblocks (note, the 3rd semiblock that is
<------> * required by SP800-38F is the IV.
<------> */
<------>if (req->cryptlen < (2 * SEMIBSIZE) || req->cryptlen % SEMIBSIZE)
<------><------>return -EINVAL;
 
<------>/* Place the IV into block A */
<------>memcpy(&block.A, req->iv, SEMIBSIZE);
 
<------>/*
<------> * src scatterlist is read-only. dst scatterlist is r/w. During the
<------> * first loop, src points to req->src and dst to req->dst. For any
<------> * subsequent round, the code operates on req->dst only.
<------> */
<------>src = req->src;
<------>dst = req->dst;
 
<------>for (i = 0; i < 6; i++) {
<------><------>struct scatter_walk src_walk, dst_walk;
<------><------>unsigned int nbytes = req->cryptlen;
 
<------><------>while (nbytes) {
<------><------><------>/* move pointer by nbytes in the SGL */
<------><------><------>crypto_kw_scatterlist_ff(&src_walk, src, nbytes);
<------><------><------>/* get the source block */
<------><------><------>scatterwalk_copychunks(&block.R, &src_walk, SEMIBSIZE,
<------><------><------><------><------>       false);
 
<------><------><------>/* perform KW operation: modify IV with counter */
<------><------><------>block.A ^= cpu_to_be64(t);
<------><------><------>t--;
<------><------><------>/* perform KW operation: decrypt block */
<------><------><------>crypto_cipher_decrypt_one(cipher, (u8 *)&block,
<------><------><------><------><------><------>  (u8 *)&block);
 
<------><------><------>/* move pointer by nbytes in the SGL */
<------><------><------>crypto_kw_scatterlist_ff(&dst_walk, dst, nbytes);
<------><------><------>/* Copy block->R into place */
<------><------><------>scatterwalk_copychunks(&block.R, &dst_walk, SEMIBSIZE,
<------><------><------><------><------>       true);
 
<------><------><------>nbytes -= SEMIBSIZE;
<------><------>}
 
<------><------>/* we now start to operate on the dst SGL only */
<------><------>src = req->dst;
<------><------>dst = req->dst;
<------>}
 
<------>/* Perform authentication check */
<------>if (block.A != cpu_to_be64(0xa6a6a6a6a6a6a6a6ULL))
<------><------>ret = -EBADMSG;
 
<------>memzero_explicit(&block, sizeof(struct crypto_kw_block));
 
<------>return ret;
}
 
static int crypto_kw_encrypt(struct skcipher_request *req)
{
<------>struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
<------>struct crypto_cipher *cipher = skcipher_cipher_simple(tfm);
<------>struct crypto_kw_block block;
<------>struct scatterlist *src, *dst;
<------>u64 t = 1;
<------>unsigned int i;
 
<------>/*
<------> * Require at least 2 semiblocks (note, the 3rd semiblock that is
<------> * required by SP800-38F is the IV that occupies the first semiblock.
<------> * This means that the dst memory must be one semiblock larger than src.
<------> * Also ensure that the given data is aligned to semiblock.
<------> */
<------>if (req->cryptlen < (2 * SEMIBSIZE) || req->cryptlen % SEMIBSIZE)
<------><------>return -EINVAL;
 
<------>/*
<------> * Place the predefined IV into block A -- for encrypt, the caller
<------> * does not need to provide an IV, but he needs to fetch the final IV.
<------> */
<------>block.A = cpu_to_be64(0xa6a6a6a6a6a6a6a6ULL);
 
<------>/*
<------> * src scatterlist is read-only. dst scatterlist is r/w. During the
<------> * first loop, src points to req->src and dst to req->dst. For any
<------> * subsequent round, the code operates on req->dst only.
<------> */
<------>src = req->src;
<------>dst = req->dst;
 
<------>for (i = 0; i < 6; i++) {
<------><------>struct scatter_walk src_walk, dst_walk;
<------><------>unsigned int nbytes = req->cryptlen;
 
<------><------>scatterwalk_start(&src_walk, src);
<------><------>scatterwalk_start(&dst_walk, dst);
 
<------><------>while (nbytes) {
<------><------><------>/* get the source block */
<------><------><------>scatterwalk_copychunks(&block.R, &src_walk, SEMIBSIZE,
<------><------><------><------><------>       false);
 
<------><------><------>/* perform KW operation: encrypt block */
<------><------><------>crypto_cipher_encrypt_one(cipher, (u8 *)&block,
<------><------><------><------><------><------>  (u8 *)&block);
<------><------><------>/* perform KW operation: modify IV with counter */
<------><------><------>block.A ^= cpu_to_be64(t);
<------><------><------>t++;
 
<------><------><------>/* Copy block->R into place */
<------><------><------>scatterwalk_copychunks(&block.R, &dst_walk, SEMIBSIZE,
<------><------><------><------><------>       true);
 
<------><------><------>nbytes -= SEMIBSIZE;
<------><------>}
 
<------><------>/* we now start to operate on the dst SGL only */
<------><------>src = req->dst;
<------><------>dst = req->dst;
<------>}
 
<------>/* establish the IV for the caller to pick up */
<------>memcpy(req->iv, &block.A, SEMIBSIZE);
 
<------>memzero_explicit(&block, sizeof(struct crypto_kw_block));
 
<------>return 0;
}
 
static int crypto_kw_create(struct crypto_template *tmpl, struct rtattr **tb)
{
<------>struct skcipher_instance *inst;
<------>struct crypto_alg *alg;
<------>int err;
 
<------>inst = skcipher_alloc_instance_simple(tmpl, tb);
<------>if (IS_ERR(inst))
<------><------>return PTR_ERR(inst);
 
<------>alg = skcipher_ialg_simple(inst);
 
<------>err = -EINVAL;
<------>/* Section 5.1 requirement for KW */
<------>if (alg->cra_blocksize != sizeof(struct crypto_kw_block))
<------><------>goto out_free_inst;
 
<------>inst->alg.base.cra_blocksize = SEMIBSIZE;
<------>inst->alg.base.cra_alignmask = 0;
<------>inst->alg.ivsize = SEMIBSIZE;
 
<------>inst->alg.encrypt = crypto_kw_encrypt;
<------>inst->alg.decrypt = crypto_kw_decrypt;
 
<------>err = skcipher_register_instance(tmpl, inst);
<------>if (err) {
out_free_inst:
<------><------>inst->free(inst);
<------>}
 
<------>return err;
}
 
static struct crypto_template crypto_kw_tmpl = {
<------>.name = "kw",
<------>.create = crypto_kw_create,
<------>.module = THIS_MODULE,
};
 
static int __init crypto_kw_init(void)
{
<------>return crypto_register_template(&crypto_kw_tmpl);
}
 
static void __exit crypto_kw_exit(void)
{
<------>crypto_unregister_template(&crypto_kw_tmpl);
}
 
subsys_initcall(crypto_kw_init);
module_exit(crypto_kw_exit);
 
MODULE_LICENSE("Dual BSD/GPL");
MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
MODULE_DESCRIPTION("Key Wrapping (RFC3394 / NIST SP800-38F)");
MODULE_ALIAS_CRYPTO("kw");
MODULE_IMPORT_NS(CRYPTO_INTERNAL);
log
diff
blame
cGit-ui 0.1.7
Git 2.40.0
Nginx 1.22.1

Where any material of this site is being reproduced, published or issued to others the reference to the source is obligatory.

© Andrey V. Kosteltsev, 2019 – 2025.