[PATCH 01/28] [CRYPTO] cts: Add CTS mode required for Kerberos AES support
Kevin Coffman
kwc at citi.umich.edu
Mon Mar 31 13:29:48 EDT 2008
On Mon, Mar 31, 2008 at 1:22 PM, J. Bruce Fields <bfields at fieldses.org> wrote:
>
> On Mon, Mar 31, 2008 at 10:30:58AM -0400, Kevin Coffman wrote:
> > Implement CTS wrapper for CBC mode required for support of AES
> > encryption support for Kerberos (rfc3962).
> >
> > Signed-off-by: Kevin Coffman <kwc at citi.umich.edu>
> > Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
> > ---
> >
> > crypto/Kconfig | 11 ++
> > crypto/Makefile | 1
> > crypto/cts.c | 347 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > crypto/tcrypt.c | 16 ++-
> > crypto/tcrypt.h | 209 +++++++++++++++++++++++++++++++++
> > 5 files changed, 582 insertions(+), 2 deletions(-)
> >
> > diff --git a/crypto/Kconfig b/crypto/Kconfig
> > index 69f1be6..e14ff12 100644
> > --- a/crypto/Kconfig
> > +++ b/crypto/Kconfig
> > @@ -213,6 +213,17 @@ config CRYPTO_CTR
> > CTR: Counter mode
> > This block cipher algorithm is required for IPSec.
> >
> > +config CRYPTO_CTS
> > + tristate "CTS support"
> > + select CRYPTO_BLKCIPHER
> > + help
> > + CTS: Cipher Text Stealing
> > + This is the Cipher Text Stealing mode as described by
> > + Section 8 of rfc2040 and referenced by rfc3962.
> > + (rfc3962 includes errata information in its Appendix A)
> > + This mode is required for Kerberos gss mechanism support
> > + for AES encryption.
> > +
> > config CRYPTO_GCM
> > tristate "GCM/GMAC support"
> > select CRYPTO_CTR
> > diff --git a/crypto/Makefile b/crypto/Makefile
> > index 7cf3625..8b110cf 100644
> > --- a/crypto/Makefile
> > +++ b/crypto/Makefile
> > @@ -35,6 +35,7 @@ obj-$(CONFIG_CRYPTO_GF128MUL) += gf128mul.o
> > obj-$(CONFIG_CRYPTO_ECB) += ecb.o
> > obj-$(CONFIG_CRYPTO_CBC) += cbc.o
> > obj-$(CONFIG_CRYPTO_PCBC) += pcbc.o
> > +obj-$(CONFIG_CRYPTO_CTS) += cts.o
> > obj-$(CONFIG_CRYPTO_LRW) += lrw.o
> > obj-$(CONFIG_CRYPTO_XTS) += xts.o
> > obj-$(CONFIG_CRYPTO_CTR) += ctr.o
> > diff --git a/crypto/cts.c b/crypto/cts.c
> > new file mode 100644
> > index 0000000..6fe968a
> > --- /dev/null
> > +++ b/crypto/cts.c
> > @@ -0,0 +1,347 @@
> > +/*
> > + * CTS: Cipher Text Stealing mode
> > + *
> > + * COPYRIGHT (c) 2008
> > + * The Regents of the University of Michigan
> > + * ALL RIGHTS RESERVED
> > + *
> > + * Permission is granted to use, copy, create derivative works
> > + * and redistribute this software and such derivative works
> > + * for any purpose, so long as the name of The University of
> > + * Michigan is not used in any advertising or publicity
> > + * pertaining to the use of distribution of this software
> > + * without specific, written prior authorization. If the
> > + * above copyright notice or any other identification of the
> > + * University of Michigan is included in any copy of any
> > + * portion of this software, then the disclaimer below must
> > + * also be included.
> > + *
> > + * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
> > + * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
> > + * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
> > + * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
> > + * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
> > + * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
> > + * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
> > + * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
> > + * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
> > + * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
> > + * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
> > + * SUCH DAMAGES.
> > + */
> > +
> > +/* Derived from various:
> > + * Copyright (c) 2006 Herbert Xu <herbert at gondor.apana.org.au>
> > + */
> > +
> > +/*
> > + * This is the Cipher Text Stealing mode as described by
> > + * Section 8 of rfc2040 and referenced by rfc3962.
> > + * rfc3962 includes errata information in its Appendix A.
> > + */
> > +
> > +#include <crypto/algapi.h>
> > +#include <linux/err.h>
> > +#include <linux/init.h>
> > +#include <linux/kernel.h>
> > +#include <linux/log2.h>
> > +#include <linux/module.h>
> > +#include <linux/scatterlist.h>
> > +#include <crypto/scatterwalk.h>
> > +#include <linux/slab.h>
> > +
> > +struct crypto_cts_ctx {
> > + struct crypto_blkcipher *child;
> > +};
> > +
> > +static int crypto_cts_setkey(struct crypto_tfm *parent, const u8 *key,
> > + unsigned int keylen)
> > +{
> > + struct crypto_cts_ctx *ctx = crypto_tfm_ctx(parent);
> > + struct crypto_blkcipher *child = ctx->child;
> > + int err;
> > +
> > + crypto_blkcipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
> > + crypto_blkcipher_set_flags(child, crypto_tfm_get_flags(parent) &
> > + CRYPTO_TFM_REQ_MASK);
> > + err = crypto_blkcipher_setkey(child, key, keylen);
> > + crypto_tfm_set_flags(parent, crypto_blkcipher_get_flags(child) &
> > + CRYPTO_TFM_RES_MASK);
> > + return err;
> > +}
> > +
> > +static int cts_cbc_encrypt(struct crypto_cts_ctx *ctx,
> > + struct blkcipher_desc *desc,
> > + struct scatterlist *dst,
> > + struct scatterlist *src,
> > + unsigned int offset,
> > + unsigned int nbytes)
> > +{
> > + int bsize = crypto_blkcipher_blocksize(desc->tfm);
> > + u8 tmp[bsize], tmp2[bsize];
> > + struct blkcipher_desc lcldesc;
> > + struct scatterlist sgsrc[1], sgdst[1];
> > + int lastn = nbytes - bsize;
> > + u8 iv[bsize];
> > + u8 s[bsize * 2], d[bsize * 2];
> > + int err;
> > +
> > + if (lastn < 0)
> > + return -EINVAL;
> > +
> > + memset(s, 0, sizeof(s));
> > + scatterwalk_map_and_copy(s, src, offset, nbytes, 0);
> > +
> > + memcpy(iv, desc->info, bsize);
> > +
> > + lcldesc.tfm = ctx->child;
> > + lcldesc.info = iv;
> > + lcldesc.flags = desc->flags;
> > +
> > + sg_set_buf(&sgsrc[0], s, bsize);
> > + sg_set_buf(&sgdst[0], tmp, bsize);
> > + err = crypto_blkcipher_encrypt_iv(&lcldesc, sgdst, sgsrc, bsize);
> > +
> > + memcpy(d + bsize, tmp, lastn);
> > +
> > + lcldesc.info = tmp;
> > +
> > + sg_set_buf(&sgsrc[0], s + bsize, bsize);
> > + sg_set_buf(&sgdst[0], tmp2, bsize);
> > + err = crypto_blkcipher_encrypt_iv(&lcldesc, sgdst, sgsrc, bsize);
> > +
> > + memcpy(d, tmp2, bsize);
> > +
> > + scatterwalk_map_and_copy(d, dst, offset, nbytes, 1);
> > +
> > + memcpy(desc->info, tmp2, bsize);
> > +
> > + return err;
> > +}
> > +
> > +static int crypto_cts_encrypt(struct blkcipher_desc *desc,
> > + struct scatterlist *dst, struct scatterlist *src,
> > + unsigned int nbytes)
> > +{
> > + struct crypto_cts_ctx *ctx = crypto_blkcipher_ctx(desc->tfm);
> > + int bsize = crypto_blkcipher_blocksize(desc->tfm);
> > + int tot_blocks = (nbytes + bsize - 1) / bsize;
> > + int cbc_blocks = tot_blocks > 2 ? tot_blocks - 2 : 0;
> > + struct blkcipher_desc lcldesc;
> > + int err;
> > +
> > + lcldesc.tfm = ctx->child;
> > + lcldesc.info = desc->info;
> > + lcldesc.flags = desc->flags;
> > +
> > + if (tot_blocks == 1) {
> > + err = crypto_blkcipher_encrypt_iv(&lcldesc, dst, src, bsize);
> > + } else if (nbytes <= bsize * 2) {
> > + err = cts_cbc_encrypt(ctx, desc, dst, src, 0, nbytes);
> > + } else {
> > + /* do normal function for tot_blocks - 2 */
> > + err = crypto_blkcipher_encrypt_iv(&lcldesc, dst, src,
> > + cbc_blocks * bsize);
> > + if (err == 0) {
> > + /* do cts for final two blocks */
> > + err = cts_cbc_encrypt(ctx, desc, dst, src,
> > + cbc_blocks * bsize,
> > + nbytes - (cbc_blocks * bsize));
> > + }
> > + }
> > +
> > + return err;
> > +}
> > +
> > +static int cts_cbc_decrypt(struct crypto_cts_ctx *ctx,
> > + struct blkcipher_desc *desc,
> > + struct scatterlist *dst,
> > + struct scatterlist *src,
> > + unsigned int offset,
> > + unsigned int nbytes)
> > +{
> > + int bsize = crypto_blkcipher_blocksize(desc->tfm);
> > + u8 tmp[bsize];
> > + struct blkcipher_desc lcldesc;
> > + struct scatterlist sgsrc[1], sgdst[1];
> > + int lastn = nbytes - bsize;
> > + u8 iv[bsize];
> > + u8 s[bsize * 2], d[bsize * 2];
> > + int err;
> > +
> > + if (lastn < 0)
> > + return -EINVAL;
> > +
> > + scatterwalk_map_and_copy(s, src, offset, nbytes, 0);
> > +
> > + lcldesc.tfm = ctx->child;
> > + lcldesc.info = iv;
> > + lcldesc.flags = desc->flags;
> > +
> > + /* 1. Decrypt Cn-1 (s) to create Dn (tmp)*/
> > + memset(iv, 0, sizeof(iv));
> > + sg_set_buf(&sgsrc[0], s, bsize);
> > + sg_set_buf(&sgdst[0], tmp, bsize);
> > + err = crypto_blkcipher_decrypt_iv(&lcldesc, sgdst, sgsrc, bsize);
> > + if (err)
> > + return err;
> > + /* 2. Pad Cn with zeros at the end to create C of length BB */
> > + memset(iv, 0, sizeof(iv));
> > + memcpy(iv, s + bsize, lastn);
> > + /* 3. Exclusive-or Dn (tmp) with C (iv) to create Xn (tmp) */
> > + crypto_xor(tmp, iv, bsize);
> > + /* 4. Select the first Ln bytes of Xn (tmp) to create Pn */
> > + memcpy(d + bsize, tmp, lastn);
> > +
> > + /* 5. Append the tail (BB - Ln) bytes of Xn (tmp) to Cn to create En */
> > + memcpy(s + bsize + lastn, tmp + lastn, bsize - lastn);
> > + /* 6. Decrypt En to create Pn-1 */
> > + memset(iv, 0, sizeof(iv));
> > + sg_set_buf(&sgsrc[0], s + bsize, bsize);
> > + sg_set_buf(&sgdst[0], d, bsize);
> > + err = crypto_blkcipher_decrypt_iv(&lcldesc, sgdst, sgsrc, bsize);
> > +
> > + /* XXX xor with previous block ?? */
> > + crypto_xor(d, desc->info, bsize);
>
> What's that "XXX" about?
It should have been removed. I'll submit an update patch to Herbert.
> > +
> > + scatterwalk_map_and_copy(d, dst, offset, nbytes, 1);
> > +
> > + memcpy(desc->info, s, bsize);
> > + return err;
> > +}
> > +
> > +static int crypto_cts_decrypt(struct blkcipher_desc *desc,
> > + struct scatterlist *dst, struct scatterlist *src,
> > + unsigned int nbytes)
> > +{
> > + struct crypto_cts_ctx *ctx = crypto_blkcipher_ctx(desc->tfm);
> > + int bsize = crypto_blkcipher_blocksize(desc->tfm);
> > + int tot_blocks = (nbytes + bsize - 1) / bsize;
> > + int cbc_blocks = tot_blocks > 2 ? tot_blocks - 2 : 0;
> > + struct blkcipher_desc lcldesc;
> > + int err;
> > +
> > + lcldesc.tfm = ctx->child;
> > + lcldesc.info = desc->info;
> > + lcldesc.flags = desc->flags;
> > +
> > + if (tot_blocks == 1) {
> > + err = crypto_blkcipher_decrypt_iv(&lcldesc, dst, src, bsize);
> > + } else if (nbytes <= bsize * 2) {
> > + err = cts_cbc_decrypt(ctx, desc, dst, src, 0, nbytes);
> > + } else {
> > + /* do normal function for tot_blocks - 2 */
> > + err = crypto_blkcipher_decrypt_iv(&lcldesc, dst, src,
> > + cbc_blocks * bsize);
> > + if (err == 0) {
> > + /* do cts for final two blocks */
> > + err = cts_cbc_decrypt(ctx, desc, dst, src,
> > + cbc_blocks * bsize,
> > + nbytes - (cbc_blocks * bsize));
> > + }
> > + }
> > + return err;
> > +}
> > +
> > +static int crypto_cts_init_tfm(struct crypto_tfm *tfm)
> > +{
> > + struct crypto_instance *inst = (void *)tfm->__crt_alg;
> > + struct crypto_spawn *spawn = crypto_instance_ctx(inst);
> > + struct crypto_cts_ctx *ctx = crypto_tfm_ctx(tfm);
> > + struct crypto_blkcipher *cipher;
> > +
> > + cipher = crypto_spawn_blkcipher(spawn);
> > + if (IS_ERR(cipher))
> > + return PTR_ERR(cipher);
> > +
> > + ctx->child = cipher;
> > + return 0;
> > +}
> > +
> > +static void crypto_cts_exit_tfm(struct crypto_tfm *tfm)
> > +{
> > + struct crypto_cts_ctx *ctx = crypto_tfm_ctx(tfm);
> > + crypto_free_blkcipher(ctx->child);
> > +}
> > +
> > +static struct crypto_instance *crypto_cts_alloc(struct rtattr **tb)
> > +{
> > + struct crypto_instance *inst;
> > + struct crypto_alg *alg;
> > + int err;
> > +
> > + err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_BLKCIPHER);
> > + if (err)
> > + return ERR_PTR(err);
> > +
> > + alg = crypto_attr_alg(tb[1], CRYPTO_ALG_TYPE_BLKCIPHER,
> > + CRYPTO_ALG_TYPE_MASK);
> > + err = PTR_ERR(alg);
> > + if (IS_ERR(alg))
> > + return ERR_PTR(err);
> > +
> > + inst = ERR_PTR(-EINVAL);
> > + if (!is_power_of_2(alg->cra_blocksize))
> > + goto out_put_alg;
> > +
> > + inst = crypto_alloc_instance("cts", alg);
> > + if (IS_ERR(inst))
> > + goto out_put_alg;
> > +
> > + inst->alg.cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER;
> > + inst->alg.cra_priority = alg->cra_priority;
> > + inst->alg.cra_blocksize = alg->cra_blocksize;
> > + inst->alg.cra_alignmask = alg->cra_alignmask;
> > + inst->alg.cra_type = &crypto_blkcipher_type;
> > +
> > + /* We access the data as u32s when xoring. */
> > + inst->alg.cra_alignmask |= __alignof__(u32) - 1;
> > +
> > + inst->alg.cra_blkcipher.ivsize = alg->cra_blocksize;
> > + inst->alg.cra_blkcipher.min_keysize = alg->cra_blkcipher.min_keysize;
> > + inst->alg.cra_blkcipher.max_keysize = alg->cra_blkcipher.max_keysize;
> > +
> > + inst->alg.cra_blkcipher.geniv = "seqiv";
> > +
> > + inst->alg.cra_ctxsize = sizeof(struct crypto_cts_ctx);
> > +
> > + inst->alg.cra_init = crypto_cts_init_tfm;
> > + inst->alg.cra_exit = crypto_cts_exit_tfm;
> > +
> > + inst->alg.cra_blkcipher.setkey = crypto_cts_setkey;
> > + inst->alg.cra_blkcipher.encrypt = crypto_cts_encrypt;
> > + inst->alg.cra_blkcipher.decrypt = crypto_cts_decrypt;
> > +
> > +out_put_alg:
> > + crypto_mod_put(alg);
> > + return inst;
> > +}
> > +
> > +static void crypto_cts_free(struct crypto_instance *inst)
> > +{
> > + crypto_drop_spawn(crypto_instance_ctx(inst));
> > + kfree(inst);
> > +}
> > +
> > +static struct crypto_template crypto_cts_tmpl = {
> > + .name = "cts",
> > + .alloc = crypto_cts_alloc,
> > + .free = crypto_cts_free,
> > + .module = THIS_MODULE,
> > +};
> > +
> > +static int __init crypto_cts_module_init(void)
> > +{
> > + return crypto_register_template(&crypto_cts_tmpl);
> > +}
> > +
> > +static void __exit crypto_cts_module_exit(void)
> > +{
> > + crypto_unregister_template(&crypto_cts_tmpl);
> > +}
> > +
> > +module_init(crypto_cts_module_init);
> > +module_exit(crypto_cts_module_exit);
> > +
> > +MODULE_LICENSE("GPL");
> > +MODULE_DESCRIPTION("CTS-CBC) CipherText Stealing for CBC");
>
> Is the ")" after CTX-CBC a typo?
Yeah, I'll update that as well.
Thanks.
More information about the NFSv4
mailing list