
  1. // SPDX-License-Identifier: GPL-2.0
  2. /*
  3. * Adiantum length-preserving encryption mode
  4. *
  5. * Copyright 2018 Google LLC
  6. */
  7. /*
  8. * Adiantum is a tweakable, length-preserving encryption mode designed for fast
  9. * and secure disk encryption, especially on CPUs without dedicated crypto
  10. * instructions. Adiantum encrypts each sector using the XChaCha12 stream
  11. * cipher, two passes of an ε-almost-∆-universal (ε-∆U) hash function based on
  12. * NH and Poly1305, and an invocation of the AES-256 block cipher on a single
  13. * 16-byte block. See the paper for details:
  14. *
  15. * Adiantum: length-preserving encryption for entry-level processors
  16. * (https://eprint.iacr.org/2018/720.pdf)
  17. *
  18. * For flexibility, this implementation also allows other ciphers:
  19. *
  20. * - Stream cipher: XChaCha12 or XChaCha20
  21. * - Block cipher: any with a 128-bit block size and 256-bit key
  22. */
  23. #include <crypto/b128ops.h>
  24. #include <crypto/chacha.h>
  25. #include <crypto/internal/cipher.h>
  26. #include <crypto/internal/poly1305.h>
  27. #include <crypto/internal/skcipher.h>
  28. #include <crypto/nh.h>
  29. #include <crypto/scatterwalk.h>
  30. #include <linux/module.h>
/*
 * Size of the right-hand part of the input data, in bytes. This is also the
 * block cipher's block size and the size of the hash function's output; the
 * three must agree, since the right-hand part is added to the hash and then
 * passed through the block cipher as a single block.
 */
#define BLOCKCIPHER_BLOCK_SIZE 16
/* Size of the block cipher key (K_E) in bytes (256 bits) */
#define BLOCKCIPHER_KEY_SIZE 32
/*
 * Size of the hash key (K_H) in bytes. It is consumed in this order by
 * adiantum_setkey(): one Poly1305 key for the header hash, one Poly1305 key
 * for the message hash, then the NH key.
 */
#define HASH_KEY_SIZE (2 * POLY1305_BLOCK_SIZE + NH_KEY_BYTES)
/*
 * The specification allows variable-length tweaks, but Linux's crypto API
 * currently only allows algorithms to support a single length. The "natural"
 * tweak length for Adiantum is 16, since that fits into one Poly1305 block for
 * the best performance. But longer tweaks are useful for fscrypt, to avoid
 * needing to derive per-file keys. So instead we use two blocks, or 32 bytes.
 * This is exported as the algorithm's ivsize, so callers must always supply
 * exactly 32 bytes in req->iv.
 */
#define TWEAK_SIZE 32
/* Per-instance (template instantiation) state: the two inner algorithm spawns */
struct adiantum_instance_ctx {
	/* Stream cipher spawn, e.g. "xchacha12"; grabbed synchronous-only */
	struct crypto_skcipher_spawn streamcipher_spawn;
	/* Block cipher spawn, e.g. "aes"; must have a 128-bit block size */
	struct crypto_cipher_spawn blockcipher_spawn;
};
/*
 * Per-transform (per-key) state. Everything below is filled in by
 * adiantum_setkey(); all three hash keys are derived from K_S via the stream
 * cipher rather than supplied directly by the caller.
 */
struct adiantum_tfm_ctx {
	struct crypto_skcipher *streamcipher;	/* keyed with K_S */
	struct crypto_cipher *blockcipher;	/* keyed with K_E */
	/* Poly1305 key K_T for the (length, tweak) header hash */
	struct poly1305_core_key header_hash_key;
	/* Poly1305 key K_L for the polynomial over the NH hashes */
	struct poly1305_core_key msg_poly_key;
	/* NH key K_N, stored as host-endian words */
	u32 nh_key[NH_KEY_WORDS];
};
/*
 * Incremental state for the NH+Poly1305 message hash (see
 * adiantum_hash_message() and nhpoly1305_update()). Lives in the request
 * context, so one is available per in-flight request.
 */
struct nhpoly1305_ctx {
	/* Running total of polynomial evaluation */
	struct poly1305_state poly_state;
	/*
	 * Partial block buffer: holds the bytes of a 16-byte NH message unit
	 * that have arrived so far; 'buflen' is how many of them are valid.
	 */
	u8 buffer[NH_MESSAGE_UNIT];
	unsigned int buflen;
	/*
	 * Number of bytes remaining until the current NH message reaches
	 * NH_MESSAGE_BYTES. When nonzero, 'nh_hash' holds the partial NH hash.
	 */
	unsigned int nh_remaining;
	__le64 nh_hash[NH_NUM_PASSES];
};
/*
 * Per-request scratch state. The two union members are never live at the
 * same time: adiantum_crypt() finishes each hash (init/update/final) before
 * it sets up the stream cipher sub-request, and only hashes again after that
 * sub-request has completed, so they can share storage.
 */
struct adiantum_request_ctx {
	/*
	 * skcipher sub-request size is unknown at compile-time, so it needs to
	 * go after the members with known sizes.
	 */
	union {
		struct nhpoly1305_ctx hash_ctx;
		struct skcipher_request streamcipher_req;
	} u;
};
/*
 * Install the user key K_S and derive the remaining subkeys from it:
 *
 *   K_E || K_H || ... = XChaCha(key=K_S, nonce=1||0^191)
 *
 * The keystream bytes are obtained by encrypting an all-zero buffer (the
 * scratch allocation is zeroed, so ciphertext == keystream). K_E goes to the
 * block cipher; K_H is split into the two Poly1305 keys and the NH key.
 *
 * @tfm: the Adiantum transform being keyed
 * @key, @keylen: K_S; length limits are those of the inner stream cipher
 *
 * Returns 0 on success or a negative errno from the inner setkey/encrypt
 * calls or from allocation. The scratch buffer holding the derived key
 * material is freed with kfree_sensitive() on every path.
 */
static int adiantum_setkey(struct crypto_skcipher *tfm, const u8 *key,
			   unsigned int keylen)
{
	struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
	struct {
		u8 iv[XCHACHA_IV_SIZE];
		u8 derived_keys[BLOCKCIPHER_KEY_SIZE + HASH_KEY_SIZE];
		struct scatterlist sg;
		struct crypto_wait wait;
		struct skcipher_request req; /* must be last: variable-size tail */
	} *kd;
	const u8 *p;
	int err;

	/*
	 * Key the stream cipher with K_S, forwarding the caller's request
	 * flags (e.g. CRYPTO_TFM_REQ_FORBID_WEAK_KEYS) to the inner tfm.
	 */
	crypto_skcipher_clear_flags(tctx->streamcipher, CRYPTO_TFM_REQ_MASK);
	crypto_skcipher_set_flags(tctx->streamcipher,
				  crypto_skcipher_get_flags(tfm) &
				  CRYPTO_TFM_REQ_MASK);
	err = crypto_skcipher_setkey(tctx->streamcipher, key, keylen);
	if (err)
		return err;

	/* Scratch space for the derivation; zeroed so iv[1..] and the
	 * plaintext are all 0, as the derivation requires. */
	kd = kzalloc(sizeof(*kd) + crypto_skcipher_reqsize(tctx->streamcipher),
		     GFP_KERNEL);
	if (!kd)
		return -ENOMEM;

	kd->iv[0] = 1;	/* nonce = 1 || 0^191 */
	sg_init_one(&kd->sg, kd->derived_keys, sizeof(kd->derived_keys));
	crypto_init_wait(&kd->wait);
	skcipher_request_set_tfm(&kd->req, tctx->streamcipher);
	skcipher_request_set_callback(&kd->req, CRYPTO_TFM_REQ_MAY_SLEEP |
				      CRYPTO_TFM_REQ_MAY_BACKLOG,
				      crypto_req_done, &kd->wait);
	skcipher_request_set_crypt(&kd->req, &kd->sg, &kd->sg,
				   sizeof(kd->derived_keys), kd->iv);
	err = crypto_wait_req(crypto_skcipher_encrypt(&kd->req), &kd->wait);
	if (err)
		goto out;

	p = kd->derived_keys;

	/* K_E: first BLOCKCIPHER_KEY_SIZE bytes of keystream */
	crypto_cipher_clear_flags(tctx->blockcipher, CRYPTO_TFM_REQ_MASK);
	crypto_cipher_set_flags(tctx->blockcipher,
				crypto_skcipher_get_flags(tfm) &
				CRYPTO_TFM_REQ_MASK);
	err = crypto_cipher_setkey(tctx->blockcipher, p, BLOCKCIPHER_KEY_SIZE);
	if (err)
		goto out;
	p += BLOCKCIPHER_KEY_SIZE;

	/* K_H: header Poly1305 key, message Poly1305 key, then the NH key */
	poly1305_core_setkey(&tctx->header_hash_key, p);
	p += POLY1305_BLOCK_SIZE;
	poly1305_core_setkey(&tctx->msg_poly_key, p);
	p += POLY1305_BLOCK_SIZE;
	for (int i = 0; i < NH_KEY_WORDS; i++)
		tctx->nh_key[i] = get_unaligned_le32(&p[4 * i]);
	p += NH_KEY_BYTES;

	/* Sanity check: the layout above must consume exactly the buffer. */
	WARN_ON(p != kd->derived_keys + sizeof(kd->derived_keys));
out:
	kfree_sensitive(kd);
	return err;
}
/*
 * Addition in Z/(2^{128}Z): r = v1 + v2 mod 2^128.
 *
 * 'b' is the low 64 bits and 'a' the high 64 bits. @r may alias @v1 or @v2;
 * both operands are fully read before either half of @r is written.
 */
static inline void le128_add(le128 *r, const le128 *v1, const le128 *v2)
{
	u64 lo1 = le64_to_cpu(v1->b), lo2 = le64_to_cpu(v2->b);
	u64 hi1 = le64_to_cpu(v1->a), hi2 = le64_to_cpu(v2->a);
	u64 lo = lo1 + lo2;
	u64 carry = (lo < lo1) ? 1 : 0;	/* unsigned wrap means a carry out */

	r->b = cpu_to_le64(lo);
	r->a = cpu_to_le64(hi1 + hi2 + carry);
}
/*
 * Subtraction in Z/(2^{128}Z): r = v1 - v2 mod 2^128.
 *
 * 'b' is the low 64 bits and 'a' the high 64 bits. @r may alias @v1 or @v2;
 * both operands are fully read before either half of @r is written.
 */
static inline void le128_sub(le128 *r, const le128 *v1, const le128 *v2)
{
	u64 lo1 = le64_to_cpu(v1->b), lo2 = le64_to_cpu(v2->b);
	u64 hi1 = le64_to_cpu(v1->a), hi2 = le64_to_cpu(v2->a);
	u64 borrow = (lo1 < lo2) ? 1 : 0;	/* low half underflows */

	r->b = cpu_to_le64(lo1 - lo2);
	r->a = cpu_to_le64(hi1 - hi2 - borrow);
}
/*
 * Apply the Poly1305 ε-∆U hash function to (bulk length, tweak) and save the
 * result to @out. This is the calculation
 *
 *	H_T ← Poly1305_{K_T}(bin_{128}(|L|) || T)
 *
 * from the procedure in section 6.4 of the Adiantum paper. The resulting value
 * is reused in both the first and second hash steps. Specifically, it's added
 * to the result of an independently keyed ε-∆U hash function (for equal length
 * inputs only) taken over the left-hand part (the "bulk") of the message, to
 * give the overall Adiantum hash of the (tweak, left-hand part) pair.
 *
 * Binding the bulk length here is what makes the combination safe across
 * messages of different lengths, since the bulk hash alone only provides the
 * ε-∆U property for equal-length inputs.
 *
 * @req: request; req->cryptlen must already be >= BLOCKCIPHER_BLOCK_SIZE and
 *	 req->iv holds the TWEAK_SIZE-byte tweak T.
 * @out: receives H_T as a 128-bit little-endian value.
 */
static void adiantum_hash_header(struct skcipher_request *req, le128 *out)
{
	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
	const struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
	const u64 bulk_bits =
		(u64)(req->cryptlen - BLOCKCIPHER_BLOCK_SIZE) * 8;
	/* bin_128(|L|): bit length in the low 64 bits, zero in the high 64 */
	struct {
		__le64 message_bits;
		__le64 padding;
	} hdr = {
		.message_bits = cpu_to_le64(bulk_bits),
		.padding = 0,
	};
	struct poly1305_state st;

	/* Both inputs must be whole Poly1305 blocks; no partial-block path. */
	BUILD_BUG_ON(sizeof(hdr) % POLY1305_BLOCK_SIZE != 0);
	BUILD_BUG_ON(TWEAK_SIZE % POLY1305_BLOCK_SIZE != 0);

	poly1305_core_init(&st);
	poly1305_core_blocks(&st, &tctx->header_hash_key, &hdr,
			     sizeof(hdr) / POLY1305_BLOCK_SIZE, 1);
	poly1305_core_blocks(&st, &tctx->header_hash_key, req->iv,
			     TWEAK_SIZE / POLY1305_BLOCK_SIZE, 1);
	/* No final nonce addition (NULL): this is the raw ε-∆U hash, not a MAC */
	poly1305_core_emit(&st, NULL, out);
}
/*
 * Absorb the just-completed NH hash value (ctx->nh_hash) into the running
 * Poly1305 polynomial under the message key K_L.
 *
 * @ctx: hash state whose nh_hash is complete (or finalized short, see
 *	 nhpoly1305_final())
 * @key: transform context supplying msg_poly_key
 */
static void process_nh_hash_value(struct nhpoly1305_ctx *ctx,
				  const struct adiantum_tfm_ctx *key)
{
	const unsigned int nblocks = NH_HASH_BYTES / POLY1305_BLOCK_SIZE;

	/* An NH hash must be a whole number of Poly1305 blocks. */
	static_assert(NH_HASH_BYTES % POLY1305_BLOCK_SIZE == 0);
	poly1305_core_blocks(&ctx->poly_state, &key->msg_poly_key,
			     ctx->nh_hash, nblocks, 1);
}
/*
 * Feed the next portion of the message data, as a whole number of 16-byte
 * "NH message units", through NH and Poly1305. Each NH hash is taken over
 * 1024 bytes, except possibly the final one which is taken over a multiple of
 * 16 bytes up to 1024. Also, in the case where data is passed in misaligned
 * chunks, we combine partial hashes; the end result is the same either way.
 *
 * @ctx: running hash state
 * @key: transform context supplying nh_key and msg_poly_key
 * @data, @len: input; @len must be a nonzero multiple of NH_MESSAGE_UNIT
 *	(the loop is do/while, so @len == 0 would still hash an empty chunk).
 */
static void nhpoly1305_units(struct nhpoly1305_ctx *ctx,
			     const struct adiantum_tfm_ctx *key,
			     const u8 *data, size_t len)
{
	do {
		unsigned int n;

		if (ctx->nh_remaining) {
			/*
			 * Continuing a previous NH message: hash the next
			 * piece with the key offset by the bytes already
			 * consumed (one key word per message word), then
			 * add it into the partial hash.
			 */
			__le64 partial[NH_NUM_PASSES];
			unsigned int consumed =
				NH_MESSAGE_BYTES - ctx->nh_remaining;

			n = min(len, ctx->nh_remaining);
			nh(&key->nh_key[consumed / 4], data, n, partial);
			for (int i = 0; i < NH_NUM_PASSES; i++)
				le64_add_cpu(&ctx->nh_hash[i],
					     le64_to_cpu(partial[i]));
			ctx->nh_remaining -= n;
		} else {
			/* Starting a new NH message */
			n = min(len, NH_MESSAGE_BYTES);
			nh(key->nh_key, data, n, ctx->nh_hash);
			ctx->nh_remaining = NH_MESSAGE_BYTES - n;
		}

		/* A full 1024-byte NH message is complete: fold it into Poly1305 */
		if (!ctx->nh_remaining)
			process_nh_hash_value(ctx, key);

		data += n;
		len -= n;
	} while (len);
}
/*
 * Reset an NH+Poly1305 hash state for a new message. Only the bookkeeping
 * fields and the Poly1305 accumulator are reset; 'buffer' and 'nh_hash' are
 * left as-is because they are only ever read after being (re)written.
 */
static void nhpoly1305_init(struct nhpoly1305_ctx *ctx)
{
	ctx->nh_remaining = 0;	/* no NH message in progress */
	ctx->buflen = 0;	/* no buffered partial unit */
	poly1305_core_init(&ctx->poly_state);
}
/*
 * Absorb @len bytes of message data into the hash state. Data is processed in
 * 16-byte NH message units; any tail shorter than a unit is buffered in
 * ctx->buffer until more data arrives or nhpoly1305_final() pads it.
 *
 * @ctx: running hash state (initialized with nhpoly1305_init())
 * @key: transform context supplying the hash keys
 * @data, @len: next chunk of the message; any length, including 0
 */
static void nhpoly1305_update(struct nhpoly1305_ctx *ctx,
			      const struct adiantum_tfm_ctx *key,
			      const u8 *data, size_t len)
{
	unsigned int n;

	/* Step 1: top up a pending partial unit, if there is one. */
	if (ctx->buflen) {
		n = min(len, (int)NH_MESSAGE_UNIT - ctx->buflen);
		memcpy(&ctx->buffer[ctx->buflen], data, n);
		ctx->buflen += n;
		if (ctx->buflen < NH_MESSAGE_UNIT)
			return;	/* still partial; all input consumed */
		nhpoly1305_units(ctx, key, ctx->buffer, NH_MESSAGE_UNIT);
		ctx->buflen = 0;
		data += n;
		len -= n;
	}

	/* Step 2: whole units go straight through without copying. */
	if (len >= NH_MESSAGE_UNIT) {
		n = round_down(len, NH_MESSAGE_UNIT);
		nhpoly1305_units(ctx, key, data, n);
		data += n;
		len -= n;
	}

	/* Step 3: stash the (< 16 byte) remainder for later. */
	if (len) {
		memcpy(ctx->buffer, data, len);
		ctx->buflen = len;
	}
}
/*
 * Finish the hash: zero-pad any buffered partial unit (this is pad_128(L)),
 * flush a short final NH message into Poly1305, and emit the 128-bit result.
 *
 * @ctx: running hash state; not reusable afterwards without nhpoly1305_init()
 * @key: transform context supplying the hash keys
 * @out: receives the hash as a 128-bit little-endian value
 */
static void nhpoly1305_final(struct nhpoly1305_ctx *ctx,
			     const struct adiantum_tfm_ctx *key, le128 *out)
{
	const unsigned int tail = ctx->buflen;

	if (tail) {
		/* pad the last unit with zeros up to 16 bytes and hash it */
		memset(ctx->buffer + tail, 0, NH_MESSAGE_UNIT - tail);
		nhpoly1305_units(ctx, key, ctx->buffer, NH_MESSAGE_UNIT);
	}

	/* The final NH message may be shorter than 1024 bytes and therefore
	 * not yet folded into the polynomial; do it now. */
	if (ctx->nh_remaining)
		process_nh_hash_value(ctx, key);

	/* Raw ε-∆U output: no Poly1305 nonce is added (NULL). */
	poly1305_core_emit(&ctx->poly_state, NULL, out);
}
/*
 * Hash the left-hand part (the "bulk") of the message as follows:
 *
 *	H_L ← Poly1305_{K_L}(NH_{K_N}(pad_{128}(L)))
 *
 * See section 6.4 of the Adiantum paper. This is an ε-almost-∆-universal
 * (ε-∆U) hash function for equal-length inputs over Z/(2^{128}Z), where the "∆"
 * operation is addition. It hashes 1024-byte chunks of the input with the NH
 * hash function, reducing the input length by 32x. The resulting NH hashes are
 * evaluated as a polynomial in GF(2^{130}-5), like in the Poly1305 MAC. Note
 * that the polynomial evaluation by itself would suffice to achieve the ε-∆U
 * property; NH is used for performance since it's much faster than Poly1305.
 *
 * This is the general scatterlist path; adiantum_crypt() open-codes the same
 * init/update/final sequence for the single-page fast path.
 *
 * @req: request; the bulk length is req->cryptlen - BLOCKCIPHER_BLOCK_SIZE
 * @sgl: scatterlist holding the bulk (src or dst, depending on the step)
 * @out: receives H_L
 */
static void adiantum_hash_message(struct skcipher_request *req,
				  struct scatterlist *sgl, le128 *out)
{
	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
	const struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
	struct adiantum_request_ctx *rctx = skcipher_request_ctx(req);
	struct nhpoly1305_ctx *hctx = &rctx->u.hash_ctx;
	unsigned int remaining = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE;
	struct scatter_walk walk;

	nhpoly1305_init(hctx);
	scatterwalk_start(&walk, sgl);
	/* Walk the scatterlist one mapped chunk at a time, never past the bulk */
	while (remaining) {
		unsigned int chunk = scatterwalk_next(&walk, remaining);

		nhpoly1305_update(hctx, tctx, walk.addr, chunk);
		scatterwalk_done_src(&walk, chunk);
		remaining -= chunk;
	}
	nhpoly1305_final(hctx, tctx, out);
}
/*
 * Core of both adiantum_encrypt() and adiantum_decrypt(); the two differ only
 * in whether the block cipher is applied before (enc) or after (dec) the
 * stream cipher, and in which direction.
 *
 * The message is split into a left-hand "bulk" of bulk_len =
 * req->cryptlen - 16 bytes and a right-hand 16-byte part. Hash (tweak, bulk)
 * into the right part, run it through the block cipher, use the result as the
 * stream cipher nonce for the bulk, then subtract the hash of the *new* bulk.
 *
 * @req: the request. req->iv holds the TWEAK_SIZE-byte tweak; req->cryptlen
 *	 must be >= BLOCKCIPHER_BLOCK_SIZE. src and dst may be the same.
 * @enc: true to encrypt, false to decrypt.
 *
 * Returns 0 on success, -EINVAL if the request is shorter than one block, or
 * the error from the inner stream cipher.
 *
 * NOTE(review): rbuf, header_hash and msg_hash below hold per-message secret
 * intermediates (P_M/C_M and the hash values) on the stack and are not
 * explicitly cleared before returning. Whether that matters depends on the
 * threat model; memzero_explicit() would be the hardening if it does.
 */
static int adiantum_crypt(struct skcipher_request *req, bool enc)
{
	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
	const struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
	struct adiantum_request_ctx *rctx = skcipher_request_ctx(req);
	/*
	 * Computed before the length check below; for cryptlen < 16 this
	 * wraps (unsigned), which is harmless because -EINVAL is returned
	 * before it is used.
	 */
	const unsigned int bulk_len = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE;
	struct scatterlist *src = req->src, *dst = req->dst;
	/*
	 * Buffer for right-hand part of data, i.e.
	 *
	 *	P_L => P_M => C_M => C_R when encrypting, or
	 *	C_R => C_M => P_M => P_L when decrypting.
	 *
	 * Also used to build the IV for the stream cipher: bytes[0..15]
	 * (== bignum == words[0..3]) carry C_M, words[4..7] the rest of the
	 * 32-byte XChaCha IV.
	 */
	union {
		u8 bytes[XCHACHA_IV_SIZE];
		__le32 words[XCHACHA_IV_SIZE / sizeof(__le32)];
		le128 bignum; /* interpret as element of Z/(2^{128}Z) */
	} rbuf;
	le128 header_hash, msg_hash;
	unsigned int stream_len;
	int err;

	/* Adiantum needs at least the 16-byte right-hand part. */
	if (req->cryptlen < BLOCKCIPHER_BLOCK_SIZE)
		return -EINVAL;

	/*
	 * First hash step
	 *	enc: P_M = P_R + H_{K_H}(T, P_L)
	 *	dec: C_M = C_R + H_{K_H}(T, C_L)
	 */
	adiantum_hash_header(req, &header_hash);
	if (src->length >= req->cryptlen &&
	    src->offset + req->cryptlen <= PAGE_SIZE) {
		/*
		 * Fast path for single-page source: the whole request lives
		 * in one page, so hash the bulk and fetch the right-hand part
		 * from a single temporary mapping.
		 */
		void *virt = kmap_local_page(sg_page(src)) + src->offset;

		nhpoly1305_init(&rctx->u.hash_ctx);
		nhpoly1305_update(&rctx->u.hash_ctx, tctx, virt, bulk_len);
		nhpoly1305_final(&rctx->u.hash_ctx, tctx, &msg_hash);
		memcpy(&rbuf.bignum, virt + bulk_len, sizeof(le128));
		kunmap_local(virt);
	} else {
		/* Slow path that works for any source scatterlist */
		adiantum_hash_message(req, src, &msg_hash);
		memcpy_from_sglist(&rbuf.bignum, src, bulk_len, sizeof(le128));
	}
	/* rbuf = P_R (or C_R) + H_T + H_L, all mod 2^128 */
	le128_add(&rbuf.bignum, &rbuf.bignum, &header_hash);
	le128_add(&rbuf.bignum, &rbuf.bignum, &msg_hash);

	/* If encrypting, encrypt P_M with the block cipher to get C_M */
	if (enc)
		crypto_cipher_encrypt_one(tctx->blockcipher, rbuf.bytes,
					  rbuf.bytes);

	/*
	 * Initialize the rest of the XChaCha IV (first part is C_M).
	 * words[4] = 1 and words[5..7] = 0, i.e. C_M || 1 || 0... with the
	 * stream position starting at 0 (see the BUILD_BUG_ON comment).
	 */
	BUILD_BUG_ON(BLOCKCIPHER_BLOCK_SIZE != 16);
	BUILD_BUG_ON(XCHACHA_IV_SIZE != 32); /* nonce || stream position */
	rbuf.words[4] = cpu_to_le32(1);
	rbuf.words[5] = 0;
	rbuf.words[6] = 0;
	rbuf.words[7] = 0;

	/*
	 * XChaCha needs to be done on all the data except the last 16 bytes;
	 * for disk encryption that usually means 4080 or 496 bytes. But ChaCha
	 * implementations tend to be most efficient when passed a whole number
	 * of 64-byte ChaCha blocks, or sometimes even a multiple of 256 bytes.
	 * And here it doesn't matter whether the last 16 bytes are written to,
	 * as the second hash step will overwrite them. Thus, round the XChaCha
	 * length up to the next 64-byte boundary if possible. The rounding is
	 * skipped when it would exceed req->cryptlen, so dst is never written
	 * past the request.
	 */
	stream_len = bulk_len;
	if (round_up(stream_len, CHACHA_BLOCK_SIZE) <= req->cryptlen)
		stream_len = round_up(stream_len, CHACHA_BLOCK_SIZE);

	/*
	 * The sub-request gets no completion callback: adiantum_create()
	 * grabbed the stream cipher with CRYPTO_ALG_ASYNC in the mask
	 * (synchronous implementations only), so encrypt completes inline.
	 * rbuf is passed as the IV and is still needed afterwards (it holds
	 * C_M), so this relies on the XChaCha implementation not writing an
	 * updated IV back into the buffer — presumably true of the in-tree
	 * xchacha implementations; confirm if a new one is added.
	 */
	skcipher_request_set_tfm(&rctx->u.streamcipher_req, tctx->streamcipher);
	skcipher_request_set_crypt(&rctx->u.streamcipher_req, req->src,
				   req->dst, stream_len, &rbuf);
	skcipher_request_set_callback(&rctx->u.streamcipher_req,
				      req->base.flags, NULL, NULL);
	err = crypto_skcipher_encrypt(&rctx->u.streamcipher_req);
	if (err)
		return err;

	/* If decrypting, decrypt C_M with the block cipher to get P_M */
	if (!enc)
		crypto_cipher_decrypt_one(tctx->blockcipher, rbuf.bytes,
					  rbuf.bytes);

	/*
	 * Second hash step
	 *	enc: C_R = C_M - H_{K_H}(T, C_L)
	 *	dec: P_R = P_M - H_{K_H}(T, P_L)
	 *
	 * The bulk is now hashed from dst, i.e. over the stream-ciphered
	 * left-hand part; only bulk_len bytes are hashed, so any extra bytes
	 * the rounded-up stream length wrote are ignored and then overwritten.
	 */
	le128_sub(&rbuf.bignum, &rbuf.bignum, &header_hash);
	if (dst->length >= req->cryptlen &&
	    dst->offset + req->cryptlen <= PAGE_SIZE) {
		/* Fast path for single-page destination */
		struct page *page = sg_page(dst);
		void *virt = kmap_local_page(page) + dst->offset;

		nhpoly1305_init(&rctx->u.hash_ctx);
		nhpoly1305_update(&rctx->u.hash_ctx, tctx, virt, bulk_len);
		nhpoly1305_final(&rctx->u.hash_ctx, tctx, &msg_hash);
		le128_sub(&rbuf.bignum, &rbuf.bignum, &msg_hash);
		memcpy(virt + bulk_len, &rbuf.bignum, sizeof(le128));
		/* dst was written through a temporary mapping */
		flush_dcache_page(page);
		kunmap_local(virt);
	} else {
		/* Slow path that works for any destination scatterlist */
		adiantum_hash_message(req, dst, &msg_hash);
		le128_sub(&rbuf.bignum, &rbuf.bignum, &msg_hash);
		memcpy_to_sglist(dst, bulk_len, &rbuf.bignum, sizeof(le128));
	}
	return 0;
}
/* skcipher ->encrypt hook: run the shared Adiantum procedure in the
 * encrypt direction. Returns whatever adiantum_crypt() returns. */
static int adiantum_encrypt(struct skcipher_request *req)
{
	const bool encrypting = true;

	return adiantum_crypt(req, encrypting);
}
/* skcipher ->decrypt hook: run the shared Adiantum procedure in the
 * decrypt direction. Returns whatever adiantum_crypt() returns. */
static int adiantum_decrypt(struct skcipher_request *req)
{
	const bool encrypting = false;

	return adiantum_crypt(req, encrypting);
}
/*
 * Per-tfm init: instantiate the inner stream and block cipher transforms from
 * the instance's spawns and size the request context so that the stream
 * cipher sub-request (with its own variable-size context) fits inside it.
 *
 * Returns 0 on success or the PTR_ERR of whichever spawn failed; on failure
 * nothing is left allocated.
 */
static int adiantum_init_tfm(struct crypto_skcipher *tfm)
{
	struct skcipher_instance *inst = skcipher_alg_instance(tfm);
	struct adiantum_instance_ctx *ictx = skcipher_instance_ctx(inst);
	struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
	struct crypto_skcipher *stream;
	struct crypto_cipher *block;
	size_t sub_reqsize;

	stream = crypto_spawn_skcipher(&ictx->streamcipher_spawn);
	if (IS_ERR(stream))
		return PTR_ERR(stream);

	block = crypto_spawn_cipher(&ictx->blockcipher_spawn);
	if (IS_ERR(block)) {
		/* don't leak the stream cipher on the second failure */
		crypto_free_skcipher(stream);
		return PTR_ERR(block);
	}

	tctx->streamcipher = stream;
	tctx->blockcipher = block;

	/* The union must be the last member so the sub-request can grow past it. */
	BUILD_BUG_ON(offsetofend(struct adiantum_request_ctx, u) !=
		     sizeof(struct adiantum_request_ctx));
	sub_reqsize = offsetofend(struct adiantum_request_ctx,
				  u.streamcipher_req) +
		      crypto_skcipher_reqsize(stream);
	/* Large enough for both union members, whichever is bigger. */
	crypto_skcipher_set_reqsize(tfm,
				    max(sizeof(struct adiantum_request_ctx),
					sub_reqsize));
	return 0;
}
/*
 * Per-tfm teardown: release the two inner transforms acquired in
 * adiantum_init_tfm(). Nothing here wipes the derived keys stored in @tctx;
 * that is left to whoever frees the tfm context.
 */
static void adiantum_exit_tfm(struct crypto_skcipher *tfm)
{
	struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);

	crypto_free_cipher(tctx->blockcipher);
	crypto_free_skcipher(tctx->streamcipher);
}
/*
 * Release a template instance: drop both inner algorithm references and free
 * the instance allocation. Also used on adiantum_create()'s error paths, so
 * it must cope with spawns that were never successfully grabbed.
 */
static void adiantum_free_instance(struct skcipher_instance *inst)
{
	struct adiantum_instance_ctx *ictx = skcipher_instance_ctx(inst);

	crypto_drop_cipher(&ictx->blockcipher_spawn);
	crypto_drop_skcipher(&ictx->streamcipher_spawn);
	kfree(inst);
}
/*
 * Check for a supported set of inner algorithms.
 * See the comment at the beginning of this file.
 *
 * The stream cipher is matched by generic name (any xchacha12/xchacha20
 * implementation is accepted); the block cipher is only checked structurally,
 * i.e. it must have a 128-bit block and accept a 256-bit key, so ciphers
 * other than AES that meet those constraints are allowed.
 */
static bool
adiantum_supported_algorithms(struct skcipher_alg_common *streamcipher_alg,
			      struct crypto_alg *blockcipher_alg)
{
	const char *stream_name = streamcipher_alg->base.cra_name;
	bool stream_ok, keysize_ok, blocksize_ok;

	stream_ok = strcmp(stream_name, "xchacha12") == 0 ||
		    strcmp(stream_name, "xchacha20") == 0;
	keysize_ok = blockcipher_alg->cra_cipher.cia_min_keysize <=
			     BLOCKCIPHER_KEY_SIZE &&
		     blockcipher_alg->cra_cipher.cia_max_keysize >=
			     BLOCKCIPHER_KEY_SIZE;
	blocksize_ok = blockcipher_alg->cra_blocksize == BLOCKCIPHER_BLOCK_SIZE;

	return stream_ok && keysize_ok && blocksize_ok;
}
/*
 * Template ->create hook for "adiantum(streamcipher,blockcipher)".
 *
 * Grabs the two inner algorithms named in @tb, validates the combination,
 * fills in the skcipher_alg fields and registers the instance. A third
 * template parameter is rejected (it used to select an nhpoly1305
 * implementation; that is no longer supported).
 *
 * Returns 0 on success or a negative errno; on any failure the partially
 * built instance is torn down via adiantum_free_instance().
 */
static int adiantum_create(struct crypto_template *tmpl, struct rtattr **tb)
{
	struct skcipher_instance *inst;
	struct adiantum_instance_ctx *ictx;
	struct skcipher_alg_common *stream_alg;
	struct crypto_alg *block_alg;
	u32 mask;
	int err;

	err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_SKCIPHER, &mask);
	if (err)
		return err;

	inst = kzalloc(sizeof(*inst) + sizeof(*ictx), GFP_KERNEL);
	if (!inst)
		return -ENOMEM;
	ictx = skcipher_instance_ctx(inst);

	/*
	 * Stream cipher, e.g. "xchacha12". CRYPTO_ALG_ASYNC is added to the
	 * mask so only synchronous implementations match; adiantum_crypt()
	 * depends on this when it issues the sub-request without a callback.
	 */
	err = crypto_grab_skcipher(&ictx->streamcipher_spawn,
				   skcipher_crypto_instance(inst),
				   crypto_attr_alg_name(tb[1]), 0,
				   mask | CRYPTO_ALG_ASYNC /* sync only */);
	if (err)
		goto err_free_inst;
	stream_alg = crypto_spawn_skcipher_alg_common(&ictx->streamcipher_spawn);

	/* Block cipher, e.g. "aes" */
	err = crypto_grab_cipher(&ictx->blockcipher_spawn,
				 skcipher_crypto_instance(inst),
				 crypto_attr_alg_name(tb[2]), 0, mask);
	if (err)
		goto err_free_inst;
	block_alg = crypto_spawn_cipher_alg(&ictx->blockcipher_spawn);

	/*
	 * Originally there was an optional third parameter, for requesting a
	 * specific implementation of "nhpoly1305" for message hashing. This is
	 * no longer supported. The best implementation is just always used.
	 */
	if (crypto_attr_alg_name(tb[3]) != ERR_PTR(-ENOENT)) {
		err = -ENOENT;
		goto err_free_inst;
	}

	/* Check the set of algorithms */
	if (!adiantum_supported_algorithms(stream_alg, block_alg)) {
		pr_warn("Unsupported Adiantum instantiation: (%s,%s)\n",
			stream_alg->base.cra_name, block_alg->cra_name);
		err = -EINVAL;
		goto err_free_inst;
	}

	/* Instance names; both snprintf()s must fit in CRYPTO_MAX_ALG_NAME */
	err = -ENAMETOOLONG;
	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
		     "adiantum(%s,%s)", stream_alg->base.cra_name,
		     block_alg->cra_name) >= CRYPTO_MAX_ALG_NAME)
		goto err_free_inst;
	if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
		     "adiantum(%s,%s)", stream_alg->base.cra_driver_name,
		     block_alg->cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
		goto err_free_inst;

	inst->alg.base.cra_blocksize = BLOCKCIPHER_BLOCK_SIZE;
	inst->alg.base.cra_ctxsize = sizeof(struct adiantum_tfm_ctx);
	inst->alg.base.cra_alignmask = stream_alg->base.cra_alignmask;
	/*
	 * The block cipher is only invoked once per message, so for long
	 * messages (e.g. sectors for disk encryption) its performance doesn't
	 * matter as much as that of the stream cipher. Thus, weigh the block
	 * cipher's ->cra_priority less.
	 */
	inst->alg.base.cra_priority = (4 * stream_alg->base.cra_priority +
				       block_alg->cra_priority) / 5;

	inst->alg.setkey = adiantum_setkey;
	inst->alg.encrypt = adiantum_encrypt;
	inst->alg.decrypt = adiantum_decrypt;
	inst->alg.init = adiantum_init_tfm;
	inst->alg.exit = adiantum_exit_tfm;
	/* K_S limits are the stream cipher's; the tweak is the "IV" */
	inst->alg.min_keysize = stream_alg->min_keysize;
	inst->alg.max_keysize = stream_alg->max_keysize;
	inst->alg.ivsize = TWEAK_SIZE;

	inst->free = adiantum_free_instance;

	err = skcipher_register_instance(tmpl, inst);
	if (!err)
		return 0;

err_free_inst:
	adiantum_free_instance(inst);
	return err;
}
/*
 * The "adiantum" template: adiantum(streamcipher_name, blockcipher_name).
 * Instances are built on demand by adiantum_create() when a matching name is
 * requested through the crypto API.
 */
static struct crypto_template adiantum_tmpl = {
	.name = "adiantum",
	.create = adiantum_create,
	.module = THIS_MODULE,
};
/* Module entry point: make the "adiantum" template available. Returns the
 * registration result (0 on success, negative errno otherwise). */
static int __init adiantum_module_init(void)
{
	int err = crypto_register_template(&adiantum_tmpl);

	return err;
}
/* Module exit point: withdraw the "adiantum" template. */
static void __exit adiantum_module_exit(void)
{
	struct crypto_template *tmpl = &adiantum_tmpl;

	crypto_unregister_template(tmpl);
}
module_init(adiantum_module_init);
module_exit(adiantum_module_exit);

MODULE_DESCRIPTION("Adiantum length-preserving encryption mode");
MODULE_LICENSE("GPL v2");
MODULE_AUTHOR("Eric Biggers <ebiggers@google.com>");
/* Lets "adiantum(...)" requests autoload this module by template name */
MODULE_ALIAS_CRYPTO("adiantum");
/* Needed for the crypto/internal/cipher.h (crypto_cipher_*) API used above */
MODULE_IMPORT_NS("CRYPTO_INTERNAL");