git.samba.org / sfrench / cifs-2.6.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge branch 'x86-alternatives-for-linus' of git://git.kernel.org/pub/scm/linux/kerne...
[sfrench/cifs-2.6.git] / crypto / morus640.c
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * The MORUS-640 Authenticated-Encryption Algorithm
4  *
5  * Copyright (c) 2016-2018 Ondrej Mosnacek <omosnacek@gmail.com>
6  * Copyright (C) 2017-2018 Red Hat, Inc. All rights reserved.
7  */
8
9 #include <asm/unaligned.h>
10 #include <crypto/algapi.h>
11 #include <crypto/internal/aead.h>
12 #include <crypto/internal/skcipher.h>
13 #include <crypto/morus_common.h>
14 #include <crypto/scatterwalk.h>
15 #include <linux/err.h>
16 #include <linux/init.h>
17 #include <linux/kernel.h>
18 #include <linux/module.h>
19 #include <linux/scatterlist.h>
20
21 #define MORUS640_WORD_SIZE 4
22 #define MORUS640_BLOCK_SIZE (MORUS_BLOCK_WORDS * MORUS640_WORD_SIZE)
23 #define MORUS640_BLOCK_ALIGN (__alignof__(__le32))
24 #define MORUS640_ALIGNED(p) IS_ALIGNED((uintptr_t)p, MORUS640_BLOCK_ALIGN)
25
26 struct morus640_block {
27         u32 words[MORUS_BLOCK_WORDS];
28 };
29
30 union morus640_block_in {
31         __le32 words[MORUS_BLOCK_WORDS];
32         u8 bytes[MORUS640_BLOCK_SIZE];
33 };
34
35 struct morus640_state {
36         struct morus640_block s[MORUS_STATE_BLOCKS];
37 };
38
39 struct morus640_ctx {
40         struct morus640_block key;
41 };
42
43 struct morus640_ops {
44         int (*skcipher_walk_init)(struct skcipher_walk *walk,
45                                   struct aead_request *req, bool atomic);
46
47         void (*crypt_chunk)(struct morus640_state *state,
48                             u8 *dst, const u8 *src, unsigned int size);
49 };
50
51 static const struct morus640_block crypto_morus640_const[2] = {
52         { .words = {
53                 U32_C(0x02010100),
54                 U32_C(0x0d080503),
55                 U32_C(0x59372215),
56                 U32_C(0x6279e990),
57         } },
58         { .words = {
59                 U32_C(0x55183ddb),
60                 U32_C(0xf12fc26d),
61                 U32_C(0x42311120),
62                 U32_C(0xdd28b573),
63         } },
64 };
65
66 static void crypto_morus640_round(struct morus640_block *b0,
67                                   struct morus640_block *b1,
68                                   struct morus640_block *b2,
69                                   struct morus640_block *b3,
70                                   struct morus640_block *b4,
71                                   const struct morus640_block *m,
72                                   unsigned int b, unsigned int w)
73 {
74         unsigned int i;
75         struct morus640_block tmp;
76
77         for (i = 0; i < MORUS_BLOCK_WORDS; i++) {
78                 b0->words[i] ^= b1->words[i] & b2->words[i];
79                 b0->words[i] ^= b3->words[i];
80                 b0->words[i] ^= m->words[i];
81                 b0->words[i] = rol32(b0->words[i], b);
82         }
83
84         tmp = *b3;
85         for (i = 0; i < MORUS_BLOCK_WORDS; i++)
86                 b3->words[(i + w) % MORUS_BLOCK_WORDS] = tmp.words[i];
87 }
88
89 static void crypto_morus640_update(struct morus640_state *state,
90                                    const struct morus640_block *m)
91 {
92         static const struct morus640_block z = {};
93
94         struct morus640_block *s = state->s;
95
96         crypto_morus640_round(&s[0], &s[1], &s[2], &s[3], &s[4], &z,  5, 1);
97         crypto_morus640_round(&s[1], &s[2], &s[3], &s[4], &s[0], m,  31, 2);
98         crypto_morus640_round(&s[2], &s[3], &s[4], &s[0], &s[1], m,   7, 3);
99         crypto_morus640_round(&s[3], &s[4], &s[0], &s[1], &s[2], m,  22, 2);
100         crypto_morus640_round(&s[4], &s[0], &s[1], &s[2], &s[3], m,  13, 1);
101 }
102
103 static void crypto_morus640_load_a(struct morus640_block *dst, const u8 *src)
104 {
105         unsigned int i;
106         for (i = 0; i < MORUS_BLOCK_WORDS; i++) {
107                 dst->words[i] = le32_to_cpu(*(const __le32 *)src);
108                 src += MORUS640_WORD_SIZE;
109         }
110 }
111
112 static void crypto_morus640_load_u(struct morus640_block *dst, const u8 *src)
113 {
114         unsigned int i;
115         for (i = 0; i < MORUS_BLOCK_WORDS; i++) {
116                 dst->words[i] = get_unaligned_le32(src);
117                 src += MORUS640_WORD_SIZE;
118         }
119 }
120
121 static void crypto_morus640_load(struct morus640_block *dst, const u8 *src)
122 {
123         if (MORUS640_ALIGNED(src))
124                 crypto_morus640_load_a(dst, src);
125         else
126                 crypto_morus640_load_u(dst, src);
127 }
128
129 static void crypto_morus640_store_a(u8 *dst, const struct morus640_block *src)
130 {
131         unsigned int i;
132         for (i = 0; i < MORUS_BLOCK_WORDS; i++) {
133                 *(__le32 *)dst = cpu_to_le32(src->words[i]);
134                 dst += MORUS640_WORD_SIZE;
135         }
136 }
137
138 static void crypto_morus640_store_u(u8 *dst, const struct morus640_block *src)
139 {
140         unsigned int i;
141         for (i = 0; i < MORUS_BLOCK_WORDS; i++) {
142                 put_unaligned_le32(src->words[i], dst);
143                 dst += MORUS640_WORD_SIZE;
144         }
145 }
146
147 static void crypto_morus640_store(u8 *dst, const struct morus640_block *src)
148 {
149         if (MORUS640_ALIGNED(dst))
150                 crypto_morus640_store_a(dst, src);
151         else
152                 crypto_morus640_store_u(dst, src);
153 }
154
155 static void crypto_morus640_ad(struct morus640_state *state, const u8 *src,
156                                unsigned int size)
157 {
158         struct morus640_block m;
159
160         if (MORUS640_ALIGNED(src)) {
161                 while (size >= MORUS640_BLOCK_SIZE) {
162                         crypto_morus640_load_a(&m, src);
163                         crypto_morus640_update(state, &m);
164
165                         size -= MORUS640_BLOCK_SIZE;
166                         src += MORUS640_BLOCK_SIZE;
167                 }
168         } else {
169                 while (size >= MORUS640_BLOCK_SIZE) {
170                         crypto_morus640_load_u(&m, src);
171                         crypto_morus640_update(state, &m);
172
173                         size -= MORUS640_BLOCK_SIZE;
174                         src += MORUS640_BLOCK_SIZE;
175                 }
176         }
177 }
178
179 static void crypto_morus640_core(const struct morus640_state *state,
180                                  struct morus640_block *blk)
181 {
182         unsigned int i;
183
184         for (i = 0; i < MORUS_BLOCK_WORDS; i++)
185                 blk->words[(i + 3) % MORUS_BLOCK_WORDS] ^= state->s[1].words[i];
186
187         for (i = 0; i < MORUS_BLOCK_WORDS; i++) {
188                 blk->words[i] ^= state->s[0].words[i];
189                 blk->words[i] ^= state->s[2].words[i] & state->s[3].words[i];
190         }
191 }
192
193 static void crypto_morus640_encrypt_chunk(struct morus640_state *state, u8 *dst,
194                                           const u8 *src, unsigned int size)
195 {
196         struct morus640_block c, m;
197
198         if (MORUS640_ALIGNED(src) && MORUS640_ALIGNED(dst)) {
199                 while (size >= MORUS640_BLOCK_SIZE) {
200                         crypto_morus640_load_a(&m, src);
201                         c = m;
202                         crypto_morus640_core(state, &c);
203                         crypto_morus640_store_a(dst, &c);
204                         crypto_morus640_update(state, &m);
205
206                         src += MORUS640_BLOCK_SIZE;
207                         dst += MORUS640_BLOCK_SIZE;
208                         size -= MORUS640_BLOCK_SIZE;
209                 }
210         } else {
211                 while (size >= MORUS640_BLOCK_SIZE) {
212                         crypto_morus640_load_u(&m, src);
213                         c = m;
214                         crypto_morus640_core(state, &c);
215                         crypto_morus640_store_u(dst, &c);
216                         crypto_morus640_update(state, &m);
217
218                         src += MORUS640_BLOCK_SIZE;
219                         dst += MORUS640_BLOCK_SIZE;
220                         size -= MORUS640_BLOCK_SIZE;
221                 }
222         }
223
224         if (size > 0) {
225                 union morus640_block_in tail;
226
227                 memcpy(tail.bytes, src, size);
228                 memset(tail.bytes + size, 0, MORUS640_BLOCK_SIZE - size);
229
230                 crypto_morus640_load_a(&m, tail.bytes);
231                 c = m;
232                 crypto_morus640_core(state, &c);
233                 crypto_morus640_store_a(tail.bytes, &c);
234                 crypto_morus640_update(state, &m);
235
236                 memcpy(dst, tail.bytes, size);
237         }
238 }
239
240 static void crypto_morus640_decrypt_chunk(struct morus640_state *state, u8 *dst,
241                                           const u8 *src, unsigned int size)
242 {
243         struct morus640_block m;
244
245         if (MORUS640_ALIGNED(src) && MORUS640_ALIGNED(dst)) {
246                 while (size >= MORUS640_BLOCK_SIZE) {
247                         crypto_morus640_load_a(&m, src);
248                         crypto_morus640_core(state, &m);
249                         crypto_morus640_store_a(dst, &m);
250                         crypto_morus640_update(state, &m);
251
252                         src += MORUS640_BLOCK_SIZE;
253                         dst += MORUS640_BLOCK_SIZE;
254                         size -= MORUS640_BLOCK_SIZE;
255                 }
256         } else {
257                 while (size >= MORUS640_BLOCK_SIZE) {
258                         crypto_morus640_load_u(&m, src);
259                         crypto_morus640_core(state, &m);
260                         crypto_morus640_store_u(dst, &m);
261                         crypto_morus640_update(state, &m);
262
263                         src += MORUS640_BLOCK_SIZE;
264                         dst += MORUS640_BLOCK_SIZE;
265                         size -= MORUS640_BLOCK_SIZE;
266                 }
267         }
268
269         if (size > 0) {
270                 union morus640_block_in tail;
271
272                 memcpy(tail.bytes, src, size);
273                 memset(tail.bytes + size, 0, MORUS640_BLOCK_SIZE - size);
274
275                 crypto_morus640_load_a(&m, tail.bytes);
276                 crypto_morus640_core(state, &m);
277                 crypto_morus640_store_a(tail.bytes, &m);
278                 memset(tail.bytes + size, 0, MORUS640_BLOCK_SIZE - size);
279                 crypto_morus640_load_a(&m, tail.bytes);
280                 crypto_morus640_update(state, &m);
281
282                 memcpy(dst, tail.bytes, size);
283         }
284 }
285
286 static void crypto_morus640_init(struct morus640_state *state,
287                                  const struct morus640_block *key,
288                                  const u8 *iv)
289 {
290         static const struct morus640_block z = {};
291
292         unsigned int i;
293
294         crypto_morus640_load(&state->s[0], iv);
295         state->s[1] = *key;
296         for (i = 0; i < MORUS_BLOCK_WORDS; i++)
297                 state->s[2].words[i] = U32_C(0xFFFFFFFF);
298         state->s[3] = crypto_morus640_const[0];
299         state->s[4] = crypto_morus640_const[1];
300
301         for (i = 0; i < 16; i++)
302                 crypto_morus640_update(state, &z);
303
304         for (i = 0; i < MORUS_BLOCK_WORDS; i++)
305                 state->s[1].words[i] ^= key->words[i];
306 }
307
308 static void crypto_morus640_process_ad(struct morus640_state *state,
309                                        struct scatterlist *sg_src,
310                                        unsigned int assoclen)
311 {
312         struct scatter_walk walk;
313         struct morus640_block m;
314         union morus640_block_in buf;
315         unsigned int pos = 0;
316
317         scatterwalk_start(&walk, sg_src);
318         while (assoclen != 0) {
319                 unsigned int size = scatterwalk_clamp(&walk, assoclen);
320                 unsigned int left = size;
321                 void *mapped = scatterwalk_map(&walk);
322                 const u8 *src = (const u8 *)mapped;
323
324                 if (pos + size >= MORUS640_BLOCK_SIZE) {
325                         if (pos > 0) {
326                                 unsigned int fill = MORUS640_BLOCK_SIZE - pos;
327                                 memcpy(buf.bytes + pos, src, fill);
328
329                                 crypto_morus640_load_a(&m, buf.bytes);
330                                 crypto_morus640_update(state, &m);
331
332                                 pos = 0;
333                                 left -= fill;
334                                 src += fill;
335                         }
336
337                         crypto_morus640_ad(state, src, left);
338                         src += left & ~(MORUS640_BLOCK_SIZE - 1);
339                         left &= MORUS640_BLOCK_SIZE - 1;
340                 }
341
342                 memcpy(buf.bytes + pos, src, left);
343
344                 pos += left;
345                 assoclen -= size;
346                 scatterwalk_unmap(mapped);
347                 scatterwalk_advance(&walk, size);
348                 scatterwalk_done(&walk, 0, assoclen);
349         }
350
351         if (pos > 0) {
352                 memset(buf.bytes + pos, 0, MORUS640_BLOCK_SIZE - pos);
353
354                 crypto_morus640_load_a(&m, buf.bytes);
355                 crypto_morus640_update(state, &m);
356         }
357 }
358
359 static void crypto_morus640_process_crypt(struct morus640_state *state,
360                                           struct aead_request *req,
361                                           const struct morus640_ops *ops)
362 {
363         struct skcipher_walk walk;
364
365         ops->skcipher_walk_init(&walk, req, false);
366
367         while (walk.nbytes) {
368                 unsigned int nbytes = walk.nbytes;
369
370                 if (nbytes < walk.total)
371                         nbytes = round_down(nbytes, walk.stride);
372
373                 ops->crypt_chunk(state, walk.dst.virt.addr, walk.src.virt.addr,
374                                  nbytes);
375
376                 skcipher_walk_done(&walk, walk.nbytes - nbytes);
377         }
378 }
379
380 static void crypto_morus640_final(struct morus640_state *state,
381                                   struct morus640_block *tag_xor,
382                                   u64 assoclen, u64 cryptlen)
383 {
384         struct morus640_block tmp;
385         unsigned int i;
386
387         tmp.words[0] = lower_32_bits(assoclen * 8);
388         tmp.words[1] = upper_32_bits(assoclen * 8);
389         tmp.words[2] = lower_32_bits(cryptlen * 8);
390         tmp.words[3] = upper_32_bits(cryptlen * 8);
391
392         for (i = 0; i < MORUS_BLOCK_WORDS; i++)
393                 state->s[4].words[i] ^= state->s[0].words[i];
394
395         for (i = 0; i < 10; i++)
396                 crypto_morus640_update(state, &tmp);
397
398         crypto_morus640_core(state, tag_xor);
399 }
400
401 static int crypto_morus640_setkey(struct crypto_aead *aead, const u8 *key,
402                                   unsigned int keylen)
403 {
404         struct morus640_ctx *ctx = crypto_aead_ctx(aead);
405
406         if (keylen != MORUS640_BLOCK_SIZE) {
407                 crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_KEY_LEN);
408                 return -EINVAL;
409         }
410
411         crypto_morus640_load(&ctx->key, key);
412         return 0;
413 }
414
415 static int crypto_morus640_setauthsize(struct crypto_aead *tfm,
416                                        unsigned int authsize)
417 {
418         return (authsize <= MORUS_MAX_AUTH_SIZE) ? 0 : -EINVAL;
419 }
420
421 static void crypto_morus640_crypt(struct aead_request *req,
422                                   struct morus640_block *tag_xor,
423                                   unsigned int cryptlen,
424                                   const struct morus640_ops *ops)
425 {
426         struct crypto_aead *tfm = crypto_aead_reqtfm(req);
427         struct morus640_ctx *ctx = crypto_aead_ctx(tfm);
428         struct morus640_state state;
429
430         crypto_morus640_init(&state, &ctx->key, req->iv);
431         crypto_morus640_process_ad(&state, req->src, req->assoclen);
432         crypto_morus640_process_crypt(&state, req, ops);
433         crypto_morus640_final(&state, tag_xor, req->assoclen, cryptlen);
434 }
435
436 static int crypto_morus640_encrypt(struct aead_request *req)
437 {
438         static const struct morus640_ops ops = {
439                 .skcipher_walk_init = skcipher_walk_aead_encrypt,
440                 .crypt_chunk = crypto_morus640_encrypt_chunk,
441         };
442
443         struct crypto_aead *tfm = crypto_aead_reqtfm(req);
444         struct morus640_block tag = {};
445         union morus640_block_in tag_out;
446         unsigned int authsize = crypto_aead_authsize(tfm);
447         unsigned int cryptlen = req->cryptlen;
448
449         crypto_morus640_crypt(req, &tag, cryptlen, &ops);
450         crypto_morus640_store(tag_out.bytes, &tag);
451
452         scatterwalk_map_and_copy(tag_out.bytes, req->dst,
453                                  req->assoclen + cryptlen, authsize, 1);
454         return 0;
455 }
456
457 static int crypto_morus640_decrypt(struct aead_request *req)
458 {
459         static const struct morus640_ops ops = {
460                 .skcipher_walk_init = skcipher_walk_aead_decrypt,
461                 .crypt_chunk = crypto_morus640_decrypt_chunk,
462         };
463         static const u8 zeros[MORUS640_BLOCK_SIZE] = {};
464
465         struct crypto_aead *tfm = crypto_aead_reqtfm(req);
466         union morus640_block_in tag_in;
467         struct morus640_block tag;
468         unsigned int authsize = crypto_aead_authsize(tfm);
469         unsigned int cryptlen = req->cryptlen - authsize;
470
471         scatterwalk_map_and_copy(tag_in.bytes, req->src,
472                                  req->assoclen + cryptlen, authsize, 0);
473
474         crypto_morus640_load(&tag, tag_in.bytes);
475         crypto_morus640_crypt(req, &tag, cryptlen, &ops);
476         crypto_morus640_store(tag_in.bytes, &tag);
477
478         return crypto_memneq(tag_in.bytes, zeros, authsize) ? -EBADMSG : 0;
479 }
480
481 static int crypto_morus640_init_tfm(struct crypto_aead *tfm)
482 {
483         return 0;
484 }
485
486 static void crypto_morus640_exit_tfm(struct crypto_aead *tfm)
487 {
488 }
489
490 static struct aead_alg crypto_morus640_alg = {
491         .setkey = crypto_morus640_setkey,
492         .setauthsize = crypto_morus640_setauthsize,
493         .encrypt = crypto_morus640_encrypt,
494         .decrypt = crypto_morus640_decrypt,
495         .init = crypto_morus640_init_tfm,
496         .exit = crypto_morus640_exit_tfm,
497
498         .ivsize = MORUS_NONCE_SIZE,
499         .maxauthsize = MORUS_MAX_AUTH_SIZE,
500         .chunksize = MORUS640_BLOCK_SIZE,
501
502         .base = {
503                 .cra_blocksize = 1,
504                 .cra_ctxsize = sizeof(struct morus640_ctx),
505                 .cra_alignmask = 0,
506
507                 .cra_priority = 100,
508
509                 .cra_name = "morus640",
510                 .cra_driver_name = "morus640-generic",
511
512                 .cra_module = THIS_MODULE,
513         }
514 };
515
516 static int __init crypto_morus640_module_init(void)
517 {
518         return crypto_register_aead(&crypto_morus640_alg);
519 }
520
521 static void __exit crypto_morus640_module_exit(void)
522 {
523         crypto_unregister_aead(&crypto_morus640_alg);
524 }
525
526 module_init(crypto_morus640_module_init);
527 module_exit(crypto_morus640_module_exit);
528
529 MODULE_LICENSE("GPL");
530 MODULE_AUTHOR("Ondrej Mosnacek <omosnacek@gmail.com>");
531 MODULE_DESCRIPTION("MORUS-640 AEAD algorithm");
532 MODULE_ALIAS_CRYPTO("morus640");
533 MODULE_ALIAS_CRYPTO("morus640-generic");
Unnamed repository; edit this file 'description' to name the repository.