[thirdparty/linux.git] / crypto / keywrap.c

/*
 * Key Wrapping: RFC3394 / NIST SP800-38F
 *
 * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, and the entire permission notice in its entirety,
 *    including the disclaimer of warranties.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior
 *    written permission.
 *
 * ALTERNATIVELY, this product may be distributed under the terms of
 * the GNU General Public License, in which case the provisions of the GPL2
 * are required INSTEAD OF the above restrictions.  (This clause is
 * necessary due to a potential bad interaction between the GPL and
 * the restrictions contained in a BSD-style copyright.)
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
 * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
 * DAMAGE.
 */

/*
 * Note for using key wrapping:
 *
 *	* The result of the encryption operation is the ciphertext starting
 *	  with the 2nd semiblock. The first semiblock is provided as the IV.
 *	  The IV used to start the encryption operation is the default IV.
 *
 *	* The input for the decryption is the first semiblock handed in as an
 *	  IV. The ciphertext is the data starting with the 2nd semiblock. The
 *	  return code of the decryption operation will be EBADMSG in case an
 *	  integrity error occurs.
 *
 * To obtain the full result of an encryption as expected by SP800-38F, the
 * caller must allocate a buffer of plaintext + 8 bytes:
 *
 *	unsigned int datalen = ptlen + crypto_skcipher_ivsize(tfm);
 *	u8 data[datalen];
 *	u8 *iv = data;
 *	u8 *pt = data + crypto_skcipher_ivsize(tfm);
 *		<ensure that pt contains the plaintext of size ptlen>
 *	sg_init_one(&sg, pt, ptlen);
 *	skcipher_request_set_crypt(req, &sg, &sg, ptlen, iv);
 *
 *	==> After encryption, data now contains full KW result as per SP800-38F.
 *
 * In case of decryption, ciphertext now already has the expected length
 * and must be segmented appropriately:
 *
 *	unsigned int datalen = CTLEN;
 *	u8 data[datalen];
 *		<ensure that data contains full ciphertext>
 *	u8 *iv = data;
 *	u8 *ct = data + crypto_skcipher_ivsize(tfm);
 *	unsigned int ctlen = datalen - crypto_skcipher_ivsize(tfm);
 *	sg_init_one(&sg, ct, ctlen);
 *	skcipher_request_set_crypt(req, &sg, &sg, ctlen, iv);
 *
 *	==> After decryption (which hopefully does not return EBADMSG), the ct
 *	pointer now points to the plaintext of size ctlen.
 *
 * Note 2: KWP is not implemented as this would defy in-place operation.
 *	   If somebody wants to wrap non-aligned data, he should simply pad
 *	   the input with zeros to fill it up to the 8 byte boundary.
 */

#include <linux/module.h>
#include <linux/crypto.h>
#include <linux/scatterlist.h>
#include <crypto/scatterwalk.h>
#include <crypto/internal/cipher.h>
#include <crypto/internal/skcipher.h>

struct crypto_kw_block {
#define SEMIBSIZE 8
	__be64 A;
	__be64 R;
};

/*
 * Fast forward the SGL to the "end" length minus SEMIBSIZE.
 * The start in the SGL defined by the fast-forward is returned with
 * the walk variable
 */
static void crypto_kw_scatterlist_ff(struct scatter_walk *walk,
				     struct scatterlist *sg,
				     unsigned int end)
{
	unsigned int skip = 0;

	/* The caller should only operate on full SEMIBLOCKs. */
	BUG_ON(end < SEMIBSIZE);

	skip = end - SEMIBSIZE;
	while (sg) {
		if (sg->length > skip) {
			scatterwalk_start(walk, sg);
			scatterwalk_advance(walk, skip);
			break;
		}

		skip -= sg->length;
		sg = sg_next(sg);
	}
}

static int crypto_kw_decrypt(struct skcipher_request *req)
{
	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
	struct crypto_cipher *cipher = skcipher_cipher_simple(tfm);
	struct crypto_kw_block block;
	struct scatterlist *src, *dst;
	u64 t = 6 * ((req->cryptlen) >> 3);
	unsigned int i;
	int ret = 0;

	/*
	 * Require at least 2 semiblocks (note, the 3rd semiblock that is
	 * required by SP800-38F is the IV.
	 */
	if (req->cryptlen < (2 * SEMIBSIZE) || req->cryptlen % SEMIBSIZE)
		return -EINVAL;

	/* Place the IV into block A */
	memcpy(&block.A, req->iv, SEMIBSIZE);

	/*
	 * src scatterlist is read-only. dst scatterlist is r/w. During the
	 * first loop, src points to req->src and dst to req->dst. For any
	 * subsequent round, the code operates on req->dst only.
	 */
	src = req->src;
	dst = req->dst;

	for (i = 0; i < 6; i++) {
		struct scatter_walk src_walk, dst_walk;
		unsigned int nbytes = req->cryptlen;

		while (nbytes) {
			/* move pointer by nbytes in the SGL */
			crypto_kw_scatterlist_ff(&src_walk, src, nbytes);
			/* get the source block */
			scatterwalk_copychunks(&block.R, &src_walk, SEMIBSIZE,
					       false);

			/* perform KW operation: modify IV with counter */
			block.A ^= cpu_to_be64(t);
			t--;
			/* perform KW operation: decrypt block */
			crypto_cipher_decrypt_one(cipher, (u8 *)&block,
						  (u8 *)&block);

			/* move pointer by nbytes in the SGL */
			crypto_kw_scatterlist_ff(&dst_walk, dst, nbytes);
			/* Copy block->R into place */
			scatterwalk_copychunks(&block.R, &dst_walk, SEMIBSIZE,
					       true);

			nbytes -= SEMIBSIZE;
		}

		/* we now start to operate on the dst SGL only */
		src = req->dst;
		dst = req->dst;
	}

	/* Perform authentication check */
	if (block.A != cpu_to_be64(0xa6a6a6a6a6a6a6a6ULL))
		ret = -EBADMSG;

	memzero_explicit(&block, sizeof(struct crypto_kw_block));

	return ret;
}

static int crypto_kw_encrypt(struct skcipher_request *req)
{
	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
	struct crypto_cipher *cipher = skcipher_cipher_simple(tfm);
	struct crypto_kw_block block;
	struct scatterlist *src, *dst;
	u64 t = 1;
	unsigned int i;

	/*
	 * Require at least 2 semiblocks (note, the 3rd semiblock that is
	 * required by SP800-38F is the IV that occupies the first semiblock.
	 * This means that the dst memory must be one semiblock larger than src.
	 * Also ensure that the given data is aligned to semiblock.
	 */
	if (req->cryptlen < (2 * SEMIBSIZE) || req->cryptlen % SEMIBSIZE)
		return -EINVAL;

	/*
	 * Place the predefined IV into block A -- for encrypt, the caller
	 * does not need to provide an IV, but he needs to fetch the final IV.
	 */
	block.A = cpu_to_be64(0xa6a6a6a6a6a6a6a6ULL);

	/*
	 * src scatterlist is read-only. dst scatterlist is r/w. During the
	 * first loop, src points to req->src and dst to req->dst. For any
	 * subsequent round, the code operates on req->dst only.
	 */
	src = req->src;
	dst = req->dst;

	for (i = 0; i < 6; i++) {
		struct scatter_walk src_walk, dst_walk;
		unsigned int nbytes = req->cryptlen;

		scatterwalk_start(&src_walk, src);
		scatterwalk_start(&dst_walk, dst);

		while (nbytes) {
			/* get the source block */
			scatterwalk_copychunks(&block.R, &src_walk, SEMIBSIZE,
					       false);

			/* perform KW operation: encrypt block */
			crypto_cipher_encrypt_one(cipher, (u8 *)&block,
						  (u8 *)&block);
			/* perform KW operation: modify IV with counter */
			block.A ^= cpu_to_be64(t);
			t++;

			/* Copy block->R into place */
			scatterwalk_copychunks(&block.R, &dst_walk, SEMIBSIZE,
					       true);

			nbytes -= SEMIBSIZE;
		}

		/* we now start to operate on the dst SGL only */
		src = req->dst;
		dst = req->dst;
	}

	/* establish the IV for the caller to pick up */
	memcpy(req->iv, &block.A, SEMIBSIZE);

	memzero_explicit(&block, sizeof(struct crypto_kw_block));

	return 0;
}

static int crypto_kw_create(struct crypto_template *tmpl, struct rtattr **tb)
{
	struct skcipher_instance *inst;
	struct crypto_alg *alg;
	int err;

	inst = skcipher_alloc_instance_simple(tmpl, tb);
	if (IS_ERR(inst))
		return PTR_ERR(inst);

	alg = skcipher_ialg_simple(inst);

	err = -EINVAL;
	/* Section 5.1 requirement for KW */
	if (alg->cra_blocksize != sizeof(struct crypto_kw_block))
		goto out_free_inst;

	inst->alg.base.cra_blocksize = SEMIBSIZE;
	inst->alg.base.cra_alignmask = 0;
	inst->alg.ivsize = SEMIBSIZE;

	inst->alg.encrypt = crypto_kw_encrypt;
	inst->alg.decrypt = crypto_kw_decrypt;

	err = skcipher_register_instance(tmpl, inst);
	if (err) {
out_free_inst:
		inst->free(inst);
	}

	return err;
}

static struct crypto_template crypto_kw_tmpl = {
	.name = "kw",
	.create = crypto_kw_create,
	.module = THIS_MODULE,
};

static int __init crypto_kw_init(void)
{
	return crypto_register_template(&crypto_kw_tmpl);
}

static void __exit crypto_kw_exit(void)
{
	crypto_unregister_template(&crypto_kw_tmpl);
}

subsys_initcall(crypto_kw_init);
module_exit(crypto_kw_exit);

MODULE_LICENSE("Dual BSD/GPL");
MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
MODULE_DESCRIPTION("Key Wrapping (RFC3394 / NIST SP800-38F)");
MODULE_ALIAS_CRYPTO("kw");
MODULE_IMPORT_NS(CRYPTO_INTERNAL);
Commit	Line	Data
e28facde SM	1	/*
	2	* Key Wrapping: RFC3394 / NIST SP800-38F
	3	*
	4	* Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
	5	*
	6	* Redistribution and use in source and binary forms, with or without
	7	* modification, are permitted provided that the following conditions
	8	* are met:
	9	* 1. Redistributions of source code must retain the above copyright
	10	* notice, and the entire permission notice in its entirety,
	11	* including the disclaimer of warranties.
	12	* 2. Redistributions in binary form must reproduce the above copyright
	13	* notice, this list of conditions and the following disclaimer in the
	14	* documentation and/or other materials provided with the distribution.
	15	* 3. The name of the author may not be used to endorse or promote
	16	* products derived from this software without specific prior
	17	* written permission.
	18	*
	19	* ALTERNATIVELY, this product may be distributed under the terms of
	20	* the GNU General Public License, in which case the provisions of the GPL2
	21	* are required INSTEAD OF the above restrictions. (This clause is
	22	* necessary due to a potential bad interaction between the GPL and
	23	* the restrictions contained in a BSD-style copyright.)
	24	*
	25	* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
	26	* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	27	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
	28	* WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
	29	* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
	30	* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
	31	* OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
	32	* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
	33	* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	34	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
	35	* USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
	36	* DAMAGE.
	37	*/
	38
	39	/*
	40	* Note for using key wrapping:
	41	*
	42	* * The result of the encryption operation is the ciphertext starting
	43	* with the 2nd semiblock. The first semiblock is provided as the IV.
	44	* The IV used to start the encryption operation is the default IV.
	45	*
	46	* * The input for the decryption is the first semiblock handed in as an
	47	* IV. The ciphertext is the data starting with the 2nd semiblock. The
	48	* return code of the decryption operation will be EBADMSG in case an
	49	* integrity error occurs.
	50	*
	51	* To obtain the full result of an encryption as expected by SP800-38F, the
	52	* caller must allocate a buffer of plaintext + 8 bytes:
	53	*
	54	* unsigned int datalen = ptlen + crypto_skcipher_ivsize(tfm);
	55	* u8 data[datalen];
	56	* u8 *iv = data;
	57	* u8 *pt = data + crypto_skcipher_ivsize(tfm);
	58	* <ensure that pt contains the plaintext of size ptlen>
6b611d98	59	* sg_init_one(&sg, pt, ptlen);
e28facde SM	60	* skcipher_request_set_crypt(req, &sg, &sg, ptlen, iv);
	61	*
	62	* ==> After encryption, data now contains full KW result as per SP800-38F.
	63	*
	64	* In case of decryption, ciphertext now already has the expected length
	65	* and must be segmented appropriately:
	66	*
	67	* unsigned int datalen = CTLEN;
	68	* u8 data[datalen];
	69	* <ensure that data contains full ciphertext>
	70	* u8 *iv = data;
	71	* u8 *ct = data + crypto_skcipher_ivsize(tfm);
	72	* unsigned int ctlen = datalen - crypto_skcipher_ivsize(tfm);
6b611d98 EB	73	* sg_init_one(&sg, ct, ctlen);
6b611d98 EB	74	* skcipher_request_set_crypt(req, &sg, &sg, ctlen, iv);
e28facde SM	75	*
	76	* ==> After decryption (which hopefully does not return EBADMSG), the ct
	77	* pointer now points to the plaintext of size ctlen.
	78	*
	79	* Note 2: KWP is not implemented as this would defy in-place operation.
	80	* If somebody wants to wrap non-aligned data, he should simply pad
	81	* the input with zeros to fill it up to the 8 byte boundary.
	82	*/
	83
	84	#include <linux/module.h>
	85	#include <linux/crypto.h>
	86	#include <linux/scatterlist.h>
	87	#include <crypto/scatterwalk.h>
0eb76ba2	88	#include <crypto/internal/cipher.h>
e28facde SM	89	#include <crypto/internal/skcipher.h>
e28facde SM	90
e28facde SM	91	struct crypto_kw_block {
e28facde SM	92	#define SEMIBSIZE 8
9e49451d SM	93	__be64 A;
9e49451d SM	94	__be64 R;
e28facde SM	95	};
e28facde SM	96
e28facde SM	97	/*
	98	* Fast forward the SGL to the "end" length minus SEMIBSIZE.
	99	* The start in the SGL defined by the fast-forward is returned with
	100	* the walk variable
	101	*/
	102	static void crypto_kw_scatterlist_ff(struct scatter_walk *walk,
	103	struct scatterlist *sg,
	104	unsigned int end)
	105	{
	106	unsigned int skip = 0;
	107
	108	/* The caller should only operate on full SEMIBLOCKs. */
	109	BUG_ON(end < SEMIBSIZE);
	110
	111	skip = end - SEMIBSIZE;
	112	while (sg) {
	113	if (sg->length > skip) {
	114	scatterwalk_start(walk, sg);
	115	scatterwalk_advance(walk, skip);
	116	break;
c29da970	117	}
e28facde	118
c29da970	119	skip -= sg->length;
e28facde SM	120	sg = sg_next(sg);
	121	}
	122	}
	123
6b611d98	124	static int crypto_kw_decrypt(struct skcipher_request *req)
e28facde	125	{
6b611d98 EB	126	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
6b611d98 EB	127	struct crypto_cipher *cipher = skcipher_cipher_simple(tfm);
9e49451d	128	struct crypto_kw_block block;
6b611d98 EB	129	struct scatterlist src, dst;
6b611d98 EB	130	u64 t = 6 * ((req->cryptlen) >> 3);
9e49451d	131	unsigned int i;
e28facde SM	132	int ret = 0;
	133
	134	/*
	135	* Require at least 2 semiblocks (note, the 3rd semiblock that is
	136	* required by SP800-38F is the IV.
	137	*/
6b611d98	138	if (req->cryptlen < (2 * SEMIBSIZE) \|\| req->cryptlen % SEMIBSIZE)
e28facde SM	139	return -EINVAL;
	140
	141	/* Place the IV into block A */
6b611d98	142	memcpy(&block.A, req->iv, SEMIBSIZE);
e28facde SM	143
	144	/*
	145	* src scatterlist is read-only. dst scatterlist is r/w. During the
6b611d98 EB	146	* first loop, src points to req->src and dst to req->dst. For any
6b611d98 EB	147	* subsequent round, the code operates on req->dst only.
e28facde	148	*/
6b611d98 EB	149	src = req->src;
6b611d98 EB	150	dst = req->dst;
e28facde SM	151
e28facde SM	152	for (i = 0; i < 6; i++) {
e28facde	153	struct scatter_walk src_walk, dst_walk;
6b611d98	154	unsigned int nbytes = req->cryptlen;
e28facde	155
6b611d98 EB	156	while (nbytes) {
	157	/* move pointer by nbytes in the SGL */
	158	crypto_kw_scatterlist_ff(&src_walk, src, nbytes);
e28facde	159	/* get the source block */
9e49451d	160	scatterwalk_copychunks(&block.R, &src_walk, SEMIBSIZE,
e28facde SM	161	false);
e28facde SM	162
e28facde	163	/* perform KW operation: modify IV with counter */
9e49451d	164	block.A ^= cpu_to_be64(t);
e28facde SM	165	t--;
e28facde SM	166	/* perform KW operation: decrypt block */
6b611d98 EB	167	crypto_cipher_decrypt_one(cipher, (u8 *)&block,
6b611d98 EB	168	(u8 *)&block);
e28facde	169
6b611d98 EB	170	/* move pointer by nbytes in the SGL */
6b611d98 EB	171	crypto_kw_scatterlist_ff(&dst_walk, dst, nbytes);
e28facde	172	/* Copy block->R into place */
9e49451d	173	scatterwalk_copychunks(&block.R, &dst_walk, SEMIBSIZE,
e28facde SM	174	true);
e28facde SM	175
6b611d98	176	nbytes -= SEMIBSIZE;
e28facde SM	177	}
	178
	179	/* we now start to operate on the dst SGL only */
6b611d98 EB	180	src = req->dst;
6b611d98 EB	181	dst = req->dst;
e28facde SM	182	}
	183
	184	/* Perform authentication check */
c9683276	185	if (block.A != cpu_to_be64(0xa6a6a6a6a6a6a6a6ULL))
e28facde SM	186	ret = -EBADMSG;
e28facde SM	187
9e49451d	188	memzero_explicit(&block, sizeof(struct crypto_kw_block));
e28facde SM	189
	190	return ret;
	191	}
	192
6b611d98	193	static int crypto_kw_encrypt(struct skcipher_request *req)
e28facde	194	{
6b611d98 EB	195	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
6b611d98 EB	196	struct crypto_cipher *cipher = skcipher_cipher_simple(tfm);
9e49451d	197	struct crypto_kw_block block;
6b611d98	198	struct scatterlist src, dst;
9e49451d SM	199	u64 t = 1;
9e49451d SM	200	unsigned int i;
e28facde SM	201
	202	/*
	203	* Require at least 2 semiblocks (note, the 3rd semiblock that is
	204	* required by SP800-38F is the IV that occupies the first semiblock.
	205	* This means that the dst memory must be one semiblock larger than src.
	206	* Also ensure that the given data is aligned to semiblock.
	207	*/
6b611d98	208	if (req->cryptlen < (2 * SEMIBSIZE) \|\| req->cryptlen % SEMIBSIZE)
e28facde SM	209	return -EINVAL;
	210
	211	/*
	212	* Place the predefined IV into block A -- for encrypt, the caller
	213	* does not need to provide an IV, but he needs to fetch the final IV.
	214	*/
c9683276	215	block.A = cpu_to_be64(0xa6a6a6a6a6a6a6a6ULL);
e28facde SM	216
	217	/*
	218	* src scatterlist is read-only. dst scatterlist is r/w. During the
6b611d98 EB	219	* first loop, src points to req->src and dst to req->dst. For any
6b611d98 EB	220	* subsequent round, the code operates on req->dst only.
e28facde	221	*/
6b611d98 EB	222	src = req->src;
6b611d98 EB	223	dst = req->dst;
e28facde SM	224
e28facde SM	225	for (i = 0; i < 6; i++) {
e28facde	226	struct scatter_walk src_walk, dst_walk;
6b611d98	227	unsigned int nbytes = req->cryptlen;
e28facde	228
6b611d98 EB	229	scatterwalk_start(&src_walk, src);
6b611d98 EB	230	scatterwalk_start(&dst_walk, dst);
e28facde	231
6b611d98	232	while (nbytes) {
e28facde	233	/* get the source block */
9e49451d	234	scatterwalk_copychunks(&block.R, &src_walk, SEMIBSIZE,
e28facde SM	235	false);
	236
	237	/* perform KW operation: encrypt block */
6b611d98	238	crypto_cipher_encrypt_one(cipher, (u8 *)&block,
9e49451d	239	(u8 *)&block);
e28facde	240	/* perform KW operation: modify IV with counter */
9e49451d	241	block.A ^= cpu_to_be64(t);
e28facde SM	242	t++;
	243
	244	/* Copy block->R into place */
9e49451d	245	scatterwalk_copychunks(&block.R, &dst_walk, SEMIBSIZE,
e28facde SM	246	true);
e28facde SM	247
6b611d98	248	nbytes -= SEMIBSIZE;
e28facde SM	249	}
	250
	251	/* we now start to operate on the dst SGL only */
6b611d98 EB	252	src = req->dst;
6b611d98 EB	253	dst = req->dst;
e28facde SM	254	}
	255
	256	/* establish the IV for the caller to pick up */
6b611d98	257	memcpy(req->iv, &block.A, SEMIBSIZE);
e28facde	258
9e49451d	259	memzero_explicit(&block, sizeof(struct crypto_kw_block));
e28facde SM	260
	261	return 0;
	262	}
	263
6b611d98	264	static int crypto_kw_create(struct crypto_template tmpl, struct rtattr *tb)
e28facde	265	{
6b611d98 EB	266	struct skcipher_instance *inst;
6b611d98 EB	267	struct crypto_alg *alg;
e28facde SM	268	int err;
e28facde SM	269
b3c16bfc	270	inst = skcipher_alloc_instance_simple(tmpl, tb);
6b611d98 EB	271	if (IS_ERR(inst))
6b611d98 EB	272	return PTR_ERR(inst);
e28facde	273
b3c16bfc HX	274	alg = skcipher_ialg_simple(inst);
b3c16bfc HX	275
6b611d98	276	err = -EINVAL;
e28facde SM	277	/* Section 5.1 requirement for KW */
e28facde SM	278	if (alg->cra_blocksize != sizeof(struct crypto_kw_block))
6b611d98	279	goto out_free_inst;
e28facde	280
6b611d98 EB	281	inst->alg.base.cra_blocksize = SEMIBSIZE;
	282	inst->alg.base.cra_alignmask = 0;
	283	inst->alg.ivsize = SEMIBSIZE;
e28facde	284
6b611d98 EB	285	inst->alg.encrypt = crypto_kw_encrypt;
6b611d98 EB	286	inst->alg.decrypt = crypto_kw_decrypt;
e28facde	287
6b611d98	288	err = skcipher_register_instance(tmpl, inst);
b3c16bfc	289	if (err) {
6b611d98	290	out_free_inst:
b3c16bfc HX	291	inst->free(inst);
	292	}
	293
6b611d98	294	return err;
e28facde SM	295	}
	296
	297	static struct crypto_template crypto_kw_tmpl = {
	298	.name = "kw",
6b611d98	299	.create = crypto_kw_create,
e28facde SM	300	.module = THIS_MODULE,
	301	};
	302
	303	static int __init crypto_kw_init(void)
	304	{
	305	return crypto_register_template(&crypto_kw_tmpl);
	306	}
	307
	308	static void __exit crypto_kw_exit(void)
	309	{
	310	crypto_unregister_template(&crypto_kw_tmpl);
	311	}
	312
c4741b23	313	subsys_initcall(crypto_kw_init);
e28facde SM	314	module_exit(crypto_kw_exit);
	315
	316	MODULE_LICENSE("Dual BSD/GPL");
	317	MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
	318	MODULE_DESCRIPTION("Key Wrapping (RFC3394 / NIST SP800-38F)");
	319	MODULE_ALIAS_CRYPTO("kw");
0eb76ba2	320	MODULE_IMPORT_NS(CRYPTO_INTERNAL);