2  * Key Wrapping: RFC3394 / NIST SP800-38F
23  * the restrictions contained in a BSD-style copyright.)
51  * To obtain the full result of an encryption as expected by SP800-38F, the
62  *	==> After encryption, data now contains full KW result as per SP800-38F.
72  *	unsigned int ctlen = datalen - crypto_skcipher_ivsize(tfm);
79  * Note 2: KWP is not implemented as this would defy in-place operation.
80  *	   If somebody wants to wrap non-aligned data, he should simply pad
98  * The start in the SGL defined by the fast-forward is returned with
110 	skip = end - SEMIBSIZE;  in crypto_kw_scatterlist_ff()
112 		if (sg->length > skip) {  in crypto_kw_scatterlist_ff()
117 			skip -= sg->length;  in crypto_kw_scatterlist_ff()
127 	struct crypto_kw_block block;  in crypto_kw_decrypt()  local
129 	u64 t = 6 * ((req->cryptlen) >> 3);  in crypto_kw_decrypt()
135 	 * required by SP800-38F is the IV.  in crypto_kw_decrypt()
137 	if (req->cryptlen < (2 * SEMIBSIZE) || req->cryptlen % SEMIBSIZE)  in crypto_kw_decrypt()
138 		return -EINVAL;  in crypto_kw_decrypt()
140 	/* Place the IV into block A */  in crypto_kw_decrypt()
141 	memcpy(&block.A, req->iv, SEMIBSIZE);  in crypto_kw_decrypt()
144 	 * src scatterlist is read-only. dst scatterlist is r/w. During the  in crypto_kw_decrypt()
145 	 * first loop, src points to req->src and dst to req->dst. For any  in crypto_kw_decrypt()
146 	 * subsequent round, the code operates on req->dst only.  in crypto_kw_decrypt()
148 	src = req->src;  in crypto_kw_decrypt()
149 	dst = req->dst;  in crypto_kw_decrypt()
153 		unsigned int nbytes = req->cryptlen;  in crypto_kw_decrypt()
158 			/* get the source block */  in crypto_kw_decrypt()
159 			scatterwalk_copychunks(&block.R, &src_walk, SEMIBSIZE,  in crypto_kw_decrypt()
163 			block.A ^= cpu_to_be64(t);  in crypto_kw_decrypt()
164 			t--;  in crypto_kw_decrypt()
165 			/* perform KW operation: decrypt block */  in crypto_kw_decrypt()
166 			crypto_cipher_decrypt_one(cipher, (u8 *)&block,  in crypto_kw_decrypt()
167 						  (u8 *)&block);  in crypto_kw_decrypt()
171 			/* Copy block->R into place */  in crypto_kw_decrypt()
172 			scatterwalk_copychunks(&block.R, &dst_walk, SEMIBSIZE,  in crypto_kw_decrypt()
175 			nbytes -= SEMIBSIZE;  in crypto_kw_decrypt()
179 		src = req->dst;  in crypto_kw_decrypt()
180 		dst = req->dst;  in crypto_kw_decrypt()
184 	if (block.A != cpu_to_be64(0xa6a6a6a6a6a6a6a6ULL))  in crypto_kw_decrypt()
185 		ret = -EBADMSG;  in crypto_kw_decrypt()
187 	memzero_explicit(&block, sizeof(struct crypto_kw_block));  in crypto_kw_decrypt()
196 	struct crypto_kw_block block;  in crypto_kw_encrypt()  local
203 	 * required by SP800-38F is the IV that occupies the first semiblock.  in crypto_kw_encrypt()
207 	if (req->cryptlen < (2 * SEMIBSIZE) || req->cryptlen % SEMIBSIZE)  in crypto_kw_encrypt()
208 		return -EINVAL;  in crypto_kw_encrypt()
211 	 * Place the predefined IV into block A -- for encrypt, the caller  in crypto_kw_encrypt()
212 	 * does not need to provide an IV, but he needs to fetch the final IV.  in crypto_kw_encrypt()
214 	block.A = cpu_to_be64(0xa6a6a6a6a6a6a6a6ULL);  in crypto_kw_encrypt()
217 	 * src scatterlist is read-only. dst scatterlist is r/w. During the  in crypto_kw_encrypt()
218 	 * first loop, src points to req->src and dst to req->dst. For any  in crypto_kw_encrypt()
219 	 * subsequent round, the code operates on req->dst only.  in crypto_kw_encrypt()
221 	src = req->src;  in crypto_kw_encrypt()
222 	dst = req->dst;  in crypto_kw_encrypt()
226 		unsigned int nbytes = req->cryptlen;  in crypto_kw_encrypt()
232 			/* get the source block */  in crypto_kw_encrypt()
233 			scatterwalk_copychunks(&block.R, &src_walk, SEMIBSIZE,  in crypto_kw_encrypt()
236 			/* perform KW operation: encrypt block */  in crypto_kw_encrypt()
237 			crypto_cipher_encrypt_one(cipher, (u8 *)&block,  in crypto_kw_encrypt()
238 						  (u8 *)&block);  in crypto_kw_encrypt()
240 			block.A ^= cpu_to_be64(t);  in crypto_kw_encrypt()
243 			/* Copy block->R into place */  in crypto_kw_encrypt()
244 			scatterwalk_copychunks(&block.R, &dst_walk, SEMIBSIZE,  in crypto_kw_encrypt()
247 			nbytes -= SEMIBSIZE;  in crypto_kw_encrypt()
251 		src = req->dst;  in crypto_kw_encrypt()
252 		dst = req->dst;  in crypto_kw_encrypt()
256 	memcpy(req->iv, &block.A, SEMIBSIZE);  in crypto_kw_encrypt()
258 	memzero_explicit(&block, sizeof(struct crypto_kw_block));  in crypto_kw_encrypt()
275 	err = -EINVAL;  in crypto_kw_create()
277 	if (alg->cra_blocksize != sizeof(struct crypto_kw_block))  in crypto_kw_create()
280 	inst->alg.base.cra_blocksize = SEMIBSIZE;  in crypto_kw_create()
281 	inst->alg.base.cra_alignmask = 0;  in crypto_kw_create()
282 	inst->alg.ivsize = SEMIBSIZE;  in crypto_kw_create()
284 	inst->alg.encrypt = crypto_kw_encrypt;  in crypto_kw_create()
285 	inst->alg.decrypt = crypto_kw_decrypt;  in crypto_kw_create()
290 		inst->free(inst);  in crypto_kw_create()
317 MODULE_DESCRIPTION("Key Wrapping (RFC3394 / NIST SP800-38F)");