Commit | Line | Data |
---|---|---|
e4e712bb TY |
1 | // SPDX-License-Identifier: GPL-2.0-or-later |
2 | /* | |
3 | * Cryptographic API. | |
4 | * | |
5 | * ARIA Cipher Algorithm. | |
6 | * | |
7 | * Documentation of ARIA can be found in RFC 5794. | |
8 | * Copyright (c) 2022 Taehee Yoo <ap420073@gmail.com> | |
9 | * | |
10 | * Information for ARIA | |
11 | * http://210.104.33.10/ARIA/index-e.html (English) | |
12 | * http://seed.kisa.or.kr/ (Korean) | |
13 | * | |
14 | * Public domain version is distributed above. | |
15 | */ | |
16 | ||
17 | #include <crypto/aria.h> | |
18 | ||
19 | static void aria_set_encrypt_key(struct aria_ctx *ctx, const u8 *in_key, | |
20 | unsigned int key_len) | |
21 | { | |
22 | const __be32 *key = (const __be32 *)in_key; | |
23 | u32 w0[4], w1[4], w2[4], w3[4]; | |
24 | u32 reg0, reg1, reg2, reg3; | |
25 | const u32 *ck; | |
26 | int rkidx = 0; | |
27 | ||
28 | ck = &key_rc[(key_len - 16) / 8][0]; | |
29 | ||
30 | w0[0] = be32_to_cpu(key[0]); | |
31 | w0[1] = be32_to_cpu(key[1]); | |
32 | w0[2] = be32_to_cpu(key[2]); | |
33 | w0[3] = be32_to_cpu(key[3]); | |
34 | ||
35 | reg0 = w0[0] ^ ck[0]; | |
36 | reg1 = w0[1] ^ ck[1]; | |
37 | reg2 = w0[2] ^ ck[2]; | |
38 | reg3 = w0[3] ^ ck[3]; | |
39 | ||
40 | aria_subst_diff_odd(®0, ®1, ®2, ®3); | |
41 | ||
42 | if (key_len > 16) { | |
43 | w1[0] = be32_to_cpu(key[4]); | |
44 | w1[1] = be32_to_cpu(key[5]); | |
45 | if (key_len > 24) { | |
46 | w1[2] = be32_to_cpu(key[6]); | |
47 | w1[3] = be32_to_cpu(key[7]); | |
48 | } else { | |
49 | w1[2] = 0; | |
50 | w1[3] = 0; | |
51 | } | |
52 | } else { | |
53 | w1[0] = 0; | |
54 | w1[1] = 0; | |
55 | w1[2] = 0; | |
56 | w1[3] = 0; | |
57 | } | |
58 | ||
59 | w1[0] ^= reg0; | |
60 | w1[1] ^= reg1; | |
61 | w1[2] ^= reg2; | |
62 | w1[3] ^= reg3; | |
63 | ||
64 | reg0 = w1[0]; | |
65 | reg1 = w1[1]; | |
66 | reg2 = w1[2]; | |
67 | reg3 = w1[3]; | |
68 | ||
69 | reg0 ^= ck[4]; | |
70 | reg1 ^= ck[5]; | |
71 | reg2 ^= ck[6]; | |
72 | reg3 ^= ck[7]; | |
73 | ||
74 | aria_subst_diff_even(®0, ®1, ®2, ®3); | |
75 | ||
76 | reg0 ^= w0[0]; | |
77 | reg1 ^= w0[1]; | |
78 | reg2 ^= w0[2]; | |
79 | reg3 ^= w0[3]; | |
80 | ||
81 | w2[0] = reg0; | |
82 | w2[1] = reg1; | |
83 | w2[2] = reg2; | |
84 | w2[3] = reg3; | |
85 | ||
86 | reg0 ^= ck[8]; | |
87 | reg1 ^= ck[9]; | |
88 | reg2 ^= ck[10]; | |
89 | reg3 ^= ck[11]; | |
90 | ||
91 | aria_subst_diff_odd(®0, ®1, ®2, ®3); | |
92 | ||
93 | w3[0] = reg0 ^ w1[0]; | |
94 | w3[1] = reg1 ^ w1[1]; | |
95 | w3[2] = reg2 ^ w1[2]; | |
96 | w3[3] = reg3 ^ w1[3]; | |
97 | ||
98 | aria_gsrk(ctx->enc_key[rkidx], w0, w1, 19); | |
99 | rkidx++; | |
100 | aria_gsrk(ctx->enc_key[rkidx], w1, w2, 19); | |
101 | rkidx++; | |
102 | aria_gsrk(ctx->enc_key[rkidx], w2, w3, 19); | |
103 | rkidx++; | |
104 | aria_gsrk(ctx->enc_key[rkidx], w3, w0, 19); | |
105 | ||
106 | rkidx++; | |
107 | aria_gsrk(ctx->enc_key[rkidx], w0, w1, 31); | |
108 | rkidx++; | |
109 | aria_gsrk(ctx->enc_key[rkidx], w1, w2, 31); | |
110 | rkidx++; | |
111 | aria_gsrk(ctx->enc_key[rkidx], w2, w3, 31); | |
112 | rkidx++; | |
113 | aria_gsrk(ctx->enc_key[rkidx], w3, w0, 31); | |
114 | ||
115 | rkidx++; | |
116 | aria_gsrk(ctx->enc_key[rkidx], w0, w1, 67); | |
117 | rkidx++; | |
118 | aria_gsrk(ctx->enc_key[rkidx], w1, w2, 67); | |
119 | rkidx++; | |
120 | aria_gsrk(ctx->enc_key[rkidx], w2, w3, 67); | |
121 | rkidx++; | |
122 | aria_gsrk(ctx->enc_key[rkidx], w3, w0, 67); | |
123 | ||
124 | rkidx++; | |
125 | aria_gsrk(ctx->enc_key[rkidx], w0, w1, 97); | |
126 | if (key_len > 16) { | |
127 | rkidx++; | |
128 | aria_gsrk(ctx->enc_key[rkidx], w1, w2, 97); | |
129 | rkidx++; | |
130 | aria_gsrk(ctx->enc_key[rkidx], w2, w3, 97); | |
131 | ||
132 | if (key_len > 24) { | |
133 | rkidx++; | |
134 | aria_gsrk(ctx->enc_key[rkidx], w3, w0, 97); | |
135 | ||
136 | rkidx++; | |
137 | aria_gsrk(ctx->enc_key[rkidx], w0, w1, 109); | |
138 | } | |
139 | } | |
140 | } | |
141 | ||
142 | static void aria_set_decrypt_key(struct aria_ctx *ctx) | |
143 | { | |
144 | int i; | |
145 | ||
146 | for (i = 0; i < 4; i++) { | |
147 | ctx->dec_key[0][i] = ctx->enc_key[ctx->rounds][i]; | |
148 | ctx->dec_key[ctx->rounds][i] = ctx->enc_key[0][i]; | |
149 | } | |
150 | ||
151 | for (i = 1; i < ctx->rounds; i++) { | |
152 | ctx->dec_key[i][0] = aria_m(ctx->enc_key[ctx->rounds - i][0]); | |
153 | ctx->dec_key[i][1] = aria_m(ctx->enc_key[ctx->rounds - i][1]); | |
154 | ctx->dec_key[i][2] = aria_m(ctx->enc_key[ctx->rounds - i][2]); | |
155 | ctx->dec_key[i][3] = aria_m(ctx->enc_key[ctx->rounds - i][3]); | |
156 | ||
157 | aria_diff_word(&ctx->dec_key[i][0], &ctx->dec_key[i][1], | |
158 | &ctx->dec_key[i][2], &ctx->dec_key[i][3]); | |
159 | aria_diff_byte(&ctx->dec_key[i][1], | |
160 | &ctx->dec_key[i][2], &ctx->dec_key[i][3]); | |
161 | aria_diff_word(&ctx->dec_key[i][0], &ctx->dec_key[i][1], | |
162 | &ctx->dec_key[i][2], &ctx->dec_key[i][3]); | |
163 | } | |
164 | } | |
165 | ||
166 | static int aria_set_key(struct crypto_tfm *tfm, const u8 *in_key, | |
167 | unsigned int key_len) | |
168 | { | |
169 | struct aria_ctx *ctx = crypto_tfm_ctx(tfm); | |
170 | ||
171 | if (key_len != 16 && key_len != 24 && key_len != 32) | |
172 | return -EINVAL; | |
173 | ||
174 | ctx->key_length = key_len; | |
175 | ctx->rounds = (key_len + 32) / 4; | |
176 | ||
177 | aria_set_encrypt_key(ctx, in_key, key_len); | |
178 | aria_set_decrypt_key(ctx); | |
179 | ||
180 | return 0; | |
181 | } | |
182 | ||
183 | static void __aria_crypt(struct aria_ctx *ctx, u8 *out, const u8 *in, | |
184 | u32 key[][ARIA_RD_KEY_WORDS]) | |
185 | { | |
186 | const __be32 *src = (const __be32 *)in; | |
187 | __be32 *dst = (__be32 *)out; | |
188 | u32 reg0, reg1, reg2, reg3; | |
189 | int rounds, rkidx = 0; | |
190 | ||
191 | rounds = ctx->rounds; | |
192 | ||
193 | reg0 = be32_to_cpu(src[0]); | |
194 | reg1 = be32_to_cpu(src[1]); | |
195 | reg2 = be32_to_cpu(src[2]); | |
196 | reg3 = be32_to_cpu(src[3]); | |
197 | ||
198 | aria_add_round_key(key[rkidx], ®0, ®1, ®2, ®3); | |
199 | rkidx++; | |
200 | ||
201 | aria_subst_diff_odd(®0, ®1, ®2, ®3); | |
202 | aria_add_round_key(key[rkidx], ®0, ®1, ®2, ®3); | |
203 | rkidx++; | |
204 | ||
205 | while ((rounds -= 2) > 0) { | |
206 | aria_subst_diff_even(®0, ®1, ®2, ®3); | |
207 | aria_add_round_key(key[rkidx], ®0, ®1, ®2, ®3); | |
208 | rkidx++; | |
209 | ||
210 | aria_subst_diff_odd(®0, ®1, ®2, ®3); | |
211 | aria_add_round_key(key[rkidx], ®0, ®1, ®2, ®3); | |
212 | rkidx++; | |
213 | } | |
214 | ||
215 | reg0 = key[rkidx][0] ^ make_u32((u8)(x1[get_u8(reg0, 0)]), | |
216 | (u8)(x2[get_u8(reg0, 1)] >> 8), | |
217 | (u8)(s1[get_u8(reg0, 2)]), | |
218 | (u8)(s2[get_u8(reg0, 3)])); | |
219 | reg1 = key[rkidx][1] ^ make_u32((u8)(x1[get_u8(reg1, 0)]), | |
220 | (u8)(x2[get_u8(reg1, 1)] >> 8), | |
221 | (u8)(s1[get_u8(reg1, 2)]), | |
222 | (u8)(s2[get_u8(reg1, 3)])); | |
223 | reg2 = key[rkidx][2] ^ make_u32((u8)(x1[get_u8(reg2, 0)]), | |
224 | (u8)(x2[get_u8(reg2, 1)] >> 8), | |
225 | (u8)(s1[get_u8(reg2, 2)]), | |
226 | (u8)(s2[get_u8(reg2, 3)])); | |
227 | reg3 = key[rkidx][3] ^ make_u32((u8)(x1[get_u8(reg3, 0)]), | |
228 | (u8)(x2[get_u8(reg3, 1)] >> 8), | |
229 | (u8)(s1[get_u8(reg3, 2)]), | |
230 | (u8)(s2[get_u8(reg3, 3)])); | |
231 | ||
232 | dst[0] = cpu_to_be32(reg0); | |
233 | dst[1] = cpu_to_be32(reg1); | |
234 | dst[2] = cpu_to_be32(reg2); | |
235 | dst[3] = cpu_to_be32(reg3); | |
236 | } | |
237 | ||
238 | static void aria_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) | |
239 | { | |
240 | struct aria_ctx *ctx = crypto_tfm_ctx(tfm); | |
241 | ||
242 | __aria_crypt(ctx, out, in, ctx->enc_key); | |
243 | } | |
244 | ||
245 | static void aria_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) | |
246 | { | |
247 | struct aria_ctx *ctx = crypto_tfm_ctx(tfm); | |
248 | ||
249 | __aria_crypt(ctx, out, in, ctx->dec_key); | |
250 | } | |
251 | ||
252 | static struct crypto_alg aria_alg = { | |
253 | .cra_name = "aria", | |
254 | .cra_driver_name = "aria-generic", | |
255 | .cra_priority = 100, | |
256 | .cra_flags = CRYPTO_ALG_TYPE_CIPHER, | |
257 | .cra_blocksize = ARIA_BLOCK_SIZE, | |
258 | .cra_ctxsize = sizeof(struct aria_ctx), | |
259 | .cra_alignmask = 3, | |
260 | .cra_module = THIS_MODULE, | |
261 | .cra_u = { | |
262 | .cipher = { | |
263 | .cia_min_keysize = ARIA_MIN_KEY_SIZE, | |
264 | .cia_max_keysize = ARIA_MAX_KEY_SIZE, | |
265 | .cia_setkey = aria_set_key, | |
266 | .cia_encrypt = aria_encrypt, | |
267 | .cia_decrypt = aria_decrypt | |
268 | } | |
269 | } | |
270 | }; | |
271 | ||
272 | static int __init aria_init(void) | |
273 | { | |
274 | return crypto_register_alg(&aria_alg); | |
275 | } | |
276 | ||
277 | static void __exit aria_fini(void) | |
278 | { | |
279 | crypto_unregister_alg(&aria_alg); | |
280 | } | |
281 | ||
282 | subsys_initcall(aria_init); | |
283 | module_exit(aria_fini); | |
284 | ||
285 | MODULE_DESCRIPTION("ARIA Cipher Algorithm"); | |
286 | MODULE_LICENSE("GPL"); | |
287 | MODULE_AUTHOR("Taehee Yoo <ap420073@gmail.com>"); | |
288 | MODULE_ALIAS_CRYPTO("aria"); |