[linux-block.git] / crypto / aria.c

// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * Cryptographic API.
 *
 * ARIA Cipher Algorithm.
 *
 * Documentation of ARIA can be found in RFC 5794.
 * Copyright (c) 2022 Taehee Yoo <ap420073@gmail.com>
 *
 * Information for ARIA
 *     http://210.104.33.10/ARIA/index-e.html (English)
 *     http://seed.kisa.or.kr/ (Korean)
 *
 * Public domain version is distributed above.
 */

#include <crypto/aria.h>

static void aria_set_encrypt_key(struct aria_ctx *ctx, const u8 *in_key,
				 unsigned int key_len)
{
	const __be32 *key = (const __be32 *)in_key;
	u32 w0[4], w1[4], w2[4], w3[4];
	u32 reg0, reg1, reg2, reg3;
	const u32 *ck;
	int rkidx = 0;

	ck = &key_rc[(key_len - 16) / 8][0];

	w0[0] = be32_to_cpu(key[0]);
	w0[1] = be32_to_cpu(key[1]);
	w0[2] = be32_to_cpu(key[2]);
	w0[3] = be32_to_cpu(key[3]);

	reg0 = w0[0] ^ ck[0];
	reg1 = w0[1] ^ ck[1];
	reg2 = w0[2] ^ ck[2];
	reg3 = w0[3] ^ ck[3];

	aria_subst_diff_odd(&reg0, &reg1, &reg2, &reg3);

	if (key_len > 16) {
		w1[0] = be32_to_cpu(key[4]);
		w1[1] = be32_to_cpu(key[5]);
		if (key_len > 24) {
			w1[2] = be32_to_cpu(key[6]);
			w1[3] = be32_to_cpu(key[7]);
		} else {
			w1[2] = 0;
			w1[3] = 0;
		}
	} else {
		w1[0] = 0;
		w1[1] = 0;
		w1[2] = 0;
		w1[3] = 0;
	}

	w1[0] ^= reg0;
	w1[1] ^= reg1;
	w1[2] ^= reg2;
	w1[3] ^= reg3;

	reg0 = w1[0];
	reg1 = w1[1];
	reg2 = w1[2];
	reg3 = w1[3];

	reg0 ^= ck[4];
	reg1 ^= ck[5];
	reg2 ^= ck[6];
	reg3 ^= ck[7];

	aria_subst_diff_even(&reg0, &reg1, &reg2, &reg3);

	reg0 ^= w0[0];
	reg1 ^= w0[1];
	reg2 ^= w0[2];
	reg3 ^= w0[3];

	w2[0] = reg0;
	w2[1] = reg1;
	w2[2] = reg2;
	w2[3] = reg3;

	reg0 ^= ck[8];
	reg1 ^= ck[9];
	reg2 ^= ck[10];
	reg3 ^= ck[11];

	aria_subst_diff_odd(&reg0, &reg1, &reg2, &reg3);

	w3[0] = reg0 ^ w1[0];
	w3[1] = reg1 ^ w1[1];
	w3[2] = reg2 ^ w1[2];
	w3[3] = reg3 ^ w1[3];

	aria_gsrk(ctx->enc_key[rkidx], w0, w1, 19);
	rkidx++;
	aria_gsrk(ctx->enc_key[rkidx], w1, w2, 19);
	rkidx++;
	aria_gsrk(ctx->enc_key[rkidx], w2, w3, 19);
	rkidx++;
	aria_gsrk(ctx->enc_key[rkidx], w3, w0, 19);

	rkidx++;
	aria_gsrk(ctx->enc_key[rkidx], w0, w1, 31);
	rkidx++;
	aria_gsrk(ctx->enc_key[rkidx], w1, w2, 31);
	rkidx++;
	aria_gsrk(ctx->enc_key[rkidx], w2, w3, 31);
	rkidx++;
	aria_gsrk(ctx->enc_key[rkidx], w3, w0, 31);

	rkidx++;
	aria_gsrk(ctx->enc_key[rkidx], w0, w1, 67);
	rkidx++;
	aria_gsrk(ctx->enc_key[rkidx], w1, w2, 67);
	rkidx++;
	aria_gsrk(ctx->enc_key[rkidx], w2, w3, 67);
	rkidx++;
	aria_gsrk(ctx->enc_key[rkidx], w3, w0, 67);

	rkidx++;
	aria_gsrk(ctx->enc_key[rkidx], w0, w1, 97);
	if (key_len > 16) {
		rkidx++;
		aria_gsrk(ctx->enc_key[rkidx], w1, w2, 97);
		rkidx++;
		aria_gsrk(ctx->enc_key[rkidx], w2, w3, 97);

		if (key_len > 24) {
			rkidx++;
			aria_gsrk(ctx->enc_key[rkidx], w3, w0, 97);

			rkidx++;
			aria_gsrk(ctx->enc_key[rkidx], w0, w1, 109);
		}
	}
}

static void aria_set_decrypt_key(struct aria_ctx *ctx)
{
	int i;

	for (i = 0; i < 4; i++) {
		ctx->dec_key[0][i] = ctx->enc_key[ctx->rounds][i];
		ctx->dec_key[ctx->rounds][i] = ctx->enc_key[0][i];
	}

	for (i = 1; i < ctx->rounds; i++) {
		ctx->dec_key[i][0] = aria_m(ctx->enc_key[ctx->rounds - i][0]);
		ctx->dec_key[i][1] = aria_m(ctx->enc_key[ctx->rounds - i][1]);
		ctx->dec_key[i][2] = aria_m(ctx->enc_key[ctx->rounds - i][2]);
		ctx->dec_key[i][3] = aria_m(ctx->enc_key[ctx->rounds - i][3]);

		aria_diff_word(&ctx->dec_key[i][0], &ctx->dec_key[i][1],
			       &ctx->dec_key[i][2], &ctx->dec_key[i][3]);
		aria_diff_byte(&ctx->dec_key[i][1],
			       &ctx->dec_key[i][2], &ctx->dec_key[i][3]);
		aria_diff_word(&ctx->dec_key[i][0], &ctx->dec_key[i][1],
			       &ctx->dec_key[i][2], &ctx->dec_key[i][3]);
	}
}

static int aria_set_key(struct crypto_tfm *tfm, const u8 *in_key,
			unsigned int key_len)
{
	struct aria_ctx *ctx = crypto_tfm_ctx(tfm);

	if (key_len != 16 && key_len != 24 && key_len != 32)
		return -EINVAL;

	ctx->key_length = key_len;
	ctx->rounds = (key_len + 32) / 4;

	aria_set_encrypt_key(ctx, in_key, key_len);
	aria_set_decrypt_key(ctx);

	return 0;
}

static void __aria_crypt(struct aria_ctx *ctx, u8 *out, const u8 *in,
			 u32 key[][ARIA_RD_KEY_WORDS])
{
	const __be32 *src = (const __be32 *)in;
	__be32 *dst = (__be32 *)out;
	u32 reg0, reg1, reg2, reg3;
	int rounds, rkidx = 0;

	rounds = ctx->rounds;

	reg0 = be32_to_cpu(src[0]);
	reg1 = be32_to_cpu(src[1]);
	reg2 = be32_to_cpu(src[2]);
	reg3 = be32_to_cpu(src[3]);

	aria_add_round_key(key[rkidx], &reg0, &reg1, &reg2, &reg3);
	rkidx++;

	aria_subst_diff_odd(&reg0, &reg1, &reg2, &reg3);
	aria_add_round_key(key[rkidx], &reg0, &reg1, &reg2, &reg3);
	rkidx++;

	while ((rounds -= 2) > 0) {
		aria_subst_diff_even(&reg0, &reg1, &reg2, &reg3);
		aria_add_round_key(key[rkidx], &reg0, &reg1, &reg2, &reg3);
		rkidx++;

		aria_subst_diff_odd(&reg0, &reg1, &reg2, &reg3);
		aria_add_round_key(key[rkidx], &reg0, &reg1, &reg2, &reg3);
		rkidx++;
	}

	reg0 = key[rkidx][0] ^ make_u32((u8)(x1[get_u8(reg0, 0)]),
					(u8)(x2[get_u8(reg0, 1)] >> 8),
					(u8)(s1[get_u8(reg0, 2)]),
					(u8)(s2[get_u8(reg0, 3)]));
	reg1 = key[rkidx][1] ^ make_u32((u8)(x1[get_u8(reg1, 0)]),
					(u8)(x2[get_u8(reg1, 1)] >> 8),
					(u8)(s1[get_u8(reg1, 2)]),
					(u8)(s2[get_u8(reg1, 3)]));
	reg2 = key[rkidx][2] ^ make_u32((u8)(x1[get_u8(reg2, 0)]),
					(u8)(x2[get_u8(reg2, 1)] >> 8),
					(u8)(s1[get_u8(reg2, 2)]),
					(u8)(s2[get_u8(reg2, 3)]));
	reg3 = key[rkidx][3] ^ make_u32((u8)(x1[get_u8(reg3, 0)]),
					(u8)(x2[get_u8(reg3, 1)] >> 8),
					(u8)(s1[get_u8(reg3, 2)]),
					(u8)(s2[get_u8(reg3, 3)]));

	dst[0] = cpu_to_be32(reg0);
	dst[1] = cpu_to_be32(reg1);
	dst[2] = cpu_to_be32(reg2);
	dst[3] = cpu_to_be32(reg3);
}

static void aria_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
{
	struct aria_ctx *ctx = crypto_tfm_ctx(tfm);

	__aria_crypt(ctx, out, in, ctx->enc_key);
}

static void aria_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
{
	struct aria_ctx *ctx = crypto_tfm_ctx(tfm);

	__aria_crypt(ctx, out, in, ctx->dec_key);
}

static struct crypto_alg aria_alg = {
	.cra_name		=	"aria",
	.cra_driver_name	=	"aria-generic",
	.cra_priority		=	100,
	.cra_flags		=	CRYPTO_ALG_TYPE_CIPHER,
	.cra_blocksize		=	ARIA_BLOCK_SIZE,
	.cra_ctxsize		=	sizeof(struct aria_ctx),
	.cra_alignmask		=	3,
	.cra_module		=	THIS_MODULE,
	.cra_u			=	{
		.cipher = {
			.cia_min_keysize	=	ARIA_MIN_KEY_SIZE,
			.cia_max_keysize	=	ARIA_MAX_KEY_SIZE,
			.cia_setkey		=	aria_set_key,
			.cia_encrypt		=	aria_encrypt,
			.cia_decrypt		=	aria_decrypt
		}
	}
};

static int __init aria_init(void)
{
	return crypto_register_alg(&aria_alg);
}

static void __exit aria_fini(void)
{
	crypto_unregister_alg(&aria_alg);
}

subsys_initcall(aria_init);
module_exit(aria_fini);

MODULE_DESCRIPTION("ARIA Cipher Algorithm");
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Taehee Yoo <ap420073@gmail.com>");
MODULE_ALIAS_CRYPTO("aria");
Commit	Line	Data
e4e712bb TY	1	// SPDX-License-Identifier: GPL-2.0-or-later
	2	/*
	3	* Cryptographic API.
	4	*
	5	* ARIA Cipher Algorithm.
	6	*
	7	* Documentation of ARIA can be found in RFC 5794.
	8	* Copyright (c) 2022 Taehee Yoo <ap420073@gmail.com>
	9	*
	10	* Information for ARIA
	11	* http://210.104.33.10/ARIA/index-e.html (English)
	12	* http://seed.kisa.or.kr/ (Korean)
	13	*
	14	* Public domain version is distributed above.
	15	*/
	16
	17	#include <crypto/aria.h>
	18
	19	static void aria_set_encrypt_key(struct aria_ctx ctx, const u8 in_key,
	20	unsigned int key_len)
	21	{
	22	const __be32 key = (const __be32 )in_key;
	23	u32 w0[4], w1[4], w2[4], w3[4];
	24	u32 reg0, reg1, reg2, reg3;
	25	const u32 *ck;
	26	int rkidx = 0;
	27
	28	ck = &key_rc[(key_len - 16) / 8][0];
	29
	30	w0[0] = be32_to_cpu(key[0]);
	31	w0[1] = be32_to_cpu(key[1]);
	32	w0[2] = be32_to_cpu(key[2]);
	33	w0[3] = be32_to_cpu(key[3]);
	34
	35	reg0 = w0[0] ^ ck[0];
	36	reg1 = w0[1] ^ ck[1];
	37	reg2 = w0[2] ^ ck[2];
	38	reg3 = w0[3] ^ ck[3];
	39
	40	aria_subst_diff_odd(&reg0, &reg1, &reg2, &reg3);
	41
	42	if (key_len > 16) {
	43	w1[0] = be32_to_cpu(key[4]);
	44	w1[1] = be32_to_cpu(key[5]);
	45	if (key_len > 24) {
	46	w1[2] = be32_to_cpu(key[6]);
	47	w1[3] = be32_to_cpu(key[7]);
	48	} else {
	49	w1[2] = 0;
	50	w1[3] = 0;
	51	}
	52	} else {
	53	w1[0] = 0;
	54	w1[1] = 0;
	55	w1[2] = 0;
	56	w1[3] = 0;
	57	}
	58
	59	w1[0] ^= reg0;
	60	w1[1] ^= reg1;
	61	w1[2] ^= reg2;
	62	w1[3] ^= reg3;
	63
	64	reg0 = w1[0];
65	reg1 = w1[1];
66	reg2 = w1[2];
67	reg3 = w1[3];
68
69	reg0 ^= ck[4];
70	reg1 ^= ck[5];
71	reg2 ^= ck[6];
72	reg3 ^= ck[7];
73
74	aria_subst_diff_even(&reg0, &reg1, &reg2, &reg3);
75
76	reg0 ^= w0[0];
77	reg1 ^= w0[1];
78	reg2 ^= w0[2];
79	reg3 ^= w0[3];
80
81	w2[0] = reg0;
82	w2[1] = reg1;
83	w2[2] = reg2;
84	w2[3] = reg3;
85
86	reg0 ^= ck[8];
87	reg1 ^= ck[9];
88	reg2 ^= ck[10];
89	reg3 ^= ck[11];
90
91	aria_subst_diff_odd(&reg0, &reg1, &reg2, &reg3);
92
93	w3[0] = reg0 ^ w1[0];
94	w3[1] = reg1 ^ w1[1];
95	w3[2] = reg2 ^ w1[2];
96	w3[3] = reg3 ^ w1[3];
97
98	aria_gsrk(ctx->enc_key[rkidx], w0, w1, 19);
99	rkidx++;
100	aria_gsrk(ctx->enc_key[rkidx], w1, w2, 19);
101	rkidx++;
102	aria_gsrk(ctx->enc_key[rkidx], w2, w3, 19);
103	rkidx++;
104	aria_gsrk(ctx->enc_key[rkidx], w3, w0, 19);
105
106	rkidx++;
107	aria_gsrk(ctx->enc_key[rkidx], w0, w1, 31);
108	rkidx++;
109	aria_gsrk(ctx->enc_key[rkidx], w1, w2, 31);
110	rkidx++;
111	aria_gsrk(ctx->enc_key[rkidx], w2, w3, 31);
112	rkidx++;
113	aria_gsrk(ctx->enc_key[rkidx], w3, w0, 31);
114
115	rkidx++;
116	aria_gsrk(ctx->enc_key[rkidx], w0, w1, 67);
117	rkidx++;
118	aria_gsrk(ctx->enc_key[rkidx], w1, w2, 67);
119	rkidx++;
120	aria_gsrk(ctx->enc_key[rkidx], w2, w3, 67);
121	rkidx++;
122	aria_gsrk(ctx->enc_key[rkidx], w3, w0, 67);
123
124	rkidx++;
125	aria_gsrk(ctx->enc_key[rkidx], w0, w1, 97);
126	if (key_len > 16) {
127	rkidx++;
128	aria_gsrk(ctx->enc_key[rkidx], w1, w2, 97);
129	rkidx++;
130	aria_gsrk(ctx->enc_key[rkidx], w2, w3, 97);
131
132	if (key_len > 24) {
133	rkidx++;
134	aria_gsrk(ctx->enc_key[rkidx], w3, w0, 97);
135
136	rkidx++;
137	aria_gsrk(ctx->enc_key[rkidx], w0, w1, 109);
138	}
139	}
140	}
141
142	static void aria_set_decrypt_key(struct aria_ctx *ctx)
143	{
144	int i;
145
146	for (i = 0; i < 4; i++) {
147	ctx->dec_key[0][i] = ctx->enc_key[ctx->rounds][i];
148	ctx->dec_key[ctx->rounds][i] = ctx->enc_key[0][i];
149	}
150
151	for (i = 1; i < ctx->rounds; i++) {
152	ctx->dec_key[i][0] = aria_m(ctx->enc_key[ctx->rounds - i][0]);
153	ctx->dec_key[i][1] = aria_m(ctx->enc_key[ctx->rounds - i][1]);
154	ctx->dec_key[i][2] = aria_m(ctx->enc_key[ctx->rounds - i][2]);
155	ctx->dec_key[i][3] = aria_m(ctx->enc_key[ctx->rounds - i][3]);
156
157	aria_diff_word(&ctx->dec_key[i][0], &ctx->dec_key[i][1],
158	&ctx->dec_key[i][2], &ctx->dec_key[i][3]);
159	aria_diff_byte(&ctx->dec_key[i][1],
160	&ctx->dec_key[i][2], &ctx->dec_key[i][3]);
161	aria_diff_word(&ctx->dec_key[i][0], &ctx->dec_key[i][1],
162	&ctx->dec_key[i][2], &ctx->dec_key[i][3]);
163	}
164	}
165
166	static int aria_set_key(struct crypto_tfm tfm, const u8 in_key,
167	unsigned int key_len)
168	{
169	struct aria_ctx *ctx = crypto_tfm_ctx(tfm);
170
171	if (key_len != 16 && key_len != 24 && key_len != 32)
172	return -EINVAL;
173
174	ctx->key_length = key_len;
175	ctx->rounds = (key_len + 32) / 4;
176
177	aria_set_encrypt_key(ctx, in_key, key_len);
178	aria_set_decrypt_key(ctx);
179
180	return 0;
181	}
182
183	static void __aria_crypt(struct aria_ctx ctx, u8 out, const u8 *in,
184	u32 key[][ARIA_RD_KEY_WORDS])
185	{
186	const __be32 src = (const __be32 )in;
187	__be32 dst = (__be32 )out;
188	u32 reg0, reg1, reg2, reg3;
189	int rounds, rkidx = 0;
190
191	rounds = ctx->rounds;
192
193	reg0 = be32_to_cpu(src[0]);
194	reg1 = be32_to_cpu(src[1]);
195	reg2 = be32_to_cpu(src[2]);
196	reg3 = be32_to_cpu(src[3]);
197
198	aria_add_round_key(key[rkidx], &reg0, &reg1, &reg2, &reg3);
199	rkidx++;
200
201	aria_subst_diff_odd(&reg0, &reg1, &reg2, &reg3);
202	aria_add_round_key(key[rkidx], &reg0, &reg1, &reg2, &reg3);
203	rkidx++;
204
205	while ((rounds -= 2) > 0) {
206	aria_subst_diff_even(&reg0, &reg1, &reg2, &reg3);
207	aria_add_round_key(key[rkidx], &reg0, &reg1, &reg2, &reg3);
208	rkidx++;
209
210	aria_subst_diff_odd(&reg0, &reg1, &reg2, &reg3);
211	aria_add_round_key(key[rkidx], &reg0, &reg1, &reg2, &reg3);
212	rkidx++;
213	}
214
215	reg0 = key[rkidx][0] ^ make_u32((u8)(x1[get_u8(reg0, 0)]),
216	(u8)(x2[get_u8(reg0, 1)] >> 8),
217	(u8)(s1[get_u8(reg0, 2)]),
218	(u8)(s2[get_u8(reg0, 3)]));
219	reg1 = key[rkidx][1] ^ make_u32((u8)(x1[get_u8(reg1, 0)]),
220	(u8)(x2[get_u8(reg1, 1)] >> 8),
221	(u8)(s1[get_u8(reg1, 2)]),
222	(u8)(s2[get_u8(reg1, 3)]));
223	reg2 = key[rkidx][2] ^ make_u32((u8)(x1[get_u8(reg2, 0)]),
224	(u8)(x2[get_u8(reg2, 1)] >> 8),
225	(u8)(s1[get_u8(reg2, 2)]),
226	(u8)(s2[get_u8(reg2, 3)]));
227	reg3 = key[rkidx][3] ^ make_u32((u8)(x1[get_u8(reg3, 0)]),
228	(u8)(x2[get_u8(reg3, 1)] >> 8),
229	(u8)(s1[get_u8(reg3, 2)]),
230	(u8)(s2[get_u8(reg3, 3)]));
231
232	dst[0] = cpu_to_be32(reg0);
233	dst[1] = cpu_to_be32(reg1);
234	dst[2] = cpu_to_be32(reg2);
235	dst[3] = cpu_to_be32(reg3);
236	}
237
238	static void aria_encrypt(struct crypto_tfm tfm, u8 out, const u8 *in)
239	{
240	struct aria_ctx *ctx = crypto_tfm_ctx(tfm);
241
242	__aria_crypt(ctx, out, in, ctx->enc_key);
243	}
244
245	static void aria_decrypt(struct crypto_tfm tfm, u8 out, const u8 *in)
246	{
247	struct aria_ctx *ctx = crypto_tfm_ctx(tfm);
248
249	__aria_crypt(ctx, out, in, ctx->dec_key);
250	}
251
252	static struct crypto_alg aria_alg = {
253	.cra_name = "aria",
254	.cra_driver_name = "aria-generic",
255	.cra_priority = 100,
256	.cra_flags = CRYPTO_ALG_TYPE_CIPHER,
257	.cra_blocksize = ARIA_BLOCK_SIZE,
258	.cra_ctxsize = sizeof(struct aria_ctx),
259	.cra_alignmask = 3,
260	.cra_module = THIS_MODULE,
261	.cra_u = {
262	.cipher = {
263	.cia_min_keysize = ARIA_MIN_KEY_SIZE,
264	.cia_max_keysize = ARIA_MAX_KEY_SIZE,
265	.cia_setkey = aria_set_key,
266	.cia_encrypt = aria_encrypt,
267	.cia_decrypt = aria_decrypt
268	}
269	}
270	};
271
272	static int __init aria_init(void)
273	{
274	return crypto_register_alg(&aria_alg);
275	}
276
277	static void __exit aria_fini(void)
278	{
279	crypto_unregister_alg(&aria_alg);
280	}
281
282	subsys_initcall(aria_init);
283	module_exit(aria_fini);
284
285	MODULE_DESCRIPTION("ARIA Cipher Algorithm");
286	MODULE_LICENSE("GPL");
287	MODULE_AUTHOR("Taehee Yoo <ap420073@gmail.com>");
288	MODULE_ALIAS_CRYPTO("aria");