xref: /linux/include/crypto/aes.h (revision 0892c91b81cc889c95dc03b095b9f4a6fdf93106) 
1 /* SPDX-License-Identifier: GPL-2.0 */
2 /*
3  * Common values for AES algorithms
4  */
5 
6 #ifndef _CRYPTO_AES_H
7 #define _CRYPTO_AES_H
8 
9 #include <linux/types.h>
10 #include <linux/crypto.h>
11 
12 #define AES_MIN_KEY_SIZE	16
13 #define AES_MAX_KEY_SIZE	32
14 #define AES_KEYSIZE_128		16
15 #define AES_KEYSIZE_192		24
16 #define AES_KEYSIZE_256		32
17 #define AES_BLOCK_SIZE		16
18 #define AES_MAX_KEYLENGTH	(15 * 16)
19 #define AES_MAX_KEYLENGTH_U32	(AES_MAX_KEYLENGTH / sizeof(u32))
20 
21 union aes_enckey_arch {
22 	u32 rndkeys[AES_MAX_KEYLENGTH_U32];
23 #ifdef CONFIG_CRYPTO_LIB_AES_ARCH
24 #if defined(CONFIG_PPC) && defined(CONFIG_SPE)
25 	/* Used unconditionally (when SPE AES code is enabled in kconfig) */
26 	u32 spe_enc_key[AES_MAX_KEYLENGTH_U32] __aligned(8);
27 #endif
28 #endif /* CONFIG_CRYPTO_LIB_AES_ARCH */
29 };
30 
31 union aes_invkey_arch {
32 	u32 inv_rndkeys[AES_MAX_KEYLENGTH_U32];
33 #ifdef CONFIG_CRYPTO_LIB_AES_ARCH
34 #if defined(CONFIG_PPC) && defined(CONFIG_SPE)
35 	/* Used unconditionally (when SPE AES code is enabled in kconfig) */
36 	u32 spe_dec_key[AES_MAX_KEYLENGTH_U32] __aligned(8);
37 #endif
38 #endif /* CONFIG_CRYPTO_LIB_AES_ARCH */
39 };
40 
41 /**
42  * struct aes_enckey - An AES key prepared for encryption
43  * @len: Key length in bytes: 16 for AES-128, 24 for AES-192, 32 for AES-256.
44  * @nrounds: Number of rounds: 10 for AES-128, 12 for AES-192, 14 for AES-256.
45  *	     This is '6 + @len / 4' and is cached so that AES implementations
46  *	     that need it don't have to recompute it for each en/decryption.
47  * @padding: Padding to make offsetof(@k) be a multiple of 16, so that aligning
48  *	     this struct to a 16-byte boundary results in @k also being 16-byte
49  *	     aligned.  Users aren't required to align this struct to 16 bytes,
50  *	     but it may slightly improve performance.
51  * @k: This typically contains the AES round keys as an array of '@nrounds + 1'
52  *     groups of four u32 words.  However, architecture-specific implementations
53  *     of AES may store something else here, e.g. just the raw key if it's all
54  *     they need.
55  *
56  * Note that this struct is about half the size of struct aes_key.  This is
57  * separate from struct aes_key so that modes that need only AES encryption
58  * (e.g. AES-GCM, AES-CTR, AES-CMAC, tweak key in AES-XTS) don't incur the time
59  * and space overhead of computing and caching the decryption round keys.
60  *
61  * Note that there's no decryption-only equivalent (i.e. "struct aes_deckey"),
62  * since (a) it's rare that modes need decryption-only, and (b) some AES
63  * implementations use the same @k for both encryption and decryption, either
64  * always or conditionally; in the latter case both @k and @inv_k are needed.
65  */
66 struct aes_enckey {
67 	u32 len;
68 	u32 nrounds;
69 	u32 padding[2];
70 	union aes_enckey_arch k;
71 };
72 
73 /**
74  * struct aes_key - An AES key prepared for encryption and decryption
75  * @aes_enckey: Common fields and the key prepared for encryption
76  * @inv_k: This generally contains the round keys for the AES Equivalent
77  *	   Inverse Cipher, as an array of '@nrounds + 1' groups of four u32
78  *	   words.  However, architecture-specific implementations of AES may
79  *	   store something else here.  For example, they may leave this field
80  *	   uninitialized if they use @k for both encryption and decryption.
81  */
82 struct aes_key {
83 	struct aes_enckey; /* Include all fields of aes_enckey. */
84 	union aes_invkey_arch inv_k;
85 };
86 
87 /*
88  * Please ensure that the first two fields are 16-byte aligned
89  * relative to the start of the structure, i.e., don't move them!
90  */
91 struct crypto_aes_ctx {
92 	u32 key_enc[AES_MAX_KEYLENGTH_U32];
93 	u32 key_dec[AES_MAX_KEYLENGTH_U32];
94 	u32 key_length;
95 };
96 
97 /*
98  * validate key length for AES algorithms
99  */
100 static inline int aes_check_keylen(size_t keylen)
101 {
102 	switch (keylen) {
103 	case AES_KEYSIZE_128:
104 	case AES_KEYSIZE_192:
105 	case AES_KEYSIZE_256:
106 		break;
107 	default:
108 		return -EINVAL;
109 	}
110 
111 	return 0;
112 }
113 
114 /**
115  * aes_expandkey - Expands the AES key as described in FIPS-197
116  * @ctx:	The location where the computed key will be stored.
117  * @in_key:	The supplied key.
118  * @key_len:	The length of the supplied key.
119  *
120  * Returns 0 on success. The function fails only if an invalid key size (or
121  * pointer) is supplied.
122  * The expanded key size is 240 bytes (max of 14 rounds with a unique 16 bytes
123  * key schedule plus a 16 bytes key which is used before the first round).
124  * The decryption key is prepared for the "Equivalent Inverse Cipher" as
125  * described in FIPS-197. The first slot (16 bytes) of each key (enc or dec) is
126  * for the initial combination, the second slot for the first round and so on.
127  */
128 int aes_expandkey(struct crypto_aes_ctx *ctx, const u8 *in_key,
129 		  unsigned int key_len);
130 
131 /*
132  * The following functions are temporarily exported for use by the AES mode
133  * implementations in arch/$(SRCARCH)/crypto/.  These exports will go away when
134  * that code is migrated into lib/crypto/.
135  */
136 #ifdef CONFIG_ARM64
137 int ce_aes_expandkey(struct crypto_aes_ctx *ctx, const u8 *in_key,
138 		     unsigned int key_len);
139 #elif defined(CONFIG_PPC)
140 void ppc_expand_key_128(u32 *key_enc, const u8 *key);
141 void ppc_expand_key_192(u32 *key_enc, const u8 *key);
142 void ppc_expand_key_256(u32 *key_enc, const u8 *key);
143 void ppc_generate_decrypt_key(u32 *key_dec, u32 *key_enc, unsigned int key_len);
144 void ppc_encrypt_ecb(u8 *out, const u8 *in, u32 *key_enc, u32 rounds,
145 		     u32 bytes);
146 void ppc_decrypt_ecb(u8 *out, const u8 *in, u32 *key_dec, u32 rounds,
147 		     u32 bytes);
148 void ppc_encrypt_cbc(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, u32 bytes,
149 		     u8 *iv);
150 void ppc_decrypt_cbc(u8 *out, const u8 *in, u32 *key_dec, u32 rounds, u32 bytes,
151 		     u8 *iv);
152 void ppc_crypt_ctr(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, u32 bytes,
153 		   u8 *iv);
154 void ppc_encrypt_xts(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, u32 bytes,
155 		     u8 *iv, u32 *key_twk);
156 void ppc_decrypt_xts(u8 *out, const u8 *in, u32 *key_dec, u32 rounds, u32 bytes,
157 		     u8 *iv, u32 *key_twk);
158 #endif
159 
160 /**
161  * aes_preparekey() - Prepare an AES key for encryption and decryption
162  * @key: (output) The key structure to initialize
163  * @in_key: The raw AES key
164  * @key_len: Length of the raw key in bytes.  Should be either AES_KEYSIZE_128,
165  *	     AES_KEYSIZE_192, or AES_KEYSIZE_256.
166  *
167  * This prepares an AES key for both the encryption and decryption directions of
168  * the block cipher.  Typically this involves expanding the raw key into both
169  * the standard round keys and the Equivalent Inverse Cipher round keys, but
170  * some architecture-specific implementations don't do the full expansion here.
171  *
172  * The caller is responsible for zeroizing both the struct aes_key and the raw
173  * key once they are no longer needed.
174  *
175  * If you don't need decryption support, use aes_prepareenckey() instead.
176  *
177  * Return: 0 on success or -EINVAL if the given key length is invalid.  No other
178  *	   errors are possible, so callers that always pass a valid key length
179  *	   don't need to check for errors.
180  *
181  * Context: Any context.
182  */
183 int aes_preparekey(struct aes_key *key, const u8 *in_key, size_t key_len);
184 
185 /**
186  * aes_prepareenckey() - Prepare an AES key for encryption-only
187  * @key: (output) The key structure to initialize
188  * @in_key: The raw AES key
189  * @key_len: Length of the raw key in bytes.  Should be either AES_KEYSIZE_128,
190  *	     AES_KEYSIZE_192, or AES_KEYSIZE_256.
191  *
192  * This prepares an AES key for only the encryption direction of the block
193  * cipher.  Typically this involves expanding the raw key into only the standard
194  * round keys, resulting in a struct about half the size of struct aes_key.
195  *
196  * The caller is responsible for zeroizing both the struct aes_enckey and the
197  * raw key once they are no longer needed.
198  *
199  * Note that while the resulting prepared key supports only AES encryption, it
200  * can still be used for decrypting in a mode of operation that uses AES in only
201  * the encryption (forward) direction, for example counter mode.
202  *
203  * Return: 0 on success or -EINVAL if the given key length is invalid.  No other
204  *	   errors are possible, so callers that always pass a valid key length
205  *	   don't need to check for errors.
206  *
207  * Context: Any context.
208  */
209 int aes_prepareenckey(struct aes_enckey *key, const u8 *in_key, size_t key_len);
210 
211 typedef union {
212 	const struct aes_enckey *enc_key;
213 	const struct aes_key *full_key;
214 } aes_encrypt_arg __attribute__ ((__transparent_union__));
215 
216 /**
217  * aes_encrypt() - Encrypt a single AES block
218  * @key: The AES key, as a pointer to either an encryption-only key
219  *	 (struct aes_enckey) or a full, bidirectional key (struct aes_key).
220  * @out: Buffer to store the ciphertext block
221  * @in: Buffer containing the plaintext block
222  *
223  * Context: Any context.
224  */
225 #define aes_encrypt(key, out, in) \
226 	_Generic((key), \
227 		 struct crypto_aes_ctx *: aes_encrypt_old((const struct crypto_aes_ctx *)(key), (out), (in)), \
228 		 const struct crypto_aes_ctx *: aes_encrypt_old((const struct crypto_aes_ctx *)(key), (out), (in)), \
229 		 struct aes_enckey *: aes_encrypt_new((const struct aes_enckey *)(key), (out), (in)), \
230 		 const struct aes_enckey *: aes_encrypt_new((const struct aes_enckey *)(key), (out), (in)), \
231 		 struct aes_key *: aes_encrypt_new((const struct aes_key *)(key), (out), (in)), \
232 		 const struct aes_key *: aes_encrypt_new((const struct aes_key *)(key), (out), (in)))
233 void aes_encrypt_old(const struct crypto_aes_ctx *ctx, u8 *out, const u8 *in);
234 void aes_encrypt_new(aes_encrypt_arg key, u8 out[at_least AES_BLOCK_SIZE],
235 		     const u8 in[at_least AES_BLOCK_SIZE]);
236 
237 /**
238  * aes_decrypt() - Decrypt a single AES block
239  * @key: The AES key, previously initialized by aes_preparekey()
240  * @out: Buffer to store the plaintext block
241  * @in: Buffer containing the ciphertext block
242  *
243  * Context: Any context.
244  */
245 #define aes_decrypt(key, out, in) \
246 	_Generic((key), \
247 		 struct crypto_aes_ctx *: aes_decrypt_old((const struct crypto_aes_ctx *)(key), (out), (in)), \
248 		 const struct crypto_aes_ctx *: aes_decrypt_old((const struct crypto_aes_ctx *)(key), (out), (in)), \
249 		 struct aes_key *: aes_decrypt_new((const struct aes_key *)(key), (out), (in)), \
250 		 const struct aes_key *: aes_decrypt_new((const struct aes_key *)(key), (out), (in)))
251 void aes_decrypt_old(const struct crypto_aes_ctx *ctx, u8 *out, const u8 *in);
252 void aes_decrypt_new(const struct aes_key *key, u8 out[at_least AES_BLOCK_SIZE],
253 		     const u8 in[at_least AES_BLOCK_SIZE]);
254 
255 extern const u8 crypto_aes_sbox[];
256 extern const u8 crypto_aes_inv_sbox[];
257 extern const u32 aes_enc_tab[256];
258 extern const u32 aes_dec_tab[256];
259 
260 void aescfb_encrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src,
261 		    int len, const u8 iv[AES_BLOCK_SIZE]);
262 void aescfb_decrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src,
263 		    int len, const u8 iv[AES_BLOCK_SIZE]);
264 
265 #endif
266