1 /* SPDX-License-Identifier: GPL-2.0 */ 2 /* 3 * Common values for AES algorithms 4 */ 5 6 #ifndef _CRYPTO_AES_H 7 #define _CRYPTO_AES_H 8 9 #include <linux/types.h> 10 #include <linux/crypto.h> 11 12 #define AES_MIN_KEY_SIZE 16 13 #define AES_MAX_KEY_SIZE 32 14 #define AES_KEYSIZE_128 16 15 #define AES_KEYSIZE_192 24 16 #define AES_KEYSIZE_256 32 17 #define AES_BLOCK_SIZE 16 18 #define AES_MAX_KEYLENGTH (15 * 16) 19 #define AES_MAX_KEYLENGTH_U32 (AES_MAX_KEYLENGTH / sizeof(u32)) 20 21 union aes_enckey_arch { 22 u32 rndkeys[AES_MAX_KEYLENGTH_U32]; 23 }; 24 25 union aes_invkey_arch { 26 u32 inv_rndkeys[AES_MAX_KEYLENGTH_U32]; 27 }; 28 29 /** 30 * struct aes_enckey - An AES key prepared for encryption 31 * @len: Key length in bytes: 16 for AES-128, 24 for AES-192, 32 for AES-256. 32 * @nrounds: Number of rounds: 10 for AES-128, 12 for AES-192, 14 for AES-256. 33 * This is '6 + @len / 4' and is cached so that AES implementations 34 * that need it don't have to recompute it for each en/decryption. 35 * @padding: Padding to make offsetof(@k) be a multiple of 16, so that aligning 36 * this struct to a 16-byte boundary results in @k also being 16-byte 37 * aligned. Users aren't required to align this struct to 16 bytes, 38 * but it may slightly improve performance. 39 * @k: This typically contains the AES round keys as an array of '@nrounds + 1' 40 * groups of four u32 words. However, architecture-specific implementations 41 * of AES may store something else here, e.g. just the raw key if it's all 42 * they need. 43 * 44 * Note that this struct is about half the size of struct aes_key. This is 45 * separate from struct aes_key so that modes that need only AES encryption 46 * (e.g. AES-GCM, AES-CTR, AES-CMAC, tweak key in AES-XTS) don't incur the time 47 * and space overhead of computing and caching the decryption round keys. 48 * 49 * Note that there's no decryption-only equivalent (i.e. "struct aes_deckey"), 50 * since (a) it's rare that modes need decryption-only, and (b) some AES 51 * implementations use the same @k for both encryption and decryption, either 52 * always or conditionally; in the latter case both @k and @inv_k are needed. 53 */ 54 struct aes_enckey { 55 u32 len; 56 u32 nrounds; 57 u32 padding[2]; 58 union aes_enckey_arch k; 59 }; 60 61 /** 62 * struct aes_key - An AES key prepared for encryption and decryption 63 * @aes_enckey: Common fields and the key prepared for encryption 64 * @inv_k: This generally contains the round keys for the AES Equivalent 65 * Inverse Cipher, as an array of '@nrounds + 1' groups of four u32 66 * words. However, architecture-specific implementations of AES may 67 * store something else here. For example, they may leave this field 68 * uninitialized if they use @k for both encryption and decryption. 69 */ 70 struct aes_key { 71 struct aes_enckey; /* Include all fields of aes_enckey. */ 72 union aes_invkey_arch inv_k; 73 }; 74 75 /* 76 * Please ensure that the first two fields are 16-byte aligned 77 * relative to the start of the structure, i.e., don't move them! 78 */ 79 struct crypto_aes_ctx { 80 u32 key_enc[AES_MAX_KEYLENGTH_U32]; 81 u32 key_dec[AES_MAX_KEYLENGTH_U32]; 82 u32 key_length; 83 }; 84 85 /* 86 * validate key length for AES algorithms 87 */ 88 static inline int aes_check_keylen(size_t keylen) 89 { 90 switch (keylen) { 91 case AES_KEYSIZE_128: 92 case AES_KEYSIZE_192: 93 case AES_KEYSIZE_256: 94 break; 95 default: 96 return -EINVAL; 97 } 98 99 return 0; 100 } 101 102 /** 103 * aes_expandkey - Expands the AES key as described in FIPS-197 104 * @ctx: The location where the computed key will be stored. 105 * @in_key: The supplied key. 106 * @key_len: The length of the supplied key. 107 * 108 * Returns 0 on success. The function fails only if an invalid key size (or 109 * pointer) is supplied. 110 * The expanded key size is 240 bytes (max of 14 rounds with a unique 16 bytes 111 * key schedule plus a 16 bytes key which is used before the first round). 112 * The decryption key is prepared for the "Equivalent Inverse Cipher" as 113 * described in FIPS-197. The first slot (16 bytes) of each key (enc or dec) is 114 * for the initial combination, the second slot for the first round and so on. 115 */ 116 int aes_expandkey(struct crypto_aes_ctx *ctx, const u8 *in_key, 117 unsigned int key_len); 118 119 /* 120 * The following functions are temporarily exported for use by the AES mode 121 * implementations in arch/$(SRCARCH)/crypto/. These exports will go away when 122 * that code is migrated into lib/crypto/. 123 */ 124 #ifdef CONFIG_ARM64 125 int ce_aes_expandkey(struct crypto_aes_ctx *ctx, const u8 *in_key, 126 unsigned int key_len); 127 #endif 128 129 /** 130 * aes_preparekey() - Prepare an AES key for encryption and decryption 131 * @key: (output) The key structure to initialize 132 * @in_key: The raw AES key 133 * @key_len: Length of the raw key in bytes. Should be either AES_KEYSIZE_128, 134 * AES_KEYSIZE_192, or AES_KEYSIZE_256. 135 * 136 * This prepares an AES key for both the encryption and decryption directions of 137 * the block cipher. Typically this involves expanding the raw key into both 138 * the standard round keys and the Equivalent Inverse Cipher round keys, but 139 * some architecture-specific implementations don't do the full expansion here. 140 * 141 * The caller is responsible for zeroizing both the struct aes_key and the raw 142 * key once they are no longer needed. 143 * 144 * If you don't need decryption support, use aes_prepareenckey() instead. 145 * 146 * Return: 0 on success or -EINVAL if the given key length is invalid. No other 147 * errors are possible, so callers that always pass a valid key length 148 * don't need to check for errors. 149 * 150 * Context: Any context. 151 */ 152 int aes_preparekey(struct aes_key *key, const u8 *in_key, size_t key_len); 153 154 /** 155 * aes_prepareenckey() - Prepare an AES key for encryption-only 156 * @key: (output) The key structure to initialize 157 * @in_key: The raw AES key 158 * @key_len: Length of the raw key in bytes. Should be either AES_KEYSIZE_128, 159 * AES_KEYSIZE_192, or AES_KEYSIZE_256. 160 * 161 * This prepares an AES key for only the encryption direction of the block 162 * cipher. Typically this involves expanding the raw key into only the standard 163 * round keys, resulting in a struct about half the size of struct aes_key. 164 * 165 * The caller is responsible for zeroizing both the struct aes_enckey and the 166 * raw key once they are no longer needed. 167 * 168 * Note that while the resulting prepared key supports only AES encryption, it 169 * can still be used for decrypting in a mode of operation that uses AES in only 170 * the encryption (forward) direction, for example counter mode. 171 * 172 * Return: 0 on success or -EINVAL if the given key length is invalid. No other 173 * errors are possible, so callers that always pass a valid key length 174 * don't need to check for errors. 175 * 176 * Context: Any context. 177 */ 178 int aes_prepareenckey(struct aes_enckey *key, const u8 *in_key, size_t key_len); 179 180 typedef union { 181 const struct aes_enckey *enc_key; 182 const struct aes_key *full_key; 183 } aes_encrypt_arg __attribute__ ((__transparent_union__)); 184 185 /** 186 * aes_encrypt() - Encrypt a single AES block 187 * @key: The AES key, as a pointer to either an encryption-only key 188 * (struct aes_enckey) or a full, bidirectional key (struct aes_key). 189 * @out: Buffer to store the ciphertext block 190 * @in: Buffer containing the plaintext block 191 * 192 * Context: Any context. 193 */ 194 #define aes_encrypt(key, out, in) \ 195 _Generic((key), \ 196 struct crypto_aes_ctx *: aes_encrypt_old((const struct crypto_aes_ctx *)(key), (out), (in)), \ 197 const struct crypto_aes_ctx *: aes_encrypt_old((const struct crypto_aes_ctx *)(key), (out), (in)), \ 198 struct aes_enckey *: aes_encrypt_new((const struct aes_enckey *)(key), (out), (in)), \ 199 const struct aes_enckey *: aes_encrypt_new((const struct aes_enckey *)(key), (out), (in)), \ 200 struct aes_key *: aes_encrypt_new((const struct aes_key *)(key), (out), (in)), \ 201 const struct aes_key *: aes_encrypt_new((const struct aes_key *)(key), (out), (in))) 202 void aes_encrypt_old(const struct crypto_aes_ctx *ctx, u8 *out, const u8 *in); 203 void aes_encrypt_new(aes_encrypt_arg key, u8 out[at_least AES_BLOCK_SIZE], 204 const u8 in[at_least AES_BLOCK_SIZE]); 205 206 /** 207 * aes_decrypt() - Decrypt a single AES block 208 * @key: The AES key, previously initialized by aes_preparekey() 209 * @out: Buffer to store the plaintext block 210 * @in: Buffer containing the ciphertext block 211 * 212 * Context: Any context. 213 */ 214 #define aes_decrypt(key, out, in) \ 215 _Generic((key), \ 216 struct crypto_aes_ctx *: aes_decrypt_old((const struct crypto_aes_ctx *)(key), (out), (in)), \ 217 const struct crypto_aes_ctx *: aes_decrypt_old((const struct crypto_aes_ctx *)(key), (out), (in)), \ 218 struct aes_key *: aes_decrypt_new((const struct aes_key *)(key), (out), (in)), \ 219 const struct aes_key *: aes_decrypt_new((const struct aes_key *)(key), (out), (in))) 220 void aes_decrypt_old(const struct crypto_aes_ctx *ctx, u8 *out, const u8 *in); 221 void aes_decrypt_new(const struct aes_key *key, u8 out[at_least AES_BLOCK_SIZE], 222 const u8 in[at_least AES_BLOCK_SIZE]); 223 224 extern const u8 crypto_aes_sbox[]; 225 extern const u8 crypto_aes_inv_sbox[]; 226 extern const u32 aes_enc_tab[256]; 227 extern const u32 aes_dec_tab[256]; 228 229 void aescfb_encrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src, 230 int len, const u8 iv[AES_BLOCK_SIZE]); 231 void aescfb_decrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src, 232 int len, const u8 iv[AES_BLOCK_SIZE]); 233 234 #endif 235