1 /* SPDX-License-Identifier: GPL-2.0 */ 2 /* 3 * Common values for AES algorithms 4 */ 5 6 #ifndef _CRYPTO_AES_H 7 #define _CRYPTO_AES_H 8 9 #include <linux/types.h> 10 #include <linux/crypto.h> 11 12 #define AES_MIN_KEY_SIZE 16 13 #define AES_MAX_KEY_SIZE 32 14 #define AES_KEYSIZE_128 16 15 #define AES_KEYSIZE_192 24 16 #define AES_KEYSIZE_256 32 17 #define AES_BLOCK_SIZE 16 18 #define AES_MAX_KEYLENGTH (15 * 16) 19 #define AES_MAX_KEYLENGTH_U32 (AES_MAX_KEYLENGTH / sizeof(u32)) 20 21 /* 22 * The POWER8 VSX optimized AES assembly code is borrowed from OpenSSL and 23 * inherits OpenSSL's AES_KEY format, which stores the number of rounds after 24 * the round keys. That assembly code is difficult to change. So for 25 * compatibility purposes we reserve space for the extra nrounds field on PPC64. 26 * 27 * Note: when prepared for decryption, the round keys are just the reversed 28 * standard round keys, not the round keys for the Equivalent Inverse Cipher. 29 */ 30 struct p8_aes_key { 31 u32 rndkeys[AES_MAX_KEYLENGTH_U32]; 32 int nrounds; 33 }; 34 35 union aes_enckey_arch { 36 u32 rndkeys[AES_MAX_KEYLENGTH_U32]; 37 #ifdef CONFIG_CRYPTO_LIB_AES_ARCH 38 #if defined(CONFIG_PPC) && defined(CONFIG_SPE) 39 /* Used unconditionally (when SPE AES code is enabled in kconfig) */ 40 u32 spe_enc_key[AES_MAX_KEYLENGTH_U32] __aligned(8); 41 #elif defined(CONFIG_PPC) 42 /* 43 * Kernels that include the POWER8 VSX optimized AES code use this field 44 * when that code is usable at key preparation time. Otherwise they 45 * fall back to rndkeys. In the latter case, p8.nrounds (which doesn't 46 * overlap rndkeys) is set to 0 to differentiate the two formats. 47 */ 48 struct p8_aes_key p8; 49 #endif 50 #endif /* CONFIG_CRYPTO_LIB_AES_ARCH */ 51 }; 52 53 union aes_invkey_arch { 54 u32 inv_rndkeys[AES_MAX_KEYLENGTH_U32]; 55 #ifdef CONFIG_CRYPTO_LIB_AES_ARCH 56 #if defined(CONFIG_PPC) && defined(CONFIG_SPE) 57 /* Used unconditionally (when SPE AES code is enabled in kconfig) */ 58 u32 spe_dec_key[AES_MAX_KEYLENGTH_U32] __aligned(8); 59 #elif defined(CONFIG_PPC) 60 /* Used conditionally, analogous to aes_enckey_arch::p8 */ 61 struct p8_aes_key p8; 62 #endif 63 #endif /* CONFIG_CRYPTO_LIB_AES_ARCH */ 64 }; 65 66 /** 67 * struct aes_enckey - An AES key prepared for encryption 68 * @len: Key length in bytes: 16 for AES-128, 24 for AES-192, 32 for AES-256. 69 * @nrounds: Number of rounds: 10 for AES-128, 12 for AES-192, 14 for AES-256. 70 * This is '6 + @len / 4' and is cached so that AES implementations 71 * that need it don't have to recompute it for each en/decryption. 72 * @padding: Padding to make offsetof(@k) be a multiple of 16, so that aligning 73 * this struct to a 16-byte boundary results in @k also being 16-byte 74 * aligned. Users aren't required to align this struct to 16 bytes, 75 * but it may slightly improve performance. 76 * @k: This typically contains the AES round keys as an array of '@nrounds + 1' 77 * groups of four u32 words. However, architecture-specific implementations 78 * of AES may store something else here, e.g. just the raw key if it's all 79 * they need. 80 * 81 * Note that this struct is about half the size of struct aes_key. This is 82 * separate from struct aes_key so that modes that need only AES encryption 83 * (e.g. AES-GCM, AES-CTR, AES-CMAC, tweak key in AES-XTS) don't incur the time 84 * and space overhead of computing and caching the decryption round keys. 85 * 86 * Note that there's no decryption-only equivalent (i.e. "struct aes_deckey"), 87 * since (a) it's rare that modes need decryption-only, and (b) some AES 88 * implementations use the same @k for both encryption and decryption, either 89 * always or conditionally; in the latter case both @k and @inv_k are needed. 90 */ 91 struct aes_enckey { 92 u32 len; 93 u32 nrounds; 94 u32 padding[2]; 95 union aes_enckey_arch k; 96 }; 97 98 /** 99 * struct aes_key - An AES key prepared for encryption and decryption 100 * @aes_enckey: Common fields and the key prepared for encryption 101 * @inv_k: This generally contains the round keys for the AES Equivalent 102 * Inverse Cipher, as an array of '@nrounds + 1' groups of four u32 103 * words. However, architecture-specific implementations of AES may 104 * store something else here. For example, they may leave this field 105 * uninitialized if they use @k for both encryption and decryption. 106 */ 107 struct aes_key { 108 struct aes_enckey; /* Include all fields of aes_enckey. */ 109 union aes_invkey_arch inv_k; 110 }; 111 112 /* 113 * Please ensure that the first two fields are 16-byte aligned 114 * relative to the start of the structure, i.e., don't move them! 115 */ 116 struct crypto_aes_ctx { 117 u32 key_enc[AES_MAX_KEYLENGTH_U32]; 118 u32 key_dec[AES_MAX_KEYLENGTH_U32]; 119 u32 key_length; 120 }; 121 122 /* 123 * validate key length for AES algorithms 124 */ 125 static inline int aes_check_keylen(size_t keylen) 126 { 127 switch (keylen) { 128 case AES_KEYSIZE_128: 129 case AES_KEYSIZE_192: 130 case AES_KEYSIZE_256: 131 break; 132 default: 133 return -EINVAL; 134 } 135 136 return 0; 137 } 138 139 /** 140 * aes_expandkey - Expands the AES key as described in FIPS-197 141 * @ctx: The location where the computed key will be stored. 142 * @in_key: The supplied key. 143 * @key_len: The length of the supplied key. 144 * 145 * Returns 0 on success. The function fails only if an invalid key size (or 146 * pointer) is supplied. 147 * The expanded key size is 240 bytes (max of 14 rounds with a unique 16 bytes 148 * key schedule plus a 16 bytes key which is used before the first round). 149 * The decryption key is prepared for the "Equivalent Inverse Cipher" as 150 * described in FIPS-197. The first slot (16 bytes) of each key (enc or dec) is 151 * for the initial combination, the second slot for the first round and so on. 152 */ 153 int aes_expandkey(struct crypto_aes_ctx *ctx, const u8 *in_key, 154 unsigned int key_len); 155 156 /* 157 * The following functions are temporarily exported for use by the AES mode 158 * implementations in arch/$(SRCARCH)/crypto/. These exports will go away when 159 * that code is migrated into lib/crypto/. 160 */ 161 #ifdef CONFIG_ARM64 162 int ce_aes_expandkey(struct crypto_aes_ctx *ctx, const u8 *in_key, 163 unsigned int key_len); 164 #elif defined(CONFIG_PPC) 165 void ppc_expand_key_128(u32 *key_enc, const u8 *key); 166 void ppc_expand_key_192(u32 *key_enc, const u8 *key); 167 void ppc_expand_key_256(u32 *key_enc, const u8 *key); 168 void ppc_generate_decrypt_key(u32 *key_dec, u32 *key_enc, unsigned int key_len); 169 void ppc_encrypt_ecb(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, 170 u32 bytes); 171 void ppc_decrypt_ecb(u8 *out, const u8 *in, u32 *key_dec, u32 rounds, 172 u32 bytes); 173 void ppc_encrypt_cbc(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, u32 bytes, 174 u8 *iv); 175 void ppc_decrypt_cbc(u8 *out, const u8 *in, u32 *key_dec, u32 rounds, u32 bytes, 176 u8 *iv); 177 void ppc_crypt_ctr(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, u32 bytes, 178 u8 *iv); 179 void ppc_encrypt_xts(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, u32 bytes, 180 u8 *iv, u32 *key_twk); 181 void ppc_decrypt_xts(u8 *out, const u8 *in, u32 *key_dec, u32 rounds, u32 bytes, 182 u8 *iv, u32 *key_twk); 183 int aes_p8_set_encrypt_key(const u8 *userKey, const int bits, 184 struct p8_aes_key *key); 185 int aes_p8_set_decrypt_key(const u8 *userKey, const int bits, 186 struct p8_aes_key *key); 187 void aes_p8_encrypt(const u8 *in, u8 *out, const struct p8_aes_key *key); 188 void aes_p8_decrypt(const u8 *in, u8 *out, const struct p8_aes_key *key); 189 void aes_p8_cbc_encrypt(const u8 *in, u8 *out, size_t len, 190 const struct p8_aes_key *key, u8 *iv, const int enc); 191 void aes_p8_ctr32_encrypt_blocks(const u8 *in, u8 *out, size_t len, 192 const struct p8_aes_key *key, const u8 *iv); 193 void aes_p8_xts_encrypt(const u8 *in, u8 *out, size_t len, 194 const struct p8_aes_key *key1, 195 const struct p8_aes_key *key2, u8 *iv); 196 void aes_p8_xts_decrypt(const u8 *in, u8 *out, size_t len, 197 const struct p8_aes_key *key1, 198 const struct p8_aes_key *key2, u8 *iv); 199 #endif 200 201 /** 202 * aes_preparekey() - Prepare an AES key for encryption and decryption 203 * @key: (output) The key structure to initialize 204 * @in_key: The raw AES key 205 * @key_len: Length of the raw key in bytes. Should be either AES_KEYSIZE_128, 206 * AES_KEYSIZE_192, or AES_KEYSIZE_256. 207 * 208 * This prepares an AES key for both the encryption and decryption directions of 209 * the block cipher. Typically this involves expanding the raw key into both 210 * the standard round keys and the Equivalent Inverse Cipher round keys, but 211 * some architecture-specific implementations don't do the full expansion here. 212 * 213 * The caller is responsible for zeroizing both the struct aes_key and the raw 214 * key once they are no longer needed. 215 * 216 * If you don't need decryption support, use aes_prepareenckey() instead. 217 * 218 * Return: 0 on success or -EINVAL if the given key length is invalid. No other 219 * errors are possible, so callers that always pass a valid key length 220 * don't need to check for errors. 221 * 222 * Context: Any context. 223 */ 224 int aes_preparekey(struct aes_key *key, const u8 *in_key, size_t key_len); 225 226 /** 227 * aes_prepareenckey() - Prepare an AES key for encryption-only 228 * @key: (output) The key structure to initialize 229 * @in_key: The raw AES key 230 * @key_len: Length of the raw key in bytes. Should be either AES_KEYSIZE_128, 231 * AES_KEYSIZE_192, or AES_KEYSIZE_256. 232 * 233 * This prepares an AES key for only the encryption direction of the block 234 * cipher. Typically this involves expanding the raw key into only the standard 235 * round keys, resulting in a struct about half the size of struct aes_key. 236 * 237 * The caller is responsible for zeroizing both the struct aes_enckey and the 238 * raw key once they are no longer needed. 239 * 240 * Note that while the resulting prepared key supports only AES encryption, it 241 * can still be used for decrypting in a mode of operation that uses AES in only 242 * the encryption (forward) direction, for example counter mode. 243 * 244 * Return: 0 on success or -EINVAL if the given key length is invalid. No other 245 * errors are possible, so callers that always pass a valid key length 246 * don't need to check for errors. 247 * 248 * Context: Any context. 249 */ 250 int aes_prepareenckey(struct aes_enckey *key, const u8 *in_key, size_t key_len); 251 252 typedef union { 253 const struct aes_enckey *enc_key; 254 const struct aes_key *full_key; 255 } aes_encrypt_arg __attribute__ ((__transparent_union__)); 256 257 /** 258 * aes_encrypt() - Encrypt a single AES block 259 * @key: The AES key, as a pointer to either an encryption-only key 260 * (struct aes_enckey) or a full, bidirectional key (struct aes_key). 261 * @out: Buffer to store the ciphertext block 262 * @in: Buffer containing the plaintext block 263 * 264 * Context: Any context. 265 */ 266 #define aes_encrypt(key, out, in) \ 267 _Generic((key), \ 268 struct crypto_aes_ctx *: aes_encrypt_old((const struct crypto_aes_ctx *)(key), (out), (in)), \ 269 const struct crypto_aes_ctx *: aes_encrypt_old((const struct crypto_aes_ctx *)(key), (out), (in)), \ 270 struct aes_enckey *: aes_encrypt_new((const struct aes_enckey *)(key), (out), (in)), \ 271 const struct aes_enckey *: aes_encrypt_new((const struct aes_enckey *)(key), (out), (in)), \ 272 struct aes_key *: aes_encrypt_new((const struct aes_key *)(key), (out), (in)), \ 273 const struct aes_key *: aes_encrypt_new((const struct aes_key *)(key), (out), (in))) 274 void aes_encrypt_old(const struct crypto_aes_ctx *ctx, u8 *out, const u8 *in); 275 void aes_encrypt_new(aes_encrypt_arg key, u8 out[at_least AES_BLOCK_SIZE], 276 const u8 in[at_least AES_BLOCK_SIZE]); 277 278 /** 279 * aes_decrypt() - Decrypt a single AES block 280 * @key: The AES key, previously initialized by aes_preparekey() 281 * @out: Buffer to store the plaintext block 282 * @in: Buffer containing the ciphertext block 283 * 284 * Context: Any context. 285 */ 286 #define aes_decrypt(key, out, in) \ 287 _Generic((key), \ 288 struct crypto_aes_ctx *: aes_decrypt_old((const struct crypto_aes_ctx *)(key), (out), (in)), \ 289 const struct crypto_aes_ctx *: aes_decrypt_old((const struct crypto_aes_ctx *)(key), (out), (in)), \ 290 struct aes_key *: aes_decrypt_new((const struct aes_key *)(key), (out), (in)), \ 291 const struct aes_key *: aes_decrypt_new((const struct aes_key *)(key), (out), (in))) 292 void aes_decrypt_old(const struct crypto_aes_ctx *ctx, u8 *out, const u8 *in); 293 void aes_decrypt_new(const struct aes_key *key, u8 out[at_least AES_BLOCK_SIZE], 294 const u8 in[at_least AES_BLOCK_SIZE]); 295 296 extern const u8 crypto_aes_sbox[]; 297 extern const u8 crypto_aes_inv_sbox[]; 298 extern const u32 aes_enc_tab[256]; 299 extern const u32 aes_dec_tab[256]; 300 301 void aescfb_encrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src, 302 int len, const u8 iv[AES_BLOCK_SIZE]); 303 void aescfb_decrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src, 304 int len, const u8 iv[AES_BLOCK_SIZE]); 305 306 #endif 307