1 /* SPDX-License-Identifier: GPL-2.0 */ 2 /* 3 * Common values for AES algorithms 4 */ 5 6 #ifndef _CRYPTO_AES_H 7 #define _CRYPTO_AES_H 8 9 #include <linux/types.h> 10 #include <linux/crypto.h> 11 12 #define AES_MIN_KEY_SIZE 16 13 #define AES_MAX_KEY_SIZE 32 14 #define AES_KEYSIZE_128 16 15 #define AES_KEYSIZE_192 24 16 #define AES_KEYSIZE_256 32 17 #define AES_BLOCK_SIZE 16 18 #define AES_MAX_KEYLENGTH (15 * 16) 19 #define AES_MAX_KEYLENGTH_U32 (AES_MAX_KEYLENGTH / sizeof(u32)) 20 21 /* 22 * The POWER8 VSX optimized AES assembly code is borrowed from OpenSSL and 23 * inherits OpenSSL's AES_KEY format, which stores the number of rounds after 24 * the round keys. That assembly code is difficult to change. So for 25 * compatibility purposes we reserve space for the extra nrounds field on PPC64. 26 * 27 * Note: when prepared for decryption, the round keys are just the reversed 28 * standard round keys, not the round keys for the Equivalent Inverse Cipher. 29 */ 30 struct p8_aes_key { 31 u32 rndkeys[AES_MAX_KEYLENGTH_U32]; 32 int nrounds; 33 }; 34 35 union aes_enckey_arch { 36 u32 rndkeys[AES_MAX_KEYLENGTH_U32]; 37 #ifdef CONFIG_CRYPTO_LIB_AES_ARCH 38 #if defined(CONFIG_PPC) && defined(CONFIG_SPE) 39 /* Used unconditionally (when SPE AES code is enabled in kconfig) */ 40 u32 spe_enc_key[AES_MAX_KEYLENGTH_U32] __aligned(8); 41 #elif defined(CONFIG_PPC) 42 /* 43 * Kernels that include the POWER8 VSX optimized AES code use this field 44 * when that code is usable at key preparation time. Otherwise they 45 * fall back to rndkeys. In the latter case, p8.nrounds (which doesn't 46 * overlap rndkeys) is set to 0 to differentiate the two formats. 47 */ 48 struct p8_aes_key p8; 49 #elif defined(CONFIG_S390) 50 /* Used when the CPU supports CPACF AES for this key's length */ 51 u8 raw_key[AES_MAX_KEY_SIZE]; 52 #elif defined(CONFIG_SPARC64) 53 /* Used when the CPU supports the SPARC64 AES opcodes */ 54 u64 sparc_rndkeys[AES_MAX_KEYLENGTH / sizeof(u64)]; 55 #endif 56 #endif /* CONFIG_CRYPTO_LIB_AES_ARCH */ 57 }; 58 59 union aes_invkey_arch { 60 u32 inv_rndkeys[AES_MAX_KEYLENGTH_U32]; 61 #ifdef CONFIG_CRYPTO_LIB_AES_ARCH 62 #if defined(CONFIG_PPC) && defined(CONFIG_SPE) 63 /* Used unconditionally (when SPE AES code is enabled in kconfig) */ 64 u32 spe_dec_key[AES_MAX_KEYLENGTH_U32] __aligned(8); 65 #elif defined(CONFIG_PPC) 66 /* Used conditionally, analogous to aes_enckey_arch::p8 */ 67 struct p8_aes_key p8; 68 #endif 69 #endif /* CONFIG_CRYPTO_LIB_AES_ARCH */ 70 }; 71 72 /** 73 * struct aes_enckey - An AES key prepared for encryption 74 * @len: Key length in bytes: 16 for AES-128, 24 for AES-192, 32 for AES-256. 75 * @nrounds: Number of rounds: 10 for AES-128, 12 for AES-192, 14 for AES-256. 76 * This is '6 + @len / 4' and is cached so that AES implementations 77 * that need it don't have to recompute it for each en/decryption. 78 * @padding: Padding to make offsetof(@k) be a multiple of 16, so that aligning 79 * this struct to a 16-byte boundary results in @k also being 16-byte 80 * aligned. Users aren't required to align this struct to 16 bytes, 81 * but it may slightly improve performance. 82 * @k: This typically contains the AES round keys as an array of '@nrounds + 1' 83 * groups of four u32 words. However, architecture-specific implementations 84 * of AES may store something else here, e.g. just the raw key if it's all 85 * they need. 86 * 87 * Note that this struct is about half the size of struct aes_key. This is 88 * separate from struct aes_key so that modes that need only AES encryption 89 * (e.g. AES-GCM, AES-CTR, AES-CMAC, tweak key in AES-XTS) don't incur the time 90 * and space overhead of computing and caching the decryption round keys. 91 * 92 * Note that there's no decryption-only equivalent (i.e. "struct aes_deckey"), 93 * since (a) it's rare that modes need decryption-only, and (b) some AES 94 * implementations use the same @k for both encryption and decryption, either 95 * always or conditionally; in the latter case both @k and @inv_k are needed. 96 */ 97 struct aes_enckey { 98 u32 len; 99 u32 nrounds; 100 u32 padding[2]; 101 union aes_enckey_arch k; 102 }; 103 104 /** 105 * struct aes_key - An AES key prepared for encryption and decryption 106 * @aes_enckey: Common fields and the key prepared for encryption 107 * @inv_k: This generally contains the round keys for the AES Equivalent 108 * Inverse Cipher, as an array of '@nrounds + 1' groups of four u32 109 * words. However, architecture-specific implementations of AES may 110 * store something else here. For example, they may leave this field 111 * uninitialized if they use @k for both encryption and decryption. 112 */ 113 struct aes_key { 114 struct aes_enckey; /* Include all fields of aes_enckey. */ 115 union aes_invkey_arch inv_k; 116 }; 117 118 /* 119 * Please ensure that the first two fields are 16-byte aligned 120 * relative to the start of the structure, i.e., don't move them! 121 */ 122 struct crypto_aes_ctx { 123 u32 key_enc[AES_MAX_KEYLENGTH_U32]; 124 u32 key_dec[AES_MAX_KEYLENGTH_U32]; 125 u32 key_length; 126 }; 127 128 /* 129 * validate key length for AES algorithms 130 */ 131 static inline int aes_check_keylen(size_t keylen) 132 { 133 switch (keylen) { 134 case AES_KEYSIZE_128: 135 case AES_KEYSIZE_192: 136 case AES_KEYSIZE_256: 137 break; 138 default: 139 return -EINVAL; 140 } 141 142 return 0; 143 } 144 145 /** 146 * aes_expandkey - Expands the AES key as described in FIPS-197 147 * @ctx: The location where the computed key will be stored. 148 * @in_key: The supplied key. 149 * @key_len: The length of the supplied key. 150 * 151 * Returns 0 on success. The function fails only if an invalid key size (or 152 * pointer) is supplied. 153 * The expanded key size is 240 bytes (max of 14 rounds with a unique 16 bytes 154 * key schedule plus a 16 bytes key which is used before the first round). 155 * The decryption key is prepared for the "Equivalent Inverse Cipher" as 156 * described in FIPS-197. The first slot (16 bytes) of each key (enc or dec) is 157 * for the initial combination, the second slot for the first round and so on. 158 */ 159 int aes_expandkey(struct crypto_aes_ctx *ctx, const u8 *in_key, 160 unsigned int key_len); 161 162 /* 163 * The following functions are temporarily exported for use by the AES mode 164 * implementations in arch/$(SRCARCH)/crypto/. These exports will go away when 165 * that code is migrated into lib/crypto/. 166 */ 167 #ifdef CONFIG_ARM64 168 int ce_aes_expandkey(struct crypto_aes_ctx *ctx, const u8 *in_key, 169 unsigned int key_len); 170 asmlinkage void neon_aes_ecb_encrypt(u8 out[], u8 const in[], u32 const rk[], 171 int rounds, int blocks); 172 asmlinkage void neon_aes_ecb_decrypt(u8 out[], u8 const in[], u32 const rk[], 173 int rounds, int blocks); 174 asmlinkage void neon_aes_cbc_encrypt(u8 out[], u8 const in[], u32 const rk[], 175 int rounds, int blocks, u8 iv[]); 176 asmlinkage void neon_aes_cbc_decrypt(u8 out[], u8 const in[], u32 const rk[], 177 int rounds, int blocks, u8 iv[]); 178 asmlinkage void neon_aes_cbc_cts_encrypt(u8 out[], u8 const in[], 179 u32 const rk[], int rounds, int bytes, 180 u8 const iv[]); 181 asmlinkage void neon_aes_cbc_cts_decrypt(u8 out[], u8 const in[], 182 u32 const rk[], int rounds, int bytes, 183 u8 const iv[]); 184 asmlinkage void neon_aes_ctr_encrypt(u8 out[], u8 const in[], u32 const rk[], 185 int rounds, int bytes, u8 ctr[]); 186 asmlinkage void neon_aes_xctr_encrypt(u8 out[], u8 const in[], u32 const rk[], 187 int rounds, int bytes, u8 ctr[], 188 int byte_ctr); 189 asmlinkage void neon_aes_xts_encrypt(u8 out[], u8 const in[], u32 const rk1[], 190 int rounds, int bytes, u32 const rk2[], 191 u8 iv[], int first); 192 asmlinkage void neon_aes_xts_decrypt(u8 out[], u8 const in[], u32 const rk1[], 193 int rounds, int bytes, u32 const rk2[], 194 u8 iv[], int first); 195 asmlinkage void neon_aes_essiv_cbc_encrypt(u8 out[], u8 const in[], 196 u32 const rk1[], int rounds, 197 int blocks, u8 iv[], 198 u32 const rk2[]); 199 asmlinkage void neon_aes_essiv_cbc_decrypt(u8 out[], u8 const in[], 200 u32 const rk1[], int rounds, 201 int blocks, u8 iv[], 202 u32 const rk2[]); 203 204 asmlinkage void ce_aes_ecb_encrypt(u8 out[], u8 const in[], u32 const rk[], 205 int rounds, int blocks); 206 asmlinkage void ce_aes_ecb_decrypt(u8 out[], u8 const in[], u32 const rk[], 207 int rounds, int blocks); 208 asmlinkage void ce_aes_cbc_encrypt(u8 out[], u8 const in[], u32 const rk[], 209 int rounds, int blocks, u8 iv[]); 210 asmlinkage void ce_aes_cbc_decrypt(u8 out[], u8 const in[], u32 const rk[], 211 int rounds, int blocks, u8 iv[]); 212 asmlinkage void ce_aes_cbc_cts_encrypt(u8 out[], u8 const in[], u32 const rk[], 213 int rounds, int bytes, u8 const iv[]); 214 asmlinkage void ce_aes_cbc_cts_decrypt(u8 out[], u8 const in[], u32 const rk[], 215 int rounds, int bytes, u8 const iv[]); 216 asmlinkage void ce_aes_ctr_encrypt(u8 out[], u8 const in[], u32 const rk[], 217 int rounds, int bytes, u8 ctr[]); 218 asmlinkage void ce_aes_xctr_encrypt(u8 out[], u8 const in[], u32 const rk[], 219 int rounds, int bytes, u8 ctr[], 220 int byte_ctr); 221 asmlinkage void ce_aes_xts_encrypt(u8 out[], u8 const in[], u32 const rk1[], 222 int rounds, int bytes, u32 const rk2[], 223 u8 iv[], int first); 224 asmlinkage void ce_aes_xts_decrypt(u8 out[], u8 const in[], u32 const rk1[], 225 int rounds, int bytes, u32 const rk2[], 226 u8 iv[], int first); 227 asmlinkage void ce_aes_essiv_cbc_encrypt(u8 out[], u8 const in[], 228 u32 const rk1[], int rounds, 229 int blocks, u8 iv[], u32 const rk2[]); 230 asmlinkage void ce_aes_essiv_cbc_decrypt(u8 out[], u8 const in[], 231 u32 const rk1[], int rounds, 232 int blocks, u8 iv[], u32 const rk2[]); 233 asmlinkage void ce_aes_mac_update(u8 const in[], u32 const rk[], int rounds, 234 size_t blocks, u8 dg[], int enc_before, 235 int enc_after); 236 #elif defined(CONFIG_PPC) 237 void ppc_expand_key_128(u32 *key_enc, const u8 *key); 238 void ppc_expand_key_192(u32 *key_enc, const u8 *key); 239 void ppc_expand_key_256(u32 *key_enc, const u8 *key); 240 void ppc_generate_decrypt_key(u32 *key_dec, u32 *key_enc, unsigned int key_len); 241 void ppc_encrypt_ecb(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, 242 u32 bytes); 243 void ppc_decrypt_ecb(u8 *out, const u8 *in, u32 *key_dec, u32 rounds, 244 u32 bytes); 245 void ppc_encrypt_cbc(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, u32 bytes, 246 u8 *iv); 247 void ppc_decrypt_cbc(u8 *out, const u8 *in, u32 *key_dec, u32 rounds, u32 bytes, 248 u8 *iv); 249 void ppc_crypt_ctr(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, u32 bytes, 250 u8 *iv); 251 void ppc_encrypt_xts(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, u32 bytes, 252 u8 *iv, u32 *key_twk); 253 void ppc_decrypt_xts(u8 *out, const u8 *in, u32 *key_dec, u32 rounds, u32 bytes, 254 u8 *iv, u32 *key_twk); 255 int aes_p8_set_encrypt_key(const u8 *userKey, const int bits, 256 struct p8_aes_key *key); 257 int aes_p8_set_decrypt_key(const u8 *userKey, const int bits, 258 struct p8_aes_key *key); 259 void aes_p8_encrypt(const u8 *in, u8 *out, const struct p8_aes_key *key); 260 void aes_p8_decrypt(const u8 *in, u8 *out, const struct p8_aes_key *key); 261 void aes_p8_cbc_encrypt(const u8 *in, u8 *out, size_t len, 262 const struct p8_aes_key *key, u8 *iv, const int enc); 263 void aes_p8_ctr32_encrypt_blocks(const u8 *in, u8 *out, size_t len, 264 const struct p8_aes_key *key, const u8 *iv); 265 void aes_p8_xts_encrypt(const u8 *in, u8 *out, size_t len, 266 const struct p8_aes_key *key1, 267 const struct p8_aes_key *key2, u8 *iv); 268 void aes_p8_xts_decrypt(const u8 *in, u8 *out, size_t len, 269 const struct p8_aes_key *key1, 270 const struct p8_aes_key *key2, u8 *iv); 271 #elif defined(CONFIG_SPARC64) 272 void aes_sparc64_key_expand(const u32 *in_key, u64 *output_key, 273 unsigned int key_len); 274 void aes_sparc64_load_encrypt_keys_128(const u64 *key); 275 void aes_sparc64_load_encrypt_keys_192(const u64 *key); 276 void aes_sparc64_load_encrypt_keys_256(const u64 *key); 277 void aes_sparc64_load_decrypt_keys_128(const u64 *key); 278 void aes_sparc64_load_decrypt_keys_192(const u64 *key); 279 void aes_sparc64_load_decrypt_keys_256(const u64 *key); 280 void aes_sparc64_ecb_encrypt_128(const u64 *key, const u64 *input, u64 *output, 281 unsigned int len); 282 void aes_sparc64_ecb_encrypt_192(const u64 *key, const u64 *input, u64 *output, 283 unsigned int len); 284 void aes_sparc64_ecb_encrypt_256(const u64 *key, const u64 *input, u64 *output, 285 unsigned int len); 286 void aes_sparc64_ecb_decrypt_128(const u64 *key, const u64 *input, u64 *output, 287 unsigned int len); 288 void aes_sparc64_ecb_decrypt_192(const u64 *key, const u64 *input, u64 *output, 289 unsigned int len); 290 void aes_sparc64_ecb_decrypt_256(const u64 *key, const u64 *input, u64 *output, 291 unsigned int len); 292 void aes_sparc64_cbc_encrypt_128(const u64 *key, const u64 *input, u64 *output, 293 unsigned int len, u64 *iv); 294 void aes_sparc64_cbc_encrypt_192(const u64 *key, const u64 *input, u64 *output, 295 unsigned int len, u64 *iv); 296 void aes_sparc64_cbc_encrypt_256(const u64 *key, const u64 *input, u64 *output, 297 unsigned int len, u64 *iv); 298 void aes_sparc64_cbc_decrypt_128(const u64 *key, const u64 *input, u64 *output, 299 unsigned int len, u64 *iv); 300 void aes_sparc64_cbc_decrypt_192(const u64 *key, const u64 *input, u64 *output, 301 unsigned int len, u64 *iv); 302 void aes_sparc64_cbc_decrypt_256(const u64 *key, const u64 *input, u64 *output, 303 unsigned int len, u64 *iv); 304 void aes_sparc64_ctr_crypt_128(const u64 *key, const u64 *input, u64 *output, 305 unsigned int len, u64 *iv); 306 void aes_sparc64_ctr_crypt_192(const u64 *key, const u64 *input, u64 *output, 307 unsigned int len, u64 *iv); 308 void aes_sparc64_ctr_crypt_256(const u64 *key, const u64 *input, u64 *output, 309 unsigned int len, u64 *iv); 310 #endif 311 312 /** 313 * aes_preparekey() - Prepare an AES key for encryption and decryption 314 * @key: (output) The key structure to initialize 315 * @in_key: The raw AES key 316 * @key_len: Length of the raw key in bytes. Should be either AES_KEYSIZE_128, 317 * AES_KEYSIZE_192, or AES_KEYSIZE_256. 318 * 319 * This prepares an AES key for both the encryption and decryption directions of 320 * the block cipher. Typically this involves expanding the raw key into both 321 * the standard round keys and the Equivalent Inverse Cipher round keys, but 322 * some architecture-specific implementations don't do the full expansion here. 323 * 324 * The caller is responsible for zeroizing both the struct aes_key and the raw 325 * key once they are no longer needed. 326 * 327 * If you don't need decryption support, use aes_prepareenckey() instead. 328 * 329 * Return: 0 on success or -EINVAL if the given key length is invalid. No other 330 * errors are possible, so callers that always pass a valid key length 331 * don't need to check for errors. 332 * 333 * Context: Any context. 334 */ 335 int aes_preparekey(struct aes_key *key, const u8 *in_key, size_t key_len); 336 337 /** 338 * aes_prepareenckey() - Prepare an AES key for encryption-only 339 * @key: (output) The key structure to initialize 340 * @in_key: The raw AES key 341 * @key_len: Length of the raw key in bytes. Should be either AES_KEYSIZE_128, 342 * AES_KEYSIZE_192, or AES_KEYSIZE_256. 343 * 344 * This prepares an AES key for only the encryption direction of the block 345 * cipher. Typically this involves expanding the raw key into only the standard 346 * round keys, resulting in a struct about half the size of struct aes_key. 347 * 348 * The caller is responsible for zeroizing both the struct aes_enckey and the 349 * raw key once they are no longer needed. 350 * 351 * Note that while the resulting prepared key supports only AES encryption, it 352 * can still be used for decrypting in a mode of operation that uses AES in only 353 * the encryption (forward) direction, for example counter mode. 354 * 355 * Return: 0 on success or -EINVAL if the given key length is invalid. No other 356 * errors are possible, so callers that always pass a valid key length 357 * don't need to check for errors. 358 * 359 * Context: Any context. 360 */ 361 int aes_prepareenckey(struct aes_enckey *key, const u8 *in_key, size_t key_len); 362 363 typedef union { 364 const struct aes_enckey *enc_key; 365 const struct aes_key *full_key; 366 } aes_encrypt_arg __attribute__ ((__transparent_union__)); 367 368 /** 369 * aes_encrypt() - Encrypt a single AES block 370 * @key: The AES key, as a pointer to either an encryption-only key 371 * (struct aes_enckey) or a full, bidirectional key (struct aes_key). 372 * @out: Buffer to store the ciphertext block 373 * @in: Buffer containing the plaintext block 374 * 375 * Context: Any context. 376 */ 377 void aes_encrypt(aes_encrypt_arg key, u8 out[at_least AES_BLOCK_SIZE], 378 const u8 in[at_least AES_BLOCK_SIZE]); 379 380 /** 381 * aes_decrypt() - Decrypt a single AES block 382 * @key: The AES key, previously initialized by aes_preparekey() 383 * @out: Buffer to store the plaintext block 384 * @in: Buffer containing the ciphertext block 385 * 386 * Context: Any context. 387 */ 388 void aes_decrypt(const struct aes_key *key, u8 out[at_least AES_BLOCK_SIZE], 389 const u8 in[at_least AES_BLOCK_SIZE]); 390 391 extern const u8 crypto_aes_sbox[]; 392 extern const u8 crypto_aes_inv_sbox[]; 393 extern const u32 aes_enc_tab[256]; 394 extern const u32 aes_dec_tab[256]; 395 396 void aescfb_encrypt(const struct aes_enckey *key, u8 *dst, const u8 *src, 397 int len, const u8 iv[AES_BLOCK_SIZE]); 398 void aescfb_decrypt(const struct aes_enckey *key, u8 *dst, const u8 *src, 399 int len, const u8 iv[AES_BLOCK_SIZE]); 400 401 #endif 402