1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Minimal library implementation of AES in CFB mode 4 * 5 * Copyright 2023 Google LLC 6 */ 7 8 #include <crypto/aes.h> 9 #include <crypto/algapi.h> 10 #include <linux/export.h> 11 #include <linux/module.h> 12 #include <asm/irqflags.h> 13 14 static void aescfb_encrypt_block(const struct crypto_aes_ctx *ctx, void *dst, 15 const void *src) 16 { 17 unsigned long flags; 18 19 /* 20 * In AES-CFB, the AES encryption operates on known 'plaintext' (the IV 21 * and ciphertext), making it susceptible to timing attacks on the 22 * encryption key. The AES library already mitigates this risk to some 23 * extent by pulling the entire S-box into the caches before doing any 24 * substitutions, but this strategy is more effective when running with 25 * interrupts disabled. 26 */ 27 local_irq_save(flags); 28 aes_encrypt(ctx, dst, src); 29 local_irq_restore(flags); 30 } 31 32 /** 33 * aescfb_encrypt - Perform AES-CFB encryption on a block of data 34 * 35 * @ctx: The AES-CFB key schedule 36 * @dst: Pointer to the ciphertext output buffer 37 * @src: Pointer the plaintext (may equal @dst for encryption in place) 38 * @len: The size in bytes of the plaintext and ciphertext. 39 * @iv: The initialization vector (IV) to use for this block of data 40 */ 41 void aescfb_encrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src, 42 int len, const u8 iv[AES_BLOCK_SIZE]) 43 { 44 u8 ks[AES_BLOCK_SIZE]; 45 const u8 *v = iv; 46 47 while (len > 0) { 48 aescfb_encrypt_block(ctx, ks, v); 49 crypto_xor_cpy(dst, src, ks, min(len, AES_BLOCK_SIZE)); 50 v = dst; 51 52 dst += AES_BLOCK_SIZE; 53 src += AES_BLOCK_SIZE; 54 len -= AES_BLOCK_SIZE; 55 } 56 57 memzero_explicit(ks, sizeof(ks)); 58 } 59 EXPORT_SYMBOL(aescfb_encrypt); 60 61 /** 62 * aescfb_decrypt - Perform AES-CFB decryption on a block of data 63 * 64 * @ctx: The AES-CFB key schedule 65 * @dst: Pointer to the plaintext output buffer 66 * @src: Pointer the ciphertext (may equal @dst for decryption in place) 67 * @len: The size in bytes of the plaintext and ciphertext. 68 * @iv: The initialization vector (IV) to use for this block of data 69 */ 70 void aescfb_decrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src, 71 int len, const u8 iv[AES_BLOCK_SIZE]) 72 { 73 u8 ks[2][AES_BLOCK_SIZE]; 74 75 aescfb_encrypt_block(ctx, ks[0], iv); 76 77 for (int i = 0; len > 0; i ^= 1) { 78 if (len > AES_BLOCK_SIZE) 79 /* 80 * Generate the keystream for the next block before 81 * performing the XOR, as that may update in place and 82 * overwrite the ciphertext. 83 */ 84 aescfb_encrypt_block(ctx, ks[!i], src); 85 86 crypto_xor_cpy(dst, src, ks[i], min(len, AES_BLOCK_SIZE)); 87 88 dst += AES_BLOCK_SIZE; 89 src += AES_BLOCK_SIZE; 90 len -= AES_BLOCK_SIZE; 91 } 92 93 memzero_explicit(ks, sizeof(ks)); 94 } 95 EXPORT_SYMBOL(aescfb_decrypt); 96 97 MODULE_DESCRIPTION("Generic AES-CFB library"); 98 MODULE_AUTHOR("Ard Biesheuvel <ardb@kernel.org>"); 99 MODULE_LICENSE("GPL"); 100 101 #ifdef CONFIG_CRYPTO_SELFTESTS 102 103 /* 104 * Test code below. Vectors taken from crypto/testmgr.h 105 */ 106 107 static struct { 108 u8 ptext[64] __nonstring; 109 u8 ctext[64] __nonstring; 110 111 u8 key[AES_MAX_KEY_SIZE] __nonstring; 112 u8 iv[AES_BLOCK_SIZE] __nonstring; 113 114 int klen; 115 int len; 116 } const aescfb_tv[] __initconst = { 117 { /* From NIST SP800-38A */ 118 .key = "\x2b\x7e\x15\x16\x28\xae\xd2\xa6" 119 "\xab\xf7\x15\x88\x09\xcf\x4f\x3c", 120 .klen = 16, 121 .iv = "\x00\x01\x02\x03\x04\x05\x06\x07" 122 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", 123 .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96" 124 "\xe9\x3d\x7e\x11\x73\x93\x17\x2a" 125 "\xae\x2d\x8a\x57\x1e\x03\xac\x9c" 126 "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51" 127 "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11" 128 "\xe5\xfb\xc1\x19\x1a\x0a\x52\xef" 129 "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17" 130 "\xad\x2b\x41\x7b\xe6\x6c\x37\x10", 131 .ctext = "\x3b\x3f\xd9\x2e\xb7\x2d\xad\x20" 132 "\x33\x34\x49\xf8\xe8\x3c\xfb\x4a" 133 "\xc8\xa6\x45\x37\xa0\xb3\xa9\x3f" 134 "\xcd\xe3\xcd\xad\x9f\x1c\xe5\x8b" 135 "\x26\x75\x1f\x67\xa3\xcb\xb1\x40" 136 "\xb1\x80\x8c\xf1\x87\xa4\xf4\xdf" 137 "\xc0\x4b\x05\x35\x7c\x5d\x1c\x0e" 138 "\xea\xc4\xc6\x6f\x9f\xf7\xf2\xe6", 139 .len = 64, 140 }, { 141 .key = "\x8e\x73\xb0\xf7\xda\x0e\x64\x52" 142 "\xc8\x10\xf3\x2b\x80\x90\x79\xe5" 143 "\x62\xf8\xea\xd2\x52\x2c\x6b\x7b", 144 .klen = 24, 145 .iv = "\x00\x01\x02\x03\x04\x05\x06\x07" 146 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", 147 .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96" 148 "\xe9\x3d\x7e\x11\x73\x93\x17\x2a" 149 "\xae\x2d\x8a\x57\x1e\x03\xac\x9c" 150 "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51" 151 "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11" 152 "\xe5\xfb\xc1\x19\x1a\x0a\x52\xef" 153 "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17" 154 "\xad\x2b\x41\x7b\xe6\x6c\x37\x10", 155 .ctext = "\xcd\xc8\x0d\x6f\xdd\xf1\x8c\xab" 156 "\x34\xc2\x59\x09\xc9\x9a\x41\x74" 157 "\x67\xce\x7f\x7f\x81\x17\x36\x21" 158 "\x96\x1a\x2b\x70\x17\x1d\x3d\x7a" 159 "\x2e\x1e\x8a\x1d\xd5\x9b\x88\xb1" 160 "\xc8\xe6\x0f\xed\x1e\xfa\xc4\xc9" 161 "\xc0\x5f\x9f\x9c\xa9\x83\x4f\xa0" 162 "\x42\xae\x8f\xba\x58\x4b\x09\xff", 163 .len = 64, 164 }, { 165 .key = "\x60\x3d\xeb\x10\x15\xca\x71\xbe" 166 "\x2b\x73\xae\xf0\x85\x7d\x77\x81" 167 "\x1f\x35\x2c\x07\x3b\x61\x08\xd7" 168 "\x2d\x98\x10\xa3\x09\x14\xdf\xf4", 169 .klen = 32, 170 .iv = "\x00\x01\x02\x03\x04\x05\x06\x07" 171 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", 172 .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96" 173 "\xe9\x3d\x7e\x11\x73\x93\x17\x2a" 174 "\xae\x2d\x8a\x57\x1e\x03\xac\x9c" 175 "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51" 176 "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11" 177 "\xe5\xfb\xc1\x19\x1a\x0a\x52\xef" 178 "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17" 179 "\xad\x2b\x41\x7b\xe6\x6c\x37\x10", 180 .ctext = "\xdc\x7e\x84\xbf\xda\x79\x16\x4b" 181 "\x7e\xcd\x84\x86\x98\x5d\x38\x60" 182 "\x39\xff\xed\x14\x3b\x28\xb1\xc8" 183 "\x32\x11\x3c\x63\x31\xe5\x40\x7b" 184 "\xdf\x10\x13\x24\x15\xe5\x4b\x92" 185 "\xa1\x3e\xd0\xa8\x26\x7a\xe2\xf9" 186 "\x75\xa3\x85\x74\x1a\xb9\xce\xf8" 187 "\x20\x31\x62\x3d\x55\xb1\xe4\x71", 188 .len = 64, 189 }, { /* > 16 bytes, not a multiple of 16 bytes */ 190 .key = "\x2b\x7e\x15\x16\x28\xae\xd2\xa6" 191 "\xab\xf7\x15\x88\x09\xcf\x4f\x3c", 192 .klen = 16, 193 .iv = "\x00\x01\x02\x03\x04\x05\x06\x07" 194 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", 195 .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96" 196 "\xe9\x3d\x7e\x11\x73\x93\x17\x2a" 197 "\xae", 198 .ctext = "\x3b\x3f\xd9\x2e\xb7\x2d\xad\x20" 199 "\x33\x34\x49\xf8\xe8\x3c\xfb\x4a" 200 "\xc8", 201 .len = 17, 202 }, { /* < 16 bytes */ 203 .key = "\x2b\x7e\x15\x16\x28\xae\xd2\xa6" 204 "\xab\xf7\x15\x88\x09\xcf\x4f\x3c", 205 .klen = 16, 206 .iv = "\x00\x01\x02\x03\x04\x05\x06\x07" 207 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", 208 .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f", 209 .ctext = "\x3b\x3f\xd9\x2e\xb7\x2d\xad", 210 .len = 7, 211 }, 212 }; 213 214 static int __init libaescfb_init(void) 215 { 216 for (int i = 0; i < ARRAY_SIZE(aescfb_tv); i++) { 217 struct crypto_aes_ctx ctx; 218 u8 buf[64]; 219 220 if (aes_expandkey(&ctx, aescfb_tv[i].key, aescfb_tv[i].klen)) { 221 pr_err("aes_expandkey() failed on vector %d\n", i); 222 return -ENODEV; 223 } 224 225 aescfb_encrypt(&ctx, buf, aescfb_tv[i].ptext, aescfb_tv[i].len, 226 aescfb_tv[i].iv); 227 if (memcmp(buf, aescfb_tv[i].ctext, aescfb_tv[i].len)) { 228 pr_err("aescfb_encrypt() #1 failed on vector %d\n", i); 229 return -ENODEV; 230 } 231 232 /* decrypt in place */ 233 aescfb_decrypt(&ctx, buf, buf, aescfb_tv[i].len, aescfb_tv[i].iv); 234 if (memcmp(buf, aescfb_tv[i].ptext, aescfb_tv[i].len)) { 235 pr_err("aescfb_decrypt() failed on vector %d\n", i); 236 return -ENODEV; 237 } 238 239 /* encrypt in place */ 240 aescfb_encrypt(&ctx, buf, buf, aescfb_tv[i].len, aescfb_tv[i].iv); 241 if (memcmp(buf, aescfb_tv[i].ctext, aescfb_tv[i].len)) { 242 pr_err("aescfb_encrypt() #2 failed on vector %d\n", i); 243 244 return -ENODEV; 245 } 246 247 } 248 return 0; 249 } 250 module_init(libaescfb_init); 251 252 static void __exit libaescfb_exit(void) 253 { 254 } 255 module_exit(libaescfb_exit); 256 #endif 257