1 /* SPDX-License-Identifier: GPL-2.0 */
2 /*
3 * Common values for AES algorithms
4 */
5
6 #ifndef _CRYPTO_AES_H
7 #define _CRYPTO_AES_H
8
9 #include <linux/types.h>
10 #include <linux/crypto.h>
11
12 #define AES_MIN_KEY_SIZE 16
13 #define AES_MAX_KEY_SIZE 32
14 #define AES_KEYSIZE_128 16
15 #define AES_KEYSIZE_192 24
16 #define AES_KEYSIZE_256 32
17 #define AES_BLOCK_SIZE 16
18 #define AES_MAX_KEYLENGTH (15 * 16)
19 #define AES_MAX_KEYLENGTH_U32 (AES_MAX_KEYLENGTH / sizeof(u32))
20
21 /*
22 * The POWER8 VSX optimized AES assembly code is borrowed from OpenSSL and
23 * inherits OpenSSL's AES_KEY format, which stores the number of rounds after
24 * the round keys. That assembly code is difficult to change. So for
25 * compatibility purposes we reserve space for the extra nrounds field on PPC64.
26 *
27 * Note: when prepared for decryption, the round keys are just the reversed
28 * standard round keys, not the round keys for the Equivalent Inverse Cipher.
29 */
30 struct p8_aes_key {
31 u32 rndkeys[AES_MAX_KEYLENGTH_U32];
32 int nrounds;
33 };
34
35 union aes_enckey_arch {
36 u32 rndkeys[AES_MAX_KEYLENGTH_U32];
37 #ifdef CONFIG_CRYPTO_LIB_AES_ARCH
38 #if defined(CONFIG_PPC) && defined(CONFIG_SPE)
39 /* Used unconditionally (when SPE AES code is enabled in kconfig) */
40 u32 spe_enc_key[AES_MAX_KEYLENGTH_U32] __aligned(8);
41 #elif defined(CONFIG_PPC)
42 /*
43 * Kernels that include the POWER8 VSX optimized AES code use this field
44 * when that code is usable at key preparation time. Otherwise they
45 * fall back to rndkeys. In the latter case, p8.nrounds (which doesn't
46 * overlap rndkeys) is set to 0 to differentiate the two formats.
47 */
48 struct p8_aes_key p8;
49 #elif defined(CONFIG_S390)
50 /* Used when the CPU supports CPACF AES for this key's length */
51 u8 raw_key[AES_MAX_KEY_SIZE];
52 #elif defined(CONFIG_SPARC64)
53 /* Used when the CPU supports the SPARC64 AES opcodes */
54 u64 sparc_rndkeys[AES_MAX_KEYLENGTH / sizeof(u64)];
55 #endif
56 #endif /* CONFIG_CRYPTO_LIB_AES_ARCH */
57 };
58
59 union aes_invkey_arch {
60 u32 inv_rndkeys[AES_MAX_KEYLENGTH_U32];
61 #ifdef CONFIG_CRYPTO_LIB_AES_ARCH
62 #if defined(CONFIG_PPC) && defined(CONFIG_SPE)
63 /* Used unconditionally (when SPE AES code is enabled in kconfig) */
64 u32 spe_dec_key[AES_MAX_KEYLENGTH_U32] __aligned(8);
65 #elif defined(CONFIG_PPC)
66 /* Used conditionally, analogous to aes_enckey_arch::p8 */
67 struct p8_aes_key p8;
68 #endif
69 #endif /* CONFIG_CRYPTO_LIB_AES_ARCH */
70 };
71
72 /**
73 * struct aes_enckey - An AES key prepared for encryption
74 * @len: Key length in bytes: 16 for AES-128, 24 for AES-192, 32 for AES-256.
75 * @nrounds: Number of rounds: 10 for AES-128, 12 for AES-192, 14 for AES-256.
76 * This is '6 + @len / 4' and is cached so that AES implementations
77 * that need it don't have to recompute it for each en/decryption.
78 * @padding: Padding to make offsetof(@k) be a multiple of 16, so that aligning
79 * this struct to a 16-byte boundary results in @k also being 16-byte
80 * aligned. Users aren't required to align this struct to 16 bytes,
81 * but it may slightly improve performance.
82 * @k: This typically contains the AES round keys as an array of '@nrounds + 1'
83 * groups of four u32 words. However, architecture-specific implementations
84 * of AES may store something else here, e.g. just the raw key if it's all
85 * they need.
86 *
87 * Note that this struct is about half the size of struct aes_key. This is
88 * separate from struct aes_key so that modes that need only AES encryption
89 * (e.g. AES-GCM, AES-CTR, AES-CMAC, tweak key in AES-XTS) don't incur the time
90 * and space overhead of computing and caching the decryption round keys.
91 *
92 * Note that there's no decryption-only equivalent (i.e. "struct aes_deckey"),
93 * since (a) it's rare that modes need decryption-only, and (b) some AES
94 * implementations use the same @k for both encryption and decryption, either
95 * always or conditionally; in the latter case both @k and @inv_k are needed.
96 */
97 struct aes_enckey {
98 u32 len;
99 u32 nrounds;
100 u32 padding[2];
101 union aes_enckey_arch k;
102 };
103
104 /**
105 * struct aes_key - An AES key prepared for encryption and decryption
106 * @aes_enckey: Common fields and the key prepared for encryption
107 * @inv_k: This generally contains the round keys for the AES Equivalent
108 * Inverse Cipher, as an array of '@nrounds + 1' groups of four u32
109 * words. However, architecture-specific implementations of AES may
110 * store something else here. For example, they may leave this field
111 * uninitialized if they use @k for both encryption and decryption.
112 */
113 struct aes_key {
114 struct aes_enckey; /* Include all fields of aes_enckey. */
115 union aes_invkey_arch inv_k;
116 };
117
118 /*
119 * Please ensure that the first two fields are 16-byte aligned
120 * relative to the start of the structure, i.e., don't move them!
121 */
122 struct crypto_aes_ctx {
123 u32 key_enc[AES_MAX_KEYLENGTH_U32];
124 u32 key_dec[AES_MAX_KEYLENGTH_U32];
125 u32 key_length;
126 };
127
128 /*
129 * validate key length for AES algorithms
130 */
aes_check_keylen(size_t keylen)131 static inline int aes_check_keylen(size_t keylen)
132 {
133 switch (keylen) {
134 case AES_KEYSIZE_128:
135 case AES_KEYSIZE_192:
136 case AES_KEYSIZE_256:
137 break;
138 default:
139 return -EINVAL;
140 }
141
142 return 0;
143 }
144
145 /**
146 * aes_expandkey - Expands the AES key as described in FIPS-197
147 * @ctx: The location where the computed key will be stored.
148 * @in_key: The supplied key.
149 * @key_len: The length of the supplied key.
150 *
151 * Returns 0 on success. The function fails only if an invalid key size (or
152 * pointer) is supplied.
153 * The expanded key size is 240 bytes (max of 14 rounds with a unique 16 bytes
154 * key schedule plus a 16 bytes key which is used before the first round).
155 * The decryption key is prepared for the "Equivalent Inverse Cipher" as
156 * described in FIPS-197. The first slot (16 bytes) of each key (enc or dec) is
157 * for the initial combination, the second slot for the first round and so on.
158 */
159 int aes_expandkey(struct crypto_aes_ctx *ctx, const u8 *in_key,
160 unsigned int key_len);
161
162 /*
163 * The following functions are temporarily exported for use by the AES mode
164 * implementations in arch/$(SRCARCH)/crypto/. These exports will go away when
165 * that code is migrated into lib/crypto/.
166 */
167 #ifdef CONFIG_ARM64
168 int ce_aes_expandkey(struct crypto_aes_ctx *ctx, const u8 *in_key,
169 unsigned int key_len);
170 #elif defined(CONFIG_PPC)
171 void ppc_expand_key_128(u32 *key_enc, const u8 *key);
172 void ppc_expand_key_192(u32 *key_enc, const u8 *key);
173 void ppc_expand_key_256(u32 *key_enc, const u8 *key);
174 void ppc_generate_decrypt_key(u32 *key_dec, u32 *key_enc, unsigned int key_len);
175 void ppc_encrypt_ecb(u8 *out, const u8 *in, u32 *key_enc, u32 rounds,
176 u32 bytes);
177 void ppc_decrypt_ecb(u8 *out, const u8 *in, u32 *key_dec, u32 rounds,
178 u32 bytes);
179 void ppc_encrypt_cbc(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, u32 bytes,
180 u8 *iv);
181 void ppc_decrypt_cbc(u8 *out, const u8 *in, u32 *key_dec, u32 rounds, u32 bytes,
182 u8 *iv);
183 void ppc_crypt_ctr(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, u32 bytes,
184 u8 *iv);
185 void ppc_encrypt_xts(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, u32 bytes,
186 u8 *iv, u32 *key_twk);
187 void ppc_decrypt_xts(u8 *out, const u8 *in, u32 *key_dec, u32 rounds, u32 bytes,
188 u8 *iv, u32 *key_twk);
189 int aes_p8_set_encrypt_key(const u8 *userKey, const int bits,
190 struct p8_aes_key *key);
191 int aes_p8_set_decrypt_key(const u8 *userKey, const int bits,
192 struct p8_aes_key *key);
193 void aes_p8_encrypt(const u8 *in, u8 *out, const struct p8_aes_key *key);
194 void aes_p8_decrypt(const u8 *in, u8 *out, const struct p8_aes_key *key);
195 void aes_p8_cbc_encrypt(const u8 *in, u8 *out, size_t len,
196 const struct p8_aes_key *key, u8 *iv, const int enc);
197 void aes_p8_ctr32_encrypt_blocks(const u8 *in, u8 *out, size_t len,
198 const struct p8_aes_key *key, const u8 *iv);
199 void aes_p8_xts_encrypt(const u8 *in, u8 *out, size_t len,
200 const struct p8_aes_key *key1,
201 const struct p8_aes_key *key2, u8 *iv);
202 void aes_p8_xts_decrypt(const u8 *in, u8 *out, size_t len,
203 const struct p8_aes_key *key1,
204 const struct p8_aes_key *key2, u8 *iv);
205 #elif defined(CONFIG_SPARC64)
206 void aes_sparc64_key_expand(const u32 *in_key, u64 *output_key,
207 unsigned int key_len);
208 void aes_sparc64_load_encrypt_keys_128(const u64 *key);
209 void aes_sparc64_load_encrypt_keys_192(const u64 *key);
210 void aes_sparc64_load_encrypt_keys_256(const u64 *key);
211 void aes_sparc64_load_decrypt_keys_128(const u64 *key);
212 void aes_sparc64_load_decrypt_keys_192(const u64 *key);
213 void aes_sparc64_load_decrypt_keys_256(const u64 *key);
214 void aes_sparc64_ecb_encrypt_128(const u64 *key, const u64 *input, u64 *output,
215 unsigned int len);
216 void aes_sparc64_ecb_encrypt_192(const u64 *key, const u64 *input, u64 *output,
217 unsigned int len);
218 void aes_sparc64_ecb_encrypt_256(const u64 *key, const u64 *input, u64 *output,
219 unsigned int len);
220 void aes_sparc64_ecb_decrypt_128(const u64 *key, const u64 *input, u64 *output,
221 unsigned int len);
222 void aes_sparc64_ecb_decrypt_192(const u64 *key, const u64 *input, u64 *output,
223 unsigned int len);
224 void aes_sparc64_ecb_decrypt_256(const u64 *key, const u64 *input, u64 *output,
225 unsigned int len);
226 void aes_sparc64_cbc_encrypt_128(const u64 *key, const u64 *input, u64 *output,
227 unsigned int len, u64 *iv);
228 void aes_sparc64_cbc_encrypt_192(const u64 *key, const u64 *input, u64 *output,
229 unsigned int len, u64 *iv);
230 void aes_sparc64_cbc_encrypt_256(const u64 *key, const u64 *input, u64 *output,
231 unsigned int len, u64 *iv);
232 void aes_sparc64_cbc_decrypt_128(const u64 *key, const u64 *input, u64 *output,
233 unsigned int len, u64 *iv);
234 void aes_sparc64_cbc_decrypt_192(const u64 *key, const u64 *input, u64 *output,
235 unsigned int len, u64 *iv);
236 void aes_sparc64_cbc_decrypt_256(const u64 *key, const u64 *input, u64 *output,
237 unsigned int len, u64 *iv);
238 void aes_sparc64_ctr_crypt_128(const u64 *key, const u64 *input, u64 *output,
239 unsigned int len, u64 *iv);
240 void aes_sparc64_ctr_crypt_192(const u64 *key, const u64 *input, u64 *output,
241 unsigned int len, u64 *iv);
242 void aes_sparc64_ctr_crypt_256(const u64 *key, const u64 *input, u64 *output,
243 unsigned int len, u64 *iv);
244 #endif
245
246 /**
247 * aes_preparekey() - Prepare an AES key for encryption and decryption
248 * @key: (output) The key structure to initialize
249 * @in_key: The raw AES key
250 * @key_len: Length of the raw key in bytes. Should be either AES_KEYSIZE_128,
251 * AES_KEYSIZE_192, or AES_KEYSIZE_256.
252 *
253 * This prepares an AES key for both the encryption and decryption directions of
254 * the block cipher. Typically this involves expanding the raw key into both
255 * the standard round keys and the Equivalent Inverse Cipher round keys, but
256 * some architecture-specific implementations don't do the full expansion here.
257 *
258 * The caller is responsible for zeroizing both the struct aes_key and the raw
259 * key once they are no longer needed.
260 *
261 * If you don't need decryption support, use aes_prepareenckey() instead.
262 *
263 * Return: 0 on success or -EINVAL if the given key length is invalid. No other
264 * errors are possible, so callers that always pass a valid key length
265 * don't need to check for errors.
266 *
267 * Context: Any context.
268 */
269 int aes_preparekey(struct aes_key *key, const u8 *in_key, size_t key_len);
270
271 /**
272 * aes_prepareenckey() - Prepare an AES key for encryption-only
273 * @key: (output) The key structure to initialize
274 * @in_key: The raw AES key
275 * @key_len: Length of the raw key in bytes. Should be either AES_KEYSIZE_128,
276 * AES_KEYSIZE_192, or AES_KEYSIZE_256.
277 *
278 * This prepares an AES key for only the encryption direction of the block
279 * cipher. Typically this involves expanding the raw key into only the standard
280 * round keys, resulting in a struct about half the size of struct aes_key.
281 *
282 * The caller is responsible for zeroizing both the struct aes_enckey and the
283 * raw key once they are no longer needed.
284 *
285 * Note that while the resulting prepared key supports only AES encryption, it
286 * can still be used for decrypting in a mode of operation that uses AES in only
287 * the encryption (forward) direction, for example counter mode.
288 *
289 * Return: 0 on success or -EINVAL if the given key length is invalid. No other
290 * errors are possible, so callers that always pass a valid key length
291 * don't need to check for errors.
292 *
293 * Context: Any context.
294 */
295 int aes_prepareenckey(struct aes_enckey *key, const u8 *in_key, size_t key_len);
296
297 typedef union {
298 const struct aes_enckey *enc_key;
299 const struct aes_key *full_key;
300 } aes_encrypt_arg __attribute__ ((__transparent_union__));
301
302 /**
303 * aes_encrypt() - Encrypt a single AES block
304 * @key: The AES key, as a pointer to either an encryption-only key
305 * (struct aes_enckey) or a full, bidirectional key (struct aes_key).
306 * @out: Buffer to store the ciphertext block
307 * @in: Buffer containing the plaintext block
308 *
309 * Context: Any context.
310 */
311 void aes_encrypt(aes_encrypt_arg key, u8 out[at_least AES_BLOCK_SIZE],
312 const u8 in[at_least AES_BLOCK_SIZE]);
313
314 /**
315 * aes_decrypt() - Decrypt a single AES block
316 * @key: The AES key, previously initialized by aes_preparekey()
317 * @out: Buffer to store the plaintext block
318 * @in: Buffer containing the ciphertext block
319 *
320 * Context: Any context.
321 */
322 void aes_decrypt(const struct aes_key *key, u8 out[at_least AES_BLOCK_SIZE],
323 const u8 in[at_least AES_BLOCK_SIZE]);
324
325 extern const u8 crypto_aes_sbox[];
326 extern const u8 crypto_aes_inv_sbox[];
327 extern const u32 aes_enc_tab[256];
328 extern const u32 aes_dec_tab[256];
329
330 void aescfb_encrypt(const struct aes_enckey *key, u8 *dst, const u8 *src,
331 int len, const u8 iv[AES_BLOCK_SIZE]);
332 void aescfb_decrypt(const struct aes_enckey *key, u8 *dst, const u8 *src,
333 int len, const u8 iv[AES_BLOCK_SIZE]);
334
335 #endif
336