1 /* 2 * Cryptographic API. 3 * 4 * AES Cipher Algorithm. 5 * 6 * Based on Brian Gladman's code. 7 * 8 * Linux developers: 9 * Alexander Kjeldaas <astor@fast.no> 10 * Herbert Valerio Riedel <hvr@hvrlab.org> 11 * Kyle McMartin <kyle@debian.org> 12 * Adam J. Richter <adam@yggdrasil.com> (conversion to 2.5 API). 13 * 14 * This program is free software; you can redistribute it and/or modify 15 * it under the terms of the GNU General Public License as published by 16 * the Free Software Foundation; either version 2 of the License, or 17 * (at your option) any later version. 18 * 19 * --------------------------------------------------------------------------- 20 * Copyright (c) 2002, Dr Brian Gladman <brg@gladman.me.uk>, Worcester, UK. 21 * All rights reserved. 22 * 23 * LICENSE TERMS 24 * 25 * The free distribution and use of this software in both source and binary 26 * form is allowed (with or without changes) provided that: 27 * 28 * 1. distributions of this source code include the above copyright 29 * notice, this list of conditions and the following disclaimer; 30 * 31 * 2. distributions in binary form include the above copyright 32 * notice, this list of conditions and the following disclaimer 33 * in the documentation and/or other associated materials; 34 * 35 * 3. the copyright holder's name is not used to endorse products 36 * built using this software without specific written permission. 37 * 38 * ALTERNATIVELY, provided that this notice is retained in full, this product 39 * may be distributed under the terms of the GNU General Public License (GPL), 40 * in which case the provisions of the GPL apply INSTEAD OF those given above. 41 * 42 * DISCLAIMER 43 * 44 * This software is provided 'as is' with no explicit or implied warranties 45 * in respect of its properties, including, but not limited to, correctness 46 * and/or fitness for purpose. 47 * --------------------------------------------------------------------------- 48 */ 49 50 #include <crypto/aes.h> 51 #include <linux/module.h> 52 #include <linux/init.h> 53 #include <linux/types.h> 54 #include <linux/errno.h> 55 #include <linux/crypto.h> 56 #include <asm/byteorder.h> 57 58 static inline u8 byte(const u32 x, const unsigned n) 59 { 60 return x >> (n << 3); 61 } 62 63 static u8 pow_tab[256] __initdata; 64 static u8 log_tab[256] __initdata; 65 static u8 sbx_tab[256] __initdata; 66 static u8 isb_tab[256] __initdata; 67 static u32 rco_tab[10]; 68 69 u32 crypto_ft_tab[4][256]; 70 u32 crypto_fl_tab[4][256]; 71 u32 crypto_it_tab[4][256]; 72 u32 crypto_il_tab[4][256]; 73 74 EXPORT_SYMBOL_GPL(crypto_ft_tab); 75 EXPORT_SYMBOL_GPL(crypto_fl_tab); 76 EXPORT_SYMBOL_GPL(crypto_it_tab); 77 EXPORT_SYMBOL_GPL(crypto_il_tab); 78 79 static inline u8 __init f_mult(u8 a, u8 b) 80 { 81 u8 aa = log_tab[a], cc = aa + log_tab[b]; 82 83 return pow_tab[cc + (cc < aa ? 1 : 0)]; 84 } 85 86 #define ff_mult(a, b) (a && b ? f_mult(a, b) : 0) 87 88 static void __init gen_tabs(void) 89 { 90 u32 i, t; 91 u8 p, q; 92 93 /* 94 * log and power tables for GF(2**8) finite field with 95 * 0x011b as modular polynomial - the simplest primitive 96 * root is 0x03, used here to generate the tables 97 */ 98 99 for (i = 0, p = 1; i < 256; ++i) { 100 pow_tab[i] = (u8) p; 101 log_tab[p] = (u8) i; 102 103 p ^= (p << 1) ^ (p & 0x80 ? 0x01b : 0); 104 } 105 106 log_tab[1] = 0; 107 108 for (i = 0, p = 1; i < 10; ++i) { 109 rco_tab[i] = p; 110 111 p = (p << 1) ^ (p & 0x80 ? 0x01b : 0); 112 } 113 114 for (i = 0; i < 256; ++i) { 115 p = (i ? pow_tab[255 - log_tab[i]] : 0); 116 q = ((p >> 7) | (p << 1)) ^ ((p >> 6) | (p << 2)); 117 p ^= 0x63 ^ q ^ ((q >> 6) | (q << 2)); 118 sbx_tab[i] = p; 119 isb_tab[p] = (u8) i; 120 } 121 122 for (i = 0; i < 256; ++i) { 123 p = sbx_tab[i]; 124 125 t = p; 126 crypto_fl_tab[0][i] = t; 127 crypto_fl_tab[1][i] = rol32(t, 8); 128 crypto_fl_tab[2][i] = rol32(t, 16); 129 crypto_fl_tab[3][i] = rol32(t, 24); 130 131 t = ((u32) ff_mult(2, p)) | 132 ((u32) p << 8) | 133 ((u32) p << 16) | ((u32) ff_mult(3, p) << 24); 134 135 crypto_ft_tab[0][i] = t; 136 crypto_ft_tab[1][i] = rol32(t, 8); 137 crypto_ft_tab[2][i] = rol32(t, 16); 138 crypto_ft_tab[3][i] = rol32(t, 24); 139 140 p = isb_tab[i]; 141 142 t = p; 143 crypto_il_tab[0][i] = t; 144 crypto_il_tab[1][i] = rol32(t, 8); 145 crypto_il_tab[2][i] = rol32(t, 16); 146 crypto_il_tab[3][i] = rol32(t, 24); 147 148 t = ((u32) ff_mult(14, p)) | 149 ((u32) ff_mult(9, p) << 8) | 150 ((u32) ff_mult(13, p) << 16) | 151 ((u32) ff_mult(11, p) << 24); 152 153 crypto_it_tab[0][i] = t; 154 crypto_it_tab[1][i] = rol32(t, 8); 155 crypto_it_tab[2][i] = rol32(t, 16); 156 crypto_it_tab[3][i] = rol32(t, 24); 157 } 158 } 159 160 /* initialise the key schedule from the user supplied key */ 161 162 #define star_x(x) (((x) & 0x7f7f7f7f) << 1) ^ ((((x) & 0x80808080) >> 7) * 0x1b) 163 164 #define imix_col(y,x) do { \ 165 u = star_x(x); \ 166 v = star_x(u); \ 167 w = star_x(v); \ 168 t = w ^ (x); \ 169 (y) = u ^ v ^ w; \ 170 (y) ^= ror32(u ^ t, 8) ^ \ 171 ror32(v ^ t, 16) ^ \ 172 ror32(t, 24); \ 173 } while (0) 174 175 #define ls_box(x) \ 176 crypto_fl_tab[0][byte(x, 0)] ^ \ 177 crypto_fl_tab[1][byte(x, 1)] ^ \ 178 crypto_fl_tab[2][byte(x, 2)] ^ \ 179 crypto_fl_tab[3][byte(x, 3)] 180 181 #define loop4(i) do { \ 182 t = ror32(t, 8); \ 183 t = ls_box(t) ^ rco_tab[i]; \ 184 t ^= ctx->key_enc[4 * i]; \ 185 ctx->key_enc[4 * i + 4] = t; \ 186 t ^= ctx->key_enc[4 * i + 1]; \ 187 ctx->key_enc[4 * i + 5] = t; \ 188 t ^= ctx->key_enc[4 * i + 2]; \ 189 ctx->key_enc[4 * i + 6] = t; \ 190 t ^= ctx->key_enc[4 * i + 3]; \ 191 ctx->key_enc[4 * i + 7] = t; \ 192 } while (0) 193 194 #define loop6(i) do { \ 195 t = ror32(t, 8); \ 196 t = ls_box(t) ^ rco_tab[i]; \ 197 t ^= ctx->key_enc[6 * i]; \ 198 ctx->key_enc[6 * i + 6] = t; \ 199 t ^= ctx->key_enc[6 * i + 1]; \ 200 ctx->key_enc[6 * i + 7] = t; \ 201 t ^= ctx->key_enc[6 * i + 2]; \ 202 ctx->key_enc[6 * i + 8] = t; \ 203 t ^= ctx->key_enc[6 * i + 3]; \ 204 ctx->key_enc[6 * i + 9] = t; \ 205 t ^= ctx->key_enc[6 * i + 4]; \ 206 ctx->key_enc[6 * i + 10] = t; \ 207 t ^= ctx->key_enc[6 * i + 5]; \ 208 ctx->key_enc[6 * i + 11] = t; \ 209 } while (0) 210 211 #define loop8(i) do { \ 212 t = ror32(t, 8); \ 213 t = ls_box(t) ^ rco_tab[i]; \ 214 t ^= ctx->key_enc[8 * i]; \ 215 ctx->key_enc[8 * i + 8] = t; \ 216 t ^= ctx->key_enc[8 * i + 1]; \ 217 ctx->key_enc[8 * i + 9] = t; \ 218 t ^= ctx->key_enc[8 * i + 2]; \ 219 ctx->key_enc[8 * i + 10] = t; \ 220 t ^= ctx->key_enc[8 * i + 3]; \ 221 ctx->key_enc[8 * i + 11] = t; \ 222 t = ctx->key_enc[8 * i + 4] ^ ls_box(t); \ 223 ctx->key_enc[8 * i + 12] = t; \ 224 t ^= ctx->key_enc[8 * i + 5]; \ 225 ctx->key_enc[8 * i + 13] = t; \ 226 t ^= ctx->key_enc[8 * i + 6]; \ 227 ctx->key_enc[8 * i + 14] = t; \ 228 t ^= ctx->key_enc[8 * i + 7]; \ 229 ctx->key_enc[8 * i + 15] = t; \ 230 } while (0) 231 232 /** 233 * crypto_aes_expand_key - Expands the AES key as described in FIPS-197 234 * @ctx: The location where the computed key will be stored. 235 * @in_key: The supplied key. 236 * @key_len: The length of the supplied key. 237 * 238 * Returns 0 on success. The function fails only if an invalid key size (or 239 * pointer) is supplied. 240 * The expanded key size is 240 bytes (max of 14 rounds with a unique 16 bytes 241 * key schedule plus a 16 bytes key which is used before the first round). 242 * The decryption key is prepared for the "Equivalent Inverse Cipher" as 243 * described in FIPS-197. The first slot (16 bytes) of each key (enc or dec) is 244 * for the initial combination, the second slot for the first round and so on. 245 */ 246 int crypto_aes_expand_key(struct crypto_aes_ctx *ctx, const u8 *in_key, 247 unsigned int key_len) 248 { 249 const __le32 *key = (const __le32 *)in_key; 250 u32 i, t, u, v, w, j; 251 252 if (key_len != AES_KEYSIZE_128 && key_len != AES_KEYSIZE_192 && 253 key_len != AES_KEYSIZE_256) 254 return -EINVAL; 255 256 ctx->key_length = key_len; 257 258 ctx->key_dec[key_len + 24] = ctx->key_enc[0] = le32_to_cpu(key[0]); 259 ctx->key_dec[key_len + 25] = ctx->key_enc[1] = le32_to_cpu(key[1]); 260 ctx->key_dec[key_len + 26] = ctx->key_enc[2] = le32_to_cpu(key[2]); 261 ctx->key_dec[key_len + 27] = ctx->key_enc[3] = le32_to_cpu(key[3]); 262 263 switch (key_len) { 264 case AES_KEYSIZE_128: 265 t = ctx->key_enc[3]; 266 for (i = 0; i < 10; ++i) 267 loop4(i); 268 break; 269 270 case AES_KEYSIZE_192: 271 ctx->key_enc[4] = le32_to_cpu(key[4]); 272 t = ctx->key_enc[5] = le32_to_cpu(key[5]); 273 for (i = 0; i < 8; ++i) 274 loop6(i); 275 break; 276 277 case AES_KEYSIZE_256: 278 ctx->key_enc[4] = le32_to_cpu(key[4]); 279 ctx->key_enc[5] = le32_to_cpu(key[5]); 280 ctx->key_enc[6] = le32_to_cpu(key[6]); 281 t = ctx->key_enc[7] = le32_to_cpu(key[7]); 282 for (i = 0; i < 7; ++i) 283 loop8(i); 284 break; 285 } 286 287 ctx->key_dec[0] = ctx->key_enc[key_len + 24]; 288 ctx->key_dec[1] = ctx->key_enc[key_len + 25]; 289 ctx->key_dec[2] = ctx->key_enc[key_len + 26]; 290 ctx->key_dec[3] = ctx->key_enc[key_len + 27]; 291 292 for (i = 4; i < key_len + 24; ++i) { 293 j = key_len + 24 - (i & ~3) + (i & 3); 294 imix_col(ctx->key_dec[j], ctx->key_enc[i]); 295 } 296 return 0; 297 } 298 EXPORT_SYMBOL_GPL(crypto_aes_expand_key); 299 300 /** 301 * crypto_aes_set_key - Set the AES key. 302 * @tfm: The %crypto_tfm that is used in the context. 303 * @in_key: The input key. 304 * @key_len: The size of the key. 305 * 306 * Returns 0 on success, on failure the %CRYPTO_TFM_RES_BAD_KEY_LEN flag in tfm 307 * is set. The function uses crypto_aes_expand_key() to expand the key. 308 * &crypto_aes_ctx _must_ be the private data embedded in @tfm which is 309 * retrieved with crypto_tfm_ctx(). 310 */ 311 int crypto_aes_set_key(struct crypto_tfm *tfm, const u8 *in_key, 312 unsigned int key_len) 313 { 314 struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm); 315 u32 *flags = &tfm->crt_flags; 316 int ret; 317 318 ret = crypto_aes_expand_key(ctx, in_key, key_len); 319 if (!ret) 320 return 0; 321 322 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN; 323 return -EINVAL; 324 } 325 EXPORT_SYMBOL_GPL(crypto_aes_set_key); 326 327 /* encrypt a block of text */ 328 329 #define f_rn(bo, bi, n, k) do { \ 330 bo[n] = crypto_ft_tab[0][byte(bi[n], 0)] ^ \ 331 crypto_ft_tab[1][byte(bi[(n + 1) & 3], 1)] ^ \ 332 crypto_ft_tab[2][byte(bi[(n + 2) & 3], 2)] ^ \ 333 crypto_ft_tab[3][byte(bi[(n + 3) & 3], 3)] ^ *(k + n); \ 334 } while (0) 335 336 #define f_nround(bo, bi, k) do {\ 337 f_rn(bo, bi, 0, k); \ 338 f_rn(bo, bi, 1, k); \ 339 f_rn(bo, bi, 2, k); \ 340 f_rn(bo, bi, 3, k); \ 341 k += 4; \ 342 } while (0) 343 344 #define f_rl(bo, bi, n, k) do { \ 345 bo[n] = crypto_fl_tab[0][byte(bi[n], 0)] ^ \ 346 crypto_fl_tab[1][byte(bi[(n + 1) & 3], 1)] ^ \ 347 crypto_fl_tab[2][byte(bi[(n + 2) & 3], 2)] ^ \ 348 crypto_fl_tab[3][byte(bi[(n + 3) & 3], 3)] ^ *(k + n); \ 349 } while (0) 350 351 #define f_lround(bo, bi, k) do {\ 352 f_rl(bo, bi, 0, k); \ 353 f_rl(bo, bi, 1, k); \ 354 f_rl(bo, bi, 2, k); \ 355 f_rl(bo, bi, 3, k); \ 356 } while (0) 357 358 static void aes_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) 359 { 360 const struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm); 361 const __le32 *src = (const __le32 *)in; 362 __le32 *dst = (__le32 *)out; 363 u32 b0[4], b1[4]; 364 const u32 *kp = ctx->key_enc + 4; 365 const int key_len = ctx->key_length; 366 367 b0[0] = le32_to_cpu(src[0]) ^ ctx->key_enc[0]; 368 b0[1] = le32_to_cpu(src[1]) ^ ctx->key_enc[1]; 369 b0[2] = le32_to_cpu(src[2]) ^ ctx->key_enc[2]; 370 b0[3] = le32_to_cpu(src[3]) ^ ctx->key_enc[3]; 371 372 if (key_len > 24) { 373 f_nround(b1, b0, kp); 374 f_nround(b0, b1, kp); 375 } 376 377 if (key_len > 16) { 378 f_nround(b1, b0, kp); 379 f_nround(b0, b1, kp); 380 } 381 382 f_nround(b1, b0, kp); 383 f_nround(b0, b1, kp); 384 f_nround(b1, b0, kp); 385 f_nround(b0, b1, kp); 386 f_nround(b1, b0, kp); 387 f_nround(b0, b1, kp); 388 f_nround(b1, b0, kp); 389 f_nround(b0, b1, kp); 390 f_nround(b1, b0, kp); 391 f_lround(b0, b1, kp); 392 393 dst[0] = cpu_to_le32(b0[0]); 394 dst[1] = cpu_to_le32(b0[1]); 395 dst[2] = cpu_to_le32(b0[2]); 396 dst[3] = cpu_to_le32(b0[3]); 397 } 398 399 /* decrypt a block of text */ 400 401 #define i_rn(bo, bi, n, k) do { \ 402 bo[n] = crypto_it_tab[0][byte(bi[n], 0)] ^ \ 403 crypto_it_tab[1][byte(bi[(n + 3) & 3], 1)] ^ \ 404 crypto_it_tab[2][byte(bi[(n + 2) & 3], 2)] ^ \ 405 crypto_it_tab[3][byte(bi[(n + 1) & 3], 3)] ^ *(k + n); \ 406 } while (0) 407 408 #define i_nround(bo, bi, k) do {\ 409 i_rn(bo, bi, 0, k); \ 410 i_rn(bo, bi, 1, k); \ 411 i_rn(bo, bi, 2, k); \ 412 i_rn(bo, bi, 3, k); \ 413 k += 4; \ 414 } while (0) 415 416 #define i_rl(bo, bi, n, k) do { \ 417 bo[n] = crypto_il_tab[0][byte(bi[n], 0)] ^ \ 418 crypto_il_tab[1][byte(bi[(n + 3) & 3], 1)] ^ \ 419 crypto_il_tab[2][byte(bi[(n + 2) & 3], 2)] ^ \ 420 crypto_il_tab[3][byte(bi[(n + 1) & 3], 3)] ^ *(k + n); \ 421 } while (0) 422 423 #define i_lround(bo, bi, k) do {\ 424 i_rl(bo, bi, 0, k); \ 425 i_rl(bo, bi, 1, k); \ 426 i_rl(bo, bi, 2, k); \ 427 i_rl(bo, bi, 3, k); \ 428 } while (0) 429 430 static void aes_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) 431 { 432 const struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm); 433 const __le32 *src = (const __le32 *)in; 434 __le32 *dst = (__le32 *)out; 435 u32 b0[4], b1[4]; 436 const int key_len = ctx->key_length; 437 const u32 *kp = ctx->key_dec + 4; 438 439 b0[0] = le32_to_cpu(src[0]) ^ ctx->key_dec[0]; 440 b0[1] = le32_to_cpu(src[1]) ^ ctx->key_dec[1]; 441 b0[2] = le32_to_cpu(src[2]) ^ ctx->key_dec[2]; 442 b0[3] = le32_to_cpu(src[3]) ^ ctx->key_dec[3]; 443 444 if (key_len > 24) { 445 i_nround(b1, b0, kp); 446 i_nround(b0, b1, kp); 447 } 448 449 if (key_len > 16) { 450 i_nround(b1, b0, kp); 451 i_nround(b0, b1, kp); 452 } 453 454 i_nround(b1, b0, kp); 455 i_nround(b0, b1, kp); 456 i_nround(b1, b0, kp); 457 i_nround(b0, b1, kp); 458 i_nround(b1, b0, kp); 459 i_nround(b0, b1, kp); 460 i_nround(b1, b0, kp); 461 i_nround(b0, b1, kp); 462 i_nround(b1, b0, kp); 463 i_lround(b0, b1, kp); 464 465 dst[0] = cpu_to_le32(b0[0]); 466 dst[1] = cpu_to_le32(b0[1]); 467 dst[2] = cpu_to_le32(b0[2]); 468 dst[3] = cpu_to_le32(b0[3]); 469 } 470 471 static struct crypto_alg aes_alg = { 472 .cra_name = "aes", 473 .cra_driver_name = "aes-generic", 474 .cra_priority = 100, 475 .cra_flags = CRYPTO_ALG_TYPE_CIPHER, 476 .cra_blocksize = AES_BLOCK_SIZE, 477 .cra_ctxsize = sizeof(struct crypto_aes_ctx), 478 .cra_alignmask = 3, 479 .cra_module = THIS_MODULE, 480 .cra_list = LIST_HEAD_INIT(aes_alg.cra_list), 481 .cra_u = { 482 .cipher = { 483 .cia_min_keysize = AES_MIN_KEY_SIZE, 484 .cia_max_keysize = AES_MAX_KEY_SIZE, 485 .cia_setkey = crypto_aes_set_key, 486 .cia_encrypt = aes_encrypt, 487 .cia_decrypt = aes_decrypt 488 } 489 } 490 }; 491 492 static int __init aes_init(void) 493 { 494 gen_tabs(); 495 return crypto_register_alg(&aes_alg); 496 } 497 498 static void __exit aes_fini(void) 499 { 500 crypto_unregister_alg(&aes_alg); 501 } 502 503 module_init(aes_init); 504 module_exit(aes_fini); 505 506 MODULE_DESCRIPTION("Rijndael (AES) Cipher Algorithm"); 507 MODULE_LICENSE("Dual BSD/GPL"); 508 MODULE_ALIAS("aes"); 509