xref: /openbmc/linux/crypto/aes_generic.c (revision 5427663f) 
1 /*
2  * Cryptographic API.
3  *
4  * AES Cipher Algorithm.
5  *
6  * Based on Brian Gladman's code.
7  *
8  * Linux developers:
9  *  Alexander Kjeldaas <astor@fast.no>
10  *  Herbert Valerio Riedel <hvr@hvrlab.org>
11  *  Kyle McMartin <kyle@debian.org>
12  *  Adam J. Richter <adam@yggdrasil.com> (conversion to 2.5 API).
13  *
14  * This program is free software; you can redistribute it and/or modify
15  * it under the terms of the GNU General Public License as published by
16  * the Free Software Foundation; either version 2 of the License, or
17  * (at your option) any later version.
18  *
19  * ---------------------------------------------------------------------------
20  * Copyright (c) 2002, Dr Brian Gladman <brg@gladman.me.uk>, Worcester, UK.
21  * All rights reserved.
22  *
23  * LICENSE TERMS
24  *
25  * The free distribution and use of this software in both source and binary
26  * form is allowed (with or without changes) provided that:
27  *
28  *   1. distributions of this source code include the above copyright
29  *      notice, this list of conditions and the following disclaimer;
30  *
31  *   2. distributions in binary form include the above copyright
32  *      notice, this list of conditions and the following disclaimer
33  *      in the documentation and/or other associated materials;
34  *
35  *   3. the copyright holder's name is not used to endorse products
36  *      built using this software without specific written permission.
37  *
38  * ALTERNATIVELY, provided that this notice is retained in full, this product
39  * may be distributed under the terms of the GNU General Public License (GPL),
40  * in which case the provisions of the GPL apply INSTEAD OF those given above.
41  *
42  * DISCLAIMER
43  *
44  * This software is provided 'as is' with no explicit or implied warranties
45  * in respect of its properties, including, but not limited to, correctness
46  * and/or fitness for purpose.
47  * ---------------------------------------------------------------------------
48  */
49 
50 #include <crypto/aes.h>
51 #include <linux/module.h>
52 #include <linux/init.h>
53 #include <linux/types.h>
54 #include <linux/errno.h>
55 #include <linux/crypto.h>
56 #include <asm/byteorder.h>
57 
58 static inline u8 byte(const u32 x, const unsigned n)
59 {
60 	return x >> (n << 3);
61 }
62 
63 static u8 pow_tab[256] __initdata;
64 static u8 log_tab[256] __initdata;
65 static u8 sbx_tab[256] __initdata;
66 static u8 isb_tab[256] __initdata;
67 static u32 rco_tab[10];
68 
69 u32 crypto_ft_tab[4][256];
70 u32 crypto_fl_tab[4][256];
71 u32 crypto_it_tab[4][256];
72 u32 crypto_il_tab[4][256];
73 
74 EXPORT_SYMBOL_GPL(crypto_ft_tab);
75 EXPORT_SYMBOL_GPL(crypto_fl_tab);
76 EXPORT_SYMBOL_GPL(crypto_it_tab);
77 EXPORT_SYMBOL_GPL(crypto_il_tab);
78 
79 static inline u8 __init f_mult(u8 a, u8 b)
80 {
81 	u8 aa = log_tab[a], cc = aa + log_tab[b];
82 
83 	return pow_tab[cc + (cc < aa ? 1 : 0)];
84 }
85 
86 #define ff_mult(a, b)	(a && b ? f_mult(a, b) : 0)
87 
88 static void __init gen_tabs(void)
89 {
90 	u32 i, t;
91 	u8 p, q;
92 
93 	/*
94 	 * log and power tables for GF(2**8) finite field with
95 	 * 0x011b as modular polynomial - the simplest primitive
96 	 * root is 0x03, used here to generate the tables
97 	 */
98 
99 	for (i = 0, p = 1; i < 256; ++i) {
100 		pow_tab[i] = (u8) p;
101 		log_tab[p] = (u8) i;
102 
103 		p ^= (p << 1) ^ (p & 0x80 ? 0x01b : 0);
104 	}
105 
106 	log_tab[1] = 0;
107 
108 	for (i = 0, p = 1; i < 10; ++i) {
109 		rco_tab[i] = p;
110 
111 		p = (p << 1) ^ (p & 0x80 ? 0x01b : 0);
112 	}
113 
114 	for (i = 0; i < 256; ++i) {
115 		p = (i ? pow_tab[255 - log_tab[i]] : 0);
116 		q = ((p >> 7) | (p << 1)) ^ ((p >> 6) | (p << 2));
117 		p ^= 0x63 ^ q ^ ((q >> 6) | (q << 2));
118 		sbx_tab[i] = p;
119 		isb_tab[p] = (u8) i;
120 	}
121 
122 	for (i = 0; i < 256; ++i) {
123 		p = sbx_tab[i];
124 
125 		t = p;
126 		crypto_fl_tab[0][i] = t;
127 		crypto_fl_tab[1][i] = rol32(t, 8);
128 		crypto_fl_tab[2][i] = rol32(t, 16);
129 		crypto_fl_tab[3][i] = rol32(t, 24);
130 
131 		t = ((u32) ff_mult(2, p)) |
132 		    ((u32) p << 8) |
133 		    ((u32) p << 16) | ((u32) ff_mult(3, p) << 24);
134 
135 		crypto_ft_tab[0][i] = t;
136 		crypto_ft_tab[1][i] = rol32(t, 8);
137 		crypto_ft_tab[2][i] = rol32(t, 16);
138 		crypto_ft_tab[3][i] = rol32(t, 24);
139 
140 		p = isb_tab[i];
141 
142 		t = p;
143 		crypto_il_tab[0][i] = t;
144 		crypto_il_tab[1][i] = rol32(t, 8);
145 		crypto_il_tab[2][i] = rol32(t, 16);
146 		crypto_il_tab[3][i] = rol32(t, 24);
147 
148 		t = ((u32) ff_mult(14, p)) |
149 		    ((u32) ff_mult(9, p) << 8) |
150 		    ((u32) ff_mult(13, p) << 16) |
151 		    ((u32) ff_mult(11, p) << 24);
152 
153 		crypto_it_tab[0][i] = t;
154 		crypto_it_tab[1][i] = rol32(t, 8);
155 		crypto_it_tab[2][i] = rol32(t, 16);
156 		crypto_it_tab[3][i] = rol32(t, 24);
157 	}
158 }
159 
160 /* initialise the key schedule from the user supplied key */
161 
162 #define star_x(x) (((x) & 0x7f7f7f7f) << 1) ^ ((((x) & 0x80808080) >> 7) * 0x1b)
163 
164 #define imix_col(y,x)	do {		\
165 	u	= star_x(x);		\
166 	v	= star_x(u);		\
167 	w	= star_x(v);		\
168 	t	= w ^ (x);		\
169 	(y)	= u ^ v ^ w;		\
170 	(y)	^= ror32(u ^ t, 8) ^	\
171 		ror32(v ^ t, 16) ^	\
172 		ror32(t, 24);		\
173 } while (0)
174 
175 #define ls_box(x)		\
176 	crypto_fl_tab[0][byte(x, 0)] ^	\
177 	crypto_fl_tab[1][byte(x, 1)] ^	\
178 	crypto_fl_tab[2][byte(x, 2)] ^	\
179 	crypto_fl_tab[3][byte(x, 3)]
180 
181 #define loop4(i)	do {		\
182 	t = ror32(t, 8);		\
183 	t = ls_box(t) ^ rco_tab[i];	\
184 	t ^= ctx->key_enc[4 * i];		\
185 	ctx->key_enc[4 * i + 4] = t;		\
186 	t ^= ctx->key_enc[4 * i + 1];		\
187 	ctx->key_enc[4 * i + 5] = t;		\
188 	t ^= ctx->key_enc[4 * i + 2];		\
189 	ctx->key_enc[4 * i + 6] = t;		\
190 	t ^= ctx->key_enc[4 * i + 3];		\
191 	ctx->key_enc[4 * i + 7] = t;		\
192 } while (0)
193 
194 #define loop6(i)	do {		\
195 	t = ror32(t, 8);		\
196 	t = ls_box(t) ^ rco_tab[i];	\
197 	t ^= ctx->key_enc[6 * i];		\
198 	ctx->key_enc[6 * i + 6] = t;		\
199 	t ^= ctx->key_enc[6 * i + 1];		\
200 	ctx->key_enc[6 * i + 7] = t;		\
201 	t ^= ctx->key_enc[6 * i + 2];		\
202 	ctx->key_enc[6 * i + 8] = t;		\
203 	t ^= ctx->key_enc[6 * i + 3];		\
204 	ctx->key_enc[6 * i + 9] = t;		\
205 	t ^= ctx->key_enc[6 * i + 4];		\
206 	ctx->key_enc[6 * i + 10] = t;		\
207 	t ^= ctx->key_enc[6 * i + 5];		\
208 	ctx->key_enc[6 * i + 11] = t;		\
209 } while (0)
210 
211 #define loop8(i)	do {			\
212 	t = ror32(t, 8);			\
213 	t = ls_box(t) ^ rco_tab[i];		\
214 	t ^= ctx->key_enc[8 * i];			\
215 	ctx->key_enc[8 * i + 8] = t;			\
216 	t ^= ctx->key_enc[8 * i + 1];			\
217 	ctx->key_enc[8 * i + 9] = t;			\
218 	t ^= ctx->key_enc[8 * i + 2];			\
219 	ctx->key_enc[8 * i + 10] = t;			\
220 	t ^= ctx->key_enc[8 * i + 3];			\
221 	ctx->key_enc[8 * i + 11] = t;			\
222 	t  = ctx->key_enc[8 * i + 4] ^ ls_box(t);	\
223 	ctx->key_enc[8 * i + 12] = t;			\
224 	t ^= ctx->key_enc[8 * i + 5];			\
225 	ctx->key_enc[8 * i + 13] = t;			\
226 	t ^= ctx->key_enc[8 * i + 6];			\
227 	ctx->key_enc[8 * i + 14] = t;			\
228 	t ^= ctx->key_enc[8 * i + 7];			\
229 	ctx->key_enc[8 * i + 15] = t;			\
230 } while (0)
231 
232 /**
233  * crypto_aes_expand_key - Expands the AES key as described in FIPS-197
234  * @ctx:	The location where the computed key will be stored.
235  * @in_key:	The supplied key.
236  * @key_len:	The length of the supplied key.
237  *
238  * Returns 0 on success. The function fails only if an invalid key size (or
239  * pointer) is supplied.
240  * The expanded key size is 240 bytes (max of 14 rounds with a unique 16 bytes
241  * key schedule plus a 16 bytes key which is used before the first round).
242  * The decryption key is prepared for the "Equivalent Inverse Cipher" as
243  * described in FIPS-197. The first slot (16 bytes) of each key (enc or dec) is
244  * for the initial combination, the second slot for the first round and so on.
245  */
246 int crypto_aes_expand_key(struct crypto_aes_ctx *ctx, const u8 *in_key,
247 		unsigned int key_len)
248 {
249 	const __le32 *key = (const __le32 *)in_key;
250 	u32 i, t, u, v, w, j;
251 
252 	if (key_len != AES_KEYSIZE_128 && key_len != AES_KEYSIZE_192 &&
253 			key_len != AES_KEYSIZE_256)
254 		return -EINVAL;
255 
256 	ctx->key_length = key_len;
257 
258 	ctx->key_dec[key_len + 24] = ctx->key_enc[0] = le32_to_cpu(key[0]);
259 	ctx->key_dec[key_len + 25] = ctx->key_enc[1] = le32_to_cpu(key[1]);
260 	ctx->key_dec[key_len + 26] = ctx->key_enc[2] = le32_to_cpu(key[2]);
261 	ctx->key_dec[key_len + 27] = ctx->key_enc[3] = le32_to_cpu(key[3]);
262 
263 	switch (key_len) {
264 	case AES_KEYSIZE_128:
265 		t = ctx->key_enc[3];
266 		for (i = 0; i < 10; ++i)
267 			loop4(i);
268 		break;
269 
270 	case AES_KEYSIZE_192:
271 		ctx->key_enc[4] = le32_to_cpu(key[4]);
272 		t = ctx->key_enc[5] = le32_to_cpu(key[5]);
273 		for (i = 0; i < 8; ++i)
274 			loop6(i);
275 		break;
276 
277 	case AES_KEYSIZE_256:
278 		ctx->key_enc[4] = le32_to_cpu(key[4]);
279 		ctx->key_enc[5] = le32_to_cpu(key[5]);
280 		ctx->key_enc[6] = le32_to_cpu(key[6]);
281 		t = ctx->key_enc[7] = le32_to_cpu(key[7]);
282 		for (i = 0; i < 7; ++i)
283 			loop8(i);
284 		break;
285 	}
286 
287 	ctx->key_dec[0] = ctx->key_enc[key_len + 24];
288 	ctx->key_dec[1] = ctx->key_enc[key_len + 25];
289 	ctx->key_dec[2] = ctx->key_enc[key_len + 26];
290 	ctx->key_dec[3] = ctx->key_enc[key_len + 27];
291 
292 	for (i = 4; i < key_len + 24; ++i) {
293 		j = key_len + 24 - (i & ~3) + (i & 3);
294 		imix_col(ctx->key_dec[j], ctx->key_enc[i]);
295 	}
296 	return 0;
297 }
298 EXPORT_SYMBOL_GPL(crypto_aes_expand_key);
299 
300 /**
301  * crypto_aes_set_key - Set the AES key.
302  * @tfm:	The %crypto_tfm that is used in the context.
303  * @in_key:	The input key.
304  * @key_len:	The size of the key.
305  *
306  * Returns 0 on success, on failure the %CRYPTO_TFM_RES_BAD_KEY_LEN flag in tfm
307  * is set. The function uses crypto_aes_expand_key() to expand the key.
308  * &crypto_aes_ctx _must_ be the private data embedded in @tfm which is
309  * retrieved with crypto_tfm_ctx().
310  */
311 int crypto_aes_set_key(struct crypto_tfm *tfm, const u8 *in_key,
312 		unsigned int key_len)
313 {
314 	struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm);
315 	u32 *flags = &tfm->crt_flags;
316 	int ret;
317 
318 	ret = crypto_aes_expand_key(ctx, in_key, key_len);
319 	if (!ret)
320 		return 0;
321 
322 	*flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
323 	return -EINVAL;
324 }
325 EXPORT_SYMBOL_GPL(crypto_aes_set_key);
326 
327 /* encrypt a block of text */
328 
329 #define f_rn(bo, bi, n, k)	do {				\
330 	bo[n] = crypto_ft_tab[0][byte(bi[n], 0)] ^			\
331 		crypto_ft_tab[1][byte(bi[(n + 1) & 3], 1)] ^		\
332 		crypto_ft_tab[2][byte(bi[(n + 2) & 3], 2)] ^		\
333 		crypto_ft_tab[3][byte(bi[(n + 3) & 3], 3)] ^ *(k + n);	\
334 } while (0)
335 
336 #define f_nround(bo, bi, k)	do {\
337 	f_rn(bo, bi, 0, k);	\
338 	f_rn(bo, bi, 1, k);	\
339 	f_rn(bo, bi, 2, k);	\
340 	f_rn(bo, bi, 3, k);	\
341 	k += 4;			\
342 } while (0)
343 
344 #define f_rl(bo, bi, n, k)	do {				\
345 	bo[n] = crypto_fl_tab[0][byte(bi[n], 0)] ^			\
346 		crypto_fl_tab[1][byte(bi[(n + 1) & 3], 1)] ^		\
347 		crypto_fl_tab[2][byte(bi[(n + 2) & 3], 2)] ^		\
348 		crypto_fl_tab[3][byte(bi[(n + 3) & 3], 3)] ^ *(k + n);	\
349 } while (0)
350 
351 #define f_lround(bo, bi, k)	do {\
352 	f_rl(bo, bi, 0, k);	\
353 	f_rl(bo, bi, 1, k);	\
354 	f_rl(bo, bi, 2, k);	\
355 	f_rl(bo, bi, 3, k);	\
356 } while (0)
357 
358 static void aes_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
359 {
360 	const struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm);
361 	const __le32 *src = (const __le32 *)in;
362 	__le32 *dst = (__le32 *)out;
363 	u32 b0[4], b1[4];
364 	const u32 *kp = ctx->key_enc + 4;
365 	const int key_len = ctx->key_length;
366 
367 	b0[0] = le32_to_cpu(src[0]) ^ ctx->key_enc[0];
368 	b0[1] = le32_to_cpu(src[1]) ^ ctx->key_enc[1];
369 	b0[2] = le32_to_cpu(src[2]) ^ ctx->key_enc[2];
370 	b0[3] = le32_to_cpu(src[3]) ^ ctx->key_enc[3];
371 
372 	if (key_len > 24) {
373 		f_nround(b1, b0, kp);
374 		f_nround(b0, b1, kp);
375 	}
376 
377 	if (key_len > 16) {
378 		f_nround(b1, b0, kp);
379 		f_nround(b0, b1, kp);
380 	}
381 
382 	f_nround(b1, b0, kp);
383 	f_nround(b0, b1, kp);
384 	f_nround(b1, b0, kp);
385 	f_nround(b0, b1, kp);
386 	f_nround(b1, b0, kp);
387 	f_nround(b0, b1, kp);
388 	f_nround(b1, b0, kp);
389 	f_nround(b0, b1, kp);
390 	f_nround(b1, b0, kp);
391 	f_lround(b0, b1, kp);
392 
393 	dst[0] = cpu_to_le32(b0[0]);
394 	dst[1] = cpu_to_le32(b0[1]);
395 	dst[2] = cpu_to_le32(b0[2]);
396 	dst[3] = cpu_to_le32(b0[3]);
397 }
398 
399 /* decrypt a block of text */
400 
401 #define i_rn(bo, bi, n, k)	do {				\
402 	bo[n] = crypto_it_tab[0][byte(bi[n], 0)] ^			\
403 		crypto_it_tab[1][byte(bi[(n + 3) & 3], 1)] ^		\
404 		crypto_it_tab[2][byte(bi[(n + 2) & 3], 2)] ^		\
405 		crypto_it_tab[3][byte(bi[(n + 1) & 3], 3)] ^ *(k + n);	\
406 } while (0)
407 
408 #define i_nround(bo, bi, k)	do {\
409 	i_rn(bo, bi, 0, k);	\
410 	i_rn(bo, bi, 1, k);	\
411 	i_rn(bo, bi, 2, k);	\
412 	i_rn(bo, bi, 3, k);	\
413 	k += 4;			\
414 } while (0)
415 
416 #define i_rl(bo, bi, n, k)	do {			\
417 	bo[n] = crypto_il_tab[0][byte(bi[n], 0)] ^		\
418 	crypto_il_tab[1][byte(bi[(n + 3) & 3], 1)] ^		\
419 	crypto_il_tab[2][byte(bi[(n + 2) & 3], 2)] ^		\
420 	crypto_il_tab[3][byte(bi[(n + 1) & 3], 3)] ^ *(k + n);	\
421 } while (0)
422 
423 #define i_lround(bo, bi, k)	do {\
424 	i_rl(bo, bi, 0, k);	\
425 	i_rl(bo, bi, 1, k);	\
426 	i_rl(bo, bi, 2, k);	\
427 	i_rl(bo, bi, 3, k);	\
428 } while (0)
429 
430 static void aes_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
431 {
432 	const struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm);
433 	const __le32 *src = (const __le32 *)in;
434 	__le32 *dst = (__le32 *)out;
435 	u32 b0[4], b1[4];
436 	const int key_len = ctx->key_length;
437 	const u32 *kp = ctx->key_dec + 4;
438 
439 	b0[0] = le32_to_cpu(src[0]) ^  ctx->key_dec[0];
440 	b0[1] = le32_to_cpu(src[1]) ^  ctx->key_dec[1];
441 	b0[2] = le32_to_cpu(src[2]) ^  ctx->key_dec[2];
442 	b0[3] = le32_to_cpu(src[3]) ^  ctx->key_dec[3];
443 
444 	if (key_len > 24) {
445 		i_nround(b1, b0, kp);
446 		i_nround(b0, b1, kp);
447 	}
448 
449 	if (key_len > 16) {
450 		i_nround(b1, b0, kp);
451 		i_nround(b0, b1, kp);
452 	}
453 
454 	i_nround(b1, b0, kp);
455 	i_nround(b0, b1, kp);
456 	i_nround(b1, b0, kp);
457 	i_nround(b0, b1, kp);
458 	i_nround(b1, b0, kp);
459 	i_nround(b0, b1, kp);
460 	i_nround(b1, b0, kp);
461 	i_nround(b0, b1, kp);
462 	i_nround(b1, b0, kp);
463 	i_lround(b0, b1, kp);
464 
465 	dst[0] = cpu_to_le32(b0[0]);
466 	dst[1] = cpu_to_le32(b0[1]);
467 	dst[2] = cpu_to_le32(b0[2]);
468 	dst[3] = cpu_to_le32(b0[3]);
469 }
470 
471 static struct crypto_alg aes_alg = {
472 	.cra_name		=	"aes",
473 	.cra_driver_name	=	"aes-generic",
474 	.cra_priority		=	100,
475 	.cra_flags		=	CRYPTO_ALG_TYPE_CIPHER,
476 	.cra_blocksize		=	AES_BLOCK_SIZE,
477 	.cra_ctxsize		=	sizeof(struct crypto_aes_ctx),
478 	.cra_alignmask		=	3,
479 	.cra_module		=	THIS_MODULE,
480 	.cra_list		=	LIST_HEAD_INIT(aes_alg.cra_list),
481 	.cra_u			=	{
482 		.cipher = {
483 			.cia_min_keysize	=	AES_MIN_KEY_SIZE,
484 			.cia_max_keysize	=	AES_MAX_KEY_SIZE,
485 			.cia_setkey		=	crypto_aes_set_key,
486 			.cia_encrypt		=	aes_encrypt,
487 			.cia_decrypt		=	aes_decrypt
488 		}
489 	}
490 };
491 
492 static int __init aes_init(void)
493 {
494 	gen_tabs();
495 	return crypto_register_alg(&aes_alg);
496 }
497 
498 static void __exit aes_fini(void)
499 {
500 	crypto_unregister_alg(&aes_alg);
501 }
502 
503 module_init(aes_init);
504 module_exit(aes_fini);
505 
506 MODULE_DESCRIPTION("Rijndael (AES) Cipher Algorithm");
507 MODULE_LICENSE("Dual BSD/GPL");
508 MODULE_ALIAS("aes");
509