Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
1/* SPDX-License-Identifier: GPL-2.0 */
2/*
3 * Common values for AES algorithms
4 */
5
6#ifndef _CRYPTO_AES_H
7#define _CRYPTO_AES_H
8
9#include <linux/types.h>
10#include <linux/crypto.h>
11
12#define AES_MIN_KEY_SIZE 16
13#define AES_MAX_KEY_SIZE 32
14#define AES_KEYSIZE_128 16
15#define AES_KEYSIZE_192 24
16#define AES_KEYSIZE_256 32
17#define AES_BLOCK_SIZE 16
18#define AES_MAX_KEYLENGTH (15 * 16)
19#define AES_MAX_KEYLENGTH_U32 (AES_MAX_KEYLENGTH / sizeof(u32))
20
21/*
22 * The POWER8 VSX optimized AES assembly code is borrowed from OpenSSL and
23 * inherits OpenSSL's AES_KEY format, which stores the number of rounds after
24 * the round keys. That assembly code is difficult to change. So for
25 * compatibility purposes we reserve space for the extra nrounds field on PPC64.
26 *
27 * Note: when prepared for decryption, the round keys are just the reversed
28 * standard round keys, not the round keys for the Equivalent Inverse Cipher.
29 */
30struct p8_aes_key {
31 u32 rndkeys[AES_MAX_KEYLENGTH_U32];
32 int nrounds;
33};
34
35union aes_enckey_arch {
36 u32 rndkeys[AES_MAX_KEYLENGTH_U32];
37#ifdef CONFIG_CRYPTO_LIB_AES_ARCH
38#if defined(CONFIG_PPC) && defined(CONFIG_SPE)
39 /* Used unconditionally (when SPE AES code is enabled in kconfig) */
40 u32 spe_enc_key[AES_MAX_KEYLENGTH_U32] __aligned(8);
41#elif defined(CONFIG_PPC)
42 /*
43 * Kernels that include the POWER8 VSX optimized AES code use this field
44 * when that code is usable at key preparation time. Otherwise they
45 * fall back to rndkeys. In the latter case, p8.nrounds (which doesn't
46 * overlap rndkeys) is set to 0 to differentiate the two formats.
47 */
48 struct p8_aes_key p8;
49#elif defined(CONFIG_S390)
50 /* Used when the CPU supports CPACF AES for this key's length */
51 u8 raw_key[AES_MAX_KEY_SIZE];
52#elif defined(CONFIG_SPARC64)
53 /* Used when the CPU supports the SPARC64 AES opcodes */
54 u64 sparc_rndkeys[AES_MAX_KEYLENGTH / sizeof(u64)];
55#endif
56#endif /* CONFIG_CRYPTO_LIB_AES_ARCH */
57};
58
59union aes_invkey_arch {
60 u32 inv_rndkeys[AES_MAX_KEYLENGTH_U32];
61#ifdef CONFIG_CRYPTO_LIB_AES_ARCH
62#if defined(CONFIG_PPC) && defined(CONFIG_SPE)
63 /* Used unconditionally (when SPE AES code is enabled in kconfig) */
64 u32 spe_dec_key[AES_MAX_KEYLENGTH_U32] __aligned(8);
65#elif defined(CONFIG_PPC)
66 /* Used conditionally, analogous to aes_enckey_arch::p8 */
67 struct p8_aes_key p8;
68#endif
69#endif /* CONFIG_CRYPTO_LIB_AES_ARCH */
70};
71
72/**
73 * struct aes_enckey - An AES key prepared for encryption
74 * @len: Key length in bytes: 16 for AES-128, 24 for AES-192, 32 for AES-256.
75 * @nrounds: Number of rounds: 10 for AES-128, 12 for AES-192, 14 for AES-256.
76 * This is '6 + @len / 4' and is cached so that AES implementations
77 * that need it don't have to recompute it for each en/decryption.
78 * @padding: Padding to make offsetof(@k) be a multiple of 16, so that aligning
79 * this struct to a 16-byte boundary results in @k also being 16-byte
80 * aligned. Users aren't required to align this struct to 16 bytes,
81 * but it may slightly improve performance.
82 * @k: This typically contains the AES round keys as an array of '@nrounds + 1'
83 * groups of four u32 words. However, architecture-specific implementations
84 * of AES may store something else here, e.g. just the raw key if it's all
85 * they need.
86 *
87 * Note that this struct is about half the size of struct aes_key. This is
88 * separate from struct aes_key so that modes that need only AES encryption
89 * (e.g. AES-GCM, AES-CTR, AES-CMAC, tweak key in AES-XTS) don't incur the time
90 * and space overhead of computing and caching the decryption round keys.
91 *
92 * Note that there's no decryption-only equivalent (i.e. "struct aes_deckey"),
93 * since (a) it's rare that modes need decryption-only, and (b) some AES
94 * implementations use the same @k for both encryption and decryption, either
95 * always or conditionally; in the latter case both @k and @inv_k are needed.
96 */
97struct aes_enckey {
98 u32 len;
99 u32 nrounds;
100 u32 padding[2];
101 union aes_enckey_arch k;
102};
103
104/**
105 * struct aes_key - An AES key prepared for encryption and decryption
106 * @aes_enckey: Common fields and the key prepared for encryption
107 * @inv_k: This generally contains the round keys for the AES Equivalent
108 * Inverse Cipher, as an array of '@nrounds + 1' groups of four u32
109 * words. However, architecture-specific implementations of AES may
110 * store something else here. For example, they may leave this field
111 * uninitialized if they use @k for both encryption and decryption.
112 */
113struct aes_key {
114 struct aes_enckey; /* Include all fields of aes_enckey. */
115 union aes_invkey_arch inv_k;
116};
117
118/*
119 * Please ensure that the first two fields are 16-byte aligned
120 * relative to the start of the structure, i.e., don't move them!
121 */
122struct crypto_aes_ctx {
123 u32 key_enc[AES_MAX_KEYLENGTH_U32];
124 u32 key_dec[AES_MAX_KEYLENGTH_U32];
125 u32 key_length;
126};
127
128/*
129 * validate key length for AES algorithms
130 */
131static inline int aes_check_keylen(size_t keylen)
132{
133 switch (keylen) {
134 case AES_KEYSIZE_128:
135 case AES_KEYSIZE_192:
136 case AES_KEYSIZE_256:
137 break;
138 default:
139 return -EINVAL;
140 }
141
142 return 0;
143}
144
145/**
146 * aes_expandkey - Expands the AES key as described in FIPS-197
147 * @ctx: The location where the computed key will be stored.
148 * @in_key: The supplied key.
149 * @key_len: The length of the supplied key.
150 *
151 * Returns 0 on success. The function fails only if an invalid key size (or
152 * pointer) is supplied.
153 * The expanded key size is 240 bytes (max of 14 rounds with a unique 16 bytes
154 * key schedule plus a 16 bytes key which is used before the first round).
155 * The decryption key is prepared for the "Equivalent Inverse Cipher" as
156 * described in FIPS-197. The first slot (16 bytes) of each key (enc or dec) is
157 * for the initial combination, the second slot for the first round and so on.
158 */
159int aes_expandkey(struct crypto_aes_ctx *ctx, const u8 *in_key,
160 unsigned int key_len);
161
162/*
163 * The following functions are temporarily exported for use by the AES mode
164 * implementations in arch/$(SRCARCH)/crypto/. These exports will go away when
165 * that code is migrated into lib/crypto/.
166 */
167#ifdef CONFIG_ARM64
168int ce_aes_expandkey(struct crypto_aes_ctx *ctx, const u8 *in_key,
169 unsigned int key_len);
170asmlinkage void neon_aes_ecb_encrypt(u8 out[], u8 const in[], u32 const rk[],
171 int rounds, int blocks);
172asmlinkage void neon_aes_ecb_decrypt(u8 out[], u8 const in[], u32 const rk[],
173 int rounds, int blocks);
174asmlinkage void neon_aes_cbc_encrypt(u8 out[], u8 const in[], u32 const rk[],
175 int rounds, int blocks, u8 iv[]);
176asmlinkage void neon_aes_cbc_decrypt(u8 out[], u8 const in[], u32 const rk[],
177 int rounds, int blocks, u8 iv[]);
178asmlinkage void neon_aes_cbc_cts_encrypt(u8 out[], u8 const in[],
179 u32 const rk[], int rounds, int bytes,
180 u8 const iv[]);
181asmlinkage void neon_aes_cbc_cts_decrypt(u8 out[], u8 const in[],
182 u32 const rk[], int rounds, int bytes,
183 u8 const iv[]);
184asmlinkage void neon_aes_ctr_encrypt(u8 out[], u8 const in[], u32 const rk[],
185 int rounds, int bytes, u8 ctr[]);
186asmlinkage void neon_aes_xctr_encrypt(u8 out[], u8 const in[], u32 const rk[],
187 int rounds, int bytes, u8 ctr[],
188 int byte_ctr);
189asmlinkage void neon_aes_xts_encrypt(u8 out[], u8 const in[], u32 const rk1[],
190 int rounds, int bytes, u32 const rk2[],
191 u8 iv[], int first);
192asmlinkage void neon_aes_xts_decrypt(u8 out[], u8 const in[], u32 const rk1[],
193 int rounds, int bytes, u32 const rk2[],
194 u8 iv[], int first);
195asmlinkage void neon_aes_essiv_cbc_encrypt(u8 out[], u8 const in[],
196 u32 const rk1[], int rounds,
197 int blocks, u8 iv[],
198 u32 const rk2[]);
199asmlinkage void neon_aes_essiv_cbc_decrypt(u8 out[], u8 const in[],
200 u32 const rk1[], int rounds,
201 int blocks, u8 iv[],
202 u32 const rk2[]);
203
204asmlinkage void ce_aes_ecb_encrypt(u8 out[], u8 const in[], u32 const rk[],
205 int rounds, int blocks);
206asmlinkage void ce_aes_ecb_decrypt(u8 out[], u8 const in[], u32 const rk[],
207 int rounds, int blocks);
208asmlinkage void ce_aes_cbc_encrypt(u8 out[], u8 const in[], u32 const rk[],
209 int rounds, int blocks, u8 iv[]);
210asmlinkage void ce_aes_cbc_decrypt(u8 out[], u8 const in[], u32 const rk[],
211 int rounds, int blocks, u8 iv[]);
212asmlinkage void ce_aes_cbc_cts_encrypt(u8 out[], u8 const in[], u32 const rk[],
213 int rounds, int bytes, u8 const iv[]);
214asmlinkage void ce_aes_cbc_cts_decrypt(u8 out[], u8 const in[], u32 const rk[],
215 int rounds, int bytes, u8 const iv[]);
216asmlinkage void ce_aes_ctr_encrypt(u8 out[], u8 const in[], u32 const rk[],
217 int rounds, int bytes, u8 ctr[]);
218asmlinkage void ce_aes_xctr_encrypt(u8 out[], u8 const in[], u32 const rk[],
219 int rounds, int bytes, u8 ctr[],
220 int byte_ctr);
221asmlinkage void ce_aes_xts_encrypt(u8 out[], u8 const in[], u32 const rk1[],
222 int rounds, int bytes, u32 const rk2[],
223 u8 iv[], int first);
224asmlinkage void ce_aes_xts_decrypt(u8 out[], u8 const in[], u32 const rk1[],
225 int rounds, int bytes, u32 const rk2[],
226 u8 iv[], int first);
227asmlinkage void ce_aes_essiv_cbc_encrypt(u8 out[], u8 const in[],
228 u32 const rk1[], int rounds,
229 int blocks, u8 iv[], u32 const rk2[]);
230asmlinkage void ce_aes_essiv_cbc_decrypt(u8 out[], u8 const in[],
231 u32 const rk1[], int rounds,
232 int blocks, u8 iv[], u32 const rk2[]);
233asmlinkage void ce_aes_mac_update(u8 const in[], u32 const rk[], int rounds,
234 size_t blocks, u8 dg[], int enc_before,
235 int enc_after);
236#elif defined(CONFIG_PPC)
237void ppc_expand_key_128(u32 *key_enc, const u8 *key);
238void ppc_expand_key_192(u32 *key_enc, const u8 *key);
239void ppc_expand_key_256(u32 *key_enc, const u8 *key);
240void ppc_generate_decrypt_key(u32 *key_dec, u32 *key_enc, unsigned int key_len);
241void ppc_encrypt_ecb(u8 *out, const u8 *in, u32 *key_enc, u32 rounds,
242 u32 bytes);
243void ppc_decrypt_ecb(u8 *out, const u8 *in, u32 *key_dec, u32 rounds,
244 u32 bytes);
245void ppc_encrypt_cbc(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, u32 bytes,
246 u8 *iv);
247void ppc_decrypt_cbc(u8 *out, const u8 *in, u32 *key_dec, u32 rounds, u32 bytes,
248 u8 *iv);
249void ppc_crypt_ctr(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, u32 bytes,
250 u8 *iv);
251void ppc_encrypt_xts(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, u32 bytes,
252 u8 *iv, u32 *key_twk);
253void ppc_decrypt_xts(u8 *out, const u8 *in, u32 *key_dec, u32 rounds, u32 bytes,
254 u8 *iv, u32 *key_twk);
255int aes_p8_set_encrypt_key(const u8 *userKey, const int bits,
256 struct p8_aes_key *key);
257int aes_p8_set_decrypt_key(const u8 *userKey, const int bits,
258 struct p8_aes_key *key);
259void aes_p8_encrypt(const u8 *in, u8 *out, const struct p8_aes_key *key);
260void aes_p8_decrypt(const u8 *in, u8 *out, const struct p8_aes_key *key);
261void aes_p8_cbc_encrypt(const u8 *in, u8 *out, size_t len,
262 const struct p8_aes_key *key, u8 *iv, const int enc);
263void aes_p8_ctr32_encrypt_blocks(const u8 *in, u8 *out, size_t len,
264 const struct p8_aes_key *key, const u8 *iv);
265void aes_p8_xts_encrypt(const u8 *in, u8 *out, size_t len,
266 const struct p8_aes_key *key1,
267 const struct p8_aes_key *key2, u8 *iv);
268void aes_p8_xts_decrypt(const u8 *in, u8 *out, size_t len,
269 const struct p8_aes_key *key1,
270 const struct p8_aes_key *key2, u8 *iv);
271#elif defined(CONFIG_SPARC64)
272void aes_sparc64_key_expand(const u32 *in_key, u64 *output_key,
273 unsigned int key_len);
274void aes_sparc64_load_encrypt_keys_128(const u64 *key);
275void aes_sparc64_load_encrypt_keys_192(const u64 *key);
276void aes_sparc64_load_encrypt_keys_256(const u64 *key);
277void aes_sparc64_load_decrypt_keys_128(const u64 *key);
278void aes_sparc64_load_decrypt_keys_192(const u64 *key);
279void aes_sparc64_load_decrypt_keys_256(const u64 *key);
280void aes_sparc64_ecb_encrypt_128(const u64 *key, const u64 *input, u64 *output,
281 unsigned int len);
282void aes_sparc64_ecb_encrypt_192(const u64 *key, const u64 *input, u64 *output,
283 unsigned int len);
284void aes_sparc64_ecb_encrypt_256(const u64 *key, const u64 *input, u64 *output,
285 unsigned int len);
286void aes_sparc64_ecb_decrypt_128(const u64 *key, const u64 *input, u64 *output,
287 unsigned int len);
288void aes_sparc64_ecb_decrypt_192(const u64 *key, const u64 *input, u64 *output,
289 unsigned int len);
290void aes_sparc64_ecb_decrypt_256(const u64 *key, const u64 *input, u64 *output,
291 unsigned int len);
292void aes_sparc64_cbc_encrypt_128(const u64 *key, const u64 *input, u64 *output,
293 unsigned int len, u64 *iv);
294void aes_sparc64_cbc_encrypt_192(const u64 *key, const u64 *input, u64 *output,
295 unsigned int len, u64 *iv);
296void aes_sparc64_cbc_encrypt_256(const u64 *key, const u64 *input, u64 *output,
297 unsigned int len, u64 *iv);
298void aes_sparc64_cbc_decrypt_128(const u64 *key, const u64 *input, u64 *output,
299 unsigned int len, u64 *iv);
300void aes_sparc64_cbc_decrypt_192(const u64 *key, const u64 *input, u64 *output,
301 unsigned int len, u64 *iv);
302void aes_sparc64_cbc_decrypt_256(const u64 *key, const u64 *input, u64 *output,
303 unsigned int len, u64 *iv);
304void aes_sparc64_ctr_crypt_128(const u64 *key, const u64 *input, u64 *output,
305 unsigned int len, u64 *iv);
306void aes_sparc64_ctr_crypt_192(const u64 *key, const u64 *input, u64 *output,
307 unsigned int len, u64 *iv);
308void aes_sparc64_ctr_crypt_256(const u64 *key, const u64 *input, u64 *output,
309 unsigned int len, u64 *iv);
310#endif
311
312/**
313 * aes_preparekey() - Prepare an AES key for encryption and decryption
314 * @key: (output) The key structure to initialize
315 * @in_key: The raw AES key
316 * @key_len: Length of the raw key in bytes. Should be either AES_KEYSIZE_128,
317 * AES_KEYSIZE_192, or AES_KEYSIZE_256.
318 *
319 * This prepares an AES key for both the encryption and decryption directions of
320 * the block cipher. Typically this involves expanding the raw key into both
321 * the standard round keys and the Equivalent Inverse Cipher round keys, but
322 * some architecture-specific implementations don't do the full expansion here.
323 *
324 * The caller is responsible for zeroizing both the struct aes_key and the raw
325 * key once they are no longer needed.
326 *
327 * If you don't need decryption support, use aes_prepareenckey() instead.
328 *
329 * Return: 0 on success or -EINVAL if the given key length is invalid. No other
330 * errors are possible, so callers that always pass a valid key length
331 * don't need to check for errors.
332 *
333 * Context: Any context.
334 */
335int aes_preparekey(struct aes_key *key, const u8 *in_key, size_t key_len);
336
337/**
338 * aes_prepareenckey() - Prepare an AES key for encryption-only
339 * @key: (output) The key structure to initialize
340 * @in_key: The raw AES key
341 * @key_len: Length of the raw key in bytes. Should be either AES_KEYSIZE_128,
342 * AES_KEYSIZE_192, or AES_KEYSIZE_256.
343 *
344 * This prepares an AES key for only the encryption direction of the block
345 * cipher. Typically this involves expanding the raw key into only the standard
346 * round keys, resulting in a struct about half the size of struct aes_key.
347 *
348 * The caller is responsible for zeroizing both the struct aes_enckey and the
349 * raw key once they are no longer needed.
350 *
351 * Note that while the resulting prepared key supports only AES encryption, it
352 * can still be used for decrypting in a mode of operation that uses AES in only
353 * the encryption (forward) direction, for example counter mode.
354 *
355 * Return: 0 on success or -EINVAL if the given key length is invalid. No other
356 * errors are possible, so callers that always pass a valid key length
357 * don't need to check for errors.
358 *
359 * Context: Any context.
360 */
361int aes_prepareenckey(struct aes_enckey *key, const u8 *in_key, size_t key_len);
362
363typedef union {
364 const struct aes_enckey *enc_key;
365 const struct aes_key *full_key;
366} aes_encrypt_arg __attribute__ ((__transparent_union__));
367
368/**
369 * aes_encrypt() - Encrypt a single AES block
370 * @key: The AES key, as a pointer to either an encryption-only key
371 * (struct aes_enckey) or a full, bidirectional key (struct aes_key).
372 * @out: Buffer to store the ciphertext block
373 * @in: Buffer containing the plaintext block
374 *
375 * Context: Any context.
376 */
377void aes_encrypt(aes_encrypt_arg key, u8 out[at_least AES_BLOCK_SIZE],
378 const u8 in[at_least AES_BLOCK_SIZE]);
379
380/**
381 * aes_decrypt() - Decrypt a single AES block
382 * @key: The AES key, previously initialized by aes_preparekey()
383 * @out: Buffer to store the plaintext block
384 * @in: Buffer containing the ciphertext block
385 *
386 * Context: Any context.
387 */
388void aes_decrypt(const struct aes_key *key, u8 out[at_least AES_BLOCK_SIZE],
389 const u8 in[at_least AES_BLOCK_SIZE]);
390
391extern const u8 crypto_aes_sbox[];
392extern const u8 crypto_aes_inv_sbox[];
393extern const u32 aes_enc_tab[256];
394extern const u32 aes_dec_tab[256];
395
396void aescfb_encrypt(const struct aes_enckey *key, u8 *dst, const u8 *src,
397 int len, const u8 iv[AES_BLOCK_SIZE]);
398void aescfb_decrypt(const struct aes_enckey *key, u8 *dst, const u8 *src,
399 int len, const u8 iv[AES_BLOCK_SIZE]);
400
401#endif