aes_generic.c revision 5427663f498e19b441277de72ce7a685511f247c 
1/*
2 * Cryptographic API.
3 *
4 * AES Cipher Algorithm.
5 *
6 * Based on Brian Gladman's code.
7 *
8 * Linux developers:
9 *  Alexander Kjeldaas <astor@fast.no>
10 *  Herbert Valerio Riedel <hvr@hvrlab.org>
11 *  Kyle McMartin <kyle@debian.org>
12 *  Adam J. Richter <adam@yggdrasil.com> (conversion to 2.5 API).
13 *
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 2 of the License, or
17 * (at your option) any later version.
18 *
19 * ---------------------------------------------------------------------------
20 * Copyright (c) 2002, Dr Brian Gladman <brg@gladman.me.uk>, Worcester, UK.
21 * All rights reserved.
22 *
23 * LICENSE TERMS
24 *
25 * The free distribution and use of this software in both source and binary
26 * form is allowed (with or without changes) provided that:
27 *
28 *   1. distributions of this source code include the above copyright
29 *      notice, this list of conditions and the following disclaimer;
30 *
31 *   2. distributions in binary form include the above copyright
32 *      notice, this list of conditions and the following disclaimer
33 *      in the documentation and/or other associated materials;
34 *
35 *   3. the copyright holder's name is not used to endorse products
36 *      built using this software without specific written permission.
37 *
38 * ALTERNATIVELY, provided that this notice is retained in full, this product
39 * may be distributed under the terms of the GNU General Public License (GPL),
40 * in which case the provisions of the GPL apply INSTEAD OF those given above.
41 *
42 * DISCLAIMER
43 *
44 * This software is provided 'as is' with no explicit or implied warranties
45 * in respect of its properties, including, but not limited to, correctness
46 * and/or fitness for purpose.
47 * ---------------------------------------------------------------------------
48 */
49
50#include <crypto/aes.h>
51#include <linux/module.h>
52#include <linux/init.h>
53#include <linux/types.h>
54#include <linux/errno.h>
55#include <linux/crypto.h>
56#include <asm/byteorder.h>
57
58static inline u8 byte(const u32 x, const unsigned n)
59{
60	return x >> (n << 3);
61}
62
63static u8 pow_tab[256] __initdata;
64static u8 log_tab[256] __initdata;
65static u8 sbx_tab[256] __initdata;
66static u8 isb_tab[256] __initdata;
67static u32 rco_tab[10];
68
69u32 crypto_ft_tab[4][256];
70u32 crypto_fl_tab[4][256];
71u32 crypto_it_tab[4][256];
72u32 crypto_il_tab[4][256];
73
74EXPORT_SYMBOL_GPL(crypto_ft_tab);
75EXPORT_SYMBOL_GPL(crypto_fl_tab);
76EXPORT_SYMBOL_GPL(crypto_it_tab);
77EXPORT_SYMBOL_GPL(crypto_il_tab);
78
79static inline u8 __init f_mult(u8 a, u8 b)
80{
81	u8 aa = log_tab[a], cc = aa + log_tab[b];
82
83	return pow_tab[cc + (cc < aa ? 1 : 0)];
84}
85
86#define ff_mult(a, b)	(a && b ? f_mult(a, b) : 0)
87
88static void __init gen_tabs(void)
89{
90	u32 i, t;
91	u8 p, q;
92
93	/*
94	 * log and power tables for GF(2**8) finite field with
95	 * 0x011b as modular polynomial - the simplest primitive
96	 * root is 0x03, used here to generate the tables
97	 */
98
99	for (i = 0, p = 1; i < 256; ++i) {
100		pow_tab[i] = (u8) p;
101		log_tab[p] = (u8) i;
102
103		p ^= (p << 1) ^ (p & 0x80 ? 0x01b : 0);
104	}
105
106	log_tab[1] = 0;
107
108	for (i = 0, p = 1; i < 10; ++i) {
109		rco_tab[i] = p;
110
111		p = (p << 1) ^ (p & 0x80 ? 0x01b : 0);
112	}
113
114	for (i = 0; i < 256; ++i) {
115		p = (i ? pow_tab[255 - log_tab[i]] : 0);
116		q = ((p >> 7) | (p << 1)) ^ ((p >> 6) | (p << 2));
117		p ^= 0x63 ^ q ^ ((q >> 6) | (q << 2));
118		sbx_tab[i] = p;
119		isb_tab[p] = (u8) i;
120	}
121
122	for (i = 0; i < 256; ++i) {
123		p = sbx_tab[i];
124
125		t = p;
126		crypto_fl_tab[0][i] = t;
127		crypto_fl_tab[1][i] = rol32(t, 8);
128		crypto_fl_tab[2][i] = rol32(t, 16);
129		crypto_fl_tab[3][i] = rol32(t, 24);
130
131		t = ((u32) ff_mult(2, p)) |
132		    ((u32) p << 8) |
133		    ((u32) p << 16) | ((u32) ff_mult(3, p) << 24);
134
135		crypto_ft_tab[0][i] = t;
136		crypto_ft_tab[1][i] = rol32(t, 8);
137		crypto_ft_tab[2][i] = rol32(t, 16);
138		crypto_ft_tab[3][i] = rol32(t, 24);
139
140		p = isb_tab[i];
141
142		t = p;
143		crypto_il_tab[0][i] = t;
144		crypto_il_tab[1][i] = rol32(t, 8);
145		crypto_il_tab[2][i] = rol32(t, 16);
146		crypto_il_tab[3][i] = rol32(t, 24);
147
148		t = ((u32) ff_mult(14, p)) |
149		    ((u32) ff_mult(9, p) << 8) |
150		    ((u32) ff_mult(13, p) << 16) |
151		    ((u32) ff_mult(11, p) << 24);
152
153		crypto_it_tab[0][i] = t;
154		crypto_it_tab[1][i] = rol32(t, 8);
155		crypto_it_tab[2][i] = rol32(t, 16);
156		crypto_it_tab[3][i] = rol32(t, 24);
157	}
158}
159
160/* initialise the key schedule from the user supplied key */
161
162#define star_x(x) (((x) & 0x7f7f7f7f) << 1) ^ ((((x) & 0x80808080) >> 7) * 0x1b)
163
164#define imix_col(y,x)	do {		\
165	u	= star_x(x);		\
166	v	= star_x(u);		\
167	w	= star_x(v);		\
168	t	= w ^ (x);		\
169	(y)	= u ^ v ^ w;		\
170	(y)	^= ror32(u ^ t, 8) ^	\
171		ror32(v ^ t, 16) ^	\
172		ror32(t, 24);		\
173} while (0)
174
175#define ls_box(x)		\
176	crypto_fl_tab[0][byte(x, 0)] ^	\
177	crypto_fl_tab[1][byte(x, 1)] ^	\
178	crypto_fl_tab[2][byte(x, 2)] ^	\
179	crypto_fl_tab[3][byte(x, 3)]
180
181#define loop4(i)	do {		\
182	t = ror32(t, 8);		\
183	t = ls_box(t) ^ rco_tab[i];	\
184	t ^= ctx->key_enc[4 * i];		\
185	ctx->key_enc[4 * i + 4] = t;		\
186	t ^= ctx->key_enc[4 * i + 1];		\
187	ctx->key_enc[4 * i + 5] = t;		\
188	t ^= ctx->key_enc[4 * i + 2];		\
189	ctx->key_enc[4 * i + 6] = t;		\
190	t ^= ctx->key_enc[4 * i + 3];		\
191	ctx->key_enc[4 * i + 7] = t;		\
192} while (0)
193
194#define loop6(i)	do {		\
195	t = ror32(t, 8);		\
196	t = ls_box(t) ^ rco_tab[i];	\
197	t ^= ctx->key_enc[6 * i];		\
198	ctx->key_enc[6 * i + 6] = t;		\
199	t ^= ctx->key_enc[6 * i + 1];		\
200	ctx->key_enc[6 * i + 7] = t;		\
201	t ^= ctx->key_enc[6 * i + 2];		\
202	ctx->key_enc[6 * i + 8] = t;		\
203	t ^= ctx->key_enc[6 * i + 3];		\
204	ctx->key_enc[6 * i + 9] = t;		\
205	t ^= ctx->key_enc[6 * i + 4];		\
206	ctx->key_enc[6 * i + 10] = t;		\
207	t ^= ctx->key_enc[6 * i + 5];		\
208	ctx->key_enc[6 * i + 11] = t;		\
209} while (0)
210
211#define loop8(i)	do {			\
212	t = ror32(t, 8);			\
213	t = ls_box(t) ^ rco_tab[i];		\
214	t ^= ctx->key_enc[8 * i];			\
215	ctx->key_enc[8 * i + 8] = t;			\
216	t ^= ctx->key_enc[8 * i + 1];			\
217	ctx->key_enc[8 * i + 9] = t;			\
218	t ^= ctx->key_enc[8 * i + 2];			\
219	ctx->key_enc[8 * i + 10] = t;			\
220	t ^= ctx->key_enc[8 * i + 3];			\
221	ctx->key_enc[8 * i + 11] = t;			\
222	t  = ctx->key_enc[8 * i + 4] ^ ls_box(t);	\
223	ctx->key_enc[8 * i + 12] = t;			\
224	t ^= ctx->key_enc[8 * i + 5];			\
225	ctx->key_enc[8 * i + 13] = t;			\
226	t ^= ctx->key_enc[8 * i + 6];			\
227	ctx->key_enc[8 * i + 14] = t;			\
228	t ^= ctx->key_enc[8 * i + 7];			\
229	ctx->key_enc[8 * i + 15] = t;			\
230} while (0)
231
232/**
233 * crypto_aes_expand_key - Expands the AES key as described in FIPS-197
234 * @ctx:	The location where the computed key will be stored.
235 * @in_key:	The supplied key.
236 * @key_len:	The length of the supplied key.
237 *
238 * Returns 0 on success. The function fails only if an invalid key size (or
239 * pointer) is supplied.
240 * The expanded key size is 240 bytes (max of 14 rounds with a unique 16 bytes
241 * key schedule plus a 16 bytes key which is used before the first round).
242 * The decryption key is prepared for the "Equivalent Inverse Cipher" as
243 * described in FIPS-197. The first slot (16 bytes) of each key (enc or dec) is
244 * for the initial combination, the second slot for the first round and so on.
245 */
246int crypto_aes_expand_key(struct crypto_aes_ctx *ctx, const u8 *in_key,
247		unsigned int key_len)
248{
249	const __le32 *key = (const __le32 *)in_key;
250	u32 i, t, u, v, w, j;
251
252	if (key_len != AES_KEYSIZE_128 && key_len != AES_KEYSIZE_192 &&
253			key_len != AES_KEYSIZE_256)
254		return -EINVAL;
255
256	ctx->key_length = key_len;
257
258	ctx->key_dec[key_len + 24] = ctx->key_enc[0] = le32_to_cpu(key[0]);
259	ctx->key_dec[key_len + 25] = ctx->key_enc[1] = le32_to_cpu(key[1]);
260	ctx->key_dec[key_len + 26] = ctx->key_enc[2] = le32_to_cpu(key[2]);
261	ctx->key_dec[key_len + 27] = ctx->key_enc[3] = le32_to_cpu(key[3]);
262
263	switch (key_len) {
264	case AES_KEYSIZE_128:
265		t = ctx->key_enc[3];
266		for (i = 0; i < 10; ++i)
267			loop4(i);
268		break;
269
270	case AES_KEYSIZE_192:
271		ctx->key_enc[4] = le32_to_cpu(key[4]);
272		t = ctx->key_enc[5] = le32_to_cpu(key[5]);
273		for (i = 0; i < 8; ++i)
274			loop6(i);
275		break;
276
277	case AES_KEYSIZE_256:
278		ctx->key_enc[4] = le32_to_cpu(key[4]);
279		ctx->key_enc[5] = le32_to_cpu(key[5]);
280		ctx->key_enc[6] = le32_to_cpu(key[6]);
281		t = ctx->key_enc[7] = le32_to_cpu(key[7]);
282		for (i = 0; i < 7; ++i)
283			loop8(i);
284		break;
285	}
286
287	ctx->key_dec[0] = ctx->key_enc[key_len + 24];
288	ctx->key_dec[1] = ctx->key_enc[key_len + 25];
289	ctx->key_dec[2] = ctx->key_enc[key_len + 26];
290	ctx->key_dec[3] = ctx->key_enc[key_len + 27];
291
292	for (i = 4; i < key_len + 24; ++i) {
293		j = key_len + 24 - (i & ~3) + (i & 3);
294		imix_col(ctx->key_dec[j], ctx->key_enc[i]);
295	}
296	return 0;
297}
298EXPORT_SYMBOL_GPL(crypto_aes_expand_key);
299
300/**
301 * crypto_aes_set_key - Set the AES key.
302 * @tfm:	The %crypto_tfm that is used in the context.
303 * @in_key:	The input key.
304 * @key_len:	The size of the key.
305 *
306 * Returns 0 on success, on failure the %CRYPTO_TFM_RES_BAD_KEY_LEN flag in tfm
307 * is set. The function uses crypto_aes_expand_key() to expand the key.
308 * &crypto_aes_ctx _must_ be the private data embedded in @tfm which is
309 * retrieved with crypto_tfm_ctx().
310 */
311int crypto_aes_set_key(struct crypto_tfm *tfm, const u8 *in_key,
312		unsigned int key_len)
313{
314	struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm);
315	u32 *flags = &tfm->crt_flags;
316	int ret;
317
318	ret = crypto_aes_expand_key(ctx, in_key, key_len);
319	if (!ret)
320		return 0;
321
322	*flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
323	return -EINVAL;
324}
325EXPORT_SYMBOL_GPL(crypto_aes_set_key);
326
327/* encrypt a block of text */
328
329#define f_rn(bo, bi, n, k)	do {				\
330	bo[n] = crypto_ft_tab[0][byte(bi[n], 0)] ^			\
331		crypto_ft_tab[1][byte(bi[(n + 1) & 3], 1)] ^		\
332		crypto_ft_tab[2][byte(bi[(n + 2) & 3], 2)] ^		\
333		crypto_ft_tab[3][byte(bi[(n + 3) & 3], 3)] ^ *(k + n);	\
334} while (0)
335
336#define f_nround(bo, bi, k)	do {\
337	f_rn(bo, bi, 0, k);	\
338	f_rn(bo, bi, 1, k);	\
339	f_rn(bo, bi, 2, k);	\
340	f_rn(bo, bi, 3, k);	\
341	k += 4;			\
342} while (0)
343
344#define f_rl(bo, bi, n, k)	do {				\
345	bo[n] = crypto_fl_tab[0][byte(bi[n], 0)] ^			\
346		crypto_fl_tab[1][byte(bi[(n + 1) & 3], 1)] ^		\
347		crypto_fl_tab[2][byte(bi[(n + 2) & 3], 2)] ^		\
348		crypto_fl_tab[3][byte(bi[(n + 3) & 3], 3)] ^ *(k + n);	\
349} while (0)
350
351#define f_lround(bo, bi, k)	do {\
352	f_rl(bo, bi, 0, k);	\
353	f_rl(bo, bi, 1, k);	\
354	f_rl(bo, bi, 2, k);	\
355	f_rl(bo, bi, 3, k);	\
356} while (0)
357
358static void aes_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
359{
360	const struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm);
361	const __le32 *src = (const __le32 *)in;
362	__le32 *dst = (__le32 *)out;
363	u32 b0[4], b1[4];
364	const u32 *kp = ctx->key_enc + 4;
365	const int key_len = ctx->key_length;
366
367	b0[0] = le32_to_cpu(src[0]) ^ ctx->key_enc[0];
368	b0[1] = le32_to_cpu(src[1]) ^ ctx->key_enc[1];
369	b0[2] = le32_to_cpu(src[2]) ^ ctx->key_enc[2];
370	b0[3] = le32_to_cpu(src[3]) ^ ctx->key_enc[3];
371
372	if (key_len > 24) {
373		f_nround(b1, b0, kp);
374		f_nround(b0, b1, kp);
375	}
376
377	if (key_len > 16) {
378		f_nround(b1, b0, kp);
379		f_nround(b0, b1, kp);
380	}
381
382	f_nround(b1, b0, kp);
383	f_nround(b0, b1, kp);
384	f_nround(b1, b0, kp);
385	f_nround(b0, b1, kp);
386	f_nround(b1, b0, kp);
387	f_nround(b0, b1, kp);
388	f_nround(b1, b0, kp);
389	f_nround(b0, b1, kp);
390	f_nround(b1, b0, kp);
391	f_lround(b0, b1, kp);
392
393	dst[0] = cpu_to_le32(b0[0]);
394	dst[1] = cpu_to_le32(b0[1]);
395	dst[2] = cpu_to_le32(b0[2]);
396	dst[3] = cpu_to_le32(b0[3]);
397}
398
399/* decrypt a block of text */
400
401#define i_rn(bo, bi, n, k)	do {				\
402	bo[n] = crypto_it_tab[0][byte(bi[n], 0)] ^			\
403		crypto_it_tab[1][byte(bi[(n + 3) & 3], 1)] ^		\
404		crypto_it_tab[2][byte(bi[(n + 2) & 3], 2)] ^		\
405		crypto_it_tab[3][byte(bi[(n + 1) & 3], 3)] ^ *(k + n);	\
406} while (0)
407
408#define i_nround(bo, bi, k)	do {\
409	i_rn(bo, bi, 0, k);	\
410	i_rn(bo, bi, 1, k);	\
411	i_rn(bo, bi, 2, k);	\
412	i_rn(bo, bi, 3, k);	\
413	k += 4;			\
414} while (0)
415
416#define i_rl(bo, bi, n, k)	do {			\
417	bo[n] = crypto_il_tab[0][byte(bi[n], 0)] ^		\
418	crypto_il_tab[1][byte(bi[(n + 3) & 3], 1)] ^		\
419	crypto_il_tab[2][byte(bi[(n + 2) & 3], 2)] ^		\
420	crypto_il_tab[3][byte(bi[(n + 1) & 3], 3)] ^ *(k + n);	\
421} while (0)
422
423#define i_lround(bo, bi, k)	do {\
424	i_rl(bo, bi, 0, k);	\
425	i_rl(bo, bi, 1, k);	\
426	i_rl(bo, bi, 2, k);	\
427	i_rl(bo, bi, 3, k);	\
428} while (0)
429
430static void aes_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
431{
432	const struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm);
433	const __le32 *src = (const __le32 *)in;
434	__le32 *dst = (__le32 *)out;
435	u32 b0[4], b1[4];
436	const int key_len = ctx->key_length;
437	const u32 *kp = ctx->key_dec + 4;
438
439	b0[0] = le32_to_cpu(src[0]) ^  ctx->key_dec[0];
440	b0[1] = le32_to_cpu(src[1]) ^  ctx->key_dec[1];
441	b0[2] = le32_to_cpu(src[2]) ^  ctx->key_dec[2];
442	b0[3] = le32_to_cpu(src[3]) ^  ctx->key_dec[3];
443
444	if (key_len > 24) {
445		i_nround(b1, b0, kp);
446		i_nround(b0, b1, kp);
447	}
448
449	if (key_len > 16) {
450		i_nround(b1, b0, kp);
451		i_nround(b0, b1, kp);
452	}
453
454	i_nround(b1, b0, kp);
455	i_nround(b0, b1, kp);
456	i_nround(b1, b0, kp);
457	i_nround(b0, b1, kp);
458	i_nround(b1, b0, kp);
459	i_nround(b0, b1, kp);
460	i_nround(b1, b0, kp);
461	i_nround(b0, b1, kp);
462	i_nround(b1, b0, kp);
463	i_lround(b0, b1, kp);
464
465	dst[0] = cpu_to_le32(b0[0]);
466	dst[1] = cpu_to_le32(b0[1]);
467	dst[2] = cpu_to_le32(b0[2]);
468	dst[3] = cpu_to_le32(b0[3]);
469}
470
471static struct crypto_alg aes_alg = {
472	.cra_name		=	"aes",
473	.cra_driver_name	=	"aes-generic",
474	.cra_priority		=	100,
475	.cra_flags		=	CRYPTO_ALG_TYPE_CIPHER,
476	.cra_blocksize		=	AES_BLOCK_SIZE,
477	.cra_ctxsize		=	sizeof(struct crypto_aes_ctx),
478	.cra_alignmask		=	3,
479	.cra_module		=	THIS_MODULE,
480	.cra_list		=	LIST_HEAD_INIT(aes_alg.cra_list),
481	.cra_u			=	{
482		.cipher = {
483			.cia_min_keysize	=	AES_MIN_KEY_SIZE,
484			.cia_max_keysize	=	AES_MAX_KEY_SIZE,
485			.cia_setkey		=	crypto_aes_set_key,
486			.cia_encrypt		=	aes_encrypt,
487			.cia_decrypt		=	aes_decrypt
488		}
489	}
490};
491
492static int __init aes_init(void)
493{
494	gen_tabs();
495	return crypto_register_alg(&aes_alg);
496}
497
498static void __exit aes_fini(void)
499{
500	crypto_unregister_alg(&aes_alg);
501}
502
503module_init(aes_init);
504module_exit(aes_fini);
505
506MODULE_DESCRIPTION("Rijndael (AES) Cipher Algorithm");
507MODULE_LICENSE("Dual BSD/GPL");
508MODULE_ALIAS("aes");
509