1/*
2 * Cryptographic API.
3 *
4 * AES Cipher Algorithm.
5 *
6 * Based on Brian Gladman's code.
7 *
8 * Linux developers:
9 *  Alexander Kjeldaas <astor@fast.no>
10 *  Herbert Valerio Riedel <hvr@hvrlab.org>
11 *  Kyle McMartin <kyle@debian.org>
12 *  Adam J. Richter <adam@yggdrasil.com> (conversion to 2.5 API).
13 *
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 2 of the License, or
17 * (at your option) any later version.
18 *
19 * ---------------------------------------------------------------------------
20 * Copyright (c) 2002, Dr Brian Gladman <brg@gladman.me.uk>, Worcester, UK.
21 * All rights reserved.
22 *
23 * LICENSE TERMS
24 *
25 * The free distribution and use of this software in both source and binary
26 * form is allowed (with or without changes) provided that:
27 *
28 *   1. distributions of this source code include the above copyright
29 *      notice, this list of conditions and the following disclaimer;
30 *
31 *   2. distributions in binary form include the above copyright
32 *      notice, this list of conditions and the following disclaimer
33 *      in the documentation and/or other associated materials;
34 *
35 *   3. the copyright holder's name is not used to endorse products
36 *      built using this software without specific written permission.
37 *
38 * ALTERNATIVELY, provided that this notice is retained in full, this product
39 * may be distributed under the terms of the GNU General Public License (GPL),
40 * in which case the provisions of the GPL apply INSTEAD OF those given above.
41 *
42 * DISCLAIMER
43 *
44 * This software is provided 'as is' with no explicit or implied warranties
45 * in respect of its properties, including, but not limited to, correctness
46 * and/or fitness for purpose.
47 * ---------------------------------------------------------------------------
48 */
49
50/* Some changes from the Gladman version:
51    s/RIJNDAEL(e_key)/E_KEY/g
52    s/RIJNDAEL(d_key)/D_KEY/g
53*/
54
55#include <linux/module.h>
56#include <linux/init.h>
57#include <linux/types.h>
58#include <linux/errno.h>
59//#include <linux/crypto.h>
60#include "rtl_crypto.h"
61#include <asm/byteorder.h>
62
63#define AES_MIN_KEY_SIZE	16
64#define AES_MAX_KEY_SIZE	32
65
66#define AES_BLOCK_SIZE		16
67
68static inline
69u32 generic_rotr32 (const u32 x, const unsigned bits)
70{
71	const unsigned n = bits % 32;
72	return (x >> n) | (x << (32 - n));
73}
74
75static inline
76u32 generic_rotl32 (const u32 x, const unsigned bits)
77{
78	const unsigned n = bits % 32;
79	return (x << n) | (x >> (32 - n));
80}
81
82#define rotl generic_rotl32
83#define rotr generic_rotr32
84
85/*
86 * #define byte(x, nr) ((unsigned char)((x) >> (nr*8)))
87 */
88inline static u8
89byte(const u32 x, const unsigned n)
90{
91	return x >> (n << 3);
92}
93
94#define u32_in(x) le32_to_cpu(*(const u32 *)(x))
95#define u32_out(to, from) (*(u32 *)(to) = cpu_to_le32(from))
96
97struct aes_ctx {
98	int key_length;
99	u32 E[60];
100	u32 D[60];
101};
102
103#define E_KEY ctx->E
104#define D_KEY ctx->D
105
106static u8 pow_tab[256] __initdata;
107static u8 log_tab[256] __initdata;
108static u8 sbx_tab[256] __initdata;
109static u8 isb_tab[256] __initdata;
110static u32 rco_tab[10];
111static u32 ft_tab[4][256];
112static u32 it_tab[4][256];
113
114static u32 fl_tab[4][256];
115static u32 il_tab[4][256];
116
117static inline u8 __init
118f_mult (u8 a, u8 b)
119{
120	u8 aa = log_tab[a], cc = aa + log_tab[b];
121
122	return pow_tab[cc + (cc < aa ? 1 : 0)];
123}
124
125#define ff_mult(a,b)    (a && b ? f_mult(a, b) : 0)
126
127#define f_rn(bo, bi, n, k)					\
128    bo[n] =  ft_tab[0][byte(bi[n],0)] ^				\
129	     ft_tab[1][byte(bi[(n + 1) & 3],1)] ^		\
130	     ft_tab[2][byte(bi[(n + 2) & 3],2)] ^		\
131	     ft_tab[3][byte(bi[(n + 3) & 3],3)] ^ *(k + n)
132
133#define i_rn(bo, bi, n, k)					\
134    bo[n] =  it_tab[0][byte(bi[n],0)] ^				\
135	     it_tab[1][byte(bi[(n + 3) & 3],1)] ^		\
136	     it_tab[2][byte(bi[(n + 2) & 3],2)] ^		\
137	     it_tab[3][byte(bi[(n + 1) & 3],3)] ^ *(k + n)
138
139#define ls_box(x)				\
140    ( fl_tab[0][byte(x, 0)] ^			\
141      fl_tab[1][byte(x, 1)] ^			\
142      fl_tab[2][byte(x, 2)] ^			\
143      fl_tab[3][byte(x, 3)] )
144
145#define f_rl(bo, bi, n, k)					\
146    bo[n] =  fl_tab[0][byte(bi[n],0)] ^				\
147	     fl_tab[1][byte(bi[(n + 1) & 3],1)] ^		\
148	     fl_tab[2][byte(bi[(n + 2) & 3],2)] ^		\
149	     fl_tab[3][byte(bi[(n + 3) & 3],3)] ^ *(k + n)
150
151#define i_rl(bo, bi, n, k)					\
152    bo[n] =  il_tab[0][byte(bi[n],0)] ^				\
153	     il_tab[1][byte(bi[(n + 3) & 3],1)] ^		\
154	     il_tab[2][byte(bi[(n + 2) & 3],2)] ^		\
155	     il_tab[3][byte(bi[(n + 1) & 3],3)] ^ *(k + n)
156
157static void __init
158gen_tabs (void)
159{
160	u32 i, t;
161	u8 p, q;
162
163	/* log and power tables for GF(2**8) finite field with
164	   0x011b as modular polynomial - the simplest primitive
165	   root is 0x03, used here to generate the tables */
166
167	for (i = 0, p = 1; i < 256; ++i) {
168		pow_tab[i] = (u8) p;
169		log_tab[p] = (u8) i;
170
171		p ^= (p << 1) ^ (p & 0x80 ? 0x01b : 0);
172	}
173
174	log_tab[1] = 0;
175
176	for (i = 0, p = 1; i < 10; ++i) {
177		rco_tab[i] = p;
178
179		p = (p << 1) ^ (p & 0x80 ? 0x01b : 0);
180	}
181
182	for (i = 0; i < 256; ++i) {
183		p = (i ? pow_tab[255 - log_tab[i]] : 0);
184		q = ((p >> 7) | (p << 1)) ^ ((p >> 6) | (p << 2));
185		p ^= 0x63 ^ q ^ ((q >> 6) | (q << 2));
186		sbx_tab[i] = p;
187		isb_tab[p] = (u8) i;
188	}
189
190	for (i = 0; i < 256; ++i) {
191		p = sbx_tab[i];
192
193		t = p;
194		fl_tab[0][i] = t;
195		fl_tab[1][i] = rotl (t, 8);
196		fl_tab[2][i] = rotl (t, 16);
197		fl_tab[3][i] = rotl (t, 24);
198
199		t = ((u32) ff_mult (2, p)) |
200		    ((u32) p << 8) |
201		    ((u32) p << 16) | ((u32) ff_mult (3, p) << 24);
202
203		ft_tab[0][i] = t;
204		ft_tab[1][i] = rotl (t, 8);
205		ft_tab[2][i] = rotl (t, 16);
206		ft_tab[3][i] = rotl (t, 24);
207
208		p = isb_tab[i];
209
210		t = p;
211		il_tab[0][i] = t;
212		il_tab[1][i] = rotl (t, 8);
213		il_tab[2][i] = rotl (t, 16);
214		il_tab[3][i] = rotl (t, 24);
215
216		t = ((u32) ff_mult (14, p)) |
217		    ((u32) ff_mult (9, p) << 8) |
218		    ((u32) ff_mult (13, p) << 16) |
219		    ((u32) ff_mult (11, p) << 24);
220
221		it_tab[0][i] = t;
222		it_tab[1][i] = rotl (t, 8);
223		it_tab[2][i] = rotl (t, 16);
224		it_tab[3][i] = rotl (t, 24);
225	}
226}
227
228#define star_x(x) (((x) & 0x7f7f7f7f) << 1) ^ ((((x) & 0x80808080) >> 7) * 0x1b)
229
230#define imix_col(y,x)       \
231    u   = star_x(x);        \
232    v   = star_x(u);        \
233    w   = star_x(v);        \
234    t   = w ^ (x);          \
235   (y)  = u ^ v ^ w;        \
236   (y) ^= rotr(u ^ t,  8) ^ \
237	  rotr(v ^ t, 16) ^ \
238	  rotr(t,24)
239
240/* initialise the key schedule from the user supplied key */
241
242#define loop4(i)                                    \
243{   t = rotr(t,  8); t = ls_box(t) ^ rco_tab[i];    \
244    t ^= E_KEY[4 * i];     E_KEY[4 * i + 4] = t;    \
245    t ^= E_KEY[4 * i + 1]; E_KEY[4 * i + 5] = t;    \
246    t ^= E_KEY[4 * i + 2]; E_KEY[4 * i + 6] = t;    \
247    t ^= E_KEY[4 * i + 3]; E_KEY[4 * i + 7] = t;    \
248}
249
250#define loop6(i)                                    \
251{   t = rotr(t,  8); t = ls_box(t) ^ rco_tab[i];    \
252    t ^= E_KEY[6 * i];     E_KEY[6 * i + 6] = t;    \
253    t ^= E_KEY[6 * i + 1]; E_KEY[6 * i + 7] = t;    \
254    t ^= E_KEY[6 * i + 2]; E_KEY[6 * i + 8] = t;    \
255    t ^= E_KEY[6 * i + 3]; E_KEY[6 * i + 9] = t;    \
256    t ^= E_KEY[6 * i + 4]; E_KEY[6 * i + 10] = t;   \
257    t ^= E_KEY[6 * i + 5]; E_KEY[6 * i + 11] = t;   \
258}
259
260#define loop8(i)                                    \
261{   t = rotr(t,  8); ; t = ls_box(t) ^ rco_tab[i];  \
262    t ^= E_KEY[8 * i];     E_KEY[8 * i + 8] = t;    \
263    t ^= E_KEY[8 * i + 1]; E_KEY[8 * i + 9] = t;    \
264    t ^= E_KEY[8 * i + 2]; E_KEY[8 * i + 10] = t;   \
265    t ^= E_KEY[8 * i + 3]; E_KEY[8 * i + 11] = t;   \
266    t  = E_KEY[8 * i + 4] ^ ls_box(t);    \
267    E_KEY[8 * i + 12] = t;                \
268    t ^= E_KEY[8 * i + 5]; E_KEY[8 * i + 13] = t;   \
269    t ^= E_KEY[8 * i + 6]; E_KEY[8 * i + 14] = t;   \
270    t ^= E_KEY[8 * i + 7]; E_KEY[8 * i + 15] = t;   \
271}
272
273static int
274aes_set_key(void *ctx_arg, const u8 *in_key, unsigned int key_len, u32 *flags)
275{
276	struct aes_ctx *ctx = ctx_arg;
277	u32 i, t, u, v, w;
278
279	if (key_len != 16 && key_len != 24 && key_len != 32) {
280		*flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
281		return -EINVAL;
282	}
283
284	ctx->key_length = key_len;
285
286	E_KEY[0] = u32_in (in_key);
287	E_KEY[1] = u32_in (in_key + 4);
288	E_KEY[2] = u32_in (in_key + 8);
289	E_KEY[3] = u32_in (in_key + 12);
290
291	switch (key_len) {
292	case 16:
293		t = E_KEY[3];
294		for (i = 0; i < 10; ++i)
295			loop4 (i);
296		break;
297
298	case 24:
299		E_KEY[4] = u32_in (in_key + 16);
300		t = E_KEY[5] = u32_in (in_key + 20);
301		for (i = 0; i < 8; ++i)
302			loop6 (i);
303		break;
304
305	case 32:
306		E_KEY[4] = u32_in (in_key + 16);
307		E_KEY[5] = u32_in (in_key + 20);
308		E_KEY[6] = u32_in (in_key + 24);
309		t = E_KEY[7] = u32_in (in_key + 28);
310		for (i = 0; i < 7; ++i)
311			loop8 (i);
312		break;
313	}
314
315	D_KEY[0] = E_KEY[0];
316	D_KEY[1] = E_KEY[1];
317	D_KEY[2] = E_KEY[2];
318	D_KEY[3] = E_KEY[3];
319
320	for (i = 4; i < key_len + 24; ++i) {
321		imix_col (D_KEY[i], E_KEY[i]);
322	}
323
324	return 0;
325}
326
327/* encrypt a block of text */
328
329#define f_nround(bo, bi, k) \
330    f_rn(bo, bi, 0, k);     \
331    f_rn(bo, bi, 1, k);     \
332    f_rn(bo, bi, 2, k);     \
333    f_rn(bo, bi, 3, k);     \
334    k += 4
335
336#define f_lround(bo, bi, k) \
337    f_rl(bo, bi, 0, k);     \
338    f_rl(bo, bi, 1, k);     \
339    f_rl(bo, bi, 2, k);     \
340    f_rl(bo, bi, 3, k)
341
342static void aes_encrypt(void *ctx_arg, u8 *out, const u8 *in)
343{
344	const struct aes_ctx *ctx = ctx_arg;
345	u32 b0[4], b1[4];
346	const u32 *kp = E_KEY + 4;
347
348	b0[0] = u32_in (in) ^ E_KEY[0];
349	b0[1] = u32_in (in + 4) ^ E_KEY[1];
350	b0[2] = u32_in (in + 8) ^ E_KEY[2];
351	b0[3] = u32_in (in + 12) ^ E_KEY[3];
352
353	if (ctx->key_length > 24) {
354		f_nround (b1, b0, kp);
355		f_nround (b0, b1, kp);
356	}
357
358	if (ctx->key_length > 16) {
359		f_nround (b1, b0, kp);
360		f_nround (b0, b1, kp);
361	}
362
363	f_nround (b1, b0, kp);
364	f_nround (b0, b1, kp);
365	f_nround (b1, b0, kp);
366	f_nround (b0, b1, kp);
367	f_nround (b1, b0, kp);
368	f_nround (b0, b1, kp);
369	f_nround (b1, b0, kp);
370	f_nround (b0, b1, kp);
371	f_nround (b1, b0, kp);
372	f_lround (b0, b1, kp);
373
374	u32_out (out, b0[0]);
375	u32_out (out + 4, b0[1]);
376	u32_out (out + 8, b0[2]);
377	u32_out (out + 12, b0[3]);
378}
379
380/* decrypt a block of text */
381
382#define i_nround(bo, bi, k) \
383    i_rn(bo, bi, 0, k);     \
384    i_rn(bo, bi, 1, k);     \
385    i_rn(bo, bi, 2, k);     \
386    i_rn(bo, bi, 3, k);     \
387    k -= 4
388
389#define i_lround(bo, bi, k) \
390    i_rl(bo, bi, 0, k);     \
391    i_rl(bo, bi, 1, k);     \
392    i_rl(bo, bi, 2, k);     \
393    i_rl(bo, bi, 3, k)
394
395static void aes_decrypt(void *ctx_arg, u8 *out, const u8 *in)
396{
397	const struct aes_ctx *ctx = ctx_arg;
398	u32 b0[4], b1[4];
399	const int key_len = ctx->key_length;
400	const u32 *kp = D_KEY + key_len + 20;
401
402	b0[0] = u32_in (in) ^ E_KEY[key_len + 24];
403	b0[1] = u32_in (in + 4) ^ E_KEY[key_len + 25];
404	b0[2] = u32_in (in + 8) ^ E_KEY[key_len + 26];
405	b0[3] = u32_in (in + 12) ^ E_KEY[key_len + 27];
406
407	if (key_len > 24) {
408		i_nround (b1, b0, kp);
409		i_nround (b0, b1, kp);
410	}
411
412	if (key_len > 16) {
413		i_nround (b1, b0, kp);
414		i_nround (b0, b1, kp);
415	}
416
417	i_nround (b1, b0, kp);
418	i_nround (b0, b1, kp);
419	i_nround (b1, b0, kp);
420	i_nround (b0, b1, kp);
421	i_nround (b1, b0, kp);
422	i_nround (b0, b1, kp);
423	i_nround (b1, b0, kp);
424	i_nround (b0, b1, kp);
425	i_nround (b1, b0, kp);
426	i_lround (b0, b1, kp);
427
428	u32_out (out, b0[0]);
429	u32_out (out + 4, b0[1]);
430	u32_out (out + 8, b0[2]);
431	u32_out (out + 12, b0[3]);
432}
433
434
435static struct crypto_alg aes_alg = {
436	.cra_name		=	"aes",
437	.cra_flags		=	CRYPTO_ALG_TYPE_CIPHER,
438	.cra_blocksize		=	AES_BLOCK_SIZE,
439	.cra_ctxsize		=	sizeof(struct aes_ctx),
440	.cra_module		=	THIS_MODULE,
441	.cra_list		=	LIST_HEAD_INIT(aes_alg.cra_list),
442	.cra_u			=	{
443		.cipher = {
444			.cia_min_keysize	=	AES_MIN_KEY_SIZE,
445			.cia_max_keysize	=	AES_MAX_KEY_SIZE,
446			.cia_setkey		= 	aes_set_key,
447			.cia_encrypt		=	aes_encrypt,
448			.cia_decrypt		=	aes_decrypt
449		}
450	}
451};
452
453static int __init aes_init(void)
454{
455	gen_tabs();
456	return crypto_register_alg(&aes_alg);
457}
458
459static void __exit aes_fini(void)
460{
461	crypto_unregister_alg(&aes_alg);
462}
463
464module_init(aes_init);
465module_exit(aes_fini);
466
467MODULE_DESCRIPTION("Rijndael (AES) Cipher Algorithm");
468MODULE_LICENSE("Dual BSD/GPL");
469
470