aes-glue.c 28 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * linux/arch/arm64/crypto/aes-glue.c - wrapper code for ARMv8 AES
  4. *
  5. * Copyright (C) 2013 - 2017 Linaro Ltd <ard.biesheuvel@linaro.org>
  6. */
  7. #include <crypto/aes.h>
  8. #include <crypto/ctr.h>
  9. #include <crypto/internal/hash.h>
  10. #include <crypto/internal/skcipher.h>
  11. #include <crypto/scatterwalk.h>
  12. #include <crypto/sha2.h>
  13. #include <crypto/utils.h>
  14. #include <crypto/xts.h>
  15. #include <linux/cpufeature.h>
  16. #include <linux/kernel.h>
  17. #include <linux/module.h>
  18. #include <linux/string.h>
  19. #include <asm/hwcap.h>
  20. #include <asm/simd.h>
  21. #ifdef USE_V8_CRYPTO_EXTENSIONS
  22. #define MODE "ce"
  23. #define PRIO 300
  24. #define aes_expandkey ce_aes_expandkey
  25. #define aes_ecb_encrypt ce_aes_ecb_encrypt
  26. #define aes_ecb_decrypt ce_aes_ecb_decrypt
  27. #define aes_cbc_encrypt ce_aes_cbc_encrypt
  28. #define aes_cbc_decrypt ce_aes_cbc_decrypt
  29. #define aes_cbc_cts_encrypt ce_aes_cbc_cts_encrypt
  30. #define aes_cbc_cts_decrypt ce_aes_cbc_cts_decrypt
  31. #define aes_essiv_cbc_encrypt ce_aes_essiv_cbc_encrypt
  32. #define aes_essiv_cbc_decrypt ce_aes_essiv_cbc_decrypt
  33. #define aes_ctr_encrypt ce_aes_ctr_encrypt
  34. #define aes_xctr_encrypt ce_aes_xctr_encrypt
  35. #define aes_xts_encrypt ce_aes_xts_encrypt
  36. #define aes_xts_decrypt ce_aes_xts_decrypt
  37. #define aes_mac_update ce_aes_mac_update
  38. MODULE_DESCRIPTION("AES-ECB/CBC/CTR/XTS/XCTR using ARMv8 Crypto Extensions");
  39. #else
  40. #define MODE "neon"
  41. #define PRIO 200
  42. #define aes_ecb_encrypt neon_aes_ecb_encrypt
  43. #define aes_ecb_decrypt neon_aes_ecb_decrypt
  44. #define aes_cbc_encrypt neon_aes_cbc_encrypt
  45. #define aes_cbc_decrypt neon_aes_cbc_decrypt
  46. #define aes_cbc_cts_encrypt neon_aes_cbc_cts_encrypt
  47. #define aes_cbc_cts_decrypt neon_aes_cbc_cts_decrypt
  48. #define aes_essiv_cbc_encrypt neon_aes_essiv_cbc_encrypt
  49. #define aes_essiv_cbc_decrypt neon_aes_essiv_cbc_decrypt
  50. #define aes_ctr_encrypt neon_aes_ctr_encrypt
  51. #define aes_xctr_encrypt neon_aes_xctr_encrypt
  52. #define aes_xts_encrypt neon_aes_xts_encrypt
  53. #define aes_xts_decrypt neon_aes_xts_decrypt
  54. #define aes_mac_update neon_aes_mac_update
  55. MODULE_DESCRIPTION("AES-ECB/CBC/CTR/XTS/XCTR using ARMv8 NEON");
  56. #endif
  57. #if defined(USE_V8_CRYPTO_EXTENSIONS) || !IS_ENABLED(CONFIG_CRYPTO_AES_ARM64_BS)
  58. MODULE_ALIAS_CRYPTO("ecb(aes)");
  59. MODULE_ALIAS_CRYPTO("cbc(aes)");
  60. MODULE_ALIAS_CRYPTO("ctr(aes)");
  61. MODULE_ALIAS_CRYPTO("xts(aes)");
  62. MODULE_ALIAS_CRYPTO("xctr(aes)");
  63. #endif
  64. MODULE_ALIAS_CRYPTO("cts(cbc(aes))");
  65. MODULE_ALIAS_CRYPTO("essiv(cbc(aes),sha256)");
  66. MODULE_ALIAS_CRYPTO("cmac(aes)");
  67. MODULE_ALIAS_CRYPTO("xcbc(aes)");
  68. MODULE_ALIAS_CRYPTO("cbcmac(aes)");
  69. MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>");
  70. MODULE_LICENSE("GPL v2");
  71. /* defined in aes-modes.S */
  72. asmlinkage void aes_ecb_encrypt(u8 out[], u8 const in[], u32 const rk[],
  73. int rounds, int blocks);
  74. asmlinkage void aes_ecb_decrypt(u8 out[], u8 const in[], u32 const rk[],
  75. int rounds, int blocks);
  76. asmlinkage void aes_cbc_encrypt(u8 out[], u8 const in[], u32 const rk[],
  77. int rounds, int blocks, u8 iv[]);
  78. asmlinkage void aes_cbc_decrypt(u8 out[], u8 const in[], u32 const rk[],
  79. int rounds, int blocks, u8 iv[]);
  80. asmlinkage void aes_cbc_cts_encrypt(u8 out[], u8 const in[], u32 const rk[],
  81. int rounds, int bytes, u8 const iv[]);
  82. asmlinkage void aes_cbc_cts_decrypt(u8 out[], u8 const in[], u32 const rk[],
  83. int rounds, int bytes, u8 const iv[]);
  84. asmlinkage void aes_ctr_encrypt(u8 out[], u8 const in[], u32 const rk[],
  85. int rounds, int bytes, u8 ctr[]);
  86. asmlinkage void aes_xctr_encrypt(u8 out[], u8 const in[], u32 const rk[],
  87. int rounds, int bytes, u8 ctr[], int byte_ctr);
  88. asmlinkage void aes_xts_encrypt(u8 out[], u8 const in[], u32 const rk1[],
  89. int rounds, int bytes, u32 const rk2[], u8 iv[],
  90. int first);
  91. asmlinkage void aes_xts_decrypt(u8 out[], u8 const in[], u32 const rk1[],
  92. int rounds, int bytes, u32 const rk2[], u8 iv[],
  93. int first);
  94. asmlinkage void aes_essiv_cbc_encrypt(u8 out[], u8 const in[], u32 const rk1[],
  95. int rounds, int blocks, u8 iv[],
  96. u32 const rk2[]);
  97. asmlinkage void aes_essiv_cbc_decrypt(u8 out[], u8 const in[], u32 const rk1[],
  98. int rounds, int blocks, u8 iv[],
  99. u32 const rk2[]);
  100. asmlinkage int aes_mac_update(u8 const in[], u32 const rk[], int rounds,
  101. int blocks, u8 dg[], int enc_before,
  102. int enc_after);
  103. struct crypto_aes_xts_ctx {
  104. struct crypto_aes_ctx key1;
  105. struct crypto_aes_ctx __aligned(8) key2;
  106. };
  107. struct crypto_aes_essiv_cbc_ctx {
  108. struct crypto_aes_ctx key1;
  109. struct crypto_aes_ctx __aligned(8) key2;
  110. };
  111. struct mac_tfm_ctx {
  112. struct crypto_aes_ctx key;
  113. u8 __aligned(8) consts[];
  114. };
  115. struct mac_desc_ctx {
  116. u8 dg[AES_BLOCK_SIZE];
  117. };
  118. static int skcipher_aes_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
  119. unsigned int key_len)
  120. {
  121. struct crypto_aes_ctx *ctx = crypto_skcipher_ctx(tfm);
  122. return aes_expandkey(ctx, in_key, key_len);
  123. }
  124. static int __maybe_unused xts_set_key(struct crypto_skcipher *tfm,
  125. const u8 *in_key, unsigned int key_len)
  126. {
  127. struct crypto_aes_xts_ctx *ctx = crypto_skcipher_ctx(tfm);
  128. int ret;
  129. ret = xts_verify_key(tfm, in_key, key_len);
  130. if (ret)
  131. return ret;
  132. ret = aes_expandkey(&ctx->key1, in_key, key_len / 2);
  133. if (!ret)
  134. ret = aes_expandkey(&ctx->key2, &in_key[key_len / 2],
  135. key_len / 2);
  136. return ret;
  137. }
  138. static int __maybe_unused essiv_cbc_set_key(struct crypto_skcipher *tfm,
  139. const u8 *in_key,
  140. unsigned int key_len)
  141. {
  142. struct crypto_aes_essiv_cbc_ctx *ctx = crypto_skcipher_ctx(tfm);
  143. u8 digest[SHA256_DIGEST_SIZE];
  144. int ret;
  145. ret = aes_expandkey(&ctx->key1, in_key, key_len);
  146. if (ret)
  147. return ret;
  148. sha256(in_key, key_len, digest);
  149. return aes_expandkey(&ctx->key2, digest, sizeof(digest));
  150. }
  151. static int __maybe_unused ecb_encrypt(struct skcipher_request *req)
  152. {
  153. struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
  154. struct crypto_aes_ctx *ctx = crypto_skcipher_ctx(tfm);
  155. int err, rounds = 6 + ctx->key_length / 4;
  156. struct skcipher_walk walk;
  157. unsigned int blocks;
  158. err = skcipher_walk_virt(&walk, req, false);
  159. while ((blocks = (walk.nbytes / AES_BLOCK_SIZE))) {
  160. scoped_ksimd()
  161. aes_ecb_encrypt(walk.dst.virt.addr, walk.src.virt.addr,
  162. ctx->key_enc, rounds, blocks);
  163. err = skcipher_walk_done(&walk, walk.nbytes % AES_BLOCK_SIZE);
  164. }
  165. return err;
  166. }
  167. static int __maybe_unused ecb_decrypt(struct skcipher_request *req)
  168. {
  169. struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
  170. struct crypto_aes_ctx *ctx = crypto_skcipher_ctx(tfm);
  171. int err, rounds = 6 + ctx->key_length / 4;
  172. struct skcipher_walk walk;
  173. unsigned int blocks;
  174. err = skcipher_walk_virt(&walk, req, false);
  175. while ((blocks = (walk.nbytes / AES_BLOCK_SIZE))) {
  176. scoped_ksimd()
  177. aes_ecb_decrypt(walk.dst.virt.addr, walk.src.virt.addr,
  178. ctx->key_dec, rounds, blocks);
  179. err = skcipher_walk_done(&walk, walk.nbytes % AES_BLOCK_SIZE);
  180. }
  181. return err;
  182. }
  183. static int cbc_encrypt_walk(struct skcipher_request *req,
  184. struct skcipher_walk *walk)
  185. {
  186. struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
  187. struct crypto_aes_ctx *ctx = crypto_skcipher_ctx(tfm);
  188. int err = 0, rounds = 6 + ctx->key_length / 4;
  189. unsigned int blocks;
  190. while ((blocks = (walk->nbytes / AES_BLOCK_SIZE))) {
  191. scoped_ksimd()
  192. aes_cbc_encrypt(walk->dst.virt.addr, walk->src.virt.addr,
  193. ctx->key_enc, rounds, blocks, walk->iv);
  194. err = skcipher_walk_done(walk, walk->nbytes % AES_BLOCK_SIZE);
  195. }
  196. return err;
  197. }
  198. static int __maybe_unused cbc_encrypt(struct skcipher_request *req)
  199. {
  200. struct skcipher_walk walk;
  201. int err;
  202. err = skcipher_walk_virt(&walk, req, false);
  203. if (err)
  204. return err;
  205. return cbc_encrypt_walk(req, &walk);
  206. }
  207. static int cbc_decrypt_walk(struct skcipher_request *req,
  208. struct skcipher_walk *walk)
  209. {
  210. struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
  211. struct crypto_aes_ctx *ctx = crypto_skcipher_ctx(tfm);
  212. int err = 0, rounds = 6 + ctx->key_length / 4;
  213. unsigned int blocks;
  214. while ((blocks = (walk->nbytes / AES_BLOCK_SIZE))) {
  215. scoped_ksimd()
  216. aes_cbc_decrypt(walk->dst.virt.addr, walk->src.virt.addr,
  217. ctx->key_dec, rounds, blocks, walk->iv);
  218. err = skcipher_walk_done(walk, walk->nbytes % AES_BLOCK_SIZE);
  219. }
  220. return err;
  221. }
  222. static int __maybe_unused cbc_decrypt(struct skcipher_request *req)
  223. {
  224. struct skcipher_walk walk;
  225. int err;
  226. err = skcipher_walk_virt(&walk, req, false);
  227. if (err)
  228. return err;
  229. return cbc_decrypt_walk(req, &walk);
  230. }
  231. static int cts_cbc_encrypt(struct skcipher_request *req)
  232. {
  233. struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
  234. struct crypto_aes_ctx *ctx = crypto_skcipher_ctx(tfm);
  235. int err, rounds = 6 + ctx->key_length / 4;
  236. int cbc_blocks = DIV_ROUND_UP(req->cryptlen, AES_BLOCK_SIZE) - 2;
  237. struct scatterlist *src = req->src, *dst = req->dst;
  238. struct scatterlist sg_src[2], sg_dst[2];
  239. struct skcipher_request subreq;
  240. struct skcipher_walk walk;
  241. skcipher_request_set_tfm(&subreq, tfm);
  242. skcipher_request_set_callback(&subreq, skcipher_request_flags(req),
  243. NULL, NULL);
  244. if (req->cryptlen <= AES_BLOCK_SIZE) {
  245. if (req->cryptlen < AES_BLOCK_SIZE)
  246. return -EINVAL;
  247. cbc_blocks = 1;
  248. }
  249. if (cbc_blocks > 0) {
  250. skcipher_request_set_crypt(&subreq, req->src, req->dst,
  251. cbc_blocks * AES_BLOCK_SIZE,
  252. req->iv);
  253. err = skcipher_walk_virt(&walk, &subreq, false) ?:
  254. cbc_encrypt_walk(&subreq, &walk);
  255. if (err)
  256. return err;
  257. if (req->cryptlen == AES_BLOCK_SIZE)
  258. return 0;
  259. dst = src = scatterwalk_ffwd(sg_src, req->src, subreq.cryptlen);
  260. if (req->dst != req->src)
  261. dst = scatterwalk_ffwd(sg_dst, req->dst,
  262. subreq.cryptlen);
  263. }
  264. /* handle ciphertext stealing */
  265. skcipher_request_set_crypt(&subreq, src, dst,
  266. req->cryptlen - cbc_blocks * AES_BLOCK_SIZE,
  267. req->iv);
  268. err = skcipher_walk_virt(&walk, &subreq, false);
  269. if (err)
  270. return err;
  271. scoped_ksimd()
  272. aes_cbc_cts_encrypt(walk.dst.virt.addr, walk.src.virt.addr,
  273. ctx->key_enc, rounds, walk.nbytes, walk.iv);
  274. return skcipher_walk_done(&walk, 0);
  275. }
  276. static int cts_cbc_decrypt(struct skcipher_request *req)
  277. {
  278. struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
  279. struct crypto_aes_ctx *ctx = crypto_skcipher_ctx(tfm);
  280. int err, rounds = 6 + ctx->key_length / 4;
  281. int cbc_blocks = DIV_ROUND_UP(req->cryptlen, AES_BLOCK_SIZE) - 2;
  282. struct scatterlist *src = req->src, *dst = req->dst;
  283. struct scatterlist sg_src[2], sg_dst[2];
  284. struct skcipher_request subreq;
  285. struct skcipher_walk walk;
  286. skcipher_request_set_tfm(&subreq, tfm);
  287. skcipher_request_set_callback(&subreq, skcipher_request_flags(req),
  288. NULL, NULL);
  289. if (req->cryptlen <= AES_BLOCK_SIZE) {
  290. if (req->cryptlen < AES_BLOCK_SIZE)
  291. return -EINVAL;
  292. cbc_blocks = 1;
  293. }
  294. if (cbc_blocks > 0) {
  295. skcipher_request_set_crypt(&subreq, req->src, req->dst,
  296. cbc_blocks * AES_BLOCK_SIZE,
  297. req->iv);
  298. err = skcipher_walk_virt(&walk, &subreq, false) ?:
  299. cbc_decrypt_walk(&subreq, &walk);
  300. if (err)
  301. return err;
  302. if (req->cryptlen == AES_BLOCK_SIZE)
  303. return 0;
  304. dst = src = scatterwalk_ffwd(sg_src, req->src, subreq.cryptlen);
  305. if (req->dst != req->src)
  306. dst = scatterwalk_ffwd(sg_dst, req->dst,
  307. subreq.cryptlen);
  308. }
  309. /* handle ciphertext stealing */
  310. skcipher_request_set_crypt(&subreq, src, dst,
  311. req->cryptlen - cbc_blocks * AES_BLOCK_SIZE,
  312. req->iv);
  313. err = skcipher_walk_virt(&walk, &subreq, false);
  314. if (err)
  315. return err;
  316. scoped_ksimd()
  317. aes_cbc_cts_decrypt(walk.dst.virt.addr, walk.src.virt.addr,
  318. ctx->key_dec, rounds, walk.nbytes, walk.iv);
  319. return skcipher_walk_done(&walk, 0);
  320. }
  321. static int __maybe_unused essiv_cbc_encrypt(struct skcipher_request *req)
  322. {
  323. struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
  324. struct crypto_aes_essiv_cbc_ctx *ctx = crypto_skcipher_ctx(tfm);
  325. int err, rounds = 6 + ctx->key1.key_length / 4;
  326. struct skcipher_walk walk;
  327. unsigned int blocks;
  328. err = skcipher_walk_virt(&walk, req, false);
  329. blocks = walk.nbytes / AES_BLOCK_SIZE;
  330. if (blocks) {
  331. scoped_ksimd()
  332. aes_essiv_cbc_encrypt(walk.dst.virt.addr,
  333. walk.src.virt.addr,
  334. ctx->key1.key_enc, rounds, blocks,
  335. req->iv, ctx->key2.key_enc);
  336. err = skcipher_walk_done(&walk, walk.nbytes % AES_BLOCK_SIZE);
  337. }
  338. return err ?: cbc_encrypt_walk(req, &walk);
  339. }
  340. static int __maybe_unused essiv_cbc_decrypt(struct skcipher_request *req)
  341. {
  342. struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
  343. struct crypto_aes_essiv_cbc_ctx *ctx = crypto_skcipher_ctx(tfm);
  344. int err, rounds = 6 + ctx->key1.key_length / 4;
  345. struct skcipher_walk walk;
  346. unsigned int blocks;
  347. err = skcipher_walk_virt(&walk, req, false);
  348. blocks = walk.nbytes / AES_BLOCK_SIZE;
  349. if (blocks) {
  350. scoped_ksimd()
  351. aes_essiv_cbc_decrypt(walk.dst.virt.addr,
  352. walk.src.virt.addr,
  353. ctx->key1.key_dec, rounds, blocks,
  354. req->iv, ctx->key2.key_enc);
  355. err = skcipher_walk_done(&walk, walk.nbytes % AES_BLOCK_SIZE);
  356. }
  357. return err ?: cbc_decrypt_walk(req, &walk);
  358. }
  359. static int __maybe_unused xctr_encrypt(struct skcipher_request *req)
  360. {
  361. struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
  362. struct crypto_aes_ctx *ctx = crypto_skcipher_ctx(tfm);
  363. int err, rounds = 6 + ctx->key_length / 4;
  364. struct skcipher_walk walk;
  365. unsigned int byte_ctr = 0;
  366. err = skcipher_walk_virt(&walk, req, false);
  367. while (walk.nbytes > 0) {
  368. const u8 *src = walk.src.virt.addr;
  369. unsigned int nbytes = walk.nbytes;
  370. u8 *dst = walk.dst.virt.addr;
  371. u8 buf[AES_BLOCK_SIZE];
  372. /*
  373. * If given less than 16 bytes, we must copy the partial block
  374. * into a temporary buffer of 16 bytes to avoid out of bounds
  375. * reads and writes. Furthermore, this code is somewhat unusual
  376. * in that it expects the end of the data to be at the end of
  377. * the temporary buffer, rather than the start of the data at
  378. * the start of the temporary buffer.
  379. */
  380. if (unlikely(nbytes < AES_BLOCK_SIZE))
  381. src = dst = memcpy(buf + sizeof(buf) - nbytes,
  382. src, nbytes);
  383. else if (nbytes < walk.total)
  384. nbytes &= ~(AES_BLOCK_SIZE - 1);
  385. scoped_ksimd()
  386. aes_xctr_encrypt(dst, src, ctx->key_enc, rounds, nbytes,
  387. walk.iv, byte_ctr);
  388. if (unlikely(nbytes < AES_BLOCK_SIZE))
  389. memcpy(walk.dst.virt.addr,
  390. buf + sizeof(buf) - nbytes, nbytes);
  391. byte_ctr += nbytes;
  392. err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
  393. }
  394. return err;
  395. }
  396. static int __maybe_unused ctr_encrypt(struct skcipher_request *req)
  397. {
  398. struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
  399. struct crypto_aes_ctx *ctx = crypto_skcipher_ctx(tfm);
  400. int err, rounds = 6 + ctx->key_length / 4;
  401. struct skcipher_walk walk;
  402. err = skcipher_walk_virt(&walk, req, false);
  403. while (walk.nbytes > 0) {
  404. const u8 *src = walk.src.virt.addr;
  405. unsigned int nbytes = walk.nbytes;
  406. u8 *dst = walk.dst.virt.addr;
  407. u8 buf[AES_BLOCK_SIZE];
  408. /*
  409. * If given less than 16 bytes, we must copy the partial block
  410. * into a temporary buffer of 16 bytes to avoid out of bounds
  411. * reads and writes. Furthermore, this code is somewhat unusual
  412. * in that it expects the end of the data to be at the end of
  413. * the temporary buffer, rather than the start of the data at
  414. * the start of the temporary buffer.
  415. */
  416. if (unlikely(nbytes < AES_BLOCK_SIZE))
  417. src = dst = memcpy(buf + sizeof(buf) - nbytes,
  418. src, nbytes);
  419. else if (nbytes < walk.total)
  420. nbytes &= ~(AES_BLOCK_SIZE - 1);
  421. scoped_ksimd()
  422. aes_ctr_encrypt(dst, src, ctx->key_enc, rounds, nbytes,
  423. walk.iv);
  424. if (unlikely(nbytes < AES_BLOCK_SIZE))
  425. memcpy(walk.dst.virt.addr,
  426. buf + sizeof(buf) - nbytes, nbytes);
  427. err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
  428. }
  429. return err;
  430. }
  431. static int __maybe_unused xts_encrypt(struct skcipher_request *req)
  432. {
  433. struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
  434. struct crypto_aes_xts_ctx *ctx = crypto_skcipher_ctx(tfm);
  435. int err, first, rounds = 6 + ctx->key1.key_length / 4;
  436. int tail = req->cryptlen % AES_BLOCK_SIZE;
  437. struct scatterlist sg_src[2], sg_dst[2];
  438. struct skcipher_request subreq;
  439. struct scatterlist *src, *dst;
  440. struct skcipher_walk walk;
  441. if (req->cryptlen < AES_BLOCK_SIZE)
  442. return -EINVAL;
  443. err = skcipher_walk_virt(&walk, req, false);
  444. if (unlikely(tail > 0 && walk.nbytes < walk.total)) {
  445. int xts_blocks = DIV_ROUND_UP(req->cryptlen,
  446. AES_BLOCK_SIZE) - 2;
  447. skcipher_walk_abort(&walk);
  448. skcipher_request_set_tfm(&subreq, tfm);
  449. skcipher_request_set_callback(&subreq,
  450. skcipher_request_flags(req),
  451. NULL, NULL);
  452. skcipher_request_set_crypt(&subreq, req->src, req->dst,
  453. xts_blocks * AES_BLOCK_SIZE,
  454. req->iv);
  455. req = &subreq;
  456. err = skcipher_walk_virt(&walk, req, false);
  457. } else {
  458. tail = 0;
  459. }
  460. scoped_ksimd() {
  461. for (first = 1; walk.nbytes >= AES_BLOCK_SIZE; first = 0) {
  462. int nbytes = walk.nbytes;
  463. if (walk.nbytes < walk.total)
  464. nbytes &= ~(AES_BLOCK_SIZE - 1);
  465. aes_xts_encrypt(walk.dst.virt.addr, walk.src.virt.addr,
  466. ctx->key1.key_enc, rounds, nbytes,
  467. ctx->key2.key_enc, walk.iv, first);
  468. err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
  469. }
  470. if (err || likely(!tail))
  471. return err;
  472. dst = src = scatterwalk_ffwd(sg_src, req->src, req->cryptlen);
  473. if (req->dst != req->src)
  474. dst = scatterwalk_ffwd(sg_dst, req->dst, req->cryptlen);
  475. skcipher_request_set_crypt(req, src, dst, AES_BLOCK_SIZE + tail,
  476. req->iv);
  477. err = skcipher_walk_virt(&walk, &subreq, false);
  478. if (err)
  479. return err;
  480. aes_xts_encrypt(walk.dst.virt.addr, walk.src.virt.addr,
  481. ctx->key1.key_enc, rounds, walk.nbytes,
  482. ctx->key2.key_enc, walk.iv, first);
  483. }
  484. return skcipher_walk_done(&walk, 0);
  485. }
  486. static int __maybe_unused xts_decrypt(struct skcipher_request *req)
  487. {
  488. struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
  489. struct crypto_aes_xts_ctx *ctx = crypto_skcipher_ctx(tfm);
  490. int err, first, rounds = 6 + ctx->key1.key_length / 4;
  491. int tail = req->cryptlen % AES_BLOCK_SIZE;
  492. struct scatterlist sg_src[2], sg_dst[2];
  493. struct skcipher_request subreq;
  494. struct scatterlist *src, *dst;
  495. struct skcipher_walk walk;
  496. if (req->cryptlen < AES_BLOCK_SIZE)
  497. return -EINVAL;
  498. err = skcipher_walk_virt(&walk, req, false);
  499. if (unlikely(tail > 0 && walk.nbytes < walk.total)) {
  500. int xts_blocks = DIV_ROUND_UP(req->cryptlen,
  501. AES_BLOCK_SIZE) - 2;
  502. skcipher_walk_abort(&walk);
  503. skcipher_request_set_tfm(&subreq, tfm);
  504. skcipher_request_set_callback(&subreq,
  505. skcipher_request_flags(req),
  506. NULL, NULL);
  507. skcipher_request_set_crypt(&subreq, req->src, req->dst,
  508. xts_blocks * AES_BLOCK_SIZE,
  509. req->iv);
  510. req = &subreq;
  511. err = skcipher_walk_virt(&walk, req, false);
  512. } else {
  513. tail = 0;
  514. }
  515. scoped_ksimd() {
  516. for (first = 1; walk.nbytes >= AES_BLOCK_SIZE; first = 0) {
  517. int nbytes = walk.nbytes;
  518. if (walk.nbytes < walk.total)
  519. nbytes &= ~(AES_BLOCK_SIZE - 1);
  520. aes_xts_decrypt(walk.dst.virt.addr, walk.src.virt.addr,
  521. ctx->key1.key_dec, rounds, nbytes,
  522. ctx->key2.key_enc, walk.iv, first);
  523. err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
  524. }
  525. if (err || likely(!tail))
  526. return err;
  527. dst = src = scatterwalk_ffwd(sg_src, req->src, req->cryptlen);
  528. if (req->dst != req->src)
  529. dst = scatterwalk_ffwd(sg_dst, req->dst, req->cryptlen);
  530. skcipher_request_set_crypt(req, src, dst, AES_BLOCK_SIZE + tail,
  531. req->iv);
  532. err = skcipher_walk_virt(&walk, &subreq, false);
  533. if (err)
  534. return err;
  535. aes_xts_decrypt(walk.dst.virt.addr, walk.src.virt.addr,
  536. ctx->key1.key_dec, rounds, walk.nbytes,
  537. ctx->key2.key_enc, walk.iv, first);
  538. }
  539. return skcipher_walk_done(&walk, 0);
  540. }
  541. static struct skcipher_alg aes_algs[] = { {
  542. #if defined(USE_V8_CRYPTO_EXTENSIONS) || !IS_ENABLED(CONFIG_CRYPTO_AES_ARM64_BS)
  543. .base = {
  544. .cra_name = "ecb(aes)",
  545. .cra_driver_name = "ecb-aes-" MODE,
  546. .cra_priority = PRIO,
  547. .cra_blocksize = AES_BLOCK_SIZE,
  548. .cra_ctxsize = sizeof(struct crypto_aes_ctx),
  549. .cra_module = THIS_MODULE,
  550. },
  551. .min_keysize = AES_MIN_KEY_SIZE,
  552. .max_keysize = AES_MAX_KEY_SIZE,
  553. .setkey = skcipher_aes_setkey,
  554. .encrypt = ecb_encrypt,
  555. .decrypt = ecb_decrypt,
  556. }, {
  557. .base = {
  558. .cra_name = "cbc(aes)",
  559. .cra_driver_name = "cbc-aes-" MODE,
  560. .cra_priority = PRIO,
  561. .cra_blocksize = AES_BLOCK_SIZE,
  562. .cra_ctxsize = sizeof(struct crypto_aes_ctx),
  563. .cra_module = THIS_MODULE,
  564. },
  565. .min_keysize = AES_MIN_KEY_SIZE,
  566. .max_keysize = AES_MAX_KEY_SIZE,
  567. .ivsize = AES_BLOCK_SIZE,
  568. .setkey = skcipher_aes_setkey,
  569. .encrypt = cbc_encrypt,
  570. .decrypt = cbc_decrypt,
  571. }, {
  572. .base = {
  573. .cra_name = "ctr(aes)",
  574. .cra_driver_name = "ctr-aes-" MODE,
  575. .cra_priority = PRIO,
  576. .cra_blocksize = 1,
  577. .cra_ctxsize = sizeof(struct crypto_aes_ctx),
  578. .cra_module = THIS_MODULE,
  579. },
  580. .min_keysize = AES_MIN_KEY_SIZE,
  581. .max_keysize = AES_MAX_KEY_SIZE,
  582. .ivsize = AES_BLOCK_SIZE,
  583. .chunksize = AES_BLOCK_SIZE,
  584. .setkey = skcipher_aes_setkey,
  585. .encrypt = ctr_encrypt,
  586. .decrypt = ctr_encrypt,
  587. }, {
  588. .base = {
  589. .cra_name = "xctr(aes)",
  590. .cra_driver_name = "xctr-aes-" MODE,
  591. .cra_priority = PRIO,
  592. .cra_blocksize = 1,
  593. .cra_ctxsize = sizeof(struct crypto_aes_ctx),
  594. .cra_module = THIS_MODULE,
  595. },
  596. .min_keysize = AES_MIN_KEY_SIZE,
  597. .max_keysize = AES_MAX_KEY_SIZE,
  598. .ivsize = AES_BLOCK_SIZE,
  599. .chunksize = AES_BLOCK_SIZE,
  600. .setkey = skcipher_aes_setkey,
  601. .encrypt = xctr_encrypt,
  602. .decrypt = xctr_encrypt,
  603. }, {
  604. .base = {
  605. .cra_name = "xts(aes)",
  606. .cra_driver_name = "xts-aes-" MODE,
  607. .cra_priority = PRIO,
  608. .cra_blocksize = AES_BLOCK_SIZE,
  609. .cra_ctxsize = sizeof(struct crypto_aes_xts_ctx),
  610. .cra_module = THIS_MODULE,
  611. },
  612. .min_keysize = 2 * AES_MIN_KEY_SIZE,
  613. .max_keysize = 2 * AES_MAX_KEY_SIZE,
  614. .ivsize = AES_BLOCK_SIZE,
  615. .walksize = 2 * AES_BLOCK_SIZE,
  616. .setkey = xts_set_key,
  617. .encrypt = xts_encrypt,
  618. .decrypt = xts_decrypt,
  619. }, {
  620. #endif
  621. .base = {
  622. .cra_name = "cts(cbc(aes))",
  623. .cra_driver_name = "cts-cbc-aes-" MODE,
  624. .cra_priority = PRIO,
  625. .cra_blocksize = AES_BLOCK_SIZE,
  626. .cra_ctxsize = sizeof(struct crypto_aes_ctx),
  627. .cra_module = THIS_MODULE,
  628. },
  629. .min_keysize = AES_MIN_KEY_SIZE,
  630. .max_keysize = AES_MAX_KEY_SIZE,
  631. .ivsize = AES_BLOCK_SIZE,
  632. .walksize = 2 * AES_BLOCK_SIZE,
  633. .setkey = skcipher_aes_setkey,
  634. .encrypt = cts_cbc_encrypt,
  635. .decrypt = cts_cbc_decrypt,
  636. }, {
  637. .base = {
  638. .cra_name = "essiv(cbc(aes),sha256)",
  639. .cra_driver_name = "essiv-cbc-aes-sha256-" MODE,
  640. .cra_priority = PRIO + 1,
  641. .cra_blocksize = AES_BLOCK_SIZE,
  642. .cra_ctxsize = sizeof(struct crypto_aes_essiv_cbc_ctx),
  643. .cra_module = THIS_MODULE,
  644. },
  645. .min_keysize = AES_MIN_KEY_SIZE,
  646. .max_keysize = AES_MAX_KEY_SIZE,
  647. .ivsize = AES_BLOCK_SIZE,
  648. .setkey = essiv_cbc_set_key,
  649. .encrypt = essiv_cbc_encrypt,
  650. .decrypt = essiv_cbc_decrypt,
  651. } };
  652. static int cbcmac_setkey(struct crypto_shash *tfm, const u8 *in_key,
  653. unsigned int key_len)
  654. {
  655. struct mac_tfm_ctx *ctx = crypto_shash_ctx(tfm);
  656. return aes_expandkey(&ctx->key, in_key, key_len);
  657. }
  658. static void cmac_gf128_mul_by_x(be128 *y, const be128 *x)
  659. {
  660. u64 a = be64_to_cpu(x->a);
  661. u64 b = be64_to_cpu(x->b);
  662. y->a = cpu_to_be64((a << 1) | (b >> 63));
  663. y->b = cpu_to_be64((b << 1) ^ ((a >> 63) ? 0x87 : 0));
  664. }
  665. static int cmac_setkey(struct crypto_shash *tfm, const u8 *in_key,
  666. unsigned int key_len)
  667. {
  668. struct mac_tfm_ctx *ctx = crypto_shash_ctx(tfm);
  669. be128 *consts = (be128 *)ctx->consts;
  670. int rounds = 6 + key_len / 4;
  671. int err;
  672. err = cbcmac_setkey(tfm, in_key, key_len);
  673. if (err)
  674. return err;
  675. /* encrypt the zero vector */
  676. scoped_ksimd()
  677. aes_ecb_encrypt(ctx->consts, (u8[AES_BLOCK_SIZE]){},
  678. ctx->key.key_enc, rounds, 1);
  679. cmac_gf128_mul_by_x(consts, consts);
  680. cmac_gf128_mul_by_x(consts + 1, consts);
  681. return 0;
  682. }
  683. static int xcbc_setkey(struct crypto_shash *tfm, const u8 *in_key,
  684. unsigned int key_len)
  685. {
  686. static u8 const ks[3][AES_BLOCK_SIZE] = {
  687. { [0 ... AES_BLOCK_SIZE - 1] = 0x1 },
  688. { [0 ... AES_BLOCK_SIZE - 1] = 0x2 },
  689. { [0 ... AES_BLOCK_SIZE - 1] = 0x3 },
  690. };
  691. struct mac_tfm_ctx *ctx = crypto_shash_ctx(tfm);
  692. int rounds = 6 + key_len / 4;
  693. u8 key[AES_BLOCK_SIZE];
  694. int err;
  695. err = cbcmac_setkey(tfm, in_key, key_len);
  696. if (err)
  697. return err;
  698. scoped_ksimd() {
  699. aes_ecb_encrypt(key, ks[0], ctx->key.key_enc, rounds, 1);
  700. aes_ecb_encrypt(ctx->consts, ks[1], ctx->key.key_enc, rounds, 2);
  701. }
  702. return cbcmac_setkey(tfm, key, sizeof(key));
  703. }
  704. static int mac_init(struct shash_desc *desc)
  705. {
  706. struct mac_desc_ctx *ctx = shash_desc_ctx(desc);
  707. memset(ctx->dg, 0, AES_BLOCK_SIZE);
  708. return 0;
  709. }
  710. static void mac_do_update(struct crypto_aes_ctx *ctx, u8 const in[], int blocks,
  711. u8 dg[], int enc_before)
  712. {
  713. int rounds = 6 + ctx->key_length / 4;
  714. int rem;
  715. do {
  716. scoped_ksimd()
  717. rem = aes_mac_update(in, ctx->key_enc, rounds, blocks,
  718. dg, enc_before, !enc_before);
  719. in += (blocks - rem) * AES_BLOCK_SIZE;
  720. blocks = rem;
  721. } while (blocks);
  722. }
  723. static int mac_update(struct shash_desc *desc, const u8 *p, unsigned int len)
  724. {
  725. struct mac_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm);
  726. struct mac_desc_ctx *ctx = shash_desc_ctx(desc);
  727. int blocks = len / AES_BLOCK_SIZE;
  728. len %= AES_BLOCK_SIZE;
  729. mac_do_update(&tctx->key, p, blocks, ctx->dg, 0);
  730. return len;
  731. }
  732. static int cbcmac_finup(struct shash_desc *desc, const u8 *src,
  733. unsigned int len, u8 *out)
  734. {
  735. struct mac_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm);
  736. struct mac_desc_ctx *ctx = shash_desc_ctx(desc);
  737. if (len) {
  738. crypto_xor(ctx->dg, src, len);
  739. mac_do_update(&tctx->key, NULL, 0, ctx->dg, 1);
  740. }
  741. memcpy(out, ctx->dg, AES_BLOCK_SIZE);
  742. return 0;
  743. }
  744. static int cmac_finup(struct shash_desc *desc, const u8 *src, unsigned int len,
  745. u8 *out)
  746. {
  747. struct mac_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm);
  748. struct mac_desc_ctx *ctx = shash_desc_ctx(desc);
  749. u8 *consts = tctx->consts;
  750. crypto_xor(ctx->dg, src, len);
  751. if (len != AES_BLOCK_SIZE) {
  752. ctx->dg[len] ^= 0x80;
  753. consts += AES_BLOCK_SIZE;
  754. }
  755. mac_do_update(&tctx->key, consts, 1, ctx->dg, 0);
  756. memcpy(out, ctx->dg, AES_BLOCK_SIZE);
  757. return 0;
  758. }
  759. static struct shash_alg mac_algs[] = { {
  760. .base.cra_name = "cmac(aes)",
  761. .base.cra_driver_name = "cmac-aes-" MODE,
  762. .base.cra_priority = PRIO,
  763. .base.cra_flags = CRYPTO_AHASH_ALG_BLOCK_ONLY |
  764. CRYPTO_AHASH_ALG_FINAL_NONZERO,
  765. .base.cra_blocksize = AES_BLOCK_SIZE,
  766. .base.cra_ctxsize = sizeof(struct mac_tfm_ctx) +
  767. 2 * AES_BLOCK_SIZE,
  768. .base.cra_module = THIS_MODULE,
  769. .digestsize = AES_BLOCK_SIZE,
  770. .init = mac_init,
  771. .update = mac_update,
  772. .finup = cmac_finup,
  773. .setkey = cmac_setkey,
  774. .descsize = sizeof(struct mac_desc_ctx),
  775. }, {
  776. .base.cra_name = "xcbc(aes)",
  777. .base.cra_driver_name = "xcbc-aes-" MODE,
  778. .base.cra_priority = PRIO,
  779. .base.cra_flags = CRYPTO_AHASH_ALG_BLOCK_ONLY |
  780. CRYPTO_AHASH_ALG_FINAL_NONZERO,
  781. .base.cra_blocksize = AES_BLOCK_SIZE,
  782. .base.cra_ctxsize = sizeof(struct mac_tfm_ctx) +
  783. 2 * AES_BLOCK_SIZE,
  784. .base.cra_module = THIS_MODULE,
  785. .digestsize = AES_BLOCK_SIZE,
  786. .init = mac_init,
  787. .update = mac_update,
  788. .finup = cmac_finup,
  789. .setkey = xcbc_setkey,
  790. .descsize = sizeof(struct mac_desc_ctx),
  791. }, {
  792. .base.cra_name = "cbcmac(aes)",
  793. .base.cra_driver_name = "cbcmac-aes-" MODE,
  794. .base.cra_priority = PRIO,
  795. .base.cra_flags = CRYPTO_AHASH_ALG_BLOCK_ONLY,
  796. .base.cra_blocksize = AES_BLOCK_SIZE,
  797. .base.cra_ctxsize = sizeof(struct mac_tfm_ctx),
  798. .base.cra_module = THIS_MODULE,
  799. .digestsize = AES_BLOCK_SIZE,
  800. .init = mac_init,
  801. .update = mac_update,
  802. .finup = cbcmac_finup,
  803. .setkey = cbcmac_setkey,
  804. .descsize = sizeof(struct mac_desc_ctx),
  805. } };
  806. static void aes_exit(void)
  807. {
  808. crypto_unregister_shashes(mac_algs, ARRAY_SIZE(mac_algs));
  809. crypto_unregister_skciphers(aes_algs, ARRAY_SIZE(aes_algs));
  810. }
  811. static int __init aes_init(void)
  812. {
  813. int err;
  814. err = crypto_register_skciphers(aes_algs, ARRAY_SIZE(aes_algs));
  815. if (err)
  816. return err;
  817. err = crypto_register_shashes(mac_algs, ARRAY_SIZE(mac_algs));
  818. if (err)
  819. goto unregister_ciphers;
  820. return 0;
  821. unregister_ciphers:
  822. crypto_unregister_skciphers(aes_algs, ARRAY_SIZE(aes_algs));
  823. return err;
  824. }
  825. #ifdef USE_V8_CRYPTO_EXTENSIONS
  826. module_cpu_feature_match(AES, aes_init);
  827. EXPORT_SYMBOL_NS(ce_aes_mac_update, "CRYPTO_INTERNAL");
  828. #else
  829. module_init(aes_init);
  830. EXPORT_SYMBOL(neon_aes_ecb_encrypt);
  831. EXPORT_SYMBOL(neon_aes_cbc_encrypt);
  832. EXPORT_SYMBOL(neon_aes_ctr_encrypt);
  833. EXPORT_SYMBOL(neon_aes_xts_encrypt);
  834. EXPORT_SYMBOL(neon_aes_xts_decrypt);
  835. #endif
  836. module_exit(aes_exit);