aescfb.c 7.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256
  1. // SPDX-License-Identifier: GPL-2.0
  2. /*
  3. * Minimal library implementation of AES in CFB mode
  4. *
  5. * Copyright 2023 Google LLC
  6. */
  7. #include <crypto/aes.h>
  8. #include <crypto/algapi.h>
  9. #include <linux/export.h>
  10. #include <linux/module.h>
  11. #include <asm/irqflags.h>
  12. static void aescfb_encrypt_block(const struct aes_enckey *key, void *dst,
  13. const void *src)
  14. {
  15. unsigned long flags;
  16. /*
  17. * In AES-CFB, the AES encryption operates on known 'plaintext' (the IV
  18. * and ciphertext), making it susceptible to timing attacks on the
  19. * encryption key. The AES library already mitigates this risk to some
  20. * extent by pulling the entire S-box into the caches before doing any
  21. * substitutions, but this strategy is more effective when running with
  22. * interrupts disabled.
  23. */
  24. local_irq_save(flags);
  25. aes_encrypt(key, dst, src);
  26. local_irq_restore(flags);
  27. }
  28. /**
  29. * aescfb_encrypt - Perform AES-CFB encryption on a block of data
  30. *
  31. * @key: The AES-CFB key schedule
  32. * @dst: Pointer to the ciphertext output buffer
  33. * @src: Pointer the plaintext (may equal @dst for encryption in place)
  34. * @len: The size in bytes of the plaintext and ciphertext.
  35. * @iv: The initialization vector (IV) to use for this block of data
  36. */
  37. void aescfb_encrypt(const struct aes_enckey *key, u8 *dst, const u8 *src,
  38. int len, const u8 iv[AES_BLOCK_SIZE])
  39. {
  40. u8 ks[AES_BLOCK_SIZE];
  41. const u8 *v = iv;
  42. while (len > 0) {
  43. aescfb_encrypt_block(key, ks, v);
  44. crypto_xor_cpy(dst, src, ks, min(len, AES_BLOCK_SIZE));
  45. v = dst;
  46. dst += AES_BLOCK_SIZE;
  47. src += AES_BLOCK_SIZE;
  48. len -= AES_BLOCK_SIZE;
  49. }
  50. memzero_explicit(ks, sizeof(ks));
  51. }
  52. EXPORT_SYMBOL(aescfb_encrypt);
  53. /**
  54. * aescfb_decrypt - Perform AES-CFB decryption on a block of data
  55. *
  56. * @key: The AES-CFB key schedule
  57. * @dst: Pointer to the plaintext output buffer
  58. * @src: Pointer the ciphertext (may equal @dst for decryption in place)
  59. * @len: The size in bytes of the plaintext and ciphertext.
  60. * @iv: The initialization vector (IV) to use for this block of data
  61. */
  62. void aescfb_decrypt(const struct aes_enckey *key, u8 *dst, const u8 *src,
  63. int len, const u8 iv[AES_BLOCK_SIZE])
  64. {
  65. u8 ks[2][AES_BLOCK_SIZE];
  66. aescfb_encrypt_block(key, ks[0], iv);
  67. for (int i = 0; len > 0; i ^= 1) {
  68. if (len > AES_BLOCK_SIZE)
  69. /*
  70. * Generate the keystream for the next block before
  71. * performing the XOR, as that may update in place and
  72. * overwrite the ciphertext.
  73. */
  74. aescfb_encrypt_block(key, ks[!i], src);
  75. crypto_xor_cpy(dst, src, ks[i], min(len, AES_BLOCK_SIZE));
  76. dst += AES_BLOCK_SIZE;
  77. src += AES_BLOCK_SIZE;
  78. len -= AES_BLOCK_SIZE;
  79. }
  80. memzero_explicit(ks, sizeof(ks));
  81. }
  82. EXPORT_SYMBOL(aescfb_decrypt);
  83. MODULE_DESCRIPTION("Generic AES-CFB library");
  84. MODULE_AUTHOR("Ard Biesheuvel <ardb@kernel.org>");
  85. MODULE_LICENSE("GPL");
  86. #ifdef CONFIG_CRYPTO_SELFTESTS
  87. /*
  88. * Test code below. Vectors taken from crypto/testmgr.h
  89. */
  90. static struct {
  91. u8 ptext[64] __nonstring;
  92. u8 ctext[64] __nonstring;
  93. u8 key[AES_MAX_KEY_SIZE] __nonstring;
  94. u8 iv[AES_BLOCK_SIZE] __nonstring;
  95. int klen;
  96. int len;
  97. } const aescfb_tv[] __initconst = {
  98. { /* From NIST SP800-38A */
  99. .key = "\x2b\x7e\x15\x16\x28\xae\xd2\xa6"
  100. "\xab\xf7\x15\x88\x09\xcf\x4f\x3c",
  101. .klen = 16,
  102. .iv = "\x00\x01\x02\x03\x04\x05\x06\x07"
  103. "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
  104. .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96"
  105. "\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
  106. "\xae\x2d\x8a\x57\x1e\x03\xac\x9c"
  107. "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51"
  108. "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11"
  109. "\xe5\xfb\xc1\x19\x1a\x0a\x52\xef"
  110. "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17"
  111. "\xad\x2b\x41\x7b\xe6\x6c\x37\x10",
  112. .ctext = "\x3b\x3f\xd9\x2e\xb7\x2d\xad\x20"
  113. "\x33\x34\x49\xf8\xe8\x3c\xfb\x4a"
  114. "\xc8\xa6\x45\x37\xa0\xb3\xa9\x3f"
  115. "\xcd\xe3\xcd\xad\x9f\x1c\xe5\x8b"
  116. "\x26\x75\x1f\x67\xa3\xcb\xb1\x40"
  117. "\xb1\x80\x8c\xf1\x87\xa4\xf4\xdf"
  118. "\xc0\x4b\x05\x35\x7c\x5d\x1c\x0e"
  119. "\xea\xc4\xc6\x6f\x9f\xf7\xf2\xe6",
  120. .len = 64,
  121. }, {
  122. .key = "\x8e\x73\xb0\xf7\xda\x0e\x64\x52"
  123. "\xc8\x10\xf3\x2b\x80\x90\x79\xe5"
  124. "\x62\xf8\xea\xd2\x52\x2c\x6b\x7b",
  125. .klen = 24,
  126. .iv = "\x00\x01\x02\x03\x04\x05\x06\x07"
  127. "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
  128. .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96"
  129. "\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
  130. "\xae\x2d\x8a\x57\x1e\x03\xac\x9c"
  131. "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51"
  132. "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11"
  133. "\xe5\xfb\xc1\x19\x1a\x0a\x52\xef"
  134. "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17"
  135. "\xad\x2b\x41\x7b\xe6\x6c\x37\x10",
  136. .ctext = "\xcd\xc8\x0d\x6f\xdd\xf1\x8c\xab"
  137. "\x34\xc2\x59\x09\xc9\x9a\x41\x74"
  138. "\x67\xce\x7f\x7f\x81\x17\x36\x21"
  139. "\x96\x1a\x2b\x70\x17\x1d\x3d\x7a"
  140. "\x2e\x1e\x8a\x1d\xd5\x9b\x88\xb1"
  141. "\xc8\xe6\x0f\xed\x1e\xfa\xc4\xc9"
  142. "\xc0\x5f\x9f\x9c\xa9\x83\x4f\xa0"
  143. "\x42\xae\x8f\xba\x58\x4b\x09\xff",
  144. .len = 64,
  145. }, {
  146. .key = "\x60\x3d\xeb\x10\x15\xca\x71\xbe"
  147. "\x2b\x73\xae\xf0\x85\x7d\x77\x81"
  148. "\x1f\x35\x2c\x07\x3b\x61\x08\xd7"
  149. "\x2d\x98\x10\xa3\x09\x14\xdf\xf4",
  150. .klen = 32,
  151. .iv = "\x00\x01\x02\x03\x04\x05\x06\x07"
  152. "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
  153. .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96"
  154. "\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
  155. "\xae\x2d\x8a\x57\x1e\x03\xac\x9c"
  156. "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51"
  157. "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11"
  158. "\xe5\xfb\xc1\x19\x1a\x0a\x52\xef"
  159. "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17"
  160. "\xad\x2b\x41\x7b\xe6\x6c\x37\x10",
  161. .ctext = "\xdc\x7e\x84\xbf\xda\x79\x16\x4b"
  162. "\x7e\xcd\x84\x86\x98\x5d\x38\x60"
  163. "\x39\xff\xed\x14\x3b\x28\xb1\xc8"
  164. "\x32\x11\x3c\x63\x31\xe5\x40\x7b"
  165. "\xdf\x10\x13\x24\x15\xe5\x4b\x92"
  166. "\xa1\x3e\xd0\xa8\x26\x7a\xe2\xf9"
  167. "\x75\xa3\x85\x74\x1a\xb9\xce\xf8"
  168. "\x20\x31\x62\x3d\x55\xb1\xe4\x71",
  169. .len = 64,
  170. }, { /* > 16 bytes, not a multiple of 16 bytes */
  171. .key = "\x2b\x7e\x15\x16\x28\xae\xd2\xa6"
  172. "\xab\xf7\x15\x88\x09\xcf\x4f\x3c",
  173. .klen = 16,
  174. .iv = "\x00\x01\x02\x03\x04\x05\x06\x07"
  175. "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
  176. .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96"
  177. "\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
  178. "\xae",
  179. .ctext = "\x3b\x3f\xd9\x2e\xb7\x2d\xad\x20"
  180. "\x33\x34\x49\xf8\xe8\x3c\xfb\x4a"
  181. "\xc8",
  182. .len = 17,
  183. }, { /* < 16 bytes */
  184. .key = "\x2b\x7e\x15\x16\x28\xae\xd2\xa6"
  185. "\xab\xf7\x15\x88\x09\xcf\x4f\x3c",
  186. .klen = 16,
  187. .iv = "\x00\x01\x02\x03\x04\x05\x06\x07"
  188. "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
  189. .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f",
  190. .ctext = "\x3b\x3f\xd9\x2e\xb7\x2d\xad",
  191. .len = 7,
  192. },
  193. };
  194. static int __init libaescfb_init(void)
  195. {
  196. for (int i = 0; i < ARRAY_SIZE(aescfb_tv); i++) {
  197. struct aes_enckey key;
  198. u8 buf[64];
  199. if (aes_prepareenckey(&key, aescfb_tv[i].key, aescfb_tv[i].klen)) {
  200. pr_err("aes_prepareenckey() failed on vector %d\n", i);
  201. return -ENODEV;
  202. }
  203. aescfb_encrypt(&key, buf, aescfb_tv[i].ptext, aescfb_tv[i].len,
  204. aescfb_tv[i].iv);
  205. if (memcmp(buf, aescfb_tv[i].ctext, aescfb_tv[i].len)) {
  206. pr_err("aescfb_encrypt() #1 failed on vector %d\n", i);
  207. return -ENODEV;
  208. }
  209. /* decrypt in place */
  210. aescfb_decrypt(&key, buf, buf, aescfb_tv[i].len, aescfb_tv[i].iv);
  211. if (memcmp(buf, aescfb_tv[i].ptext, aescfb_tv[i].len)) {
  212. pr_err("aescfb_decrypt() failed on vector %d\n", i);
  213. return -ENODEV;
  214. }
  215. /* encrypt in place */
  216. aescfb_encrypt(&key, buf, buf, aescfb_tv[i].len, aescfb_tv[i].iv);
  217. if (memcmp(buf, aescfb_tv[i].ctext, aescfb_tv[i].len)) {
  218. pr_err("aescfb_encrypt() #2 failed on vector %d\n", i);
  219. return -ENODEV;
  220. }
  221. }
  222. return 0;
  223. }
  224. module_init(libaescfb_init);
  225. static void __exit libaescfb_exit(void)
  226. {
  227. }
  228. module_exit(libaescfb_exit);
  229. #endif