1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Minimal library implementation of AES in CFB mode
4 *
5 * Copyright 2023 Google LLC
6 */
7
8 #include <linux/module.h>
9
10 #include <crypto/algapi.h>
11 #include <crypto/aes.h>
12
13 #include <asm/irqflags.h>
14
aescfb_encrypt_block(const struct crypto_aes_ctx * ctx,void * dst,const void * src)15 static void aescfb_encrypt_block(const struct crypto_aes_ctx *ctx, void *dst,
16 const void *src)
17 {
18 unsigned long flags;
19
20 /*
21 * In AES-CFB, the AES encryption operates on known 'plaintext' (the IV
22 * and ciphertext), making it susceptible to timing attacks on the
23 * encryption key. The AES library already mitigates this risk to some
24 * extent by pulling the entire S-box into the caches before doing any
25 * substitutions, but this strategy is more effective when running with
26 * interrupts disabled.
27 */
28 local_irq_save(flags);
29 aes_encrypt(ctx, dst, src);
30 local_irq_restore(flags);
31 }
32
33 /**
34 * aescfb_encrypt - Perform AES-CFB encryption on a block of data
35 *
36 * @ctx: The AES-CFB key schedule
37 * @dst: Pointer to the ciphertext output buffer
38 * @src: Pointer the plaintext (may equal @dst for encryption in place)
39 * @len: The size in bytes of the plaintext and ciphertext.
40 * @iv: The initialization vector (IV) to use for this block of data
41 */
aescfb_encrypt(const struct crypto_aes_ctx * ctx,u8 * dst,const u8 * src,int len,const u8 iv[AES_BLOCK_SIZE])42 void aescfb_encrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src,
43 int len, const u8 iv[AES_BLOCK_SIZE])
44 {
45 u8 ks[AES_BLOCK_SIZE];
46 const u8 *v = iv;
47
48 while (len > 0) {
49 aescfb_encrypt_block(ctx, ks, v);
50 crypto_xor_cpy(dst, src, ks, min(len, AES_BLOCK_SIZE));
51 v = dst;
52
53 dst += AES_BLOCK_SIZE;
54 src += AES_BLOCK_SIZE;
55 len -= AES_BLOCK_SIZE;
56 }
57
58 memzero_explicit(ks, sizeof(ks));
59 }
60 EXPORT_SYMBOL(aescfb_encrypt);
61
62 /**
63 * aescfb_decrypt - Perform AES-CFB decryption on a block of data
64 *
65 * @ctx: The AES-CFB key schedule
66 * @dst: Pointer to the plaintext output buffer
67 * @src: Pointer the ciphertext (may equal @dst for decryption in place)
68 * @len: The size in bytes of the plaintext and ciphertext.
69 * @iv: The initialization vector (IV) to use for this block of data
70 */
aescfb_decrypt(const struct crypto_aes_ctx * ctx,u8 * dst,const u8 * src,int len,const u8 iv[AES_BLOCK_SIZE])71 void aescfb_decrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src,
72 int len, const u8 iv[AES_BLOCK_SIZE])
73 {
74 u8 ks[2][AES_BLOCK_SIZE];
75
76 aescfb_encrypt_block(ctx, ks[0], iv);
77
78 for (int i = 0; len > 0; i ^= 1) {
79 if (len > AES_BLOCK_SIZE)
80 /*
81 * Generate the keystream for the next block before
82 * performing the XOR, as that may update in place and
83 * overwrite the ciphertext.
84 */
85 aescfb_encrypt_block(ctx, ks[!i], src);
86
87 crypto_xor_cpy(dst, src, ks[i], min(len, AES_BLOCK_SIZE));
88
89 dst += AES_BLOCK_SIZE;
90 src += AES_BLOCK_SIZE;
91 len -= AES_BLOCK_SIZE;
92 }
93
94 memzero_explicit(ks, sizeof(ks));
95 }
96 EXPORT_SYMBOL(aescfb_decrypt);
97
98 MODULE_DESCRIPTION("Generic AES-CFB library");
99 MODULE_AUTHOR("Ard Biesheuvel <ardb@kernel.org>");
100 MODULE_LICENSE("GPL");
101
102 #ifndef CONFIG_CRYPTO_MANAGER_DISABLE_TESTS
103
104 /*
105 * Test code below. Vectors taken from crypto/testmgr.h
106 */
107
108 static struct {
109 u8 ptext[64];
110 u8 ctext[64];
111
112 u8 key[AES_MAX_KEY_SIZE];
113 u8 iv[AES_BLOCK_SIZE];
114
115 int klen;
116 int len;
117 } const aescfb_tv[] __initconst = {
118 { /* From NIST SP800-38A */
119 .key = "\x2b\x7e\x15\x16\x28\xae\xd2\xa6"
120 "\xab\xf7\x15\x88\x09\xcf\x4f\x3c",
121 .klen = 16,
122 .iv = "\x00\x01\x02\x03\x04\x05\x06\x07"
123 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
124 .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96"
125 "\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
126 "\xae\x2d\x8a\x57\x1e\x03\xac\x9c"
127 "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51"
128 "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11"
129 "\xe5\xfb\xc1\x19\x1a\x0a\x52\xef"
130 "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17"
131 "\xad\x2b\x41\x7b\xe6\x6c\x37\x10",
132 .ctext = "\x3b\x3f\xd9\x2e\xb7\x2d\xad\x20"
133 "\x33\x34\x49\xf8\xe8\x3c\xfb\x4a"
134 "\xc8\xa6\x45\x37\xa0\xb3\xa9\x3f"
135 "\xcd\xe3\xcd\xad\x9f\x1c\xe5\x8b"
136 "\x26\x75\x1f\x67\xa3\xcb\xb1\x40"
137 "\xb1\x80\x8c\xf1\x87\xa4\xf4\xdf"
138 "\xc0\x4b\x05\x35\x7c\x5d\x1c\x0e"
139 "\xea\xc4\xc6\x6f\x9f\xf7\xf2\xe6",
140 .len = 64,
141 }, {
142 .key = "\x8e\x73\xb0\xf7\xda\x0e\x64\x52"
143 "\xc8\x10\xf3\x2b\x80\x90\x79\xe5"
144 "\x62\xf8\xea\xd2\x52\x2c\x6b\x7b",
145 .klen = 24,
146 .iv = "\x00\x01\x02\x03\x04\x05\x06\x07"
147 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
148 .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96"
149 "\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
150 "\xae\x2d\x8a\x57\x1e\x03\xac\x9c"
151 "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51"
152 "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11"
153 "\xe5\xfb\xc1\x19\x1a\x0a\x52\xef"
154 "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17"
155 "\xad\x2b\x41\x7b\xe6\x6c\x37\x10",
156 .ctext = "\xcd\xc8\x0d\x6f\xdd\xf1\x8c\xab"
157 "\x34\xc2\x59\x09\xc9\x9a\x41\x74"
158 "\x67\xce\x7f\x7f\x81\x17\x36\x21"
159 "\x96\x1a\x2b\x70\x17\x1d\x3d\x7a"
160 "\x2e\x1e\x8a\x1d\xd5\x9b\x88\xb1"
161 "\xc8\xe6\x0f\xed\x1e\xfa\xc4\xc9"
162 "\xc0\x5f\x9f\x9c\xa9\x83\x4f\xa0"
163 "\x42\xae\x8f\xba\x58\x4b\x09\xff",
164 .len = 64,
165 }, {
166 .key = "\x60\x3d\xeb\x10\x15\xca\x71\xbe"
167 "\x2b\x73\xae\xf0\x85\x7d\x77\x81"
168 "\x1f\x35\x2c\x07\x3b\x61\x08\xd7"
169 "\x2d\x98\x10\xa3\x09\x14\xdf\xf4",
170 .klen = 32,
171 .iv = "\x00\x01\x02\x03\x04\x05\x06\x07"
172 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
173 .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96"
174 "\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
175 "\xae\x2d\x8a\x57\x1e\x03\xac\x9c"
176 "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51"
177 "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11"
178 "\xe5\xfb\xc1\x19\x1a\x0a\x52\xef"
179 "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17"
180 "\xad\x2b\x41\x7b\xe6\x6c\x37\x10",
181 .ctext = "\xdc\x7e\x84\xbf\xda\x79\x16\x4b"
182 "\x7e\xcd\x84\x86\x98\x5d\x38\x60"
183 "\x39\xff\xed\x14\x3b\x28\xb1\xc8"
184 "\x32\x11\x3c\x63\x31\xe5\x40\x7b"
185 "\xdf\x10\x13\x24\x15\xe5\x4b\x92"
186 "\xa1\x3e\xd0\xa8\x26\x7a\xe2\xf9"
187 "\x75\xa3\x85\x74\x1a\xb9\xce\xf8"
188 "\x20\x31\x62\x3d\x55\xb1\xe4\x71",
189 .len = 64,
190 }, { /* > 16 bytes, not a multiple of 16 bytes */
191 .key = "\x2b\x7e\x15\x16\x28\xae\xd2\xa6"
192 "\xab\xf7\x15\x88\x09\xcf\x4f\x3c",
193 .klen = 16,
194 .iv = "\x00\x01\x02\x03\x04\x05\x06\x07"
195 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
196 .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96"
197 "\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
198 "\xae",
199 .ctext = "\x3b\x3f\xd9\x2e\xb7\x2d\xad\x20"
200 "\x33\x34\x49\xf8\xe8\x3c\xfb\x4a"
201 "\xc8",
202 .len = 17,
203 }, { /* < 16 bytes */
204 .key = "\x2b\x7e\x15\x16\x28\xae\xd2\xa6"
205 "\xab\xf7\x15\x88\x09\xcf\x4f\x3c",
206 .klen = 16,
207 .iv = "\x00\x01\x02\x03\x04\x05\x06\x07"
208 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
209 .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f",
210 .ctext = "\x3b\x3f\xd9\x2e\xb7\x2d\xad",
211 .len = 7,
212 },
213 };
214
libaescfb_init(void)215 static int __init libaescfb_init(void)
216 {
217 for (int i = 0; i < ARRAY_SIZE(aescfb_tv); i++) {
218 struct crypto_aes_ctx ctx;
219 u8 buf[64];
220
221 if (aes_expandkey(&ctx, aescfb_tv[i].key, aescfb_tv[i].klen)) {
222 pr_err("aes_expandkey() failed on vector %d\n", i);
223 return -ENODEV;
224 }
225
226 aescfb_encrypt(&ctx, buf, aescfb_tv[i].ptext, aescfb_tv[i].len,
227 aescfb_tv[i].iv);
228 if (memcmp(buf, aescfb_tv[i].ctext, aescfb_tv[i].len)) {
229 pr_err("aescfb_encrypt() #1 failed on vector %d\n", i);
230 return -ENODEV;
231 }
232
233 /* decrypt in place */
234 aescfb_decrypt(&ctx, buf, buf, aescfb_tv[i].len, aescfb_tv[i].iv);
235 if (memcmp(buf, aescfb_tv[i].ptext, aescfb_tv[i].len)) {
236 pr_err("aescfb_decrypt() failed on vector %d\n", i);
237 return -ENODEV;
238 }
239
240 /* encrypt in place */
241 aescfb_encrypt(&ctx, buf, buf, aescfb_tv[i].len, aescfb_tv[i].iv);
242 if (memcmp(buf, aescfb_tv[i].ctext, aescfb_tv[i].len)) {
243 pr_err("aescfb_encrypt() #2 failed on vector %d\n", i);
244
245 return -ENODEV;
246 }
247
248 }
249 return 0;
250 }
251 module_init(libaescfb_init);
252
libaescfb_exit(void)253 static void __exit libaescfb_exit(void)
254 {
255 }
256 module_exit(libaescfb_exit);
257 #endif
258