1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* |
3 | * Minimal library implementation of AES in CFB mode |
4 | * |
5 | * Copyright 2023 Google LLC |
6 | */ |
7 | |
8 | #include <linux/module.h> |
9 | |
10 | #include <crypto/algapi.h> |
11 | #include <crypto/aes.h> |
12 | |
13 | #include <asm/irqflags.h> |
14 | |
15 | static void aescfb_encrypt_block(const struct crypto_aes_ctx *ctx, void *dst, |
16 | const void *src) |
17 | { |
18 | unsigned long flags; |
19 | |
20 | /* |
21 | * In AES-CFB, the AES encryption operates on known 'plaintext' (the IV |
22 | * and ciphertext), making it susceptible to timing attacks on the |
23 | * encryption key. The AES library already mitigates this risk to some |
24 | * extent by pulling the entire S-box into the caches before doing any |
25 | * substitutions, but this strategy is more effective when running with |
26 | * interrupts disabled. |
27 | */ |
28 | local_irq_save(flags); |
29 | aes_encrypt(ctx, out: dst, in: src); |
30 | local_irq_restore(flags); |
31 | } |
32 | |
33 | /** |
34 | * aescfb_encrypt - Perform AES-CFB encryption on a block of data |
35 | * |
36 | * @ctx: The AES-CFB key schedule |
37 | * @dst: Pointer to the ciphertext output buffer |
38 | * @src: Pointer the plaintext (may equal @dst for encryption in place) |
39 | * @len: The size in bytes of the plaintext and ciphertext. |
40 | * @iv: The initialization vector (IV) to use for this block of data |
41 | */ |
42 | void aescfb_encrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src, |
43 | int len, const u8 iv[AES_BLOCK_SIZE]) |
44 | { |
45 | u8 ks[AES_BLOCK_SIZE]; |
46 | const u8 *v = iv; |
47 | |
48 | while (len > 0) { |
49 | aescfb_encrypt_block(ctx, dst: ks, src: v); |
50 | crypto_xor_cpy(dst, src1: src, src2: ks, min(len, AES_BLOCK_SIZE)); |
51 | v = dst; |
52 | |
53 | dst += AES_BLOCK_SIZE; |
54 | src += AES_BLOCK_SIZE; |
55 | len -= AES_BLOCK_SIZE; |
56 | } |
57 | |
58 | memzero_explicit(s: ks, count: sizeof(ks)); |
59 | } |
60 | EXPORT_SYMBOL(aescfb_encrypt); |
61 | |
62 | /** |
63 | * aescfb_decrypt - Perform AES-CFB decryption on a block of data |
64 | * |
65 | * @ctx: The AES-CFB key schedule |
66 | * @dst: Pointer to the plaintext output buffer |
67 | * @src: Pointer the ciphertext (may equal @dst for decryption in place) |
68 | * @len: The size in bytes of the plaintext and ciphertext. |
69 | * @iv: The initialization vector (IV) to use for this block of data |
70 | */ |
71 | void aescfb_decrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src, |
72 | int len, const u8 iv[AES_BLOCK_SIZE]) |
73 | { |
74 | u8 ks[2][AES_BLOCK_SIZE]; |
75 | |
76 | aescfb_encrypt_block(ctx, dst: ks[0], src: iv); |
77 | |
78 | for (int i = 0; len > 0; i ^= 1) { |
79 | if (len > AES_BLOCK_SIZE) |
80 | /* |
81 | * Generate the keystream for the next block before |
82 | * performing the XOR, as that may update in place and |
83 | * overwrite the ciphertext. |
84 | */ |
85 | aescfb_encrypt_block(ctx, dst: ks[!i], src); |
86 | |
87 | crypto_xor_cpy(dst, src1: src, src2: ks[i], min(len, AES_BLOCK_SIZE)); |
88 | |
89 | dst += AES_BLOCK_SIZE; |
90 | src += AES_BLOCK_SIZE; |
91 | len -= AES_BLOCK_SIZE; |
92 | } |
93 | |
94 | memzero_explicit(s: ks, count: sizeof(ks)); |
95 | } |
96 | EXPORT_SYMBOL(aescfb_decrypt); |
97 | |
98 | MODULE_DESCRIPTION("Generic AES-CFB library" ); |
99 | MODULE_AUTHOR("Ard Biesheuvel <ardb@kernel.org>" ); |
100 | MODULE_LICENSE("GPL" ); |
101 | |
102 | #ifdef CONFIG_CRYPTO_SELFTESTS |
103 | |
104 | /* |
105 | * Test code below. Vectors taken from crypto/testmgr.h |
106 | */ |
107 | |
108 | static struct { |
109 | u8 ptext[64]; |
110 | u8 ctext[64]; |
111 | |
112 | u8 key[AES_MAX_KEY_SIZE]; |
113 | u8 iv[AES_BLOCK_SIZE]; |
114 | |
115 | int klen; |
116 | int len; |
117 | } const aescfb_tv[] __initconst = { |
118 | { /* From NIST SP800-38A */ |
119 | .key = "\x2b\x7e\x15\x16\x28\xae\xd2\xa6" |
120 | "\xab\xf7\x15\x88\x09\xcf\x4f\x3c" , |
121 | .klen = 16, |
122 | .iv = "\x00\x01\x02\x03\x04\x05\x06\x07" |
123 | "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" , |
124 | .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96" |
125 | "\xe9\x3d\x7e\x11\x73\x93\x17\x2a" |
126 | "\xae\x2d\x8a\x57\x1e\x03\xac\x9c" |
127 | "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51" |
128 | "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11" |
129 | "\xe5\xfb\xc1\x19\x1a\x0a\x52\xef" |
130 | "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17" |
131 | "\xad\x2b\x41\x7b\xe6\x6c\x37\x10" , |
132 | .ctext = "\x3b\x3f\xd9\x2e\xb7\x2d\xad\x20" |
133 | "\x33\x34\x49\xf8\xe8\x3c\xfb\x4a" |
134 | "\xc8\xa6\x45\x37\xa0\xb3\xa9\x3f" |
135 | "\xcd\xe3\xcd\xad\x9f\x1c\xe5\x8b" |
136 | "\x26\x75\x1f\x67\xa3\xcb\xb1\x40" |
137 | "\xb1\x80\x8c\xf1\x87\xa4\xf4\xdf" |
138 | "\xc0\x4b\x05\x35\x7c\x5d\x1c\x0e" |
139 | "\xea\xc4\xc6\x6f\x9f\xf7\xf2\xe6" , |
140 | .len = 64, |
141 | }, { |
142 | .key = "\x8e\x73\xb0\xf7\xda\x0e\x64\x52" |
143 | "\xc8\x10\xf3\x2b\x80\x90\x79\xe5" |
144 | "\x62\xf8\xea\xd2\x52\x2c\x6b\x7b" , |
145 | .klen = 24, |
146 | .iv = "\x00\x01\x02\x03\x04\x05\x06\x07" |
147 | "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" , |
148 | .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96" |
149 | "\xe9\x3d\x7e\x11\x73\x93\x17\x2a" |
150 | "\xae\x2d\x8a\x57\x1e\x03\xac\x9c" |
151 | "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51" |
152 | "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11" |
153 | "\xe5\xfb\xc1\x19\x1a\x0a\x52\xef" |
154 | "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17" |
155 | "\xad\x2b\x41\x7b\xe6\x6c\x37\x10" , |
156 | .ctext = "\xcd\xc8\x0d\x6f\xdd\xf1\x8c\xab" |
157 | "\x34\xc2\x59\x09\xc9\x9a\x41\x74" |
158 | "\x67\xce\x7f\x7f\x81\x17\x36\x21" |
159 | "\x96\x1a\x2b\x70\x17\x1d\x3d\x7a" |
160 | "\x2e\x1e\x8a\x1d\xd5\x9b\x88\xb1" |
161 | "\xc8\xe6\x0f\xed\x1e\xfa\xc4\xc9" |
162 | "\xc0\x5f\x9f\x9c\xa9\x83\x4f\xa0" |
163 | "\x42\xae\x8f\xba\x58\x4b\x09\xff" , |
164 | .len = 64, |
165 | }, { |
166 | .key = "\x60\x3d\xeb\x10\x15\xca\x71\xbe" |
167 | "\x2b\x73\xae\xf0\x85\x7d\x77\x81" |
168 | "\x1f\x35\x2c\x07\x3b\x61\x08\xd7" |
169 | "\x2d\x98\x10\xa3\x09\x14\xdf\xf4" , |
170 | .klen = 32, |
171 | .iv = "\x00\x01\x02\x03\x04\x05\x06\x07" |
172 | "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" , |
173 | .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96" |
174 | "\xe9\x3d\x7e\x11\x73\x93\x17\x2a" |
175 | "\xae\x2d\x8a\x57\x1e\x03\xac\x9c" |
176 | "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51" |
177 | "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11" |
178 | "\xe5\xfb\xc1\x19\x1a\x0a\x52\xef" |
179 | "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17" |
180 | "\xad\x2b\x41\x7b\xe6\x6c\x37\x10" , |
181 | .ctext = "\xdc\x7e\x84\xbf\xda\x79\x16\x4b" |
182 | "\x7e\xcd\x84\x86\x98\x5d\x38\x60" |
183 | "\x39\xff\xed\x14\x3b\x28\xb1\xc8" |
184 | "\x32\x11\x3c\x63\x31\xe5\x40\x7b" |
185 | "\xdf\x10\x13\x24\x15\xe5\x4b\x92" |
186 | "\xa1\x3e\xd0\xa8\x26\x7a\xe2\xf9" |
187 | "\x75\xa3\x85\x74\x1a\xb9\xce\xf8" |
188 | "\x20\x31\x62\x3d\x55\xb1\xe4\x71" , |
189 | .len = 64, |
190 | }, { /* > 16 bytes, not a multiple of 16 bytes */ |
191 | .key = "\x2b\x7e\x15\x16\x28\xae\xd2\xa6" |
192 | "\xab\xf7\x15\x88\x09\xcf\x4f\x3c" , |
193 | .klen = 16, |
194 | .iv = "\x00\x01\x02\x03\x04\x05\x06\x07" |
195 | "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" , |
196 | .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96" |
197 | "\xe9\x3d\x7e\x11\x73\x93\x17\x2a" |
198 | "\xae" , |
199 | .ctext = "\x3b\x3f\xd9\x2e\xb7\x2d\xad\x20" |
200 | "\x33\x34\x49\xf8\xe8\x3c\xfb\x4a" |
201 | "\xc8" , |
202 | .len = 17, |
203 | }, { /* < 16 bytes */ |
204 | .key = "\x2b\x7e\x15\x16\x28\xae\xd2\xa6" |
205 | "\xab\xf7\x15\x88\x09\xcf\x4f\x3c" , |
206 | .klen = 16, |
207 | .iv = "\x00\x01\x02\x03\x04\x05\x06\x07" |
208 | "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" , |
209 | .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f" , |
210 | .ctext = "\x3b\x3f\xd9\x2e\xb7\x2d\xad" , |
211 | .len = 7, |
212 | }, |
213 | }; |
214 | |
215 | static int __init libaescfb_init(void) |
216 | { |
217 | for (int i = 0; i < ARRAY_SIZE(aescfb_tv); i++) { |
218 | struct crypto_aes_ctx ctx; |
219 | u8 buf[64]; |
220 | |
221 | if (aes_expandkey(ctx: &ctx, in_key: aescfb_tv[i].key, key_len: aescfb_tv[i].klen)) { |
222 | pr_err("aes_expandkey() failed on vector %d\n" , i); |
223 | return -ENODEV; |
224 | } |
225 | |
226 | aescfb_encrypt(&ctx, buf, aescfb_tv[i].ptext, aescfb_tv[i].len, |
227 | aescfb_tv[i].iv); |
228 | if (memcmp(p: buf, q: aescfb_tv[i].ctext, size: aescfb_tv[i].len)) { |
229 | pr_err("aescfb_encrypt() #1 failed on vector %d\n" , i); |
230 | return -ENODEV; |
231 | } |
232 | |
233 | /* decrypt in place */ |
234 | aescfb_decrypt(&ctx, buf, buf, aescfb_tv[i].len, aescfb_tv[i].iv); |
235 | if (memcmp(p: buf, q: aescfb_tv[i].ptext, size: aescfb_tv[i].len)) { |
236 | pr_err("aescfb_decrypt() failed on vector %d\n" , i); |
237 | return -ENODEV; |
238 | } |
239 | |
240 | /* encrypt in place */ |
241 | aescfb_encrypt(&ctx, buf, buf, aescfb_tv[i].len, aescfb_tv[i].iv); |
242 | if (memcmp(p: buf, q: aescfb_tv[i].ctext, size: aescfb_tv[i].len)) { |
243 | pr_err("aescfb_encrypt() #2 failed on vector %d\n" , i); |
244 | |
245 | return -ENODEV; |
246 | } |
247 | |
248 | } |
249 | return 0; |
250 | } |
251 | module_init(libaescfb_init); |
252 | |
253 | static void __exit libaescfb_exit(void) |
254 | { |
255 | } |
256 | module_exit(libaescfb_exit); |
257 | #endif |
258 | |