~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/lib/crypto/aes.c

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /lib/crypto/aes.c (Version linux-6.12-rc7) and /lib/crypto/aes.c (Version linux-6.6.60)


  1 // SPDX-License-Identifier: GPL-2.0                 1 // SPDX-License-Identifier: GPL-2.0
  2 /*                                                  2 /*
  3  * Copyright (C) 2017-2019 Linaro Ltd <ard.bie      3  * Copyright (C) 2017-2019 Linaro Ltd <ard.biesheuvel@linaro.org>
  4  */                                                 4  */
  5                                                     5 
  6 #include <crypto/aes.h>                             6 #include <crypto/aes.h>
  7 #include <linux/crypto.h>                           7 #include <linux/crypto.h>
  8 #include <linux/module.h>                           8 #include <linux/module.h>
  9 #include <linux/unaligned.h>                   !!   9 #include <asm/unaligned.h>
 10                                                    10 
 11 /*                                                 11 /*
 12  * Emit the sbox as volatile const to prevent      12  * Emit the sbox as volatile const to prevent the compiler from doing
 13  * constant folding on sbox references involvi     13  * constant folding on sbox references involving fixed indexes.
 14  */                                                14  */
 15 static volatile const u8 __cacheline_aligned a     15 static volatile const u8 __cacheline_aligned aes_sbox[] = {
 16         0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x     16         0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
 17         0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0x     17         0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
 18         0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x     18         0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
 19         0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x     19         0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
 20         0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0x     20         0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc,
 21         0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x     21         0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
 22         0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x     22         0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a,
 23         0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0x     23         0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
 24         0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x     24         0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
 25         0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x     25         0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
 26         0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0x     26         0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
 27         0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x     27         0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
 28         0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x     28         0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85,
 29         0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x     29         0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
 30         0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x     30         0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
 31         0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0x     31         0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
 32         0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x     32         0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17,
 33         0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x     33         0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
 34         0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x     34         0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,
 35         0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x     35         0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
 36         0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x     36         0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
 37         0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0x     37         0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
 38         0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x     38         0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,
 39         0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0x     39         0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
 40         0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0x     40         0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,
 41         0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x     41         0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
 42         0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0x     42         0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
 43         0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x     43         0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
 44         0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x     44         0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,
 45         0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x     45         0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
 46         0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x     46         0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,
 47         0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0x     47         0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16,
 48 };                                                 48 };
 49                                                    49 
 50 static volatile const u8 __cacheline_aligned a     50 static volatile const u8 __cacheline_aligned aes_inv_sbox[] = {
 51         0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0x     51         0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38,
 52         0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0x     52         0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
 53         0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0x     53         0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87,
 54         0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0x     54         0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
 55         0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x     55         0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d,
 56         0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0x     56         0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
 57         0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x     57         0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2,
 58         0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0x     58         0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
 59         0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x     59         0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16,
 60         0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0x     60         0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
 61         0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0x     61         0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda,
 62         0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x     62         0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
 63         0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0x     63         0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a,
 64         0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x     64         0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
 65         0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x     65         0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02,
 66         0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x     66         0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
 67         0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0x     67         0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea,
 68         0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0x     68         0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
 69         0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x     69         0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85,
 70         0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0x     70         0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
 71         0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0x     71         0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89,
 72         0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0x     72         0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
 73         0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x     73         0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20,
 74         0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x     74         0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
 75         0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0x     75         0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31,
 76         0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0x     76         0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
 77         0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x     77         0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d,
 78         0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x     78         0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
 79         0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0x     79         0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0,
 80         0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x     80         0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
 81         0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0x     81         0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26,
 82         0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x     82         0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d,
 83 };                                                 83 };
 84                                                    84 
 85 extern const u8 crypto_aes_sbox[256] __alias(a     85 extern const u8 crypto_aes_sbox[256] __alias(aes_sbox);
 86 extern const u8 crypto_aes_inv_sbox[256] __ali     86 extern const u8 crypto_aes_inv_sbox[256] __alias(aes_inv_sbox);
 87                                                    87 
 88 EXPORT_SYMBOL(crypto_aes_sbox);                    88 EXPORT_SYMBOL(crypto_aes_sbox);
 89 EXPORT_SYMBOL(crypto_aes_inv_sbox);                89 EXPORT_SYMBOL(crypto_aes_inv_sbox);
 90                                                    90 
 91 static u32 mul_by_x(u32 w)                         91 static u32 mul_by_x(u32 w)
 92 {                                                  92 {
 93         u32 x = w & 0x7f7f7f7f;                    93         u32 x = w & 0x7f7f7f7f;
 94         u32 y = w & 0x80808080;                    94         u32 y = w & 0x80808080;
 95                                                    95 
 96         /* multiply by polynomial 'x' (0b10) i     96         /* multiply by polynomial 'x' (0b10) in GF(2^8) */
 97         return (x << 1) ^ (y >> 7) * 0x1b;         97         return (x << 1) ^ (y >> 7) * 0x1b;
 98 }                                                  98 }
 99                                                    99 
100 static u32 mul_by_x2(u32 w)                       100 static u32 mul_by_x2(u32 w)
101 {                                                 101 {
102         u32 x = w & 0x3f3f3f3f;                   102         u32 x = w & 0x3f3f3f3f;
103         u32 y = w & 0x80808080;                   103         u32 y = w & 0x80808080;
104         u32 z = w & 0x40404040;                   104         u32 z = w & 0x40404040;
105                                                   105 
106         /* multiply by polynomial 'x^2' (0b100    106         /* multiply by polynomial 'x^2' (0b100) in GF(2^8) */
107         return (x << 2) ^ (y >> 7) * 0x36 ^ (z    107         return (x << 2) ^ (y >> 7) * 0x36 ^ (z >> 6) * 0x1b;
108 }                                                 108 }
109                                                   109 
110 static u32 mix_columns(u32 x)                     110 static u32 mix_columns(u32 x)
111 {                                                 111 {
112         /*                                        112         /*
113          * Perform the following matrix multip    113          * Perform the following matrix multiplication in GF(2^8)
114          *                                        114          *
115          * | 0x2 0x3 0x1 0x1 |   | x[0] |         115          * | 0x2 0x3 0x1 0x1 |   | x[0] |
116          * | 0x1 0x2 0x3 0x1 |   | x[1] |         116          * | 0x1 0x2 0x3 0x1 |   | x[1] |
117          * | 0x1 0x1 0x2 0x3 | x | x[2] |         117          * | 0x1 0x1 0x2 0x3 | x | x[2] |
118          * | 0x3 0x1 0x1 0x2 |   | x[3] |         118          * | 0x3 0x1 0x1 0x2 |   | x[3] |
119          */                                       119          */
120         u32 y = mul_by_x(x) ^ ror32(x, 16);       120         u32 y = mul_by_x(x) ^ ror32(x, 16);
121                                                   121 
122         return y ^ ror32(x ^ y, 8);               122         return y ^ ror32(x ^ y, 8);
123 }                                                 123 }
124                                                   124 
125 static u32 inv_mix_columns(u32 x)                 125 static u32 inv_mix_columns(u32 x)
126 {                                                 126 {
127         /*                                        127         /*
128          * Perform the following matrix multip    128          * Perform the following matrix multiplication in GF(2^8)
129          *                                        129          *
130          * | 0xe 0xb 0xd 0x9 |   | x[0] |         130          * | 0xe 0xb 0xd 0x9 |   | x[0] |
131          * | 0x9 0xe 0xb 0xd |   | x[1] |         131          * | 0x9 0xe 0xb 0xd |   | x[1] |
132          * | 0xd 0x9 0xe 0xb | x | x[2] |         132          * | 0xd 0x9 0xe 0xb | x | x[2] |
133          * | 0xb 0xd 0x9 0xe |   | x[3] |         133          * | 0xb 0xd 0x9 0xe |   | x[3] |
134          *                                        134          *
135          * which can conveniently be reduced t    135          * which can conveniently be reduced to
136          *                                        136          *
137          * | 0x2 0x3 0x1 0x1 |   | 0x5 0x0 0x4    137          * | 0x2 0x3 0x1 0x1 |   | 0x5 0x0 0x4 0x0 |   | x[0] |
138          * | 0x1 0x2 0x3 0x1 |   | 0x0 0x5 0x0    138          * | 0x1 0x2 0x3 0x1 |   | 0x0 0x5 0x0 0x4 |   | x[1] |
139          * | 0x1 0x1 0x2 0x3 | x | 0x4 0x0 0x5    139          * | 0x1 0x1 0x2 0x3 | x | 0x4 0x0 0x5 0x0 | x | x[2] |
140          * | 0x3 0x1 0x1 0x2 |   | 0x0 0x4 0x0    140          * | 0x3 0x1 0x1 0x2 |   | 0x0 0x4 0x0 0x5 |   | x[3] |
141          */                                       141          */
142         u32 y = mul_by_x2(x);                     142         u32 y = mul_by_x2(x);
143                                                   143 
144         return mix_columns(x ^ y ^ ror32(y, 16    144         return mix_columns(x ^ y ^ ror32(y, 16));
145 }                                                 145 }
146                                                   146 
147 static __always_inline u32 subshift(u32 in[],     147 static __always_inline u32 subshift(u32 in[], int pos)
148 {                                                 148 {
149         return (aes_sbox[in[pos] & 0xff]) ^       149         return (aes_sbox[in[pos] & 0xff]) ^
150                (aes_sbox[(in[(pos + 1) % 4] >>    150                (aes_sbox[(in[(pos + 1) % 4] >>  8) & 0xff] <<  8) ^
151                (aes_sbox[(in[(pos + 2) % 4] >>    151                (aes_sbox[(in[(pos + 2) % 4] >> 16) & 0xff] << 16) ^
152                (aes_sbox[(in[(pos + 3) % 4] >>    152                (aes_sbox[(in[(pos + 3) % 4] >> 24) & 0xff] << 24);
153 }                                                 153 }
154                                                   154 
155 static __always_inline u32 inv_subshift(u32 in    155 static __always_inline u32 inv_subshift(u32 in[], int pos)
156 {                                                 156 {
157         return (aes_inv_sbox[in[pos] & 0xff])     157         return (aes_inv_sbox[in[pos] & 0xff]) ^
158                (aes_inv_sbox[(in[(pos + 3) % 4    158                (aes_inv_sbox[(in[(pos + 3) % 4] >>  8) & 0xff] <<  8) ^
159                (aes_inv_sbox[(in[(pos + 2) % 4    159                (aes_inv_sbox[(in[(pos + 2) % 4] >> 16) & 0xff] << 16) ^
160                (aes_inv_sbox[(in[(pos + 1) % 4    160                (aes_inv_sbox[(in[(pos + 1) % 4] >> 24) & 0xff] << 24);
161 }                                                 161 }
162                                                   162 
163 static u32 subw(u32 in)                           163 static u32 subw(u32 in)
164 {                                                 164 {
165         return (aes_sbox[in & 0xff]) ^            165         return (aes_sbox[in & 0xff]) ^
166                (aes_sbox[(in >>  8) & 0xff] <<    166                (aes_sbox[(in >>  8) & 0xff] <<  8) ^
167                (aes_sbox[(in >> 16) & 0xff] <<    167                (aes_sbox[(in >> 16) & 0xff] << 16) ^
168                (aes_sbox[(in >> 24) & 0xff] <<    168                (aes_sbox[(in >> 24) & 0xff] << 24);
169 }                                                 169 }
170                                                   170 
171 /**                                               171 /**
172  * aes_expandkey - Expands the AES key as desc    172  * aes_expandkey - Expands the AES key as described in FIPS-197
173  * @ctx:        The location where the compute    173  * @ctx:        The location where the computed key will be stored.
174  * @in_key:     The supplied key.                 174  * @in_key:     The supplied key.
175  * @key_len:    The length of the supplied key    175  * @key_len:    The length of the supplied key.
176  *                                                176  *
177  * Returns 0 on success. The function fails on    177  * Returns 0 on success. The function fails only if an invalid key size (or
178  * pointer) is supplied.                          178  * pointer) is supplied.
179  * The expanded key size is 240 bytes (max of     179  * The expanded key size is 240 bytes (max of 14 rounds with a unique 16 bytes
180  * key schedule plus a 16 bytes key which is u    180  * key schedule plus a 16 bytes key which is used before the first round).
181  * The decryption key is prepared for the "Equ    181  * The decryption key is prepared for the "Equivalent Inverse Cipher" as
182  * described in FIPS-197. The first slot (16 b    182  * described in FIPS-197. The first slot (16 bytes) of each key (enc or dec) is
183  * for the initial combination, the second slo    183  * for the initial combination, the second slot for the first round and so on.
184  */                                               184  */
185 int aes_expandkey(struct crypto_aes_ctx *ctx,     185 int aes_expandkey(struct crypto_aes_ctx *ctx, const u8 *in_key,
186                   unsigned int key_len)           186                   unsigned int key_len)
187 {                                                 187 {
188         u32 kwords = key_len / sizeof(u32);       188         u32 kwords = key_len / sizeof(u32);
189         u32 rc, i, j;                             189         u32 rc, i, j;
190         int err;                                  190         int err;
191                                                   191 
192         err = aes_check_keylen(key_len);          192         err = aes_check_keylen(key_len);
193         if (err)                                  193         if (err)
194                 return err;                       194                 return err;
195                                                   195 
196         ctx->key_length = key_len;                196         ctx->key_length = key_len;
197                                                   197 
198         for (i = 0; i < kwords; i++)              198         for (i = 0; i < kwords; i++)
199                 ctx->key_enc[i] = get_unaligne    199                 ctx->key_enc[i] = get_unaligned_le32(in_key + i * sizeof(u32));
200                                                   200 
201         for (i = 0, rc = 1; i < 10; i++, rc =     201         for (i = 0, rc = 1; i < 10; i++, rc = mul_by_x(rc)) {
202                 u32 *rki = ctx->key_enc + (i *    202                 u32 *rki = ctx->key_enc + (i * kwords);
203                 u32 *rko = rki + kwords;          203                 u32 *rko = rki + kwords;
204                                                   204 
205                 rko[0] = ror32(subw(rki[kwords    205                 rko[0] = ror32(subw(rki[kwords - 1]), 8) ^ rc ^ rki[0];
206                 rko[1] = rko[0] ^ rki[1];         206                 rko[1] = rko[0] ^ rki[1];
207                 rko[2] = rko[1] ^ rki[2];         207                 rko[2] = rko[1] ^ rki[2];
208                 rko[3] = rko[2] ^ rki[3];         208                 rko[3] = rko[2] ^ rki[3];
209                                                   209 
210                 if (key_len == AES_KEYSIZE_192    210                 if (key_len == AES_KEYSIZE_192) {
211                         if (i >= 7)               211                         if (i >= 7)
212                                 break;            212                                 break;
213                         rko[4] = rko[3] ^ rki[    213                         rko[4] = rko[3] ^ rki[4];
214                         rko[5] = rko[4] ^ rki[    214                         rko[5] = rko[4] ^ rki[5];
215                 } else if (key_len == AES_KEYS    215                 } else if (key_len == AES_KEYSIZE_256) {
216                         if (i >= 6)               216                         if (i >= 6)
217                                 break;            217                                 break;
218                         rko[4] = subw(rko[3])     218                         rko[4] = subw(rko[3]) ^ rki[4];
219                         rko[5] = rko[4] ^ rki[    219                         rko[5] = rko[4] ^ rki[5];
220                         rko[6] = rko[5] ^ rki[    220                         rko[6] = rko[5] ^ rki[6];
221                         rko[7] = rko[6] ^ rki[    221                         rko[7] = rko[6] ^ rki[7];
222                 }                                 222                 }
223         }                                         223         }
224                                                   224 
225         /*                                        225         /*
226          * Generate the decryption keys for th    226          * Generate the decryption keys for the Equivalent Inverse Cipher.
227          * This involves reversing the order o    227          * This involves reversing the order of the round keys, and applying
228          * the Inverse Mix Columns transformat    228          * the Inverse Mix Columns transformation to all but the first and
229          * the last one.                          229          * the last one.
230          */                                       230          */
231         ctx->key_dec[0] = ctx->key_enc[key_len    231         ctx->key_dec[0] = ctx->key_enc[key_len + 24];
232         ctx->key_dec[1] = ctx->key_enc[key_len    232         ctx->key_dec[1] = ctx->key_enc[key_len + 25];
233         ctx->key_dec[2] = ctx->key_enc[key_len    233         ctx->key_dec[2] = ctx->key_enc[key_len + 26];
234         ctx->key_dec[3] = ctx->key_enc[key_len    234         ctx->key_dec[3] = ctx->key_enc[key_len + 27];
235                                                   235 
236         for (i = 4, j = key_len + 20; j > 0; i    236         for (i = 4, j = key_len + 20; j > 0; i += 4, j -= 4) {
237                 ctx->key_dec[i]     = inv_mix_    237                 ctx->key_dec[i]     = inv_mix_columns(ctx->key_enc[j]);
238                 ctx->key_dec[i + 1] = inv_mix_    238                 ctx->key_dec[i + 1] = inv_mix_columns(ctx->key_enc[j + 1]);
239                 ctx->key_dec[i + 2] = inv_mix_    239                 ctx->key_dec[i + 2] = inv_mix_columns(ctx->key_enc[j + 2]);
240                 ctx->key_dec[i + 3] = inv_mix_    240                 ctx->key_dec[i + 3] = inv_mix_columns(ctx->key_enc[j + 3]);
241         }                                         241         }
242                                                   242 
243         ctx->key_dec[i]     = ctx->key_enc[0];    243         ctx->key_dec[i]     = ctx->key_enc[0];
244         ctx->key_dec[i + 1] = ctx->key_enc[1];    244         ctx->key_dec[i + 1] = ctx->key_enc[1];
245         ctx->key_dec[i + 2] = ctx->key_enc[2];    245         ctx->key_dec[i + 2] = ctx->key_enc[2];
246         ctx->key_dec[i + 3] = ctx->key_enc[3];    246         ctx->key_dec[i + 3] = ctx->key_enc[3];
247                                                   247 
248         return 0;                                 248         return 0;
249 }                                                 249 }
250 EXPORT_SYMBOL(aes_expandkey);                     250 EXPORT_SYMBOL(aes_expandkey);
251                                                   251 
252 /**                                               252 /**
253  * aes_encrypt - Encrypt a single AES block       253  * aes_encrypt - Encrypt a single AES block
254  * @ctx:        Context struct containing the     254  * @ctx:        Context struct containing the key schedule
255  * @out:        Buffer to store the ciphertext    255  * @out:        Buffer to store the ciphertext
256  * @in:         Buffer containing the plaintex    256  * @in:         Buffer containing the plaintext
257  */                                               257  */
258 void aes_encrypt(const struct crypto_aes_ctx *    258 void aes_encrypt(const struct crypto_aes_ctx *ctx, u8 *out, const u8 *in)
259 {                                                 259 {
260         const u32 *rkp = ctx->key_enc + 4;        260         const u32 *rkp = ctx->key_enc + 4;
261         int rounds = 6 + ctx->key_length / 4;     261         int rounds = 6 + ctx->key_length / 4;
262         u32 st0[4], st1[4];                       262         u32 st0[4], st1[4];
263         int round;                                263         int round;
264                                                   264 
265         st0[0] = ctx->key_enc[0] ^ get_unalign    265         st0[0] = ctx->key_enc[0] ^ get_unaligned_le32(in);
266         st0[1] = ctx->key_enc[1] ^ get_unalign    266         st0[1] = ctx->key_enc[1] ^ get_unaligned_le32(in + 4);
267         st0[2] = ctx->key_enc[2] ^ get_unalign    267         st0[2] = ctx->key_enc[2] ^ get_unaligned_le32(in + 8);
268         st0[3] = ctx->key_enc[3] ^ get_unalign    268         st0[3] = ctx->key_enc[3] ^ get_unaligned_le32(in + 12);
269                                                   269 
270         /*                                        270         /*
271          * Force the compiler to emit data ind    271          * Force the compiler to emit data independent Sbox references,
272          * by xoring the input with Sbox value    272          * by xoring the input with Sbox values that are known to add up
273          * to zero. This pulls the entire Sbox    273          * to zero. This pulls the entire Sbox into the D-cache before any
274          * data dependent lookups are done.       274          * data dependent lookups are done.
275          */                                       275          */
276         st0[0] ^= aes_sbox[ 0] ^ aes_sbox[ 64]    276         st0[0] ^= aes_sbox[ 0] ^ aes_sbox[ 64] ^ aes_sbox[134] ^ aes_sbox[195];
277         st0[1] ^= aes_sbox[16] ^ aes_sbox[ 82]    277         st0[1] ^= aes_sbox[16] ^ aes_sbox[ 82] ^ aes_sbox[158] ^ aes_sbox[221];
278         st0[2] ^= aes_sbox[32] ^ aes_sbox[ 96]    278         st0[2] ^= aes_sbox[32] ^ aes_sbox[ 96] ^ aes_sbox[160] ^ aes_sbox[234];
279         st0[3] ^= aes_sbox[48] ^ aes_sbox[112]    279         st0[3] ^= aes_sbox[48] ^ aes_sbox[112] ^ aes_sbox[186] ^ aes_sbox[241];
280                                                   280 
281         for (round = 0;; round += 2, rkp += 8)    281         for (round = 0;; round += 2, rkp += 8) {
282                 st1[0] = mix_columns(subshift(    282                 st1[0] = mix_columns(subshift(st0, 0)) ^ rkp[0];
283                 st1[1] = mix_columns(subshift(    283                 st1[1] = mix_columns(subshift(st0, 1)) ^ rkp[1];
284                 st1[2] = mix_columns(subshift(    284                 st1[2] = mix_columns(subshift(st0, 2)) ^ rkp[2];
285                 st1[3] = mix_columns(subshift(    285                 st1[3] = mix_columns(subshift(st0, 3)) ^ rkp[3];
286                                                   286 
287                 if (round == rounds - 2)          287                 if (round == rounds - 2)
288                         break;                    288                         break;
289                                                   289 
290                 st0[0] = mix_columns(subshift(    290                 st0[0] = mix_columns(subshift(st1, 0)) ^ rkp[4];
291                 st0[1] = mix_columns(subshift(    291                 st0[1] = mix_columns(subshift(st1, 1)) ^ rkp[5];
292                 st0[2] = mix_columns(subshift(    292                 st0[2] = mix_columns(subshift(st1, 2)) ^ rkp[6];
293                 st0[3] = mix_columns(subshift(    293                 st0[3] = mix_columns(subshift(st1, 3)) ^ rkp[7];
294         }                                         294         }
295                                                   295 
296         put_unaligned_le32(subshift(st1, 0) ^     296         put_unaligned_le32(subshift(st1, 0) ^ rkp[4], out);
297         put_unaligned_le32(subshift(st1, 1) ^     297         put_unaligned_le32(subshift(st1, 1) ^ rkp[5], out + 4);
298         put_unaligned_le32(subshift(st1, 2) ^     298         put_unaligned_le32(subshift(st1, 2) ^ rkp[6], out + 8);
299         put_unaligned_le32(subshift(st1, 3) ^     299         put_unaligned_le32(subshift(st1, 3) ^ rkp[7], out + 12);
300 }                                                 300 }
301 EXPORT_SYMBOL(aes_encrypt);                       301 EXPORT_SYMBOL(aes_encrypt);
302                                                   302 
303 /**                                               303 /**
304  * aes_decrypt - Decrypt a single AES block       304  * aes_decrypt - Decrypt a single AES block
305  * @ctx:        Context struct containing the     305  * @ctx:        Context struct containing the key schedule
306  * @out:        Buffer to store the plaintext     306  * @out:        Buffer to store the plaintext
307  * @in:         Buffer containing the cipherte    307  * @in:         Buffer containing the ciphertext
308  */                                               308  */
309 void aes_decrypt(const struct crypto_aes_ctx *    309 void aes_decrypt(const struct crypto_aes_ctx *ctx, u8 *out, const u8 *in)
310 {                                                 310 {
311         const u32 *rkp = ctx->key_dec + 4;        311         const u32 *rkp = ctx->key_dec + 4;
312         int rounds = 6 + ctx->key_length / 4;     312         int rounds = 6 + ctx->key_length / 4;
313         u32 st0[4], st1[4];                       313         u32 st0[4], st1[4];
314         int round;                                314         int round;
315                                                   315 
316         st0[0] = ctx->key_dec[0] ^ get_unalign    316         st0[0] = ctx->key_dec[0] ^ get_unaligned_le32(in);
317         st0[1] = ctx->key_dec[1] ^ get_unalign    317         st0[1] = ctx->key_dec[1] ^ get_unaligned_le32(in + 4);
318         st0[2] = ctx->key_dec[2] ^ get_unalign    318         st0[2] = ctx->key_dec[2] ^ get_unaligned_le32(in + 8);
319         st0[3] = ctx->key_dec[3] ^ get_unalign    319         st0[3] = ctx->key_dec[3] ^ get_unaligned_le32(in + 12);
320                                                   320 
321         /*                                        321         /*
322          * Force the compiler to emit data ind    322          * Force the compiler to emit data independent Sbox references,
323          * by xoring the input with Sbox value    323          * by xoring the input with Sbox values that are known to add up
324          * to zero. This pulls the entire Sbox    324          * to zero. This pulls the entire Sbox into the D-cache before any
325          * data dependent lookups are done.       325          * data dependent lookups are done.
326          */                                       326          */
327         st0[0] ^= aes_inv_sbox[ 0] ^ aes_inv_s    327         st0[0] ^= aes_inv_sbox[ 0] ^ aes_inv_sbox[ 64] ^ aes_inv_sbox[129] ^ aes_inv_sbox[200];
328         st0[1] ^= aes_inv_sbox[16] ^ aes_inv_s    328         st0[1] ^= aes_inv_sbox[16] ^ aes_inv_sbox[ 83] ^ aes_inv_sbox[150] ^ aes_inv_sbox[212];
329         st0[2] ^= aes_inv_sbox[32] ^ aes_inv_s    329         st0[2] ^= aes_inv_sbox[32] ^ aes_inv_sbox[ 96] ^ aes_inv_sbox[160] ^ aes_inv_sbox[236];
330         st0[3] ^= aes_inv_sbox[48] ^ aes_inv_s    330         st0[3] ^= aes_inv_sbox[48] ^ aes_inv_sbox[112] ^ aes_inv_sbox[187] ^ aes_inv_sbox[247];
331                                                   331 
332         for (round = 0;; round += 2, rkp += 8)    332         for (round = 0;; round += 2, rkp += 8) {
333                 st1[0] = inv_mix_columns(inv_s    333                 st1[0] = inv_mix_columns(inv_subshift(st0, 0)) ^ rkp[0];
334                 st1[1] = inv_mix_columns(inv_s    334                 st1[1] = inv_mix_columns(inv_subshift(st0, 1)) ^ rkp[1];
335                 st1[2] = inv_mix_columns(inv_s    335                 st1[2] = inv_mix_columns(inv_subshift(st0, 2)) ^ rkp[2];
336                 st1[3] = inv_mix_columns(inv_s    336                 st1[3] = inv_mix_columns(inv_subshift(st0, 3)) ^ rkp[3];
337                                                   337 
338                 if (round == rounds - 2)          338                 if (round == rounds - 2)
339                         break;                    339                         break;
340                                                   340 
341                 st0[0] = inv_mix_columns(inv_s    341                 st0[0] = inv_mix_columns(inv_subshift(st1, 0)) ^ rkp[4];
342                 st0[1] = inv_mix_columns(inv_s    342                 st0[1] = inv_mix_columns(inv_subshift(st1, 1)) ^ rkp[5];
343                 st0[2] = inv_mix_columns(inv_s    343                 st0[2] = inv_mix_columns(inv_subshift(st1, 2)) ^ rkp[6];
344                 st0[3] = inv_mix_columns(inv_s    344                 st0[3] = inv_mix_columns(inv_subshift(st1, 3)) ^ rkp[7];
345         }                                         345         }
346                                                   346 
347         put_unaligned_le32(inv_subshift(st1, 0    347         put_unaligned_le32(inv_subshift(st1, 0) ^ rkp[4], out);
348         put_unaligned_le32(inv_subshift(st1, 1    348         put_unaligned_le32(inv_subshift(st1, 1) ^ rkp[5], out + 4);
349         put_unaligned_le32(inv_subshift(st1, 2    349         put_unaligned_le32(inv_subshift(st1, 2) ^ rkp[6], out + 8);
350         put_unaligned_le32(inv_subshift(st1, 3    350         put_unaligned_le32(inv_subshift(st1, 3) ^ rkp[7], out + 12);
351 }                                                 351 }
352 EXPORT_SYMBOL(aes_decrypt);                       352 EXPORT_SYMBOL(aes_decrypt);
353                                                   353 
354 MODULE_DESCRIPTION("Generic AES library");        354 MODULE_DESCRIPTION("Generic AES library");
355 MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@    355 MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>");
356 MODULE_LICENSE("GPL v2");                         356 MODULE_LICENSE("GPL v2");
357                                                   357 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php