linux/crypto/salsa20_generic.c
<<
>>
Prefs
   1/*
   2 * Salsa20: Salsa20 stream cipher algorithm
   3 *
   4 * Copyright (c) 2007 Tan Swee Heng <thesweeheng@gmail.com>
   5 *
   6 * Derived from:
   7 * - salsa20.c: Public domain C code by Daniel J. Bernstein <djb@cr.yp.to>
   8 *
   9 * Salsa20 is a stream cipher candidate in eSTREAM, the ECRYPT Stream
  10 * Cipher Project. It is designed by Daniel J. Bernstein <djb@cr.yp.to>.
  11 * More information about eSTREAM and Salsa20 can be found here:
  12 *   http://www.ecrypt.eu.org/stream/
  13 *   http://cr.yp.to/snuffle.html
  14 *
  15 * This program is free software; you can redistribute it and/or modify it
  16 * under the terms of the GNU General Public License as published by the Free
  17 * Software Foundation; either version 2 of the License, or (at your option)
  18 * any later version.
  19 *
  20 */
  21
  22#include <asm/unaligned.h>
  23#include <crypto/internal/skcipher.h>
  24#include <linux/module.h>
  25
  26#define SALSA20_IV_SIZE        8
  27#define SALSA20_MIN_KEY_SIZE  16
  28#define SALSA20_MAX_KEY_SIZE  32
  29#define SALSA20_BLOCK_SIZE    64
  30
  31struct salsa20_ctx {
  32        u32 initial_state[16];
  33};
  34
  35static void salsa20_block(u32 *state, __le32 *stream)
  36{
  37        u32 x[16];
  38        int i;
  39
  40        memcpy(x, state, sizeof(x));
  41
  42        for (i = 0; i < 20; i += 2) {
  43                x[ 4] ^= rol32((x[ 0] + x[12]),  7);
  44                x[ 8] ^= rol32((x[ 4] + x[ 0]),  9);
  45                x[12] ^= rol32((x[ 8] + x[ 4]), 13);
  46                x[ 0] ^= rol32((x[12] + x[ 8]), 18);
  47                x[ 9] ^= rol32((x[ 5] + x[ 1]),  7);
  48                x[13] ^= rol32((x[ 9] + x[ 5]),  9);
  49                x[ 1] ^= rol32((x[13] + x[ 9]), 13);
  50                x[ 5] ^= rol32((x[ 1] + x[13]), 18);
  51                x[14] ^= rol32((x[10] + x[ 6]),  7);
  52                x[ 2] ^= rol32((x[14] + x[10]),  9);
  53                x[ 6] ^= rol32((x[ 2] + x[14]), 13);
  54                x[10] ^= rol32((x[ 6] + x[ 2]), 18);
  55                x[ 3] ^= rol32((x[15] + x[11]),  7);
  56                x[ 7] ^= rol32((x[ 3] + x[15]),  9);
  57                x[11] ^= rol32((x[ 7] + x[ 3]), 13);
  58                x[15] ^= rol32((x[11] + x[ 7]), 18);
  59                x[ 1] ^= rol32((x[ 0] + x[ 3]),  7);
  60                x[ 2] ^= rol32((x[ 1] + x[ 0]),  9);
  61                x[ 3] ^= rol32((x[ 2] + x[ 1]), 13);
  62                x[ 0] ^= rol32((x[ 3] + x[ 2]), 18);
  63                x[ 6] ^= rol32((x[ 5] + x[ 4]),  7);
  64                x[ 7] ^= rol32((x[ 6] + x[ 5]),  9);
  65                x[ 4] ^= rol32((x[ 7] + x[ 6]), 13);
  66                x[ 5] ^= rol32((x[ 4] + x[ 7]), 18);
  67                x[11] ^= rol32((x[10] + x[ 9]),  7);
  68                x[ 8] ^= rol32((x[11] + x[10]),  9);
  69                x[ 9] ^= rol32((x[ 8] + x[11]), 13);
  70                x[10] ^= rol32((x[ 9] + x[ 8]), 18);
  71                x[12] ^= rol32((x[15] + x[14]),  7);
  72                x[13] ^= rol32((x[12] + x[15]),  9);
  73                x[14] ^= rol32((x[13] + x[12]), 13);
  74                x[15] ^= rol32((x[14] + x[13]), 18);
  75        }
  76
  77        for (i = 0; i < 16; i++)
  78                stream[i] = cpu_to_le32(x[i] + state[i]);
  79
  80        if (++state[8] == 0)
  81                state[9]++;
  82}
  83
  84static void salsa20_docrypt(u32 *state, u8 *dst, const u8 *src,
  85                            unsigned int bytes)
  86{
  87        __le32 stream[SALSA20_BLOCK_SIZE / sizeof(__le32)];
  88
  89        while (bytes >= SALSA20_BLOCK_SIZE) {
  90                salsa20_block(state, stream);
  91                crypto_xor_cpy(dst, src, (const u8 *)stream,
  92                               SALSA20_BLOCK_SIZE);
  93                bytes -= SALSA20_BLOCK_SIZE;
  94                dst += SALSA20_BLOCK_SIZE;
  95                src += SALSA20_BLOCK_SIZE;
  96        }
  97        if (bytes) {
  98                salsa20_block(state, stream);
  99                crypto_xor_cpy(dst, src, (const u8 *)stream, bytes);
 100        }
 101}
 102
 103static void salsa20_init(u32 *state, const struct salsa20_ctx *ctx,
 104                         const u8 *iv)
 105{
 106        memcpy(state, ctx->initial_state, sizeof(ctx->initial_state));
 107        state[6] = get_unaligned_le32(iv + 0);
 108        state[7] = get_unaligned_le32(iv + 4);
 109}
 110
 111static int salsa20_setkey(struct crypto_skcipher *tfm, const u8 *key,
 112                          unsigned int keysize)
 113{
 114        static const char sigma[16] = "expand 32-byte k";
 115        static const char tau[16] = "expand 16-byte k";
 116        struct salsa20_ctx *ctx = crypto_skcipher_ctx(tfm);
 117        const char *constants;
 118
 119        if (keysize != SALSA20_MIN_KEY_SIZE &&
 120            keysize != SALSA20_MAX_KEY_SIZE)
 121                return -EINVAL;
 122
 123        ctx->initial_state[1] = get_unaligned_le32(key + 0);
 124        ctx->initial_state[2] = get_unaligned_le32(key + 4);
 125        ctx->initial_state[3] = get_unaligned_le32(key + 8);
 126        ctx->initial_state[4] = get_unaligned_le32(key + 12);
 127        if (keysize == 32) { /* recommended */
 128                key += 16;
 129                constants = sigma;
 130        } else { /* keysize == 16 */
 131                constants = tau;
 132        }
 133        ctx->initial_state[11] = get_unaligned_le32(key + 0);
 134        ctx->initial_state[12] = get_unaligned_le32(key + 4);
 135        ctx->initial_state[13] = get_unaligned_le32(key + 8);
 136        ctx->initial_state[14] = get_unaligned_le32(key + 12);
 137        ctx->initial_state[0]  = get_unaligned_le32(constants + 0);
 138        ctx->initial_state[5]  = get_unaligned_le32(constants + 4);
 139        ctx->initial_state[10] = get_unaligned_le32(constants + 8);
 140        ctx->initial_state[15] = get_unaligned_le32(constants + 12);
 141
 142        /* space for the nonce; it will be overridden for each request */
 143        ctx->initial_state[6] = 0;
 144        ctx->initial_state[7] = 0;
 145
 146        /* initial block number */
 147        ctx->initial_state[8] = 0;
 148        ctx->initial_state[9] = 0;
 149
 150        return 0;
 151}
 152
 153static int salsa20_crypt(struct skcipher_request *req)
 154{
 155        struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
 156        const struct salsa20_ctx *ctx = crypto_skcipher_ctx(tfm);
 157        struct skcipher_walk walk;
 158        u32 state[16];
 159        int err;
 160
 161        err = skcipher_walk_virt(&walk, req, false);
 162
 163        salsa20_init(state, ctx, req->iv);
 164
 165        while (walk.nbytes > 0) {
 166                unsigned int nbytes = walk.nbytes;
 167
 168                if (nbytes < walk.total)
 169                        nbytes = round_down(nbytes, walk.stride);
 170
 171                salsa20_docrypt(state, walk.dst.virt.addr, walk.src.virt.addr,
 172                                nbytes);
 173                err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
 174        }
 175
 176        return err;
 177}
 178
 179static struct skcipher_alg alg = {
 180        .base.cra_name          = "salsa20",
 181        .base.cra_driver_name   = "salsa20-generic",
 182        .base.cra_priority      = 100,
 183        .base.cra_blocksize     = 1,
 184        .base.cra_ctxsize       = sizeof(struct salsa20_ctx),
 185        .base.cra_module        = THIS_MODULE,
 186
 187        .min_keysize            = SALSA20_MIN_KEY_SIZE,
 188        .max_keysize            = SALSA20_MAX_KEY_SIZE,
 189        .ivsize                 = SALSA20_IV_SIZE,
 190        .chunksize              = SALSA20_BLOCK_SIZE,
 191        .setkey                 = salsa20_setkey,
 192        .encrypt                = salsa20_crypt,
 193        .decrypt                = salsa20_crypt,
 194};
 195
 196static int __init salsa20_generic_mod_init(void)
 197{
 198        return crypto_register_skcipher(&alg);
 199}
 200
 201static void __exit salsa20_generic_mod_fini(void)
 202{
 203        crypto_unregister_skcipher(&alg);
 204}
 205
 206subsys_initcall(salsa20_generic_mod_init);
 207module_exit(salsa20_generic_mod_fini);
 208
 209MODULE_LICENSE("GPL");
 210MODULE_DESCRIPTION ("Salsa20 stream cipher algorithm");
 211MODULE_ALIAS_CRYPTO("salsa20");
 212MODULE_ALIAS_CRYPTO("salsa20-generic");
 213