Blame view
crypto/salsa20_generic.c
6.02 KB
2407d6087
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
/* * Salsa20: Salsa20 stream cipher algorithm * * Copyright (c) 2007 Tan Swee Heng <thesweeheng@gmail.com> * * Derived from: * - salsa20.c: Public domain C code by Daniel J. Bernstein <djb@cr.yp.to> * * Salsa20 is a stream cipher candidate in eSTREAM, the ECRYPT Stream * Cipher Project. It is designed by Daniel J. Bernstein <djb@cr.yp.to>. * More information about eSTREAM and Salsa20 can be found here: * http://www.ecrypt.eu.org/stream/ * http://cr.yp.to/snuffle.html * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the Free * Software Foundation; either version 2 of the License, or (at your option) * any later version. * */ |
b62b3db76
|
21 22 |
#include <asm/unaligned.h> #include <crypto/internal/skcipher.h> |
2407d6087
|
23 |
#include <linux/module.h> |
2407d6087
|
24 |
|
015a03704
|
25 26 27 28 29 30 31 32 |
#define SALSA20_IV_SIZE 8 #define SALSA20_MIN_KEY_SIZE 16 #define SALSA20_MAX_KEY_SIZE 32 #define SALSA20_BLOCK_SIZE 64 struct salsa20_ctx { u32 initial_state[16]; }; |
b62b3db76
|
33 |
static void salsa20_block(u32 *state, __le32 *stream) |
2407d6087
|
34 35 36 |
{ u32 x[16]; int i; |
b62b3db76
|
37 38 39 |
memcpy(x, state, sizeof(x)); for (i = 0; i < 20; i += 2) { |
f0d1ec3a2
|
40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 |
x[ 4] ^= rol32((x[ 0] + x[12]), 7); x[ 8] ^= rol32((x[ 4] + x[ 0]), 9); x[12] ^= rol32((x[ 8] + x[ 4]), 13); x[ 0] ^= rol32((x[12] + x[ 8]), 18); x[ 9] ^= rol32((x[ 5] + x[ 1]), 7); x[13] ^= rol32((x[ 9] + x[ 5]), 9); x[ 1] ^= rol32((x[13] + x[ 9]), 13); x[ 5] ^= rol32((x[ 1] + x[13]), 18); x[14] ^= rol32((x[10] + x[ 6]), 7); x[ 2] ^= rol32((x[14] + x[10]), 9); x[ 6] ^= rol32((x[ 2] + x[14]), 13); x[10] ^= rol32((x[ 6] + x[ 2]), 18); x[ 3] ^= rol32((x[15] + x[11]), 7); x[ 7] ^= rol32((x[ 3] + x[15]), 9); x[11] ^= rol32((x[ 7] + x[ 3]), 13); x[15] ^= rol32((x[11] + x[ 7]), 18); x[ 1] ^= rol32((x[ 0] + x[ 3]), 7); x[ 2] ^= rol32((x[ 1] + x[ 0]), 9); x[ 3] ^= rol32((x[ 2] + x[ 1]), 13); x[ 0] ^= rol32((x[ 3] + x[ 2]), 18); x[ 6] ^= rol32((x[ 5] + x[ 4]), 7); x[ 7] ^= rol32((x[ 6] + x[ 5]), 9); x[ 4] ^= rol32((x[ 7] + x[ 6]), 13); x[ 5] ^= rol32((x[ 4] + x[ 7]), 18); x[11] ^= rol32((x[10] + x[ 9]), 7); x[ 8] ^= rol32((x[11] + x[10]), 9); x[ 9] ^= rol32((x[ 8] + x[11]), 13); x[10] ^= rol32((x[ 9] + x[ 8]), 18); x[12] ^= rol32((x[15] + x[14]), 7); x[13] ^= rol32((x[12] + x[15]), 9); x[14] ^= rol32((x[13] + x[12]), 13); x[15] ^= rol32((x[14] + x[13]), 18); |
2407d6087
|
72 |
} |
2407d6087
|
73 |
|
b62b3db76
|
74 75 76 77 78 79 |
for (i = 0; i < 16; i++) stream[i] = cpu_to_le32(x[i] + state[i]); if (++state[8] == 0) state[9]++; } |
2407d6087
|
80 |
|
b62b3db76
|
81 82 |
static void salsa20_docrypt(u32 *state, u8 *dst, const u8 *src, unsigned int bytes) |
2407d6087
|
83 |
{ |
b62b3db76
|
84 |
__le32 stream[SALSA20_BLOCK_SIZE / sizeof(__le32)]; |
2407d6087
|
85 |
|
b62b3db76
|
86 87 |
while (bytes >= SALSA20_BLOCK_SIZE) { salsa20_block(state, stream); |
f6fff1707
|
88 89 |
crypto_xor_cpy(dst, src, (const u8 *)stream, SALSA20_BLOCK_SIZE); |
b62b3db76
|
90 91 |
bytes -= SALSA20_BLOCK_SIZE; dst += SALSA20_BLOCK_SIZE; |
f6fff1707
|
92 |
src += SALSA20_BLOCK_SIZE; |
b62b3db76
|
93 94 95 |
} if (bytes) { salsa20_block(state, stream); |
f6fff1707
|
96 |
crypto_xor_cpy(dst, src, (const u8 *)stream, bytes); |
2407d6087
|
97 |
} |
2407d6087
|
98 |
} |
015a03704
|
99 |
static void salsa20_init(u32 *state, const struct salsa20_ctx *ctx, |
b62b3db76
|
100 |
const u8 *iv) |
2407d6087
|
101 |
{ |
b62b3db76
|
102 103 104 |
memcpy(state, ctx->initial_state, sizeof(ctx->initial_state)); state[6] = get_unaligned_le32(iv + 0); state[7] = get_unaligned_le32(iv + 4); |
2407d6087
|
105 |
} |
015a03704
|
106 |
static int salsa20_setkey(struct crypto_skcipher *tfm, const u8 *key, |
b62b3db76
|
107 |
unsigned int keysize) |
2407d6087
|
108 |
{ |
b62b3db76
|
109 110 111 112 |
static const char sigma[16] = "expand 32-byte k"; static const char tau[16] = "expand 16-byte k"; struct salsa20_ctx *ctx = crypto_skcipher_ctx(tfm); const char *constants; |
2407d6087
|
113 |
|
b62b3db76
|
114 115 116 |
if (keysize != SALSA20_MIN_KEY_SIZE && keysize != SALSA20_MAX_KEY_SIZE) return -EINVAL; |
2407d6087
|
117 |
|
b62b3db76
|
118 119 120 121 122 123 124 125 126 |
ctx->initial_state[1] = get_unaligned_le32(key + 0); ctx->initial_state[2] = get_unaligned_le32(key + 4); ctx->initial_state[3] = get_unaligned_le32(key + 8); ctx->initial_state[4] = get_unaligned_le32(key + 12); if (keysize == 32) { /* recommended */ key += 16; constants = sigma; } else { /* keysize == 16 */ constants = tau; |
2407d6087
|
127 |
} |
b62b3db76
|
128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 |
ctx->initial_state[11] = get_unaligned_le32(key + 0); ctx->initial_state[12] = get_unaligned_le32(key + 4); ctx->initial_state[13] = get_unaligned_le32(key + 8); ctx->initial_state[14] = get_unaligned_le32(key + 12); ctx->initial_state[0] = get_unaligned_le32(constants + 0); ctx->initial_state[5] = get_unaligned_le32(constants + 4); ctx->initial_state[10] = get_unaligned_le32(constants + 8); ctx->initial_state[15] = get_unaligned_le32(constants + 12); /* space for the nonce; it will be overridden for each request */ ctx->initial_state[6] = 0; ctx->initial_state[7] = 0; /* initial block number */ ctx->initial_state[8] = 0; ctx->initial_state[9] = 0; |
2407d6087
|
144 |
|
2407d6087
|
145 146 |
return 0; } |
b62b3db76
|
147 |
static int salsa20_crypt(struct skcipher_request *req) |
2407d6087
|
148 |
{ |
b62b3db76
|
149 150 151 152 |
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); const struct salsa20_ctx *ctx = crypto_skcipher_ctx(tfm); struct skcipher_walk walk; u32 state[16]; |
2407d6087
|
153 |
int err; |
101b53d91
|
154 |
err = skcipher_walk_virt(&walk, req, false); |
2407d6087
|
155 |
|
edaf28e99
|
156 |
salsa20_init(state, ctx, req->iv); |
2407d6087
|
157 |
|
b62b3db76
|
158 159 |
while (walk.nbytes > 0) { unsigned int nbytes = walk.nbytes; |
eb6f13eb9
|
160 |
|
b62b3db76
|
161 162 163 164 165 166 |
if (nbytes < walk.total) nbytes = round_down(nbytes, walk.stride); salsa20_docrypt(state, walk.dst.virt.addr, walk.src.virt.addr, nbytes); err = skcipher_walk_done(&walk, walk.nbytes - nbytes); |
eb6f13eb9
|
167 |
} |
2407d6087
|
168 169 |
return err; } |
b62b3db76
|
170 171 172 173 174 175 176 177 178 179 180 181 |
static struct skcipher_alg alg = { .base.cra_name = "salsa20", .base.cra_driver_name = "salsa20-generic", .base.cra_priority = 100, .base.cra_blocksize = 1, .base.cra_ctxsize = sizeof(struct salsa20_ctx), .base.cra_module = THIS_MODULE, .min_keysize = SALSA20_MIN_KEY_SIZE, .max_keysize = SALSA20_MAX_KEY_SIZE, .ivsize = SALSA20_IV_SIZE, .chunksize = SALSA20_BLOCK_SIZE, |
015a03704
|
182 |
.setkey = salsa20_setkey, |
b62b3db76
|
183 184 |
.encrypt = salsa20_crypt, .decrypt = salsa20_crypt, |
2407d6087
|
185 |
}; |
3af5b90bd
|
186 |
static int __init salsa20_generic_mod_init(void) |
2407d6087
|
187 |
{ |
b62b3db76
|
188 |
return crypto_register_skcipher(&alg); |
2407d6087
|
189 |
} |
3af5b90bd
|
190 |
static void __exit salsa20_generic_mod_fini(void) |
2407d6087
|
191 |
{ |
b62b3db76
|
192 |
crypto_unregister_skcipher(&alg); |
2407d6087
|
193 |
} |
c4741b230
|
194 |
subsys_initcall(salsa20_generic_mod_init); |
3af5b90bd
|
195 |
module_exit(salsa20_generic_mod_fini); |
2407d6087
|
196 197 198 |
MODULE_LICENSE("GPL"); MODULE_DESCRIPTION ("Salsa20 stream cipher algorithm"); |
5d26a105b
|
199 |
MODULE_ALIAS_CRYPTO("salsa20"); |
3e14dcf7c
|
200 |
MODULE_ALIAS_CRYPTO("salsa20-generic"); |