salsa20_generic.c 6.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214
  1. /*
  2. * Salsa20: Salsa20 stream cipher algorithm
  3. *
  4. * Copyright (c) 2007 Tan Swee Heng <thesweeheng@gmail.com>
  5. *
  6. * Derived from:
  7. * - salsa20.c: Public domain C code by Daniel J. Bernstein <djb@cr.yp.to>
  8. *
  9. * Salsa20 is a stream cipher candidate in eSTREAM, the ECRYPT Stream
  10. * Cipher Project. It is designed by Daniel J. Bernstein <djb@cr.yp.to>.
  11. * More information about eSTREAM and Salsa20 can be found here:
  12. * http://www.ecrypt.eu.org/stream/
  13. * http://cr.yp.to/snuffle.html
  14. *
  15. * This program is free software; you can redistribute it and/or modify it
  16. * under the terms of the GNU General Public License as published by the Free
  17. * Software Foundation; either version 2 of the License, or (at your option)
  18. * any later version.
  19. *
  20. */
  21. #include <asm/unaligned.h>
  22. #include <crypto/internal/skcipher.h>
  23. #include <linux/module.h>
  24. #define SALSA20_IV_SIZE 8
  25. #define SALSA20_MIN_KEY_SIZE 16
  26. #define SALSA20_MAX_KEY_SIZE 32
  27. #define SALSA20_BLOCK_SIZE 64
  28. struct salsa20_ctx {
  29. u32 initial_state[16];
  30. };
  31. static void salsa20_block(u32 *state, __le32 *stream)
  32. {
  33. u32 x[16];
  34. int i;
  35. memcpy(x, state, sizeof(x));
  36. for (i = 0; i < 20; i += 2) {
  37. x[ 4] ^= rol32((x[ 0] + x[12]), 7);
  38. x[ 8] ^= rol32((x[ 4] + x[ 0]), 9);
  39. x[12] ^= rol32((x[ 8] + x[ 4]), 13);
  40. x[ 0] ^= rol32((x[12] + x[ 8]), 18);
  41. x[ 9] ^= rol32((x[ 5] + x[ 1]), 7);
  42. x[13] ^= rol32((x[ 9] + x[ 5]), 9);
  43. x[ 1] ^= rol32((x[13] + x[ 9]), 13);
  44. x[ 5] ^= rol32((x[ 1] + x[13]), 18);
  45. x[14] ^= rol32((x[10] + x[ 6]), 7);
  46. x[ 2] ^= rol32((x[14] + x[10]), 9);
  47. x[ 6] ^= rol32((x[ 2] + x[14]), 13);
  48. x[10] ^= rol32((x[ 6] + x[ 2]), 18);
  49. x[ 3] ^= rol32((x[15] + x[11]), 7);
  50. x[ 7] ^= rol32((x[ 3] + x[15]), 9);
  51. x[11] ^= rol32((x[ 7] + x[ 3]), 13);
  52. x[15] ^= rol32((x[11] + x[ 7]), 18);
  53. x[ 1] ^= rol32((x[ 0] + x[ 3]), 7);
  54. x[ 2] ^= rol32((x[ 1] + x[ 0]), 9);
  55. x[ 3] ^= rol32((x[ 2] + x[ 1]), 13);
  56. x[ 0] ^= rol32((x[ 3] + x[ 2]), 18);
  57. x[ 6] ^= rol32((x[ 5] + x[ 4]), 7);
  58. x[ 7] ^= rol32((x[ 6] + x[ 5]), 9);
  59. x[ 4] ^= rol32((x[ 7] + x[ 6]), 13);
  60. x[ 5] ^= rol32((x[ 4] + x[ 7]), 18);
  61. x[11] ^= rol32((x[10] + x[ 9]), 7);
  62. x[ 8] ^= rol32((x[11] + x[10]), 9);
  63. x[ 9] ^= rol32((x[ 8] + x[11]), 13);
  64. x[10] ^= rol32((x[ 9] + x[ 8]), 18);
  65. x[12] ^= rol32((x[15] + x[14]), 7);
  66. x[13] ^= rol32((x[12] + x[15]), 9);
  67. x[14] ^= rol32((x[13] + x[12]), 13);
  68. x[15] ^= rol32((x[14] + x[13]), 18);
  69. }
  70. for (i = 0; i < 16; i++)
  71. stream[i] = cpu_to_le32(x[i] + state[i]);
  72. if (++state[8] == 0)
  73. state[9]++;
  74. }
  75. static void salsa20_docrypt(u32 *state, u8 *dst, const u8 *src,
  76. unsigned int bytes)
  77. {
  78. __le32 stream[SALSA20_BLOCK_SIZE / sizeof(__le32)];
  79. if (dst != src)
  80. memcpy(dst, src, bytes);
  81. while (bytes >= SALSA20_BLOCK_SIZE) {
  82. salsa20_block(state, stream);
  83. crypto_xor(dst, (const u8 *)stream, SALSA20_BLOCK_SIZE);
  84. bytes -= SALSA20_BLOCK_SIZE;
  85. dst += SALSA20_BLOCK_SIZE;
  86. }
  87. if (bytes) {
  88. salsa20_block(state, stream);
  89. crypto_xor(dst, (const u8 *)stream, bytes);
  90. }
  91. }
  92. static void salsa20_init(u32 *state, const struct salsa20_ctx *ctx,
  93. const u8 *iv)
  94. {
  95. memcpy(state, ctx->initial_state, sizeof(ctx->initial_state));
  96. state[6] = get_unaligned_le32(iv + 0);
  97. state[7] = get_unaligned_le32(iv + 4);
  98. }
  99. static int salsa20_setkey(struct crypto_skcipher *tfm, const u8 *key,
  100. unsigned int keysize)
  101. {
  102. static const char sigma[16] = "expand 32-byte k";
  103. static const char tau[16] = "expand 16-byte k";
  104. struct salsa20_ctx *ctx = crypto_skcipher_ctx(tfm);
  105. const char *constants;
  106. if (keysize != SALSA20_MIN_KEY_SIZE &&
  107. keysize != SALSA20_MAX_KEY_SIZE)
  108. return -EINVAL;
  109. ctx->initial_state[1] = get_unaligned_le32(key + 0);
  110. ctx->initial_state[2] = get_unaligned_le32(key + 4);
  111. ctx->initial_state[3] = get_unaligned_le32(key + 8);
  112. ctx->initial_state[4] = get_unaligned_le32(key + 12);
  113. if (keysize == 32) { /* recommended */
  114. key += 16;
  115. constants = sigma;
  116. } else { /* keysize == 16 */
  117. constants = tau;
  118. }
  119. ctx->initial_state[11] = get_unaligned_le32(key + 0);
  120. ctx->initial_state[12] = get_unaligned_le32(key + 4);
  121. ctx->initial_state[13] = get_unaligned_le32(key + 8);
  122. ctx->initial_state[14] = get_unaligned_le32(key + 12);
  123. ctx->initial_state[0] = get_unaligned_le32(constants + 0);
  124. ctx->initial_state[5] = get_unaligned_le32(constants + 4);
  125. ctx->initial_state[10] = get_unaligned_le32(constants + 8);
  126. ctx->initial_state[15] = get_unaligned_le32(constants + 12);
  127. /* space for the nonce; it will be overridden for each request */
  128. ctx->initial_state[6] = 0;
  129. ctx->initial_state[7] = 0;
  130. /* initial block number */
  131. ctx->initial_state[8] = 0;
  132. ctx->initial_state[9] = 0;
  133. return 0;
  134. }
  135. static int salsa20_crypt(struct skcipher_request *req)
  136. {
  137. struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
  138. const struct salsa20_ctx *ctx = crypto_skcipher_ctx(tfm);
  139. struct skcipher_walk walk;
  140. u32 state[16];
  141. int err;
  142. err = skcipher_walk_virt(&walk, req, true);
  143. salsa20_init(state, ctx, req->iv);
  144. while (walk.nbytes > 0) {
  145. unsigned int nbytes = walk.nbytes;
  146. if (nbytes < walk.total)
  147. nbytes = round_down(nbytes, walk.stride);
  148. salsa20_docrypt(state, walk.dst.virt.addr, walk.src.virt.addr,
  149. nbytes);
  150. err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
  151. }
  152. return err;
  153. }
  154. static struct skcipher_alg alg = {
  155. .base.cra_name = "salsa20",
  156. .base.cra_driver_name = "salsa20-generic",
  157. .base.cra_priority = 100,
  158. .base.cra_blocksize = 1,
  159. .base.cra_ctxsize = sizeof(struct salsa20_ctx),
  160. .base.cra_module = THIS_MODULE,
  161. .min_keysize = SALSA20_MIN_KEY_SIZE,
  162. .max_keysize = SALSA20_MAX_KEY_SIZE,
  163. .ivsize = SALSA20_IV_SIZE,
  164. .chunksize = SALSA20_BLOCK_SIZE,
  165. .setkey = salsa20_setkey,
  166. .encrypt = salsa20_crypt,
  167. .decrypt = salsa20_crypt,
  168. };
  169. static int __init salsa20_generic_mod_init(void)
  170. {
  171. return crypto_register_skcipher(&alg);
  172. }
  173. static void __exit salsa20_generic_mod_fini(void)
  174. {
  175. crypto_unregister_skcipher(&alg);
  176. }
  177. module_init(salsa20_generic_mod_init);
  178. module_exit(salsa20_generic_mod_fini);
  179. MODULE_LICENSE("GPL");
  180. MODULE_DESCRIPTION ("Salsa20 stream cipher algorithm");
  181. MODULE_ALIAS_CRYPTO("salsa20");
  182. MODULE_ALIAS_CRYPTO("salsa20-generic");