root/crypto/salsa20_generic.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. salsa20_block
  2. salsa20_docrypt
  3. salsa20_init
  4. salsa20_setkey
  5. salsa20_crypt
  6. salsa20_generic_mod_init
  7. salsa20_generic_mod_fini

   1 /*
   2  * Salsa20: Salsa20 stream cipher algorithm
   3  *
   4  * Copyright (c) 2007 Tan Swee Heng <thesweeheng@gmail.com>
   5  *
   6  * Derived from:
   7  * - salsa20.c: Public domain C code by Daniel J. Bernstein <djb@cr.yp.to>
   8  *
   9  * Salsa20 is a stream cipher candidate in eSTREAM, the ECRYPT Stream
  10  * Cipher Project. It is designed by Daniel J. Bernstein <djb@cr.yp.to>.
  11  * More information about eSTREAM and Salsa20 can be found here:
  12  *   http://www.ecrypt.eu.org/stream/
  13  *   http://cr.yp.to/snuffle.html
  14  *
  15  * This program is free software; you can redistribute it and/or modify it
  16  * under the terms of the GNU General Public License as published by the Free
  17  * Software Foundation; either version 2 of the License, or (at your option)
  18  * any later version.
  19  *
  20  */
  21 
  22 #include <asm/unaligned.h>
  23 #include <crypto/internal/skcipher.h>
  24 #include <linux/module.h>
  25 
  26 #define SALSA20_IV_SIZE        8
  27 #define SALSA20_MIN_KEY_SIZE  16
  28 #define SALSA20_MAX_KEY_SIZE  32
  29 #define SALSA20_BLOCK_SIZE    64
  30 
  31 struct salsa20_ctx {
  32         u32 initial_state[16];
  33 };
  34 
  35 static void salsa20_block(u32 *state, __le32 *stream)
  36 {
  37         u32 x[16];
  38         int i;
  39 
  40         memcpy(x, state, sizeof(x));
  41 
  42         for (i = 0; i < 20; i += 2) {
  43                 x[ 4] ^= rol32((x[ 0] + x[12]),  7);
  44                 x[ 8] ^= rol32((x[ 4] + x[ 0]),  9);
  45                 x[12] ^= rol32((x[ 8] + x[ 4]), 13);
  46                 x[ 0] ^= rol32((x[12] + x[ 8]), 18);
  47                 x[ 9] ^= rol32((x[ 5] + x[ 1]),  7);
  48                 x[13] ^= rol32((x[ 9] + x[ 5]),  9);
  49                 x[ 1] ^= rol32((x[13] + x[ 9]), 13);
  50                 x[ 5] ^= rol32((x[ 1] + x[13]), 18);
  51                 x[14] ^= rol32((x[10] + x[ 6]),  7);
  52                 x[ 2] ^= rol32((x[14] + x[10]),  9);
  53                 x[ 6] ^= rol32((x[ 2] + x[14]), 13);
  54                 x[10] ^= rol32((x[ 6] + x[ 2]), 18);
  55                 x[ 3] ^= rol32((x[15] + x[11]),  7);
  56                 x[ 7] ^= rol32((x[ 3] + x[15]),  9);
  57                 x[11] ^= rol32((x[ 7] + x[ 3]), 13);
  58                 x[15] ^= rol32((x[11] + x[ 7]), 18);
  59                 x[ 1] ^= rol32((x[ 0] + x[ 3]),  7);
  60                 x[ 2] ^= rol32((x[ 1] + x[ 0]),  9);
  61                 x[ 3] ^= rol32((x[ 2] + x[ 1]), 13);
  62                 x[ 0] ^= rol32((x[ 3] + x[ 2]), 18);
  63                 x[ 6] ^= rol32((x[ 5] + x[ 4]),  7);
  64                 x[ 7] ^= rol32((x[ 6] + x[ 5]),  9);
  65                 x[ 4] ^= rol32((x[ 7] + x[ 6]), 13);
  66                 x[ 5] ^= rol32((x[ 4] + x[ 7]), 18);
  67                 x[11] ^= rol32((x[10] + x[ 9]),  7);
  68                 x[ 8] ^= rol32((x[11] + x[10]),  9);
  69                 x[ 9] ^= rol32((x[ 8] + x[11]), 13);
  70                 x[10] ^= rol32((x[ 9] + x[ 8]), 18);
  71                 x[12] ^= rol32((x[15] + x[14]),  7);
  72                 x[13] ^= rol32((x[12] + x[15]),  9);
  73                 x[14] ^= rol32((x[13] + x[12]), 13);
  74                 x[15] ^= rol32((x[14] + x[13]), 18);
  75         }
  76 
  77         for (i = 0; i < 16; i++)
  78                 stream[i] = cpu_to_le32(x[i] + state[i]);
  79 
  80         if (++state[8] == 0)
  81                 state[9]++;
  82 }
  83 
  84 static void salsa20_docrypt(u32 *state, u8 *dst, const u8 *src,
  85                             unsigned int bytes)
  86 {
  87         __le32 stream[SALSA20_BLOCK_SIZE / sizeof(__le32)];
  88 
  89         while (bytes >= SALSA20_BLOCK_SIZE) {
  90                 salsa20_block(state, stream);
  91                 crypto_xor_cpy(dst, src, (const u8 *)stream,
  92                                SALSA20_BLOCK_SIZE);
  93                 bytes -= SALSA20_BLOCK_SIZE;
  94                 dst += SALSA20_BLOCK_SIZE;
  95                 src += SALSA20_BLOCK_SIZE;
  96         }
  97         if (bytes) {
  98                 salsa20_block(state, stream);
  99                 crypto_xor_cpy(dst, src, (const u8 *)stream, bytes);
 100         }
 101 }
 102 
 103 static void salsa20_init(u32 *state, const struct salsa20_ctx *ctx,
 104                          const u8 *iv)
 105 {
 106         memcpy(state, ctx->initial_state, sizeof(ctx->initial_state));
 107         state[6] = get_unaligned_le32(iv + 0);
 108         state[7] = get_unaligned_le32(iv + 4);
 109 }
 110 
 111 static int salsa20_setkey(struct crypto_skcipher *tfm, const u8 *key,
 112                           unsigned int keysize)
 113 {
 114         static const char sigma[16] = "expand 32-byte k";
 115         static const char tau[16] = "expand 16-byte k";
 116         struct salsa20_ctx *ctx = crypto_skcipher_ctx(tfm);
 117         const char *constants;
 118 
 119         if (keysize != SALSA20_MIN_KEY_SIZE &&
 120             keysize != SALSA20_MAX_KEY_SIZE)
 121                 return -EINVAL;
 122 
 123         ctx->initial_state[1] = get_unaligned_le32(key + 0);
 124         ctx->initial_state[2] = get_unaligned_le32(key + 4);
 125         ctx->initial_state[3] = get_unaligned_le32(key + 8);
 126         ctx->initial_state[4] = get_unaligned_le32(key + 12);
 127         if (keysize == 32) { /* recommended */
 128                 key += 16;
 129                 constants = sigma;
 130         } else { /* keysize == 16 */
 131                 constants = tau;
 132         }
 133         ctx->initial_state[11] = get_unaligned_le32(key + 0);
 134         ctx->initial_state[12] = get_unaligned_le32(key + 4);
 135         ctx->initial_state[13] = get_unaligned_le32(key + 8);
 136         ctx->initial_state[14] = get_unaligned_le32(key + 12);
 137         ctx->initial_state[0]  = get_unaligned_le32(constants + 0);
 138         ctx->initial_state[5]  = get_unaligned_le32(constants + 4);
 139         ctx->initial_state[10] = get_unaligned_le32(constants + 8);
 140         ctx->initial_state[15] = get_unaligned_le32(constants + 12);
 141 
 142         /* space for the nonce; it will be overridden for each request */
 143         ctx->initial_state[6] = 0;
 144         ctx->initial_state[7] = 0;
 145 
 146         /* initial block number */
 147         ctx->initial_state[8] = 0;
 148         ctx->initial_state[9] = 0;
 149 
 150         return 0;
 151 }
 152 
 153 static int salsa20_crypt(struct skcipher_request *req)
 154 {
 155         struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
 156         const struct salsa20_ctx *ctx = crypto_skcipher_ctx(tfm);
 157         struct skcipher_walk walk;
 158         u32 state[16];
 159         int err;
 160 
 161         err = skcipher_walk_virt(&walk, req, false);
 162 
 163         salsa20_init(state, ctx, req->iv);
 164 
 165         while (walk.nbytes > 0) {
 166                 unsigned int nbytes = walk.nbytes;
 167 
 168                 if (nbytes < walk.total)
 169                         nbytes = round_down(nbytes, walk.stride);
 170 
 171                 salsa20_docrypt(state, walk.dst.virt.addr, walk.src.virt.addr,
 172                                 nbytes);
 173                 err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
 174         }
 175 
 176         return err;
 177 }
 178 
 179 static struct skcipher_alg alg = {
 180         .base.cra_name          = "salsa20",
 181         .base.cra_driver_name   = "salsa20-generic",
 182         .base.cra_priority      = 100,
 183         .base.cra_blocksize     = 1,
 184         .base.cra_ctxsize       = sizeof(struct salsa20_ctx),
 185         .base.cra_module        = THIS_MODULE,
 186 
 187         .min_keysize            = SALSA20_MIN_KEY_SIZE,
 188         .max_keysize            = SALSA20_MAX_KEY_SIZE,
 189         .ivsize                 = SALSA20_IV_SIZE,
 190         .chunksize              = SALSA20_BLOCK_SIZE,
 191         .setkey                 = salsa20_setkey,
 192         .encrypt                = salsa20_crypt,
 193         .decrypt                = salsa20_crypt,
 194 };
 195 
 196 static int __init salsa20_generic_mod_init(void)
 197 {
 198         return crypto_register_skcipher(&alg);
 199 }
 200 
 201 static void __exit salsa20_generic_mod_fini(void)
 202 {
 203         crypto_unregister_skcipher(&alg);
 204 }
 205 
 206 subsys_initcall(salsa20_generic_mod_init);
 207 module_exit(salsa20_generic_mod_fini);
 208 
 209 MODULE_LICENSE("GPL");
 210 MODULE_DESCRIPTION ("Salsa20 stream cipher algorithm");
 211 MODULE_ALIAS_CRYPTO("salsa20");
 212 MODULE_ALIAS_CRYPTO("salsa20-generic");

/* [<][>][^][v][top][bottom][index][help] */