Loading...
1/*
2 * Salsa20: Salsa20 stream cipher algorithm
3 *
4 * Copyright (c) 2007 Tan Swee Heng <thesweeheng@gmail.com>
5 *
6 * Derived from:
7 * - salsa20.c: Public domain C code by Daniel J. Bernstein <djb@cr.yp.to>
8 *
9 * Salsa20 is a stream cipher candidate in eSTREAM, the ECRYPT Stream
10 * Cipher Project. It is designed by Daniel J. Bernstein <djb@cr.yp.to>.
11 * More information about eSTREAM and Salsa20 can be found here:
12 * https://www.ecrypt.eu.org/stream/
13 * https://cr.yp.to/snuffle.html
14 *
15 * This program is free software; you can redistribute it and/or modify it
16 * under the terms of the GNU General Public License as published by the Free
17 * Software Foundation; either version 2 of the License, or (at your option)
18 * any later version.
19 *
20 */
21
22#include <asm/unaligned.h>
23#include <crypto/internal/skcipher.h>
24#include <linux/module.h>
25
26#define SALSA20_IV_SIZE 8
27#define SALSA20_MIN_KEY_SIZE 16
28#define SALSA20_MAX_KEY_SIZE 32
29#define SALSA20_BLOCK_SIZE 64
30
31struct salsa20_ctx {
32 u32 initial_state[16];
33};
34
35static void salsa20_block(u32 *state, __le32 *stream)
36{
37 u32 x[16];
38 int i;
39
40 memcpy(x, state, sizeof(x));
41
42 for (i = 0; i < 20; i += 2) {
43 x[ 4] ^= rol32((x[ 0] + x[12]), 7);
44 x[ 8] ^= rol32((x[ 4] + x[ 0]), 9);
45 x[12] ^= rol32((x[ 8] + x[ 4]), 13);
46 x[ 0] ^= rol32((x[12] + x[ 8]), 18);
47 x[ 9] ^= rol32((x[ 5] + x[ 1]), 7);
48 x[13] ^= rol32((x[ 9] + x[ 5]), 9);
49 x[ 1] ^= rol32((x[13] + x[ 9]), 13);
50 x[ 5] ^= rol32((x[ 1] + x[13]), 18);
51 x[14] ^= rol32((x[10] + x[ 6]), 7);
52 x[ 2] ^= rol32((x[14] + x[10]), 9);
53 x[ 6] ^= rol32((x[ 2] + x[14]), 13);
54 x[10] ^= rol32((x[ 6] + x[ 2]), 18);
55 x[ 3] ^= rol32((x[15] + x[11]), 7);
56 x[ 7] ^= rol32((x[ 3] + x[15]), 9);
57 x[11] ^= rol32((x[ 7] + x[ 3]), 13);
58 x[15] ^= rol32((x[11] + x[ 7]), 18);
59 x[ 1] ^= rol32((x[ 0] + x[ 3]), 7);
60 x[ 2] ^= rol32((x[ 1] + x[ 0]), 9);
61 x[ 3] ^= rol32((x[ 2] + x[ 1]), 13);
62 x[ 0] ^= rol32((x[ 3] + x[ 2]), 18);
63 x[ 6] ^= rol32((x[ 5] + x[ 4]), 7);
64 x[ 7] ^= rol32((x[ 6] + x[ 5]), 9);
65 x[ 4] ^= rol32((x[ 7] + x[ 6]), 13);
66 x[ 5] ^= rol32((x[ 4] + x[ 7]), 18);
67 x[11] ^= rol32((x[10] + x[ 9]), 7);
68 x[ 8] ^= rol32((x[11] + x[10]), 9);
69 x[ 9] ^= rol32((x[ 8] + x[11]), 13);
70 x[10] ^= rol32((x[ 9] + x[ 8]), 18);
71 x[12] ^= rol32((x[15] + x[14]), 7);
72 x[13] ^= rol32((x[12] + x[15]), 9);
73 x[14] ^= rol32((x[13] + x[12]), 13);
74 x[15] ^= rol32((x[14] + x[13]), 18);
75 }
76
77 for (i = 0; i < 16; i++)
78 stream[i] = cpu_to_le32(x[i] + state[i]);
79
80 if (++state[8] == 0)
81 state[9]++;
82}
83
84static void salsa20_docrypt(u32 *state, u8 *dst, const u8 *src,
85 unsigned int bytes)
86{
87 __le32 stream[SALSA20_BLOCK_SIZE / sizeof(__le32)];
88
89 while (bytes >= SALSA20_BLOCK_SIZE) {
90 salsa20_block(state, stream);
91 crypto_xor_cpy(dst, src, (const u8 *)stream,
92 SALSA20_BLOCK_SIZE);
93 bytes -= SALSA20_BLOCK_SIZE;
94 dst += SALSA20_BLOCK_SIZE;
95 src += SALSA20_BLOCK_SIZE;
96 }
97 if (bytes) {
98 salsa20_block(state, stream);
99 crypto_xor_cpy(dst, src, (const u8 *)stream, bytes);
100 }
101}
102
103static void salsa20_init(u32 *state, const struct salsa20_ctx *ctx,
104 const u8 *iv)
105{
106 memcpy(state, ctx->initial_state, sizeof(ctx->initial_state));
107 state[6] = get_unaligned_le32(iv + 0);
108 state[7] = get_unaligned_le32(iv + 4);
109}
110
111static int salsa20_setkey(struct crypto_skcipher *tfm, const u8 *key,
112 unsigned int keysize)
113{
114 static const char sigma[16] = "expand 32-byte k";
115 static const char tau[16] = "expand 16-byte k";
116 struct salsa20_ctx *ctx = crypto_skcipher_ctx(tfm);
117 const char *constants;
118
119 if (keysize != SALSA20_MIN_KEY_SIZE &&
120 keysize != SALSA20_MAX_KEY_SIZE)
121 return -EINVAL;
122
123 ctx->initial_state[1] = get_unaligned_le32(key + 0);
124 ctx->initial_state[2] = get_unaligned_le32(key + 4);
125 ctx->initial_state[3] = get_unaligned_le32(key + 8);
126 ctx->initial_state[4] = get_unaligned_le32(key + 12);
127 if (keysize == 32) { /* recommended */
128 key += 16;
129 constants = sigma;
130 } else { /* keysize == 16 */
131 constants = tau;
132 }
133 ctx->initial_state[11] = get_unaligned_le32(key + 0);
134 ctx->initial_state[12] = get_unaligned_le32(key + 4);
135 ctx->initial_state[13] = get_unaligned_le32(key + 8);
136 ctx->initial_state[14] = get_unaligned_le32(key + 12);
137 ctx->initial_state[0] = get_unaligned_le32(constants + 0);
138 ctx->initial_state[5] = get_unaligned_le32(constants + 4);
139 ctx->initial_state[10] = get_unaligned_le32(constants + 8);
140 ctx->initial_state[15] = get_unaligned_le32(constants + 12);
141
142 /* space for the nonce; it will be overridden for each request */
143 ctx->initial_state[6] = 0;
144 ctx->initial_state[7] = 0;
145
146 /* initial block number */
147 ctx->initial_state[8] = 0;
148 ctx->initial_state[9] = 0;
149
150 return 0;
151}
152
153static int salsa20_crypt(struct skcipher_request *req)
154{
155 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
156 const struct salsa20_ctx *ctx = crypto_skcipher_ctx(tfm);
157 struct skcipher_walk walk;
158 u32 state[16];
159 int err;
160
161 err = skcipher_walk_virt(&walk, req, false);
162
163 salsa20_init(state, ctx, req->iv);
164
165 while (walk.nbytes > 0) {
166 unsigned int nbytes = walk.nbytes;
167
168 if (nbytes < walk.total)
169 nbytes = round_down(nbytes, walk.stride);
170
171 salsa20_docrypt(state, walk.dst.virt.addr, walk.src.virt.addr,
172 nbytes);
173 err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
174 }
175
176 return err;
177}
178
179static struct skcipher_alg alg = {
180 .base.cra_name = "salsa20",
181 .base.cra_driver_name = "salsa20-generic",
182 .base.cra_priority = 100,
183 .base.cra_blocksize = 1,
184 .base.cra_ctxsize = sizeof(struct salsa20_ctx),
185 .base.cra_module = THIS_MODULE,
186
187 .min_keysize = SALSA20_MIN_KEY_SIZE,
188 .max_keysize = SALSA20_MAX_KEY_SIZE,
189 .ivsize = SALSA20_IV_SIZE,
190 .chunksize = SALSA20_BLOCK_SIZE,
191 .setkey = salsa20_setkey,
192 .encrypt = salsa20_crypt,
193 .decrypt = salsa20_crypt,
194};
195
196static int __init salsa20_generic_mod_init(void)
197{
198 return crypto_register_skcipher(&alg);
199}
200
201static void __exit salsa20_generic_mod_fini(void)
202{
203 crypto_unregister_skcipher(&alg);
204}
205
206subsys_initcall(salsa20_generic_mod_init);
207module_exit(salsa20_generic_mod_fini);
208
209MODULE_LICENSE("GPL");
210MODULE_DESCRIPTION ("Salsa20 stream cipher algorithm");
211MODULE_ALIAS_CRYPTO("salsa20");
212MODULE_ALIAS_CRYPTO("salsa20-generic");
1/*
2 * Salsa20: Salsa20 stream cipher algorithm
3 *
4 * Copyright (c) 2007 Tan Swee Heng <thesweeheng@gmail.com>
5 *
6 * Derived from:
7 * - salsa20.c: Public domain C code by Daniel J. Bernstein <djb@cr.yp.to>
8 *
9 * Salsa20 is a stream cipher candidate in eSTREAM, the ECRYPT Stream
10 * Cipher Project. It is designed by Daniel J. Bernstein <djb@cr.yp.to>.
11 * More information about eSTREAM and Salsa20 can be found here:
12 * http://www.ecrypt.eu.org/stream/
13 * http://cr.yp.to/snuffle.html
14 *
15 * This program is free software; you can redistribute it and/or modify it
16 * under the terms of the GNU General Public License as published by the Free
17 * Software Foundation; either version 2 of the License, or (at your option)
18 * any later version.
19 *
20 */
21
22#include <asm/unaligned.h>
23#include <crypto/internal/skcipher.h>
24#include <crypto/salsa20.h>
25#include <linux/module.h>
26
27static void salsa20_block(u32 *state, __le32 *stream)
28{
29 u32 x[16];
30 int i;
31
32 memcpy(x, state, sizeof(x));
33
34 for (i = 0; i < 20; i += 2) {
35 x[ 4] ^= rol32((x[ 0] + x[12]), 7);
36 x[ 8] ^= rol32((x[ 4] + x[ 0]), 9);
37 x[12] ^= rol32((x[ 8] + x[ 4]), 13);
38 x[ 0] ^= rol32((x[12] + x[ 8]), 18);
39 x[ 9] ^= rol32((x[ 5] + x[ 1]), 7);
40 x[13] ^= rol32((x[ 9] + x[ 5]), 9);
41 x[ 1] ^= rol32((x[13] + x[ 9]), 13);
42 x[ 5] ^= rol32((x[ 1] + x[13]), 18);
43 x[14] ^= rol32((x[10] + x[ 6]), 7);
44 x[ 2] ^= rol32((x[14] + x[10]), 9);
45 x[ 6] ^= rol32((x[ 2] + x[14]), 13);
46 x[10] ^= rol32((x[ 6] + x[ 2]), 18);
47 x[ 3] ^= rol32((x[15] + x[11]), 7);
48 x[ 7] ^= rol32((x[ 3] + x[15]), 9);
49 x[11] ^= rol32((x[ 7] + x[ 3]), 13);
50 x[15] ^= rol32((x[11] + x[ 7]), 18);
51 x[ 1] ^= rol32((x[ 0] + x[ 3]), 7);
52 x[ 2] ^= rol32((x[ 1] + x[ 0]), 9);
53 x[ 3] ^= rol32((x[ 2] + x[ 1]), 13);
54 x[ 0] ^= rol32((x[ 3] + x[ 2]), 18);
55 x[ 6] ^= rol32((x[ 5] + x[ 4]), 7);
56 x[ 7] ^= rol32((x[ 6] + x[ 5]), 9);
57 x[ 4] ^= rol32((x[ 7] + x[ 6]), 13);
58 x[ 5] ^= rol32((x[ 4] + x[ 7]), 18);
59 x[11] ^= rol32((x[10] + x[ 9]), 7);
60 x[ 8] ^= rol32((x[11] + x[10]), 9);
61 x[ 9] ^= rol32((x[ 8] + x[11]), 13);
62 x[10] ^= rol32((x[ 9] + x[ 8]), 18);
63 x[12] ^= rol32((x[15] + x[14]), 7);
64 x[13] ^= rol32((x[12] + x[15]), 9);
65 x[14] ^= rol32((x[13] + x[12]), 13);
66 x[15] ^= rol32((x[14] + x[13]), 18);
67 }
68
69 for (i = 0; i < 16; i++)
70 stream[i] = cpu_to_le32(x[i] + state[i]);
71
72 if (++state[8] == 0)
73 state[9]++;
74}
75
76static void salsa20_docrypt(u32 *state, u8 *dst, const u8 *src,
77 unsigned int bytes)
78{
79 __le32 stream[SALSA20_BLOCK_SIZE / sizeof(__le32)];
80
81 if (dst != src)
82 memcpy(dst, src, bytes);
83
84 while (bytes >= SALSA20_BLOCK_SIZE) {
85 salsa20_block(state, stream);
86 crypto_xor(dst, (const u8 *)stream, SALSA20_BLOCK_SIZE);
87 bytes -= SALSA20_BLOCK_SIZE;
88 dst += SALSA20_BLOCK_SIZE;
89 }
90 if (bytes) {
91 salsa20_block(state, stream);
92 crypto_xor(dst, (const u8 *)stream, bytes);
93 }
94}
95
96void crypto_salsa20_init(u32 *state, const struct salsa20_ctx *ctx,
97 const u8 *iv)
98{
99 memcpy(state, ctx->initial_state, sizeof(ctx->initial_state));
100 state[6] = get_unaligned_le32(iv + 0);
101 state[7] = get_unaligned_le32(iv + 4);
102}
103EXPORT_SYMBOL_GPL(crypto_salsa20_init);
104
105int crypto_salsa20_setkey(struct crypto_skcipher *tfm, const u8 *key,
106 unsigned int keysize)
107{
108 static const char sigma[16] = "expand 32-byte k";
109 static const char tau[16] = "expand 16-byte k";
110 struct salsa20_ctx *ctx = crypto_skcipher_ctx(tfm);
111 const char *constants;
112
113 if (keysize != SALSA20_MIN_KEY_SIZE &&
114 keysize != SALSA20_MAX_KEY_SIZE)
115 return -EINVAL;
116
117 ctx->initial_state[1] = get_unaligned_le32(key + 0);
118 ctx->initial_state[2] = get_unaligned_le32(key + 4);
119 ctx->initial_state[3] = get_unaligned_le32(key + 8);
120 ctx->initial_state[4] = get_unaligned_le32(key + 12);
121 if (keysize == 32) { /* recommended */
122 key += 16;
123 constants = sigma;
124 } else { /* keysize == 16 */
125 constants = tau;
126 }
127 ctx->initial_state[11] = get_unaligned_le32(key + 0);
128 ctx->initial_state[12] = get_unaligned_le32(key + 4);
129 ctx->initial_state[13] = get_unaligned_le32(key + 8);
130 ctx->initial_state[14] = get_unaligned_le32(key + 12);
131 ctx->initial_state[0] = get_unaligned_le32(constants + 0);
132 ctx->initial_state[5] = get_unaligned_le32(constants + 4);
133 ctx->initial_state[10] = get_unaligned_le32(constants + 8);
134 ctx->initial_state[15] = get_unaligned_le32(constants + 12);
135
136 /* space for the nonce; it will be overridden for each request */
137 ctx->initial_state[6] = 0;
138 ctx->initial_state[7] = 0;
139
140 /* initial block number */
141 ctx->initial_state[8] = 0;
142 ctx->initial_state[9] = 0;
143
144 return 0;
145}
146EXPORT_SYMBOL_GPL(crypto_salsa20_setkey);
147
148static int salsa20_crypt(struct skcipher_request *req)
149{
150 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
151 const struct salsa20_ctx *ctx = crypto_skcipher_ctx(tfm);
152 struct skcipher_walk walk;
153 u32 state[16];
154 int err;
155
156 err = skcipher_walk_virt(&walk, req, true);
157
158 crypto_salsa20_init(state, ctx, walk.iv);
159
160 while (walk.nbytes > 0) {
161 unsigned int nbytes = walk.nbytes;
162
163 if (nbytes < walk.total)
164 nbytes = round_down(nbytes, walk.stride);
165
166 salsa20_docrypt(state, walk.dst.virt.addr, walk.src.virt.addr,
167 nbytes);
168 err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
169 }
170
171 return err;
172}
173
174static struct skcipher_alg alg = {
175 .base.cra_name = "salsa20",
176 .base.cra_driver_name = "salsa20-generic",
177 .base.cra_priority = 100,
178 .base.cra_blocksize = 1,
179 .base.cra_ctxsize = sizeof(struct salsa20_ctx),
180 .base.cra_module = THIS_MODULE,
181
182 .min_keysize = SALSA20_MIN_KEY_SIZE,
183 .max_keysize = SALSA20_MAX_KEY_SIZE,
184 .ivsize = SALSA20_IV_SIZE,
185 .chunksize = SALSA20_BLOCK_SIZE,
186 .setkey = crypto_salsa20_setkey,
187 .encrypt = salsa20_crypt,
188 .decrypt = salsa20_crypt,
189};
190
191static int __init salsa20_generic_mod_init(void)
192{
193 return crypto_register_skcipher(&alg);
194}
195
196static void __exit salsa20_generic_mod_fini(void)
197{
198 crypto_unregister_skcipher(&alg);
199}
200
201module_init(salsa20_generic_mod_init);
202module_exit(salsa20_generic_mod_fini);
203
204MODULE_LICENSE("GPL");
205MODULE_DESCRIPTION ("Salsa20 stream cipher algorithm");
206MODULE_ALIAS_CRYPTO("salsa20");
207MODULE_ALIAS_CRYPTO("salsa20-generic");