Loading...
1/* SPDX-License-Identifier: GPL-2.0 */
2/*
3 * Common values and helper functions for the ChaCha and XChaCha stream ciphers.
4 *
5 * XChaCha extends ChaCha's nonce to 192 bits, while provably retaining ChaCha's
6 * security. Here they share the same key size, tfm context, and setkey
7 * function; only their IV size and encrypt/decrypt function differ.
8 *
9 * The ChaCha paper specifies 20, 12, and 8-round variants. In general, it is
10 * recommended to use the 20-round variant ChaCha20. However, the other
11 * variants can be needed in some performance-sensitive scenarios. The generic
12 * ChaCha code currently allows only the 20 and 12-round variants.
13 */
14
15#ifndef _CRYPTO_CHACHA_H
16#define _CRYPTO_CHACHA_H
17
18#include <asm/unaligned.h>
19#include <linux/types.h>
20
21/* 32-bit stream position, then 96-bit nonce (RFC7539 convention) */
22#define CHACHA_IV_SIZE 16
23
24#define CHACHA_KEY_SIZE 32
25#define CHACHA_BLOCK_SIZE 64
26#define CHACHAPOLY_IV_SIZE 12
27
28#define CHACHA_STATE_WORDS (CHACHA_BLOCK_SIZE / sizeof(u32))
29
30/* 192-bit nonce, then 64-bit stream position */
31#define XCHACHA_IV_SIZE 32
32
33void chacha_block_generic(u32 *state, u8 *stream, int nrounds);
34static inline void chacha20_block(u32 *state, u8 *stream)
35{
36 chacha_block_generic(state, stream, 20);
37}
38
39void hchacha_block_arch(const u32 *state, u32 *out, int nrounds);
40void hchacha_block_generic(const u32 *state, u32 *out, int nrounds);
41
42static inline void hchacha_block(const u32 *state, u32 *out, int nrounds)
43{
44 if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA))
45 hchacha_block_arch(state, out, nrounds);
46 else
47 hchacha_block_generic(state, out, nrounds);
48}
49
50enum chacha_constants { /* expand 32-byte k */
51 CHACHA_CONSTANT_EXPA = 0x61707865U,
52 CHACHA_CONSTANT_ND_3 = 0x3320646eU,
53 CHACHA_CONSTANT_2_BY = 0x79622d32U,
54 CHACHA_CONSTANT_TE_K = 0x6b206574U
55};
56
57static inline void chacha_init_consts(u32 *state)
58{
59 state[0] = CHACHA_CONSTANT_EXPA;
60 state[1] = CHACHA_CONSTANT_ND_3;
61 state[2] = CHACHA_CONSTANT_2_BY;
62 state[3] = CHACHA_CONSTANT_TE_K;
63}
64
65void chacha_init_arch(u32 *state, const u32 *key, const u8 *iv);
66static inline void chacha_init_generic(u32 *state, const u32 *key, const u8 *iv)
67{
68 chacha_init_consts(state);
69 state[4] = key[0];
70 state[5] = key[1];
71 state[6] = key[2];
72 state[7] = key[3];
73 state[8] = key[4];
74 state[9] = key[5];
75 state[10] = key[6];
76 state[11] = key[7];
77 state[12] = get_unaligned_le32(iv + 0);
78 state[13] = get_unaligned_le32(iv + 4);
79 state[14] = get_unaligned_le32(iv + 8);
80 state[15] = get_unaligned_le32(iv + 12);
81}
82
83static inline void chacha_init(u32 *state, const u32 *key, const u8 *iv)
84{
85 if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA))
86 chacha_init_arch(state, key, iv);
87 else
88 chacha_init_generic(state, key, iv);
89}
90
91void chacha_crypt_arch(u32 *state, u8 *dst, const u8 *src,
92 unsigned int bytes, int nrounds);
93void chacha_crypt_generic(u32 *state, u8 *dst, const u8 *src,
94 unsigned int bytes, int nrounds);
95
96static inline void chacha_crypt(u32 *state, u8 *dst, const u8 *src,
97 unsigned int bytes, int nrounds)
98{
99 if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA))
100 chacha_crypt_arch(state, dst, src, bytes, nrounds);
101 else
102 chacha_crypt_generic(state, dst, src, bytes, nrounds);
103}
104
105static inline void chacha20_crypt(u32 *state, u8 *dst, const u8 *src,
106 unsigned int bytes)
107{
108 chacha_crypt(state, dst, src, bytes, 20);
109}
110
111#endif /* _CRYPTO_CHACHA_H */
1/* SPDX-License-Identifier: GPL-2.0 */
2/*
3 * Common values and helper functions for the ChaCha and XChaCha stream ciphers.
4 *
5 * XChaCha extends ChaCha's nonce to 192 bits, while provably retaining ChaCha's
6 * security. Here they share the same key size, tfm context, and setkey
7 * function; only their IV size and encrypt/decrypt function differ.
8 *
9 * The ChaCha paper specifies 20, 12, and 8-round variants. In general, it is
10 * recommended to use the 20-round variant ChaCha20. However, the other
11 * variants can be needed in some performance-sensitive scenarios. The generic
12 * ChaCha code currently allows only the 20 and 12-round variants.
13 */
14
15#ifndef _CRYPTO_CHACHA_H
16#define _CRYPTO_CHACHA_H
17
18#include <crypto/skcipher.h>
19#include <linux/types.h>
20#include <linux/crypto.h>
21
22/* 32-bit stream position, then 96-bit nonce (RFC7539 convention) */
23#define CHACHA_IV_SIZE 16
24
25#define CHACHA_KEY_SIZE 32
26#define CHACHA_BLOCK_SIZE 64
27#define CHACHAPOLY_IV_SIZE 12
28
29/* 192-bit nonce, then 64-bit stream position */
30#define XCHACHA_IV_SIZE 32
31
32struct chacha_ctx {
33 u32 key[8];
34 int nrounds;
35};
36
37void chacha_block(u32 *state, u8 *stream, int nrounds);
38static inline void chacha20_block(u32 *state, u8 *stream)
39{
40 chacha_block(state, stream, 20);
41}
42void hchacha_block(const u32 *in, u32 *out, int nrounds);
43
44void crypto_chacha_init(u32 *state, const struct chacha_ctx *ctx, const u8 *iv);
45
46int crypto_chacha20_setkey(struct crypto_skcipher *tfm, const u8 *key,
47 unsigned int keysize);
48int crypto_chacha12_setkey(struct crypto_skcipher *tfm, const u8 *key,
49 unsigned int keysize);
50
51int crypto_chacha_crypt(struct skcipher_request *req);
52int crypto_xchacha_crypt(struct skcipher_request *req);
53
54#endif /* _CRYPTO_CHACHA_H */