[thirdparty/kernel/stable.git] / crypto / salsa20_generic.c

/*
 * Salsa20: Salsa20 stream cipher algorithm
 *
 * Copyright (c) 2007 Tan Swee Heng <thesweeheng@gmail.com>
 *
 * Derived from:
 * - salsa20.c: Public domain C code by Daniel J. Bernstein <djb@cr.yp.to>
 *
 * Salsa20 is a stream cipher candidate in eSTREAM, the ECRYPT Stream
 * Cipher Project. It is designed by Daniel J. Bernstein <djb@cr.yp.to>.
 * More information about eSTREAM and Salsa20 can be found here:
 *   http://www.ecrypt.eu.org/stream/
 *   http://cr.yp.to/snuffle.html
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the Free
 * Software Foundation; either version 2 of the License, or (at your option)
 * any later version.
 *
 */

#include <asm/unaligned.h>
#include <crypto/internal/skcipher.h>
#include <linux/module.h>

#define SALSA20_IV_SIZE        8
#define SALSA20_MIN_KEY_SIZE  16
#define SALSA20_MAX_KEY_SIZE  32
#define SALSA20_BLOCK_SIZE    64

struct salsa20_ctx {
	u32 initial_state[16];
};

static void salsa20_block(u32 *state, __le32 *stream)
{
	u32 x[16];
	int i;

	memcpy(x, state, sizeof(x));

	for (i = 0; i < 20; i += 2) {
		x[ 4] ^= rol32((x[ 0] + x[12]),  7);
		x[ 8] ^= rol32((x[ 4] + x[ 0]),  9);
		x[12] ^= rol32((x[ 8] + x[ 4]), 13);
		x[ 0] ^= rol32((x[12] + x[ 8]), 18);
		x[ 9] ^= rol32((x[ 5] + x[ 1]),  7);
		x[13] ^= rol32((x[ 9] + x[ 5]),  9);
		x[ 1] ^= rol32((x[13] + x[ 9]), 13);
		x[ 5] ^= rol32((x[ 1] + x[13]), 18);
		x[14] ^= rol32((x[10] + x[ 6]),  7);
		x[ 2] ^= rol32((x[14] + x[10]),  9);
		x[ 6] ^= rol32((x[ 2] + x[14]), 13);
		x[10] ^= rol32((x[ 6] + x[ 2]), 18);
		x[ 3] ^= rol32((x[15] + x[11]),  7);
		x[ 7] ^= rol32((x[ 3] + x[15]),  9);
		x[11] ^= rol32((x[ 7] + x[ 3]), 13);
		x[15] ^= rol32((x[11] + x[ 7]), 18);
		x[ 1] ^= rol32((x[ 0] + x[ 3]),  7);
		x[ 2] ^= rol32((x[ 1] + x[ 0]),  9);
		x[ 3] ^= rol32((x[ 2] + x[ 1]), 13);
		x[ 0] ^= rol32((x[ 3] + x[ 2]), 18);
		x[ 6] ^= rol32((x[ 5] + x[ 4]),  7);
		x[ 7] ^= rol32((x[ 6] + x[ 5]),  9);
		x[ 4] ^= rol32((x[ 7] + x[ 6]), 13);
		x[ 5] ^= rol32((x[ 4] + x[ 7]), 18);
		x[11] ^= rol32((x[10] + x[ 9]),  7);
		x[ 8] ^= rol32((x[11] + x[10]),  9);
		x[ 9] ^= rol32((x[ 8] + x[11]), 13);
		x[10] ^= rol32((x[ 9] + x[ 8]), 18);
		x[12] ^= rol32((x[15] + x[14]),  7);
		x[13] ^= rol32((x[12] + x[15]),  9);
		x[14] ^= rol32((x[13] + x[12]), 13);
		x[15] ^= rol32((x[14] + x[13]), 18);
	}

	for (i = 0; i < 16; i++)
		stream[i] = cpu_to_le32(x[i] + state[i]);

	if (++state[8] == 0)
		state[9]++;
}

static void salsa20_docrypt(u32 *state, u8 *dst, const u8 *src,
			    unsigned int bytes)
{
	__le32 stream[SALSA20_BLOCK_SIZE / sizeof(__le32)];

	while (bytes >= SALSA20_BLOCK_SIZE) {
		salsa20_block(state, stream);
		crypto_xor_cpy(dst, src, (const u8 *)stream,
			       SALSA20_BLOCK_SIZE);
		bytes -= SALSA20_BLOCK_SIZE;
		dst += SALSA20_BLOCK_SIZE;
		src += SALSA20_BLOCK_SIZE;
	}
	if (bytes) {
		salsa20_block(state, stream);
		crypto_xor_cpy(dst, src, (const u8 *)stream, bytes);
	}
}

static void salsa20_init(u32 *state, const struct salsa20_ctx *ctx,
			 const u8 *iv)
{
	memcpy(state, ctx->initial_state, sizeof(ctx->initial_state));
	state[6] = get_unaligned_le32(iv + 0);
	state[7] = get_unaligned_le32(iv + 4);
}

static int salsa20_setkey(struct crypto_skcipher *tfm, const u8 *key,
			  unsigned int keysize)
{
	static const char sigma[16] = "expand 32-byte k";
	static const char tau[16] = "expand 16-byte k";
	struct salsa20_ctx *ctx = crypto_skcipher_ctx(tfm);
	const char *constants;

	if (keysize != SALSA20_MIN_KEY_SIZE &&
	    keysize != SALSA20_MAX_KEY_SIZE)
		return -EINVAL;

	ctx->initial_state[1] = get_unaligned_le32(key + 0);
	ctx->initial_state[2] = get_unaligned_le32(key + 4);
	ctx->initial_state[3] = get_unaligned_le32(key + 8);
	ctx->initial_state[4] = get_unaligned_le32(key + 12);
	if (keysize == 32) { /* recommended */
		key += 16;
		constants = sigma;
	} else { /* keysize == 16 */
		constants = tau;
	}
	ctx->initial_state[11] = get_unaligned_le32(key + 0);
	ctx->initial_state[12] = get_unaligned_le32(key + 4);
	ctx->initial_state[13] = get_unaligned_le32(key + 8);
	ctx->initial_state[14] = get_unaligned_le32(key + 12);
	ctx->initial_state[0]  = get_unaligned_le32(constants + 0);
	ctx->initial_state[5]  = get_unaligned_le32(constants + 4);
	ctx->initial_state[10] = get_unaligned_le32(constants + 8);
	ctx->initial_state[15] = get_unaligned_le32(constants + 12);

	/* space for the nonce; it will be overridden for each request */
	ctx->initial_state[6] = 0;
	ctx->initial_state[7] = 0;

	/* initial block number */
	ctx->initial_state[8] = 0;
	ctx->initial_state[9] = 0;

	return 0;
}

static int salsa20_crypt(struct skcipher_request *req)
{
	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
	const struct salsa20_ctx *ctx = crypto_skcipher_ctx(tfm);
	struct skcipher_walk walk;
	u32 state[16];
	int err;

	err = skcipher_walk_virt(&walk, req, false);

	salsa20_init(state, ctx, req->iv);

	while (walk.nbytes > 0) {
		unsigned int nbytes = walk.nbytes;

		if (nbytes < walk.total)
			nbytes = round_down(nbytes, walk.stride);

		salsa20_docrypt(state, walk.dst.virt.addr, walk.src.virt.addr,
				nbytes);
		err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
	}

	return err;
}

static struct skcipher_alg alg = {
	.base.cra_name		= "salsa20",
	.base.cra_driver_name	= "salsa20-generic",
	.base.cra_priority	= 100,
	.base.cra_blocksize	= 1,
	.base.cra_ctxsize	= sizeof(struct salsa20_ctx),
	.base.cra_module	= THIS_MODULE,

	.min_keysize		= SALSA20_MIN_KEY_SIZE,
	.max_keysize		= SALSA20_MAX_KEY_SIZE,
	.ivsize			= SALSA20_IV_SIZE,
	.chunksize		= SALSA20_BLOCK_SIZE,
	.setkey			= salsa20_setkey,
	.encrypt		= salsa20_crypt,
	.decrypt		= salsa20_crypt,
};

static int __init salsa20_generic_mod_init(void)
{
	return crypto_register_skcipher(&alg);
}

static void __exit salsa20_generic_mod_fini(void)
{
	crypto_unregister_skcipher(&alg);
}

subsys_initcall(salsa20_generic_mod_init);
module_exit(salsa20_generic_mod_fini);

MODULE_LICENSE("GPL");
MODULE_DESCRIPTION ("Salsa20 stream cipher algorithm");
MODULE_ALIAS_CRYPTO("salsa20");
MODULE_ALIAS_CRYPTO("salsa20-generic");
Commit	Line	Data
2407d608 TSH	1	/*
	2	* Salsa20: Salsa20 stream cipher algorithm
	3	*
	4	* Copyright (c) 2007 Tan Swee Heng <thesweeheng@gmail.com>
	5	*
	6	* Derived from:
	7	* - salsa20.c: Public domain C code by Daniel J. Bernstein <djb@cr.yp.to>
	8	*
	9	* Salsa20 is a stream cipher candidate in eSTREAM, the ECRYPT Stream
	10	* Cipher Project. It is designed by Daniel J. Bernstein <djb@cr.yp.to>.
	11	* More information about eSTREAM and Salsa20 can be found here:
	12	* http://www.ecrypt.eu.org/stream/
	13	* http://cr.yp.to/snuffle.html
	14	*
	15	* This program is free software; you can redistribute it and/or modify it
	16	* under the terms of the GNU General Public License as published by the Free
	17	* Software Foundation; either version 2 of the License, or (at your option)
	18	* any later version.
	19	*
	20	*/
	21
b62b3db7 EB	22	#include <asm/unaligned.h>
b62b3db7 EB	23	#include <crypto/internal/skcipher.h>
2407d608	24	#include <linux/module.h>
2407d608	25
015a0370 EB	26	#define SALSA20_IV_SIZE 8
	27	#define SALSA20_MIN_KEY_SIZE 16
	28	#define SALSA20_MAX_KEY_SIZE 32
	29	#define SALSA20_BLOCK_SIZE 64
	30
	31	struct salsa20_ctx {
	32	u32 initial_state[16];
	33	};
	34
b62b3db7	35	static void salsa20_block(u32 state, __le32 stream)
2407d608 TSH	36	{
	37	u32 x[16];
	38	int i;
	39
b62b3db7 EB	40	memcpy(x, state, sizeof(x));
	41
	42	for (i = 0; i < 20; i += 2) {
f0d1ec3a HH	43	x[ 4] ^= rol32((x[ 0] + x[12]), 7);
	44	x[ 8] ^= rol32((x[ 4] + x[ 0]), 9);
	45	x[12] ^= rol32((x[ 8] + x[ 4]), 13);
	46	x[ 0] ^= rol32((x[12] + x[ 8]), 18);
	47	x[ 9] ^= rol32((x[ 5] + x[ 1]), 7);
	48	x[13] ^= rol32((x[ 9] + x[ 5]), 9);
	49	x[ 1] ^= rol32((x[13] + x[ 9]), 13);
	50	x[ 5] ^= rol32((x[ 1] + x[13]), 18);
	51	x[14] ^= rol32((x[10] + x[ 6]), 7);
	52	x[ 2] ^= rol32((x[14] + x[10]), 9);
	53	x[ 6] ^= rol32((x[ 2] + x[14]), 13);
	54	x[10] ^= rol32((x[ 6] + x[ 2]), 18);
	55	x[ 3] ^= rol32((x[15] + x[11]), 7);
	56	x[ 7] ^= rol32((x[ 3] + x[15]), 9);
	57	x[11] ^= rol32((x[ 7] + x[ 3]), 13);
	58	x[15] ^= rol32((x[11] + x[ 7]), 18);
	59	x[ 1] ^= rol32((x[ 0] + x[ 3]), 7);
	60	x[ 2] ^= rol32((x[ 1] + x[ 0]), 9);
	61	x[ 3] ^= rol32((x[ 2] + x[ 1]), 13);
	62	x[ 0] ^= rol32((x[ 3] + x[ 2]), 18);
	63	x[ 6] ^= rol32((x[ 5] + x[ 4]), 7);
	64	x[ 7] ^= rol32((x[ 6] + x[ 5]), 9);
	65	x[ 4] ^= rol32((x[ 7] + x[ 6]), 13);
	66	x[ 5] ^= rol32((x[ 4] + x[ 7]), 18);
	67	x[11] ^= rol32((x[10] + x[ 9]), 7);
	68	x[ 8] ^= rol32((x[11] + x[10]), 9);
	69	x[ 9] ^= rol32((x[ 8] + x[11]), 13);
	70	x[10] ^= rol32((x[ 9] + x[ 8]), 18);
	71	x[12] ^= rol32((x[15] + x[14]), 7);
	72	x[13] ^= rol32((x[12] + x[15]), 9);
	73	x[14] ^= rol32((x[13] + x[12]), 13);
	74	x[15] ^= rol32((x[14] + x[13]), 18);
2407d608	75	}
2407d608	76
b62b3db7 EB	77	for (i = 0; i < 16; i++)
	78	stream[i] = cpu_to_le32(x[i] + state[i]);
	79
	80	if (++state[8] == 0)
	81	state[9]++;
	82	}
2407d608	83
b62b3db7 EB	84	static void salsa20_docrypt(u32 state, u8 dst, const u8 *src,
b62b3db7 EB	85	unsigned int bytes)
2407d608	86	{
b62b3db7	87	__le32 stream[SALSA20_BLOCK_SIZE / sizeof(__le32)];
2407d608	88
b62b3db7 EB	89	while (bytes >= SALSA20_BLOCK_SIZE) {
b62b3db7 EB	90	salsa20_block(state, stream);
f6fff170 EB	91	crypto_xor_cpy(dst, src, (const u8 *)stream,
f6fff170 EB	92	SALSA20_BLOCK_SIZE);
b62b3db7 EB	93	bytes -= SALSA20_BLOCK_SIZE;
b62b3db7 EB	94	dst += SALSA20_BLOCK_SIZE;
f6fff170	95	src += SALSA20_BLOCK_SIZE;
b62b3db7 EB	96	}
	97	if (bytes) {
	98	salsa20_block(state, stream);
f6fff170	99	crypto_xor_cpy(dst, src, (const u8 *)stream, bytes);
2407d608	100	}
2407d608 TSH	101	}
2407d608 TSH	102
015a0370	103	static void salsa20_init(u32 state, const struct salsa20_ctx ctx,
b62b3db7	104	const u8 *iv)
2407d608	105	{
b62b3db7 EB	106	memcpy(state, ctx->initial_state, sizeof(ctx->initial_state));
	107	state[6] = get_unaligned_le32(iv + 0);
	108	state[7] = get_unaligned_le32(iv + 4);
2407d608 TSH	109	}
2407d608 TSH	110
015a0370	111	static int salsa20_setkey(struct crypto_skcipher tfm, const u8 key,
b62b3db7	112	unsigned int keysize)
2407d608	113	{
b62b3db7 EB	114	static const char sigma[16] = "expand 32-byte k";
	115	static const char tau[16] = "expand 16-byte k";
	116	struct salsa20_ctx *ctx = crypto_skcipher_ctx(tfm);
	117	const char *constants;
2407d608	118
b62b3db7 EB	119	if (keysize != SALSA20_MIN_KEY_SIZE &&
	120	keysize != SALSA20_MAX_KEY_SIZE)
	121	return -EINVAL;
2407d608	122
b62b3db7 EB	123	ctx->initial_state[1] = get_unaligned_le32(key + 0);
	124	ctx->initial_state[2] = get_unaligned_le32(key + 4);
	125	ctx->initial_state[3] = get_unaligned_le32(key + 8);
	126	ctx->initial_state[4] = get_unaligned_le32(key + 12);
	127	if (keysize == 32) { /* recommended */
	128	key += 16;
	129	constants = sigma;
	130	} else { /* keysize == 16 */
	131	constants = tau;
2407d608	132	}
b62b3db7 EB	133	ctx->initial_state[11] = get_unaligned_le32(key + 0);
	134	ctx->initial_state[12] = get_unaligned_le32(key + 4);
	135	ctx->initial_state[13] = get_unaligned_le32(key + 8);
	136	ctx->initial_state[14] = get_unaligned_le32(key + 12);
	137	ctx->initial_state[0] = get_unaligned_le32(constants + 0);
	138	ctx->initial_state[5] = get_unaligned_le32(constants + 4);
	139	ctx->initial_state[10] = get_unaligned_le32(constants + 8);
	140	ctx->initial_state[15] = get_unaligned_le32(constants + 12);
	141
	142	/* space for the nonce; it will be overridden for each request */
	143	ctx->initial_state[6] = 0;
	144	ctx->initial_state[7] = 0;
	145
	146	/* initial block number */
	147	ctx->initial_state[8] = 0;
	148	ctx->initial_state[9] = 0;
2407d608	149
2407d608 TSH	150	return 0;
	151	}
	152
b62b3db7	153	static int salsa20_crypt(struct skcipher_request *req)
2407d608	154	{
b62b3db7 EB	155	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
	156	const struct salsa20_ctx *ctx = crypto_skcipher_ctx(tfm);
	157	struct skcipher_walk walk;
	158	u32 state[16];
2407d608 TSH	159	int err;
2407d608 TSH	160
101b53d9	161	err = skcipher_walk_virt(&walk, req, false);
2407d608	162
edaf28e9	163	salsa20_init(state, ctx, req->iv);
2407d608	164
b62b3db7 EB	165	while (walk.nbytes > 0) {
b62b3db7 EB	166	unsigned int nbytes = walk.nbytes;
eb6f13eb	167
b62b3db7 EB	168	if (nbytes < walk.total)
	169	nbytes = round_down(nbytes, walk.stride);
	170
	171	salsa20_docrypt(state, walk.dst.virt.addr, walk.src.virt.addr,
	172	nbytes);
	173	err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
eb6f13eb TSH	174	}
eb6f13eb TSH	175
2407d608 TSH	176	return err;
	177	}
	178
b62b3db7 EB	179	static struct skcipher_alg alg = {
	180	.base.cra_name = "salsa20",
	181	.base.cra_driver_name = "salsa20-generic",
	182	.base.cra_priority = 100,
	183	.base.cra_blocksize = 1,
	184	.base.cra_ctxsize = sizeof(struct salsa20_ctx),
	185	.base.cra_module = THIS_MODULE,
	186
	187	.min_keysize = SALSA20_MIN_KEY_SIZE,
	188	.max_keysize = SALSA20_MAX_KEY_SIZE,
	189	.ivsize = SALSA20_IV_SIZE,
	190	.chunksize = SALSA20_BLOCK_SIZE,
015a0370	191	.setkey = salsa20_setkey,
b62b3db7 EB	192	.encrypt = salsa20_crypt,
b62b3db7 EB	193	.decrypt = salsa20_crypt,
2407d608 TSH	194	};
2407d608 TSH	195
3af5b90b	196	static int __init salsa20_generic_mod_init(void)
2407d608	197	{
b62b3db7	198	return crypto_register_skcipher(&alg);
2407d608 TSH	199	}
2407d608 TSH	200
3af5b90b	201	static void __exit salsa20_generic_mod_fini(void)
2407d608	202	{
b62b3db7	203	crypto_unregister_skcipher(&alg);
2407d608 TSH	204	}
2407d608 TSH	205
c4741b23	206	subsys_initcall(salsa20_generic_mod_init);
3af5b90b	207	module_exit(salsa20_generic_mod_fini);
2407d608 TSH	208
	209	MODULE_LICENSE("GPL");
	210	MODULE_DESCRIPTION ("Salsa20 stream cipher algorithm");
5d26a105	211	MODULE_ALIAS_CRYPTO("salsa20");
3e14dcf7	212	MODULE_ALIAS_CRYPTO("salsa20-generic");