Back to home page

LXR

 
 

    


0001 /*
0002  * Salsa20: Salsa20 stream cipher algorithm
0003  *
0004  * Copyright (c) 2007 Tan Swee Heng <thesweeheng@gmail.com>
0005  *
0006  * Derived from:
0007  * - salsa20.c: Public domain C code by Daniel J. Bernstein <djb@cr.yp.to>
0008  *
0009  * Salsa20 is a stream cipher candidate in eSTREAM, the ECRYPT Stream
0010  * Cipher Project. It is designed by Daniel J. Bernstein <djb@cr.yp.to>.
0011  * More information about eSTREAM and Salsa20 can be found here:
0012  *   http://www.ecrypt.eu.org/stream/
0013  *   http://cr.yp.to/snuffle.html
0014  *
0015  * This program is free software; you can redistribute it and/or modify it
0016  * under the terms of the GNU General Public License as published by the Free
0017  * Software Foundation; either version 2 of the License, or (at your option)
0018  * any later version.
0019  *
0020  */
0021 
0022 #include <linux/init.h>
0023 #include <linux/module.h>
0024 #include <linux/errno.h>
0025 #include <linux/crypto.h>
0026 #include <linux/types.h>
0027 #include <linux/bitops.h>
0028 #include <crypto/algapi.h>
0029 #include <asm/byteorder.h>
0030 
0031 #define SALSA20_IV_SIZE        8U
0032 #define SALSA20_MIN_KEY_SIZE  16U
0033 #define SALSA20_MAX_KEY_SIZE  32U
0034 
0035 /*
0036  * Start of code taken from D. J. Bernstein's reference implementation.
0037  * With some modifications and optimizations made to suit our needs.
0038  */
0039 
0040 /*
0041 salsa20-ref.c version 20051118
0042 D. J. Bernstein
0043 Public domain.
0044 */
0045 
0046 #define U32TO8_LITTLE(p, v) \
0047     { (p)[0] = (v >>  0) & 0xff; (p)[1] = (v >>  8) & 0xff; \
0048       (p)[2] = (v >> 16) & 0xff; (p)[3] = (v >> 24) & 0xff; }
0049 #define U8TO32_LITTLE(p)   \
0050     (((u32)((p)[0])      ) | ((u32)((p)[1]) <<  8) | \
0051      ((u32)((p)[2]) << 16) | ((u32)((p)[3]) << 24)   )
0052 
0053 struct salsa20_ctx
0054 {
0055     u32 input[16];
0056 };
0057 
0058 static void salsa20_wordtobyte(u8 output[64], const u32 input[16])
0059 {
0060     u32 x[16];
0061     int i;
0062 
0063     memcpy(x, input, sizeof(x));
0064     for (i = 20; i > 0; i -= 2) {
0065         x[ 4] ^= rol32((x[ 0] + x[12]),  7);
0066         x[ 8] ^= rol32((x[ 4] + x[ 0]),  9);
0067         x[12] ^= rol32((x[ 8] + x[ 4]), 13);
0068         x[ 0] ^= rol32((x[12] + x[ 8]), 18);
0069         x[ 9] ^= rol32((x[ 5] + x[ 1]),  7);
0070         x[13] ^= rol32((x[ 9] + x[ 5]),  9);
0071         x[ 1] ^= rol32((x[13] + x[ 9]), 13);
0072         x[ 5] ^= rol32((x[ 1] + x[13]), 18);
0073         x[14] ^= rol32((x[10] + x[ 6]),  7);
0074         x[ 2] ^= rol32((x[14] + x[10]),  9);
0075         x[ 6] ^= rol32((x[ 2] + x[14]), 13);
0076         x[10] ^= rol32((x[ 6] + x[ 2]), 18);
0077         x[ 3] ^= rol32((x[15] + x[11]),  7);
0078         x[ 7] ^= rol32((x[ 3] + x[15]),  9);
0079         x[11] ^= rol32((x[ 7] + x[ 3]), 13);
0080         x[15] ^= rol32((x[11] + x[ 7]), 18);
0081         x[ 1] ^= rol32((x[ 0] + x[ 3]),  7);
0082         x[ 2] ^= rol32((x[ 1] + x[ 0]),  9);
0083         x[ 3] ^= rol32((x[ 2] + x[ 1]), 13);
0084         x[ 0] ^= rol32((x[ 3] + x[ 2]), 18);
0085         x[ 6] ^= rol32((x[ 5] + x[ 4]),  7);
0086         x[ 7] ^= rol32((x[ 6] + x[ 5]),  9);
0087         x[ 4] ^= rol32((x[ 7] + x[ 6]), 13);
0088         x[ 5] ^= rol32((x[ 4] + x[ 7]), 18);
0089         x[11] ^= rol32((x[10] + x[ 9]),  7);
0090         x[ 8] ^= rol32((x[11] + x[10]),  9);
0091         x[ 9] ^= rol32((x[ 8] + x[11]), 13);
0092         x[10] ^= rol32((x[ 9] + x[ 8]), 18);
0093         x[12] ^= rol32((x[15] + x[14]),  7);
0094         x[13] ^= rol32((x[12] + x[15]),  9);
0095         x[14] ^= rol32((x[13] + x[12]), 13);
0096         x[15] ^= rol32((x[14] + x[13]), 18);
0097     }
0098     for (i = 0; i < 16; ++i)
0099         x[i] += input[i];
0100     for (i = 0; i < 16; ++i)
0101         U32TO8_LITTLE(output + 4 * i,x[i]);
0102 }
0103 
0104 static const char sigma[16] = "expand 32-byte k";
0105 static const char tau[16] = "expand 16-byte k";
0106 
0107 static void salsa20_keysetup(struct salsa20_ctx *ctx, const u8 *k, u32 kbytes)
0108 {
0109     const char *constants;
0110 
0111     ctx->input[1] = U8TO32_LITTLE(k + 0);
0112     ctx->input[2] = U8TO32_LITTLE(k + 4);
0113     ctx->input[3] = U8TO32_LITTLE(k + 8);
0114     ctx->input[4] = U8TO32_LITTLE(k + 12);
0115     if (kbytes == 32) { /* recommended */
0116         k += 16;
0117         constants = sigma;
0118     } else { /* kbytes == 16 */
0119         constants = tau;
0120     }
0121     ctx->input[11] = U8TO32_LITTLE(k + 0);
0122     ctx->input[12] = U8TO32_LITTLE(k + 4);
0123     ctx->input[13] = U8TO32_LITTLE(k + 8);
0124     ctx->input[14] = U8TO32_LITTLE(k + 12);
0125     ctx->input[0] = U8TO32_LITTLE(constants + 0);
0126     ctx->input[5] = U8TO32_LITTLE(constants + 4);
0127     ctx->input[10] = U8TO32_LITTLE(constants + 8);
0128     ctx->input[15] = U8TO32_LITTLE(constants + 12);
0129 }
0130 
0131 static void salsa20_ivsetup(struct salsa20_ctx *ctx, const u8 *iv)
0132 {
0133     ctx->input[6] = U8TO32_LITTLE(iv + 0);
0134     ctx->input[7] = U8TO32_LITTLE(iv + 4);
0135     ctx->input[8] = 0;
0136     ctx->input[9] = 0;
0137 }
0138 
0139 static void salsa20_encrypt_bytes(struct salsa20_ctx *ctx, u8 *dst,
0140                   const u8 *src, unsigned int bytes)
0141 {
0142     u8 buf[64];
0143 
0144     if (dst != src)
0145         memcpy(dst, src, bytes);
0146 
0147     while (bytes) {
0148         salsa20_wordtobyte(buf, ctx->input);
0149 
0150         ctx->input[8]++;
0151         if (!ctx->input[8])
0152             ctx->input[9]++;
0153 
0154         if (bytes <= 64) {
0155             crypto_xor(dst, buf, bytes);
0156             return;
0157         }
0158 
0159         crypto_xor(dst, buf, 64);
0160         bytes -= 64;
0161         dst += 64;
0162     }
0163 }
0164 
0165 /*
0166  * End of code taken from D. J. Bernstein's reference implementation.
0167  */
0168 
0169 static int setkey(struct crypto_tfm *tfm, const u8 *key,
0170           unsigned int keysize)
0171 {
0172     struct salsa20_ctx *ctx = crypto_tfm_ctx(tfm);
0173     salsa20_keysetup(ctx, key, keysize);
0174     return 0;
0175 }
0176 
0177 static int encrypt(struct blkcipher_desc *desc,
0178            struct scatterlist *dst, struct scatterlist *src,
0179            unsigned int nbytes)
0180 {
0181     struct blkcipher_walk walk;
0182     struct crypto_blkcipher *tfm = desc->tfm;
0183     struct salsa20_ctx *ctx = crypto_blkcipher_ctx(tfm);
0184     int err;
0185 
0186     blkcipher_walk_init(&walk, dst, src, nbytes);
0187     err = blkcipher_walk_virt_block(desc, &walk, 64);
0188 
0189     salsa20_ivsetup(ctx, walk.iv);
0190 
0191     if (likely(walk.nbytes == nbytes))
0192     {
0193         salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
0194                       walk.src.virt.addr, nbytes);
0195         return blkcipher_walk_done(desc, &walk, 0);
0196     }
0197 
0198     while (walk.nbytes >= 64) {
0199         salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
0200                       walk.src.virt.addr,
0201                       walk.nbytes - (walk.nbytes % 64));
0202         err = blkcipher_walk_done(desc, &walk, walk.nbytes % 64);
0203     }
0204 
0205     if (walk.nbytes) {
0206         salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
0207                       walk.src.virt.addr, walk.nbytes);
0208         err = blkcipher_walk_done(desc, &walk, 0);
0209     }
0210 
0211     return err;
0212 }
0213 
0214 static struct crypto_alg alg = {
0215     .cra_name           =   "salsa20",
0216     .cra_driver_name    =   "salsa20-generic",
0217     .cra_priority       =   100,
0218     .cra_flags          =   CRYPTO_ALG_TYPE_BLKCIPHER,
0219     .cra_type           =   &crypto_blkcipher_type,
0220     .cra_blocksize      =   1,
0221     .cra_ctxsize        =   sizeof(struct salsa20_ctx),
0222     .cra_alignmask      =   3,
0223     .cra_module         =   THIS_MODULE,
0224     .cra_u              =   {
0225         .blkcipher = {
0226             .setkey         =   setkey,
0227             .encrypt        =   encrypt,
0228             .decrypt        =   encrypt,
0229             .min_keysize    =   SALSA20_MIN_KEY_SIZE,
0230             .max_keysize    =   SALSA20_MAX_KEY_SIZE,
0231             .ivsize         =   SALSA20_IV_SIZE,
0232         }
0233     }
0234 };
0235 
0236 static int __init salsa20_generic_mod_init(void)
0237 {
0238     return crypto_register_alg(&alg);
0239 }
0240 
0241 static void __exit salsa20_generic_mod_fini(void)
0242 {
0243     crypto_unregister_alg(&alg);
0244 }
0245 
0246 module_init(salsa20_generic_mod_init);
0247 module_exit(salsa20_generic_mod_fini);
0248 
0249 MODULE_LICENSE("GPL");
0250 MODULE_DESCRIPTION ("Salsa20 stream cipher algorithm");
0251 MODULE_ALIAS_CRYPTO("salsa20");
0252 MODULE_ALIAS_CRYPTO("salsa20-generic");