| 1 | // SPDX-License-Identifier: GPL-2.0-or-later |
|---|
| 2 | /* |
|---|
| 3 | * ChaCha and XChaCha stream ciphers, including ChaCha20 (RFC7539) |
|---|
| 4 | * |
|---|
| 5 | * Copyright (C) 2015 Martin Willi |
|---|
| 6 | * Copyright (C) 2018 Google LLC |
|---|
| 7 | */ |
|---|
| 8 | |
|---|
| 9 | #include <asm/unaligned.h> |
|---|
| 10 | #include <crypto/algapi.h> |
|---|
| 11 | #include <crypto/internal/chacha.h> |
|---|
| 12 | #include <crypto/internal/skcipher.h> |
|---|
| 13 | #include <linux/module.h> |
|---|
| 14 | |
|---|
| 15 | static int chacha_stream_xor(struct skcipher_request *req, |
|---|
| 16 | const struct chacha_ctx *ctx, const u8 *iv) |
|---|
| 17 | { |
|---|
| 18 | struct skcipher_walk walk; |
|---|
| 19 | u32 state[16]; |
|---|
| 20 | int err; |
|---|
| 21 | |
|---|
| 22 | err = skcipher_walk_virt(walk: &walk, req, atomic: false); |
|---|
| 23 | |
|---|
| 24 | chacha_init_generic(state, key: ctx->key, iv); |
|---|
| 25 | |
|---|
| 26 | while (walk.nbytes > 0) { |
|---|
| 27 | unsigned int nbytes = walk.nbytes; |
|---|
| 28 | |
|---|
| 29 | if (nbytes < walk.total) |
|---|
| 30 | nbytes = round_down(nbytes, CHACHA_BLOCK_SIZE); |
|---|
| 31 | |
|---|
| 32 | chacha_crypt_generic(state, dst: walk.dst.virt.addr, |
|---|
| 33 | src: walk.src.virt.addr, bytes: nbytes, nrounds: ctx->nrounds); |
|---|
| 34 | err = skcipher_walk_done(walk: &walk, err: walk.nbytes - nbytes); |
|---|
| 35 | } |
|---|
| 36 | |
|---|
| 37 | return err; |
|---|
| 38 | } |
|---|
| 39 | |
|---|
| 40 | static int crypto_chacha_crypt(struct skcipher_request *req) |
|---|
| 41 | { |
|---|
| 42 | struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); |
|---|
| 43 | struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm); |
|---|
| 44 | |
|---|
| 45 | return chacha_stream_xor(req, ctx, iv: req->iv); |
|---|
| 46 | } |
|---|
| 47 | |
|---|
| 48 | static int crypto_xchacha_crypt(struct skcipher_request *req) |
|---|
| 49 | { |
|---|
| 50 | struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); |
|---|
| 51 | struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm); |
|---|
| 52 | struct chacha_ctx subctx; |
|---|
| 53 | u32 state[16]; |
|---|
| 54 | u8 real_iv[16]; |
|---|
| 55 | |
|---|
| 56 | /* Compute the subkey given the original key and first 128 nonce bits */ |
|---|
| 57 | chacha_init_generic(state, key: ctx->key, iv: req->iv); |
|---|
| 58 | hchacha_block_generic(state, out: subctx.key, nrounds: ctx->nrounds); |
|---|
| 59 | subctx.nrounds = ctx->nrounds; |
|---|
| 60 | |
|---|
| 61 | /* Build the real IV */ |
|---|
| 62 | memcpy(&real_iv[0], req->iv + 24, 8); /* stream position */ |
|---|
| 63 | memcpy(&real_iv[8], req->iv + 16, 8); /* remaining 64 nonce bits */ |
|---|
| 64 | |
|---|
| 65 | /* Generate the stream and XOR it with the data */ |
|---|
| 66 | return chacha_stream_xor(req, ctx: &subctx, iv: real_iv); |
|---|
| 67 | } |
|---|
| 68 | |
|---|
| 69 | static struct skcipher_alg algs[] = { |
|---|
| 70 | { |
|---|
| 71 | .base.cra_name = "chacha20" , |
|---|
| 72 | .base.cra_driver_name = "chacha20-generic" , |
|---|
| 73 | .base.cra_priority = 100, |
|---|
| 74 | .base.cra_blocksize = 1, |
|---|
| 75 | .base.cra_ctxsize = sizeof(struct chacha_ctx), |
|---|
| 76 | .base.cra_module = THIS_MODULE, |
|---|
| 77 | |
|---|
| 78 | .min_keysize = CHACHA_KEY_SIZE, |
|---|
| 79 | .max_keysize = CHACHA_KEY_SIZE, |
|---|
| 80 | .ivsize = CHACHA_IV_SIZE, |
|---|
| 81 | .chunksize = CHACHA_BLOCK_SIZE, |
|---|
| 82 | .setkey = chacha20_setkey, |
|---|
| 83 | .encrypt = crypto_chacha_crypt, |
|---|
| 84 | .decrypt = crypto_chacha_crypt, |
|---|
| 85 | }, { |
|---|
| 86 | .base.cra_name = "xchacha20" , |
|---|
| 87 | .base.cra_driver_name = "xchacha20-generic" , |
|---|
| 88 | .base.cra_priority = 100, |
|---|
| 89 | .base.cra_blocksize = 1, |
|---|
| 90 | .base.cra_ctxsize = sizeof(struct chacha_ctx), |
|---|
| 91 | .base.cra_module = THIS_MODULE, |
|---|
| 92 | |
|---|
| 93 | .min_keysize = CHACHA_KEY_SIZE, |
|---|
| 94 | .max_keysize = CHACHA_KEY_SIZE, |
|---|
| 95 | .ivsize = XCHACHA_IV_SIZE, |
|---|
| 96 | .chunksize = CHACHA_BLOCK_SIZE, |
|---|
| 97 | .setkey = chacha20_setkey, |
|---|
| 98 | .encrypt = crypto_xchacha_crypt, |
|---|
| 99 | .decrypt = crypto_xchacha_crypt, |
|---|
| 100 | }, { |
|---|
| 101 | .base.cra_name = "xchacha12" , |
|---|
| 102 | .base.cra_driver_name = "xchacha12-generic" , |
|---|
| 103 | .base.cra_priority = 100, |
|---|
| 104 | .base.cra_blocksize = 1, |
|---|
| 105 | .base.cra_ctxsize = sizeof(struct chacha_ctx), |
|---|
| 106 | .base.cra_module = THIS_MODULE, |
|---|
| 107 | |
|---|
| 108 | .min_keysize = CHACHA_KEY_SIZE, |
|---|
| 109 | .max_keysize = CHACHA_KEY_SIZE, |
|---|
| 110 | .ivsize = XCHACHA_IV_SIZE, |
|---|
| 111 | .chunksize = CHACHA_BLOCK_SIZE, |
|---|
| 112 | .setkey = chacha12_setkey, |
|---|
| 113 | .encrypt = crypto_xchacha_crypt, |
|---|
| 114 | .decrypt = crypto_xchacha_crypt, |
|---|
| 115 | } |
|---|
| 116 | }; |
|---|
| 117 | |
|---|
| 118 | static int __init chacha_generic_mod_init(void) |
|---|
| 119 | { |
|---|
| 120 | return crypto_register_skciphers(algs, ARRAY_SIZE(algs)); |
|---|
| 121 | } |
|---|
| 122 | |
|---|
| 123 | static void __exit chacha_generic_mod_fini(void) |
|---|
| 124 | { |
|---|
| 125 | crypto_unregister_skciphers(algs, ARRAY_SIZE(algs)); |
|---|
| 126 | } |
|---|
| 127 | |
|---|
| 128 | subsys_initcall(chacha_generic_mod_init); |
|---|
| 129 | module_exit(chacha_generic_mod_fini); |
|---|
| 130 | |
|---|
| 131 | MODULE_LICENSE("GPL" ); |
|---|
| 132 | MODULE_AUTHOR("Martin Willi <martin@strongswan.org>" ); |
|---|
| 133 | MODULE_DESCRIPTION("ChaCha and XChaCha stream ciphers (generic)" ); |
|---|
| 134 | MODULE_ALIAS_CRYPTO("chacha20" ); |
|---|
| 135 | MODULE_ALIAS_CRYPTO("chacha20-generic" ); |
|---|
| 136 | MODULE_ALIAS_CRYPTO("xchacha20" ); |
|---|
| 137 | MODULE_ALIAS_CRYPTO("xchacha20-generic" ); |
|---|
| 138 | MODULE_ALIAS_CRYPTO("xchacha12" ); |
|---|
| 139 | MODULE_ALIAS_CRYPTO("xchacha12-generic" ); |
|---|
| 140 | |
|---|
