[mirror_ubuntu-hirsute-kernel.git] / include / crypto / chacha.h

/* SPDX-License-Identifier: GPL-2.0 */
/*
 * Common values and helper functions for the ChaCha and XChaCha stream ciphers.
 *
 * XChaCha extends ChaCha's nonce to 192 bits, while provably retaining ChaCha's
 * security.  Here they share the same key size, tfm context, and setkey
 * function; only their IV size and encrypt/decrypt function differ.
 *
 * The ChaCha paper specifies 20, 12, and 8-round variants.  In general, it is
 * recommended to use the 20-round variant ChaCha20.  However, the other
 * variants can be needed in some performance-sensitive scenarios.  The generic
 * ChaCha code currently allows only the 20 and 12-round variants.
 */

#ifndef _CRYPTO_CHACHA_H
#define _CRYPTO_CHACHA_H

#include <asm/unaligned.h>
#include <linux/types.h>

/* 32-bit stream position, then 96-bit nonce (RFC7539 convention) */
#define CHACHA_IV_SIZE		16

#define CHACHA_KEY_SIZE		32
#define CHACHA_BLOCK_SIZE	64
#define CHACHAPOLY_IV_SIZE	12

#define CHACHA_STATE_WORDS	(CHACHA_BLOCK_SIZE / sizeof(u32))

/* 192-bit nonce, then 64-bit stream position */
#define XCHACHA_IV_SIZE		32

void chacha_block_generic(u32 *state, u8 *stream, int nrounds);
static inline void chacha20_block(u32 *state, u8 *stream)
{
	chacha_block_generic(state, stream, 20);
}

void hchacha_block_arch(const u32 *state, u32 *out, int nrounds);
void hchacha_block_generic(const u32 *state, u32 *out, int nrounds);

static inline void hchacha_block(const u32 *state, u32 *out, int nrounds)
{
	if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA))
		hchacha_block_arch(state, out, nrounds);
	else
		hchacha_block_generic(state, out, nrounds);
}

void chacha_init_arch(u32 *state, const u32 *key, const u8 *iv);
static inline void chacha_init_generic(u32 *state, const u32 *key, const u8 *iv)
{
	state[0]  = 0x61707865; /* "expa" */
	state[1]  = 0x3320646e; /* "nd 3" */
	state[2]  = 0x79622d32; /* "2-by" */
	state[3]  = 0x6b206574; /* "te k" */
	state[4]  = key[0];
	state[5]  = key[1];
	state[6]  = key[2];
	state[7]  = key[3];
	state[8]  = key[4];
	state[9]  = key[5];
	state[10] = key[6];
	state[11] = key[7];
	state[12] = get_unaligned_le32(iv +  0);
	state[13] = get_unaligned_le32(iv +  4);
	state[14] = get_unaligned_le32(iv +  8);
	state[15] = get_unaligned_le32(iv + 12);
}

static inline void chacha_init(u32 *state, const u32 *key, const u8 *iv)
{
	if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA))
		chacha_init_arch(state, key, iv);
	else
		chacha_init_generic(state, key, iv);
}

void chacha_crypt_arch(u32 *state, u8 *dst, const u8 *src,
		       unsigned int bytes, int nrounds);
void chacha_crypt_generic(u32 *state, u8 *dst, const u8 *src,
			  unsigned int bytes, int nrounds);

static inline void chacha_crypt(u32 *state, u8 *dst, const u8 *src,
				unsigned int bytes, int nrounds)
{
	if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA))
		chacha_crypt_arch(state, dst, src, bytes, nrounds);
	else
		chacha_crypt_generic(state, dst, src, bytes, nrounds);
}

static inline void chacha20_crypt(u32 *state, u8 *dst, const u8 *src,
				  unsigned int bytes)
{
	chacha_crypt(state, dst, src, bytes, 20);
}

#endif /* _CRYPTO_CHACHA_H */
Commit	Line	Data
1ca1b917 EB	1	/* SPDX-License-Identifier: GPL-2.0 */
	2	/*
	3	* Common values and helper functions for the ChaCha and XChaCha stream ciphers.
	4	*
	5	* XChaCha extends ChaCha's nonce to 192 bits, while provably retaining ChaCha's
	6	* security. Here they share the same key size, tfm context, and setkey
	7	* function; only their IV size and encrypt/decrypt function differ.
aa762409 EB	8	*
	9	* The ChaCha paper specifies 20, 12, and 8-round variants. In general, it is
	10	* recommended to use the 20-round variant ChaCha20. However, the other
	11	* variants can be needed in some performance-sensitive scenarios. The generic
	12	* ChaCha code currently allows only the 20 and 12-round variants.
1ca1b917 EB	13	*/
	14
	15	#ifndef _CRYPTO_CHACHA_H
	16	#define _CRYPTO_CHACHA_H
	17
5fb8ef25	18	#include <asm/unaligned.h>
1ca1b917	19	#include <linux/types.h>
1ca1b917 EB	20
	21	/* 32-bit stream position, then 96-bit nonce (RFC7539 convention) */
	22	#define CHACHA_IV_SIZE 16
	23
	24	#define CHACHA_KEY_SIZE 32
	25	#define CHACHA_BLOCK_SIZE 64
	26	#define CHACHAPOLY_IV_SIZE 12
	27
84e03fa3	28	#define CHACHA_STATE_WORDS (CHACHA_BLOCK_SIZE / sizeof(u32))
84e03fa3	29
1ca1b917 EB	30	/* 192-bit nonce, then 64-bit stream position */
	31	#define XCHACHA_IV_SIZE 32
	32
5fb8ef25	33	void chacha_block_generic(u32 state, u8 stream, int nrounds);
1ca1b917 EB	34	static inline void chacha20_block(u32 state, u8 stream)
1ca1b917 EB	35	{
5fb8ef25	36	chacha_block_generic(state, stream, 20);
1ca1b917	37	}
1ca1b917	38
5fb8ef25 AB	39	void hchacha_block_arch(const u32 state, u32 out, int nrounds);
	40	void hchacha_block_generic(const u32 state, u32 out, int nrounds);
	41
	42	static inline void hchacha_block(const u32 state, u32 out, int nrounds)
	43	{
	44	if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA))
	45	hchacha_block_arch(state, out, nrounds);
	46	else
	47	hchacha_block_generic(state, out, nrounds);
	48	}
1ca1b917	49
5fb8ef25 AB	50	void chacha_init_arch(u32 state, const u32 key, const u8 *iv);
	51	static inline void chacha_init_generic(u32 state, const u32 key, const u8 *iv)
	52	{
	53	state[0] = 0x61707865; /* "expa" */
	54	state[1] = 0x3320646e; /* "nd 3" */
	55	state[2] = 0x79622d32; /* "2-by" */
	56	state[3] = 0x6b206574; /* "te k" */
	57	state[4] = key[0];
	58	state[5] = key[1];
	59	state[6] = key[2];
	60	state[7] = key[3];
	61	state[8] = key[4];
	62	state[9] = key[5];
	63	state[10] = key[6];
	64	state[11] = key[7];
	65	state[12] = get_unaligned_le32(iv + 0);
	66	state[13] = get_unaligned_le32(iv + 4);
	67	state[14] = get_unaligned_le32(iv + 8);
	68	state[15] = get_unaligned_le32(iv + 12);
	69	}
1ca1b917	70
5fb8ef25 AB	71	static inline void chacha_init(u32 state, const u32 key, const u8 *iv)
	72	{
	73	if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA))
	74	chacha_init_arch(state, key, iv);
	75	else
	76	chacha_init_generic(state, key, iv);
	77	}
	78
	79	void chacha_crypt_arch(u32 state, u8 dst, const u8 *src,
	80	unsigned int bytes, int nrounds);
	81	void chacha_crypt_generic(u32 state, u8 dst, const u8 *src,
	82	unsigned int bytes, int nrounds);
	83
	84	static inline void chacha_crypt(u32 state, u8 dst, const u8 *src,
	85	unsigned int bytes, int nrounds)
	86	{
	87	if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA))
	88	chacha_crypt_arch(state, dst, src, bytes, nrounds);
	89	else
	90	chacha_crypt_generic(state, dst, src, bytes, nrounds);
	91	}
	92
	93	static inline void chacha20_crypt(u32 state, u8 dst, const u8 *src,
	94	unsigned int bytes)
	95	{
	96	chacha_crypt(state, dst, src, bytes, 20);
	97	}
1ca1b917 EB	98
1ca1b917 EB	99	#endif /* _CRYPTO_CHACHA_H */