]>
Commit | Line | Data |
---|---|---|
1ca1b917 EB |
1 | /* SPDX-License-Identifier: GPL-2.0 */ |
2 | /* | |
3 | * Common values and helper functions for the ChaCha and XChaCha stream ciphers. | |
4 | * | |
5 | * XChaCha extends ChaCha's nonce to 192 bits, while provably retaining ChaCha's | |
6 | * security. Here they share the same key size, tfm context, and setkey | |
7 | * function; only their IV size and encrypt/decrypt function differ. | |
aa762409 EB |
8 | * |
9 | * The ChaCha paper specifies 20, 12, and 8-round variants. In general, it is | |
10 | * recommended to use the 20-round variant ChaCha20. However, the other | |
11 | * variants can be needed in some performance-sensitive scenarios. The generic | |
12 | * ChaCha code currently allows only the 20 and 12-round variants. | |
1ca1b917 EB |
13 | */ |
14 | ||
15 | #ifndef _CRYPTO_CHACHA_H | |
16 | #define _CRYPTO_CHACHA_H | |
17 | ||
5fb8ef25 | 18 | #include <asm/unaligned.h> |
1ca1b917 | 19 | #include <linux/types.h> |
1ca1b917 EB |
20 | |
21 | /* 32-bit stream position, then 96-bit nonce (RFC7539 convention) */ | |
22 | #define CHACHA_IV_SIZE 16 | |
23 | ||
24 | #define CHACHA_KEY_SIZE 32 | |
25 | #define CHACHA_BLOCK_SIZE 64 | |
26 | #define CHACHAPOLY_IV_SIZE 12 | |
27 | ||
84e03fa3 | 28 | #define CHACHA_STATE_WORDS (CHACHA_BLOCK_SIZE / sizeof(u32)) |
84e03fa3 | 29 | |
1ca1b917 EB |
30 | /* 192-bit nonce, then 64-bit stream position */ |
31 | #define XCHACHA_IV_SIZE 32 | |
32 | ||
5fb8ef25 | 33 | void chacha_block_generic(u32 *state, u8 *stream, int nrounds); |
1ca1b917 EB |
34 | static inline void chacha20_block(u32 *state, u8 *stream) |
35 | { | |
5fb8ef25 | 36 | chacha_block_generic(state, stream, 20); |
1ca1b917 | 37 | } |
1ca1b917 | 38 | |
5fb8ef25 AB |
39 | void hchacha_block_arch(const u32 *state, u32 *out, int nrounds); |
40 | void hchacha_block_generic(const u32 *state, u32 *out, int nrounds); | |
41 | ||
42 | static inline void hchacha_block(const u32 *state, u32 *out, int nrounds) | |
43 | { | |
44 | if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA)) | |
45 | hchacha_block_arch(state, out, nrounds); | |
46 | else | |
47 | hchacha_block_generic(state, out, nrounds); | |
48 | } | |
1ca1b917 | 49 | |
5050f692 DB |
50 | enum chacha_constants { /* expand 32-byte k */ |
51 | CHACHA_CONSTANT_EXPA = 0x61707865U, | |
52 | CHACHA_CONSTANT_ND_3 = 0x3320646eU, | |
53 | CHACHA_CONSTANT_2_BY = 0x79622d32U, | |
54 | CHACHA_CONSTANT_TE_K = 0x6b206574U | |
55 | }; | |
56 | ||
a181e0fd | 57 | static inline void chacha_init_consts(u32 *state) |
5fb8ef25 | 58 | { |
5050f692 DB |
59 | state[0] = CHACHA_CONSTANT_EXPA; |
60 | state[1] = CHACHA_CONSTANT_ND_3; | |
61 | state[2] = CHACHA_CONSTANT_2_BY; | |
62 | state[3] = CHACHA_CONSTANT_TE_K; | |
a181e0fd EB |
63 | } |
64 | ||
65 | void chacha_init_arch(u32 *state, const u32 *key, const u8 *iv); | |
66 | static inline void chacha_init_generic(u32 *state, const u32 *key, const u8 *iv) | |
67 | { | |
68 | chacha_init_consts(state); | |
5fb8ef25 AB |
69 | state[4] = key[0]; |
70 | state[5] = key[1]; | |
71 | state[6] = key[2]; | |
72 | state[7] = key[3]; | |
73 | state[8] = key[4]; | |
74 | state[9] = key[5]; | |
75 | state[10] = key[6]; | |
76 | state[11] = key[7]; | |
77 | state[12] = get_unaligned_le32(iv + 0); | |
78 | state[13] = get_unaligned_le32(iv + 4); | |
79 | state[14] = get_unaligned_le32(iv + 8); | |
80 | state[15] = get_unaligned_le32(iv + 12); | |
81 | } | |
1ca1b917 | 82 | |
5fb8ef25 AB |
83 | static inline void chacha_init(u32 *state, const u32 *key, const u8 *iv) |
84 | { | |
85 | if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA)) | |
86 | chacha_init_arch(state, key, iv); | |
87 | else | |
88 | chacha_init_generic(state, key, iv); | |
89 | } | |
90 | ||
91 | void chacha_crypt_arch(u32 *state, u8 *dst, const u8 *src, | |
92 | unsigned int bytes, int nrounds); | |
93 | void chacha_crypt_generic(u32 *state, u8 *dst, const u8 *src, | |
94 | unsigned int bytes, int nrounds); | |
95 | ||
96 | static inline void chacha_crypt(u32 *state, u8 *dst, const u8 *src, | |
97 | unsigned int bytes, int nrounds) | |
98 | { | |
99 | if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA)) | |
100 | chacha_crypt_arch(state, dst, src, bytes, nrounds); | |
101 | else | |
102 | chacha_crypt_generic(state, dst, src, bytes, nrounds); | |
103 | } | |
104 | ||
105 | static inline void chacha20_crypt(u32 *state, u8 *dst, const u8 *src, | |
106 | unsigned int bytes) | |
107 | { | |
108 | chacha_crypt(state, dst, src, bytes, 20); | |
109 | } | |
1ca1b917 EB |
110 | |
111 | #endif /* _CRYPTO_CHACHA_H */ |