38e6b19eaf
Changes in 4.9.178
net: core: another layer of lists, around PF_MEMALLOC skb handling
locking/rwsem: Prevent decrement of reader count before increment
PCI: hv: Fix a memory leak in hv_eject_device_work()
x86/speculation/mds: Revert CPU buffer clear on double fault exit
x86/speculation/mds: Improve CPU buffer clear documentation
objtool: Fix function fallthrough detection
ARM: exynos: Fix a leaked reference by adding missing of_node_put
power: supply: axp288_charger: Fix unchecked return value
arm64: compat: Reduce address limit
arm64: Clear OSDLR_EL1 on CPU boot
sched/x86: Save [ER]FLAGS on context switch
crypto: chacha20poly1305 - set cra_name correctly
crypto: vmx - fix copy-paste error in CTR mode
crypto: crct10dif-generic - fix use via crypto_shash_digest()
crypto: x86/crct10dif-pcl - fix use via crypto_shash_digest()
ALSA: usb-audio: Fix a memory leak bug
ALSA: hda/hdmi - Read the pin sense from register when repolling
ALSA: hda/hdmi - Consider eld_valid when reporting jack event
ALSA: hda/realtek - EAPD turn on later
ASoC: max98090: Fix restore of DAPM Muxes
ASoC: RT5677-SPI: Disable 16Bit SPI Transfers
mm/mincore.c: make mincore() more conservative
ocfs2: fix ocfs2 read inode data panic in ocfs2_iget
mfd: da9063: Fix OTP control register names to match datasheets for DA9063/63L
mfd: max77620: Fix swapped FPS_PERIOD_MAX_US values
tty/vt: fix write/write race in ioctl(KDSKBSENT) handler
jbd2: check superblock mapped prior to committing
ext4: actually request zeroing of inode table after grow
ext4: fix ext4_show_options for file systems w/o journal
Btrfs: do not start a transaction at iterate_extent_inodes()
bcache: fix a race between cache register and cacheset unregister
bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim()
ipmi:ssif: compare block number correctly for multi-part return messages
crypto: gcm - Fix error return code in crypto_gcm_create_common()
crypto: gcm - fix incompatibility between "gcm" and "gcm_base"
crypto: salsa20 - don't access already-freed walk.iv
crypto: arm/aes-neonbs - don't access already-freed walk.iv
fib_rules: fix error in backport of e9919a24d302 ("fib_rules: return 0...")
writeback: synchronize sync(2) against cgroup writeback membership switches
fs/writeback.c: use rcu_barrier() to wait for inflight wb switches going into workqueue when umount
ext4: zero out the unused memory region in the extent tree block
ext4: fix data corruption caused by overlapping unaligned and aligned IO
ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug
KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes
Linux 4.9.178
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
246 lines
6.5 KiB
C
246 lines
6.5 KiB
C
/*
|
|
* Salsa20: Salsa20 stream cipher algorithm
|
|
*
|
|
* Copyright (c) 2007 Tan Swee Heng <thesweeheng@gmail.com>
|
|
*
|
|
* Derived from:
|
|
* - salsa20.c: Public domain C code by Daniel J. Bernstein <djb@cr.yp.to>
|
|
*
|
|
* Salsa20 is a stream cipher candidate in eSTREAM, the ECRYPT Stream
|
|
* Cipher Project. It is designed by Daniel J. Bernstein <djb@cr.yp.to>.
|
|
* More information about eSTREAM and Salsa20 can be found here:
|
|
* http://www.ecrypt.eu.org/stream/
|
|
* http://cr.yp.to/snuffle.html
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License as published by the Free
|
|
* Software Foundation; either version 2 of the License, or (at your option)
|
|
* any later version.
|
|
*
|
|
*/
|
|
|
|
#include <linux/init.h>
|
|
#include <linux/module.h>
|
|
#include <linux/errno.h>
|
|
#include <linux/crypto.h>
|
|
#include <linux/types.h>
|
|
#include <linux/bitops.h>
|
|
#include <crypto/algapi.h>
|
|
#include <asm/byteorder.h>
|
|
|
|
#define SALSA20_IV_SIZE 8U
|
|
#define SALSA20_MIN_KEY_SIZE 16U
|
|
#define SALSA20_MAX_KEY_SIZE 32U
|
|
|
|
/*
|
|
* Start of code taken from D. J. Bernstein's reference implementation.
|
|
* With some modifications and optimizations made to suit our needs.
|
|
*/
|
|
|
|
/*
|
|
salsa20-ref.c version 20051118
|
|
D. J. Bernstein
|
|
Public domain.
|
|
*/
|
|
|
|
#define U32TO8_LITTLE(p, v) \
|
|
{ (p)[0] = (v >> 0) & 0xff; (p)[1] = (v >> 8) & 0xff; \
|
|
(p)[2] = (v >> 16) & 0xff; (p)[3] = (v >> 24) & 0xff; }
|
|
#define U8TO32_LITTLE(p) \
|
|
(((u32)((p)[0]) ) | ((u32)((p)[1]) << 8) | \
|
|
((u32)((p)[2]) << 16) | ((u32)((p)[3]) << 24) )
|
|
|
|
struct salsa20_ctx
|
|
{
|
|
u32 input[16];
|
|
};
|
|
|
|
static void salsa20_wordtobyte(u8 output[64], const u32 input[16])
|
|
{
|
|
u32 x[16];
|
|
int i;
|
|
|
|
memcpy(x, input, sizeof(x));
|
|
for (i = 20; i > 0; i -= 2) {
|
|
x[ 4] ^= rol32((x[ 0] + x[12]), 7);
|
|
x[ 8] ^= rol32((x[ 4] + x[ 0]), 9);
|
|
x[12] ^= rol32((x[ 8] + x[ 4]), 13);
|
|
x[ 0] ^= rol32((x[12] + x[ 8]), 18);
|
|
x[ 9] ^= rol32((x[ 5] + x[ 1]), 7);
|
|
x[13] ^= rol32((x[ 9] + x[ 5]), 9);
|
|
x[ 1] ^= rol32((x[13] + x[ 9]), 13);
|
|
x[ 5] ^= rol32((x[ 1] + x[13]), 18);
|
|
x[14] ^= rol32((x[10] + x[ 6]), 7);
|
|
x[ 2] ^= rol32((x[14] + x[10]), 9);
|
|
x[ 6] ^= rol32((x[ 2] + x[14]), 13);
|
|
x[10] ^= rol32((x[ 6] + x[ 2]), 18);
|
|
x[ 3] ^= rol32((x[15] + x[11]), 7);
|
|
x[ 7] ^= rol32((x[ 3] + x[15]), 9);
|
|
x[11] ^= rol32((x[ 7] + x[ 3]), 13);
|
|
x[15] ^= rol32((x[11] + x[ 7]), 18);
|
|
x[ 1] ^= rol32((x[ 0] + x[ 3]), 7);
|
|
x[ 2] ^= rol32((x[ 1] + x[ 0]), 9);
|
|
x[ 3] ^= rol32((x[ 2] + x[ 1]), 13);
|
|
x[ 0] ^= rol32((x[ 3] + x[ 2]), 18);
|
|
x[ 6] ^= rol32((x[ 5] + x[ 4]), 7);
|
|
x[ 7] ^= rol32((x[ 6] + x[ 5]), 9);
|
|
x[ 4] ^= rol32((x[ 7] + x[ 6]), 13);
|
|
x[ 5] ^= rol32((x[ 4] + x[ 7]), 18);
|
|
x[11] ^= rol32((x[10] + x[ 9]), 7);
|
|
x[ 8] ^= rol32((x[11] + x[10]), 9);
|
|
x[ 9] ^= rol32((x[ 8] + x[11]), 13);
|
|
x[10] ^= rol32((x[ 9] + x[ 8]), 18);
|
|
x[12] ^= rol32((x[15] + x[14]), 7);
|
|
x[13] ^= rol32((x[12] + x[15]), 9);
|
|
x[14] ^= rol32((x[13] + x[12]), 13);
|
|
x[15] ^= rol32((x[14] + x[13]), 18);
|
|
}
|
|
for (i = 0; i < 16; ++i)
|
|
x[i] += input[i];
|
|
for (i = 0; i < 16; ++i)
|
|
U32TO8_LITTLE(output + 4 * i,x[i]);
|
|
}
|
|
|
|
static const char sigma[16] = "expand 32-byte k";
|
|
static const char tau[16] = "expand 16-byte k";
|
|
|
|
static void salsa20_keysetup(struct salsa20_ctx *ctx, const u8 *k, u32 kbytes)
|
|
{
|
|
const char *constants;
|
|
|
|
ctx->input[1] = U8TO32_LITTLE(k + 0);
|
|
ctx->input[2] = U8TO32_LITTLE(k + 4);
|
|
ctx->input[3] = U8TO32_LITTLE(k + 8);
|
|
ctx->input[4] = U8TO32_LITTLE(k + 12);
|
|
if (kbytes == 32) { /* recommended */
|
|
k += 16;
|
|
constants = sigma;
|
|
} else { /* kbytes == 16 */
|
|
constants = tau;
|
|
}
|
|
ctx->input[11] = U8TO32_LITTLE(k + 0);
|
|
ctx->input[12] = U8TO32_LITTLE(k + 4);
|
|
ctx->input[13] = U8TO32_LITTLE(k + 8);
|
|
ctx->input[14] = U8TO32_LITTLE(k + 12);
|
|
ctx->input[0] = U8TO32_LITTLE(constants + 0);
|
|
ctx->input[5] = U8TO32_LITTLE(constants + 4);
|
|
ctx->input[10] = U8TO32_LITTLE(constants + 8);
|
|
ctx->input[15] = U8TO32_LITTLE(constants + 12);
|
|
}
|
|
|
|
static void salsa20_ivsetup(struct salsa20_ctx *ctx, const u8 *iv)
|
|
{
|
|
ctx->input[6] = U8TO32_LITTLE(iv + 0);
|
|
ctx->input[7] = U8TO32_LITTLE(iv + 4);
|
|
ctx->input[8] = 0;
|
|
ctx->input[9] = 0;
|
|
}
|
|
|
|
static void salsa20_encrypt_bytes(struct salsa20_ctx *ctx, u8 *dst,
|
|
const u8 *src, unsigned int bytes)
|
|
{
|
|
u8 buf[64];
|
|
|
|
if (dst != src)
|
|
memcpy(dst, src, bytes);
|
|
|
|
while (bytes) {
|
|
salsa20_wordtobyte(buf, ctx->input);
|
|
|
|
ctx->input[8]++;
|
|
if (!ctx->input[8])
|
|
ctx->input[9]++;
|
|
|
|
if (bytes <= 64) {
|
|
crypto_xor(dst, buf, bytes);
|
|
return;
|
|
}
|
|
|
|
crypto_xor(dst, buf, 64);
|
|
bytes -= 64;
|
|
dst += 64;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* End of code taken from D. J. Bernstein's reference implementation.
|
|
*/
|
|
|
|
static int setkey(struct crypto_tfm *tfm, const u8 *key,
|
|
unsigned int keysize)
|
|
{
|
|
struct salsa20_ctx *ctx = crypto_tfm_ctx(tfm);
|
|
salsa20_keysetup(ctx, key, keysize);
|
|
return 0;
|
|
}
|
|
|
|
static int encrypt(struct blkcipher_desc *desc,
|
|
struct scatterlist *dst, struct scatterlist *src,
|
|
unsigned int nbytes)
|
|
{
|
|
struct blkcipher_walk walk;
|
|
struct crypto_blkcipher *tfm = desc->tfm;
|
|
struct salsa20_ctx *ctx = crypto_blkcipher_ctx(tfm);
|
|
int err;
|
|
|
|
blkcipher_walk_init(&walk, dst, src, nbytes);
|
|
err = blkcipher_walk_virt_block(desc, &walk, 64);
|
|
|
|
salsa20_ivsetup(ctx, desc->info);
|
|
|
|
while (walk.nbytes >= 64) {
|
|
salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
|
|
walk.src.virt.addr,
|
|
walk.nbytes - (walk.nbytes % 64));
|
|
err = blkcipher_walk_done(desc, &walk, walk.nbytes % 64);
|
|
}
|
|
|
|
if (walk.nbytes) {
|
|
salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
|
|
walk.src.virt.addr, walk.nbytes);
|
|
err = blkcipher_walk_done(desc, &walk, 0);
|
|
}
|
|
|
|
return err;
|
|
}
|
|
|
|
static struct crypto_alg alg = {
|
|
.cra_name = "salsa20",
|
|
.cra_driver_name = "salsa20-generic",
|
|
.cra_priority = 100,
|
|
.cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER,
|
|
.cra_type = &crypto_blkcipher_type,
|
|
.cra_blocksize = 1,
|
|
.cra_ctxsize = sizeof(struct salsa20_ctx),
|
|
.cra_alignmask = 3,
|
|
.cra_module = THIS_MODULE,
|
|
.cra_u = {
|
|
.blkcipher = {
|
|
.setkey = setkey,
|
|
.encrypt = encrypt,
|
|
.decrypt = encrypt,
|
|
.min_keysize = SALSA20_MIN_KEY_SIZE,
|
|
.max_keysize = SALSA20_MAX_KEY_SIZE,
|
|
.ivsize = SALSA20_IV_SIZE,
|
|
}
|
|
}
|
|
};
|
|
|
|
static int __init salsa20_generic_mod_init(void)
|
|
{
|
|
return crypto_register_alg(&alg);
|
|
}
|
|
|
|
static void __exit salsa20_generic_mod_fini(void)
|
|
{
|
|
crypto_unregister_alg(&alg);
|
|
}
|
|
|
|
module_init(salsa20_generic_mod_init);
|
|
module_exit(salsa20_generic_mod_fini);
|
|
|
|
MODULE_LICENSE("GPL");
|
|
MODULE_DESCRIPTION ("Salsa20 stream cipher algorithm");
|
|
MODULE_ALIAS_CRYPTO("salsa20");
|
|
MODULE_ALIAS_CRYPTO("salsa20-generic");
|