^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) // SPDX-License-Identifier: GPL-2.0 OR MIT
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) * This is an implementation of the ChaCha20Poly1305 AEAD construction.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) * Information: https://tools.ietf.org/html/rfc8439
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) #include <crypto/algapi.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) #include <crypto/chacha20poly1305.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) #include <crypto/chacha.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) #include <crypto/poly1305.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) #include <crypto/scatterwalk.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) #include <asm/unaligned.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) #include <linux/kernel.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) #include <linux/init.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) #include <linux/mm.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) #include <linux/module.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) #define CHACHA_KEY_WORDS (CHACHA_KEY_SIZE / sizeof(u32))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) static void chacha_load_key(u32 *k, const u8 *in)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) k[0] = get_unaligned_le32(in);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) k[1] = get_unaligned_le32(in + 4);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) k[2] = get_unaligned_le32(in + 8);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) k[3] = get_unaligned_le32(in + 12);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) k[4] = get_unaligned_le32(in + 16);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) k[5] = get_unaligned_le32(in + 20);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) k[6] = get_unaligned_le32(in + 24);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) k[7] = get_unaligned_le32(in + 28);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36) static void xchacha_init(u32 *chacha_state, const u8 *key, const u8 *nonce)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) u32 k[CHACHA_KEY_WORDS];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39) u8 iv[CHACHA_IV_SIZE];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41) memset(iv, 0, 8);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42) memcpy(iv + 8, nonce + 16, 8);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44) chacha_load_key(k, key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46) /* Compute the subkey given the original key and first 128 nonce bits */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) chacha_init(chacha_state, k, nonce);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48) hchacha_block(chacha_state, k, 20);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) chacha_init(chacha_state, k, iv);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52) memzero_explicit(k, sizeof(k));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53) memzero_explicit(iv, sizeof(iv));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56) static void
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57) __chacha20poly1305_encrypt(u8 *dst, const u8 *src, const size_t src_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58) const u8 *ad, const size_t ad_len, u32 *chacha_state)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60) const u8 *pad0 = page_address(ZERO_PAGE(0));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61) struct poly1305_desc_ctx poly1305_state;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62) union {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63) u8 block0[POLY1305_KEY_SIZE];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 64) __le64 lens[2];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 65) } b;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 66)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 67) chacha20_crypt(chacha_state, b.block0, pad0, sizeof(b.block0));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68) poly1305_init(&poly1305_state, b.block0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70) poly1305_update(&poly1305_state, ad, ad_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71) if (ad_len & 0xf)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72) poly1305_update(&poly1305_state, pad0, 0x10 - (ad_len & 0xf));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 73)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 74) chacha20_crypt(chacha_state, dst, src, src_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 76) poly1305_update(&poly1305_state, dst, src_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 77) if (src_len & 0xf)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 78) poly1305_update(&poly1305_state, pad0, 0x10 - (src_len & 0xf));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 79)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 80) b.lens[0] = cpu_to_le64(ad_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 81) b.lens[1] = cpu_to_le64(src_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 82) poly1305_update(&poly1305_state, (u8 *)b.lens, sizeof(b.lens));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 83)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 84) poly1305_final(&poly1305_state, dst + src_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 85)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 86) memzero_explicit(chacha_state, CHACHA_STATE_WORDS * sizeof(u32));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 87) memzero_explicit(&b, sizeof(b));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 88) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 89)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 90) void chacha20poly1305_encrypt(u8 *dst, const u8 *src, const size_t src_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 91) const u8 *ad, const size_t ad_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 92) const u64 nonce,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 93) const u8 key[CHACHA20POLY1305_KEY_SIZE])
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 94) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 95) u32 chacha_state[CHACHA_STATE_WORDS];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 96) u32 k[CHACHA_KEY_WORDS];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 97) __le64 iv[2];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 98)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 99) chacha_load_key(k, key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101) iv[0] = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 102) iv[1] = cpu_to_le64(nonce);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 103)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104) chacha_init(chacha_state, k, (u8 *)iv);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 105) __chacha20poly1305_encrypt(dst, src, src_len, ad, ad_len, chacha_state);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 106)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 107) memzero_explicit(iv, sizeof(iv));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 108) memzero_explicit(k, sizeof(k));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 109) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 110) EXPORT_SYMBOL(chacha20poly1305_encrypt);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 111)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 112) void xchacha20poly1305_encrypt(u8 *dst, const u8 *src, const size_t src_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 113) const u8 *ad, const size_t ad_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 114) const u8 nonce[XCHACHA20POLY1305_NONCE_SIZE],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 115) const u8 key[CHACHA20POLY1305_KEY_SIZE])
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 116) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 117) u32 chacha_state[CHACHA_STATE_WORDS];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 118)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 119) xchacha_init(chacha_state, key, nonce);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 120) __chacha20poly1305_encrypt(dst, src, src_len, ad, ad_len, chacha_state);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 121) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 122) EXPORT_SYMBOL(xchacha20poly1305_encrypt);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 123)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 124) static bool
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 125) __chacha20poly1305_decrypt(u8 *dst, const u8 *src, const size_t src_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 126) const u8 *ad, const size_t ad_len, u32 *chacha_state)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 127) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 128) const u8 *pad0 = page_address(ZERO_PAGE(0));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 129) struct poly1305_desc_ctx poly1305_state;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 130) size_t dst_len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 131) int ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 132) union {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133) u8 block0[POLY1305_KEY_SIZE];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 134) u8 mac[POLY1305_DIGEST_SIZE];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 135) __le64 lens[2];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 136) } b;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 137)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 138) if (unlikely(src_len < POLY1305_DIGEST_SIZE))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 139) return false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 140)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 141) chacha20_crypt(chacha_state, b.block0, pad0, sizeof(b.block0));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 142) poly1305_init(&poly1305_state, b.block0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 143)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 144) poly1305_update(&poly1305_state, ad, ad_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 145) if (ad_len & 0xf)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 146) poly1305_update(&poly1305_state, pad0, 0x10 - (ad_len & 0xf));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 147)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 148) dst_len = src_len - POLY1305_DIGEST_SIZE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 149) poly1305_update(&poly1305_state, src, dst_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 150) if (dst_len & 0xf)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 151) poly1305_update(&poly1305_state, pad0, 0x10 - (dst_len & 0xf));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 152)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 153) b.lens[0] = cpu_to_le64(ad_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 154) b.lens[1] = cpu_to_le64(dst_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 155) poly1305_update(&poly1305_state, (u8 *)b.lens, sizeof(b.lens));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 156)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 157) poly1305_final(&poly1305_state, b.mac);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 158)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 159) ret = crypto_memneq(b.mac, src + dst_len, POLY1305_DIGEST_SIZE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 160) if (likely(!ret))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 161) chacha20_crypt(chacha_state, dst, src, dst_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 162)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 163) memzero_explicit(&b, sizeof(b));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 164)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 165) return !ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 166) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 167)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 168) bool chacha20poly1305_decrypt(u8 *dst, const u8 *src, const size_t src_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 169) const u8 *ad, const size_t ad_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 170) const u64 nonce,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 171) const u8 key[CHACHA20POLY1305_KEY_SIZE])
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 172) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 173) u32 chacha_state[CHACHA_STATE_WORDS];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 174) u32 k[CHACHA_KEY_WORDS];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 175) __le64 iv[2];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 176) bool ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 177)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 178) chacha_load_key(k, key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 179)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 180) iv[0] = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 181) iv[1] = cpu_to_le64(nonce);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 182)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 183) chacha_init(chacha_state, k, (u8 *)iv);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 184) ret = __chacha20poly1305_decrypt(dst, src, src_len, ad, ad_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 185) chacha_state);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 186)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 187) memzero_explicit(chacha_state, sizeof(chacha_state));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 188) memzero_explicit(iv, sizeof(iv));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 189) memzero_explicit(k, sizeof(k));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 190) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 191) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 192) EXPORT_SYMBOL(chacha20poly1305_decrypt);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 193)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 194) bool xchacha20poly1305_decrypt(u8 *dst, const u8 *src, const size_t src_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 195) const u8 *ad, const size_t ad_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 196) const u8 nonce[XCHACHA20POLY1305_NONCE_SIZE],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 197) const u8 key[CHACHA20POLY1305_KEY_SIZE])
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 198) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 199) u32 chacha_state[CHACHA_STATE_WORDS];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 200)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 201) xchacha_init(chacha_state, key, nonce);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 202) return __chacha20poly1305_decrypt(dst, src, src_len, ad, ad_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 203) chacha_state);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 204) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 205) EXPORT_SYMBOL(xchacha20poly1305_decrypt);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 206)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 207) static
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 208) bool chacha20poly1305_crypt_sg_inplace(struct scatterlist *src,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 209) const size_t src_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 210) const u8 *ad, const size_t ad_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 211) const u64 nonce,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 212) const u8 key[CHACHA20POLY1305_KEY_SIZE],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 213) int encrypt)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 214) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 215) const u8 *pad0 = page_address(ZERO_PAGE(0));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 216) struct poly1305_desc_ctx poly1305_state;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 217) u32 chacha_state[CHACHA_STATE_WORDS];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 218) struct sg_mapping_iter miter;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 219) size_t partial = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 220) unsigned int flags;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 221) bool ret = true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 222) int sl;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 223) union {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 224) struct {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 225) u32 k[CHACHA_KEY_WORDS];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 226) __le64 iv[2];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 227) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 228) u8 block0[POLY1305_KEY_SIZE];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 229) u8 chacha_stream[CHACHA_BLOCK_SIZE];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 230) struct {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 231) u8 mac[2][POLY1305_DIGEST_SIZE];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 232) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 233) __le64 lens[2];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 234) } b __aligned(16);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 235)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 236) if (WARN_ON(src_len > INT_MAX))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 237) return false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 238)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 239) chacha_load_key(b.k, key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 240)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 241) b.iv[0] = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 242) b.iv[1] = cpu_to_le64(nonce);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 243)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 244) chacha_init(chacha_state, b.k, (u8 *)b.iv);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 245) chacha20_crypt(chacha_state, b.block0, pad0, sizeof(b.block0));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 246) poly1305_init(&poly1305_state, b.block0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 247)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 248) if (unlikely(ad_len)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 249) poly1305_update(&poly1305_state, ad, ad_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 250) if (ad_len & 0xf)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 251) poly1305_update(&poly1305_state, pad0, 0x10 - (ad_len & 0xf));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 252) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 253)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 254) flags = SG_MITER_TO_SG | SG_MITER_ATOMIC;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 255)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 256) sg_miter_start(&miter, src, sg_nents(src), flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 257)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 258) for (sl = src_len; sl > 0 && sg_miter_next(&miter); sl -= miter.length) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 259) u8 *addr = miter.addr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 260) size_t length = min_t(size_t, sl, miter.length);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 261)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 262) if (!encrypt)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 263) poly1305_update(&poly1305_state, addr, length);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 264)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 265) if (unlikely(partial)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 266) size_t l = min(length, CHACHA_BLOCK_SIZE - partial);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 267)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 268) crypto_xor(addr, b.chacha_stream + partial, l);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 269) partial = (partial + l) & (CHACHA_BLOCK_SIZE - 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 270)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 271) addr += l;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 272) length -= l;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 273) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 274)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 275) if (likely(length >= CHACHA_BLOCK_SIZE || length == sl)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 276) size_t l = length;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 277)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 278) if (unlikely(length < sl))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 279) l &= ~(CHACHA_BLOCK_SIZE - 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 280) chacha20_crypt(chacha_state, addr, addr, l);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 281) addr += l;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 282) length -= l;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 283) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 284)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 285) if (unlikely(length > 0)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 286) chacha20_crypt(chacha_state, b.chacha_stream, pad0,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 287) CHACHA_BLOCK_SIZE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 288) crypto_xor(addr, b.chacha_stream, length);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 289) partial = length;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 290) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 291)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 292) if (encrypt)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 293) poly1305_update(&poly1305_state, miter.addr,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 294) min_t(size_t, sl, miter.length));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 295) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 296)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 297) if (src_len & 0xf)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 298) poly1305_update(&poly1305_state, pad0, 0x10 - (src_len & 0xf));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 299)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 300) b.lens[0] = cpu_to_le64(ad_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 301) b.lens[1] = cpu_to_le64(src_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 302) poly1305_update(&poly1305_state, (u8 *)b.lens, sizeof(b.lens));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 303)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 304) if (likely(sl <= -POLY1305_DIGEST_SIZE)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 305) if (encrypt) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 306) poly1305_final(&poly1305_state,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 307) miter.addr + miter.length + sl);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 308) ret = true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 309) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 310) poly1305_final(&poly1305_state, b.mac[0]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 311) ret = !crypto_memneq(b.mac[0],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 312) miter.addr + miter.length + sl,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 313) POLY1305_DIGEST_SIZE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 314) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 315) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 316)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 317) sg_miter_stop(&miter);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 318)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 319) if (unlikely(sl > -POLY1305_DIGEST_SIZE)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 320) poly1305_final(&poly1305_state, b.mac[1]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 321) scatterwalk_map_and_copy(b.mac[encrypt], src, src_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 322) sizeof(b.mac[1]), encrypt);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 323) ret = encrypt ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 324) !crypto_memneq(b.mac[0], b.mac[1], POLY1305_DIGEST_SIZE);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 325) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 326)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 327) memzero_explicit(chacha_state, sizeof(chacha_state));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 328) memzero_explicit(&b, sizeof(b));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 329)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 330) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 331) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 332)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 333) bool chacha20poly1305_encrypt_sg_inplace(struct scatterlist *src, size_t src_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 334) const u8 *ad, const size_t ad_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 335) const u64 nonce,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 336) const u8 key[CHACHA20POLY1305_KEY_SIZE])
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 337) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 338) return chacha20poly1305_crypt_sg_inplace(src, src_len, ad, ad_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 339) nonce, key, 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 340) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 341) EXPORT_SYMBOL(chacha20poly1305_encrypt_sg_inplace);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 342)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 343) bool chacha20poly1305_decrypt_sg_inplace(struct scatterlist *src, size_t src_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 344) const u8 *ad, const size_t ad_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 345) const u64 nonce,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 346) const u8 key[CHACHA20POLY1305_KEY_SIZE])
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 347) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 348) if (unlikely(src_len < POLY1305_DIGEST_SIZE))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 349) return false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 350)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 351) return chacha20poly1305_crypt_sg_inplace(src,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 352) src_len - POLY1305_DIGEST_SIZE,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 353) ad, ad_len, nonce, key, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 354) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 355) EXPORT_SYMBOL(chacha20poly1305_decrypt_sg_inplace);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 356)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 357) static int __init mod_init(void)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 358) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 359) if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 360) WARN_ON(!chacha20poly1305_selftest()))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 361) return -ENODEV;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 362) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 363) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 364)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 365) module_init(mod_init);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 366) MODULE_LICENSE("GPL v2");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 367) MODULE_DESCRIPTION("ChaCha20Poly1305 AEAD construction");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 368) MODULE_AUTHOR("Jason A. Donenfeld <Jason@zx2c4.com>");
Orange Pi5 kernel
Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards
3 Commits
0 Branches
0 Tags