kpriv/linux-hardened
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
linux-hardened/crypto
History
Eric Biggers de61d7ae5d crypto: chacha20-generic - add XChaCha20 support 
Add support for the XChaCha20 stream cipher.  XChaCha20 is the
application of the XSalsa20 construction
(https://cr.yp.to/snuffle/xsalsa-20081128.pdf) to ChaCha20 rather than
to Salsa20.  XChaCha20 extends ChaCha20's nonce length from 64 bits (or
96 bits, depending on convention) to 192 bits, while provably retaining
ChaCha20's security.  XChaCha20 uses the ChaCha20 permutation to map the
key and first 128 nonce bits to a 256-bit subkey.  Then, it does the
ChaCha20 stream cipher with the subkey and remaining 64 bits of nonce.

We need XChaCha support in order to add support for the Adiantum
encryption mode.  Note that to meet our performance requirements, we
actually plan to primarily use the variant XChaCha12.  But we believe
it's wise to first add XChaCha20 as a baseline with a higher security
margin, in case there are any situations where it can be used.
Supporting both variants is straightforward.

Since XChaCha20's subkey differs for each request, XChaCha20 can't be a
template that wraps ChaCha20; that would require re-keying the
underlying ChaCha20 for every request, which wouldn't be thread-safe.
Instead, we make XChaCha20 its own top-level algorithm which calls the
ChaCha20 streaming implementation internally.

Similar to the existing ChaCha20 implementation, we define the IV to be
the nonce and stream position concatenated together.  This allows users
to seek to any position in the stream.

I considered splitting the code into separate chacha20-common, chacha20,
and xchacha20 modules, so that chacha20 and xchacha20 could be
enabled/disabled independently.  However, since nearly all the code is
shared anyway, I ultimately decided there would have been little benefit
to the added complexity of separate modules.

Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-11-20 14:26:55 +08:00
..
asymmetric_keys KEYS: asym_tpm: Add support for the sign operation [ver #2] 2018-10-26 09:30:47 +01:00
async_tx async_pq: Remove VLA usage 2018-06-18 20:17:38 +05:30
842.c crypto: acomp - add support for 842 via scomp 2016-10-25 11:08:33 +08:00
ablkcipher.c crypto: user - clean up report structure copying 2018-11-09 17:41:39 +08:00
acompress.c crypto: user - clean up report structure copying 2018-11-09 17:41:39 +08:00
aead.c crypto: user - clean up report structure copying 2018-11-09 17:41:39 +08:00
aegis.h crypto: aegis/generic - fix for big endian systems 2018-10-08 13:44:53 +08:00
aegis128.c crypto: aead - remove useless setting of type flags 2018-07-09 00:30:26 +08:00
aegis128l.c crypto: aead - remove useless setting of type flags 2018-07-09 00:30:26 +08:00
aegis256.c crypto: aead - remove useless setting of type flags 2018-07-09 00:30:26 +08:00
aes_generic.c crypto: arm/aes - add some hardening against cache-timing attacks 2018-11-09 17:36:48 +08:00
aes_ti.c crypto: aes_ti - disable interrupts while accessing S-box 2018-11-09 17:36:48 +08:00
af_alg.c Revert "net: simplify sock_poll_wait" 2018-10-23 10:57:06 -07:00
ahash.c crypto: user - clean up report structure copying 2018-11-09 17:41:39 +08:00
akcipher.c crypto: user - clean up report structure copying 2018-11-09 17:41:39 +08:00
algapi.c crypto: user - Implement a generic crypto statistics 2018-09-28 12:46:25 +08:00
algboss.c crypto: api - Introduce notifier for new crypto algorithms 2018-09-04 11:37:04 +08:00
algif_aead.c crypto: null - Remove VLA usage of skcipher 2018-09-28 12:46:08 +08:00
algif_hash.c crypto: hash - Remove VLA usage 2018-09-04 11:35:03 +08:00
algif_rng.c net: remove sock_no_poll 2018-05-26 09:16:44 +02:00
algif_skcipher.c Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL 2018-06-28 10:40:47 -07:00
ansi_cprng.c crypto: ansi_cprng - Convert to new rng interface 2015-04-22 09:30:18 +08:00
anubis.c crypto: prefix module autoloading with "crypto-" 2014-11-24 22:43:57 +08:00
api.c evm: Don't deadlock if a crypto algorithm is unavailable 2018-07-18 07:27:22 -04:00
arc4.c crypto: prefix module autoloading with "crypto-" 2014-11-24 22:43:57 +08:00
authenc.c crypto: null - Remove VLA usage of skcipher 2018-09-28 12:46:08 +08:00
authencesn.c crypto: null - Remove VLA usage of skcipher 2018-09-28 12:46:08 +08:00
blkcipher.c crypto: user - clean up report structure copying 2018-11-09 17:41:39 +08:00
blowfish_common.c
blowfish_generic.c crypto: add missing crypto module aliases 2015-01-13 22:29:11 +11:00
camellia_generic.c crypto: replace FSF address with web source in license notices 2017-11-29 17:33:25 +11:00
cast5_generic.c crypto: replace FSF address with web source in license notices 2017-11-29 17:33:25 +11:00
cast6_generic.c crypto: replace FSF address with web source in license notices 2017-11-29 17:33:25 +11:00
cast_common.c
cbc.c crypto: cbc - Propagate NEED_FALLBACK bit 2017-03-09 18:34:39 +08:00
ccm.c crypto: ccm - Remove VLA usage 2018-09-04 11:35:03 +08:00
cfb.c crypto: cfb - fix decryption 2018-11-09 17:40:59 +08:00
chacha20_generic.c crypto: chacha20-generic - add XChaCha20 support 2018-11-20 14:26:55 +08:00
chacha20poly1305.c crypto: chacha20poly1305 - export CHACHAPOLY_IV_SIZE 2018-11-16 14:11:03 +08:00
cipher.c crypto: remove several VLAs 2018-04-21 00:58:34 +08:00
cmac.c crypto: algapi - make crypto_xor() and crypto_inc() alignment agnostic 2017-02-11 17:52:28 +08:00
compress.c crypto: api - Remove no-op exit_ops code 2016-10-21 11:03:42 +08:00
crc32_generic.c crypto: crc32-generic - remove __crc32_le() 2018-05-27 00:12:09 +08:00
crc32c_generic.c crypto: crc32c-generic - remove cra_alignmask 2018-05-27 00:12:08 +08:00
crct10dif_common.c
crct10dif_generic.c crypto: squash lines for simple wrapper functions 2016-09-13 20:27:26 +08:00
cryptd.c crypto: cryptd - Remove VLA usage of skcipher 2018-09-28 12:46:08 +08:00
crypto_engine.c crypto: engine - Permit to enqueue all async requests 2018-02-15 23:26:50 +08:00
crypto_null.c crypto: null - Remove VLA usage of skcipher 2018-09-28 12:46:08 +08:00
crypto_user_base.c crypto: user - clean up report structure copying 2018-11-09 17:41:39 +08:00
crypto_user_stat.c crypto: user - clean up report structure copying 2018-11-09 17:41:39 +08:00
crypto_wq.c
ctr.c crypto: remove several VLAs 2018-04-21 00:58:34 +08:00
cts.c crypto: remove several VLAs 2018-04-21 00:58:34 +08:00
deflate.c crypto: scomp - add support for deflate rfc1950 (zlib) 2017-04-24 18:11:08 +08:00
des_generic.c crypto: add missing crypto module aliases 2015-01-13 22:29:11 +11:00
dh.c crypto: dh - fix memory leak 2018-07-20 13:51:21 +08:00
dh_helper.c crypto: dh - make crypto_dh_encode_key() make robust 2018-08-03 18:06:06 +08:00
drbg.c crypto: drbg - in-place cipher operation for CTR 2018-08-03 18:05:48 +08:00
ecb.c crypto: include crypto- module prefix in template 2014-11-26 20:06:30 +08:00
ecc.c crypto: ecc - regularize scalar for scalar multiplication 2018-11-16 14:11:04 +08:00
ecc.h crypto: ecc - Actually remove stack VLA usage 2018-04-21 00:58:29 +08:00
ecc_curve_defs.h crypto: ecdh - fix typo of P-192 b value 2018-07-20 13:51:22 +08:00
ecdh.c crypto: ecc - Actually remove stack VLA usage 2018-04-21 00:58:29 +08:00
ecdh_helper.c crypto: ecdh - return unsigned value for crypto_ecdh_key_len() 2017-10-12 22:55:00 +08:00
echainiv.c crypto: null - Remove VLA usage of skcipher 2018-09-28 12:46:08 +08:00
fcrypt.c crypto: prefix module autoloading with "crypto-" 2014-11-24 22:43:57 +08:00
fips.c crypto: fips - Move fips_enabled sysctl into fips.c 2015-04-23 14:18:09 +08:00
gcm.c crypto: null - Remove VLA usage of skcipher 2018-09-28 12:46:08 +08:00
gf128mul.c crypto: gf128mul - remove incorrect comment 2017-12-22 19:52:40 +11:00
ghash-generic.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
hash_info.c crypto: streebog - register Streebog in hash info for IMA 2018-11-16 14:09:40 +08:00
hmac.c crypto: hmac - require that the underlying hash algorithm is unkeyed 2017-11-29 13:39:15 +11:00
internal.h crypto: api - Introduce notifier for new crypto algorithms 2018-09-04 11:37:04 +08:00
jitterentropy-kcapi.c crypto: jitterentropy - drop duplicate header module.h 2016-11-17 23:34:52 +08:00
jitterentropy.c crypto: jitterentropy - Delete unnecessary checks before the function call "kzfree" 2015-06-25 23:18:33 +08:00
Kconfig crypto: chacha20-generic - add XChaCha20 support 2018-11-20 14:26:55 +08:00
keywrap.c crypto: keywrap - Add missing ULL suffixes for 64-bit constants 2017-11-29 17:33:26 +11:00
khazad.c crypto: prefix module autoloading with "crypto-" 2014-11-24 22:43:57 +08:00
kpp.c crypto: user - clean up report structure copying 2018-11-09 17:41:39 +08:00
lrw.c crypto: lrw - fix rebase error after out of bounds fix 2018-10-05 10:22:48 +08:00
lz4.c crypto: remove useless initializations of cra_list 2018-11-20 14:26:55 +08:00
lz4hc.c crypto: remove useless initializations of cra_list 2018-11-20 14:26:55 +08:00
lzo.c treewide: use kv[mz]alloc* rather than opencoded variants 2017-05-08 17:15:13 -07:00
Makefile crypto: streebog - add Streebog hash function 2018-11-16 14:09:40 +08:00
md4.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
md5.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
memneq.c
michael_mic.c crypto: prefix module autoloading with "crypto-" 2014-11-24 22:43:57 +08:00
morus640.c crypto: morus/generic - fix for big endian systems 2018-10-08 13:44:53 +08:00
morus1280.c crypto: morus/generic - fix for big endian systems 2018-10-08 13:44:53 +08:00
ofb.c crypto: ofb - add output feedback mode 2018-09-28 12:46:26 +08:00
pcbc.c crypto: remove several VLAs 2018-04-21 00:58:34 +08:00
pcrypt.c pcrypt: use format specifier in kobject_add 2018-11-09 17:41:39 +08:00
poly1305_generic.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
proc.c proc: introduce proc_create_seq{,_data} 2018-05-16 07:23:35 +02:00
ripemd.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
rmd128.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
rmd160.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
rmd256.c crypto: rmd256 - use swap macro in rmd256_transform 2018-07-27 19:28:36 +08:00
rmd320.c crypto: rmd320 - use swap macro in rmd320_transform 2018-07-27 19:28:36 +08:00
rng.c crypto: user - clean up report structure copying 2018-11-09 17:41:39 +08:00
rsa-pkcs1pad.c crypto: rsa-pkcs1pad: Allow hash to be optional [ver #2] 2018-10-26 09:30:46 +01:00
rsa.c crypto: rsa - Remove unneeded error assignment 2018-04-21 00:58:37 +08:00
rsa_helper.c kbuild: rename *-asn1.[ch] to *.asn1.[ch] 2018-04-07 19:04:02 +09:00
rsaprivkey.asn1 crypto: rsa - Store rest of the private key components 2016-07-05 23:05:26 +08:00
rsapubkey.asn1 crypto: akcipher - Changes to asymmetric key API 2015-10-14 22:23:16 +08:00
salsa20_generic.c crypto: salsa20 - Revert "crypto: salsa20 - export generic helpers" 2018-05-31 00:13:57 +08:00
scatterwalk.c crypto: scatterwalk - remove 'chain' argument from scatterwalk_crypto_chain() 2018-08-03 18:06:03 +08:00
scompress.c crypto: user - clean up report structure copying 2018-11-09 17:41:39 +08:00
seed.c crypto: prefix module autoloading with "crypto-" 2014-11-24 22:43:57 +08:00
seqiv.c crypto: null - Remove VLA usage of skcipher 2018-09-28 12:46:08 +08:00
serpent_generic.c crypto: serpent - improve __serpent_setkey with UBSAN 2017-08-09 20:17:54 +08:00
sha1_generic.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
sha3_generic.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux 2018-08-03 17:55:12 +08:00
sha256_generic.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
sha512_generic.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
shash.c crypto: user - clean up report structure copying 2018-11-09 17:41:39 +08:00
simd.c crypto: simd - correctly take reqsize of wrapped skcipher into account 2018-11-09 17:35:43 +08:00
skcipher.c crypto: user - clean up report structure copying 2018-11-09 17:41:39 +08:00
sm3_generic.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
sm4_generic.c crypto: sm4 - export encrypt/decrypt routines to other drivers 2018-05-05 14:52:51 +08:00
streebog_generic.c crypto: streebog - add Streebog hash function 2018-11-16 14:09:40 +08:00
tcrypt.c crypto: streebog - add Streebog test vectors 2018-11-16 14:11:02 +08:00
tcrypt.h crypto: testmgr - update sm4 test vectors 2018-09-28 12:46:26 +08:00
tea.c crypto: add missing crypto module aliases 2015-01-13 22:29:11 +11:00
testmgr.c crypto: chacha20-generic - add XChaCha20 support 2018-11-20 14:26:55 +08:00
testmgr.h crypto: chacha20-generic - add XChaCha20 support 2018-11-20 14:26:55 +08:00
tgr192.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
twofish_common.c crypto: replace FSF address with web source in license notices 2017-11-29 17:33:25 +11:00
twofish_generic.c crypto: replace FSF address with web source in license notices 2017-11-29 17:33:25 +11:00
vmac.c crypto: vmac - remove insecure version with hardcoded nonce 2018-07-01 21:00:44 +08:00
wp512.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
xcbc.c crypto: xcbc - Remove VLA usage 2018-09-04 11:35:03 +08:00
xor.c kmemcheck: stop using GFP_NOTRACK and SLAB_NOTRACK 2017-11-15 18:21:04 -08:00
xts.c crypto: xts - Drop use of auxiliary buffer 2018-09-21 13:24:50 +08:00
zstd.c crypto: zstd - Add zstd support 2018-04-21 00:58:30 +08:00