Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/sys/crypto/siphash/siphash.c
39534 views
1
/*-

2
 * Copyright (c) 2013 Andre Oppermann <[email protected]>

3
 * All rights reserved.

4
 *

5
 * Redistribution and use in source and binary forms, with or without

6
 * modification, are permitted provided that the following conditions

7
 * are met:

8
 * 1. Redistributions of source code must retain the above copyright

9
 *    notice, this list of conditions and the following disclaimer.

10
 * 2. Redistributions in binary form must reproduce the above copyright

11
 *    notice, this list of conditions and the following disclaimer in the

12
 *    documentation and/or other materials provided with the distribution.

13
 * 3. The name of the author may not be used to endorse or promote

14
 *    products derived from this software without specific prior written

15
 *    permission.

16
 *

17
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND

18
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

19
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

20
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

21
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

22
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

23
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

24
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

25
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

26
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

27
 * SUCH DAMAGE.

28
 */

29


30
/*

31
 * SipHash is a family of PRFs SipHash-c-d where the integer parameters c and d

32
 * are the number of compression rounds and the number of finalization rounds.

33
 * A compression round is identical to a finalization round and this round

34
 * function is called SipRound.  Given a 128-bit key k and a (possibly empty)

35
 * byte string m, SipHash-c-d returns a 64-bit value SipHash-c-d(k; m).

36
 *

37
 * Implemented from the paper "SipHash: a fast short-input PRF", 2012.09.18,

38
 * by Jean-Philippe Aumasson and Daniel J. Bernstein,

39
 * Permanent Document ID b9a943a805fbfc6fde808af9fc0ecdfa

40
 * https://131002.net/siphash/siphash.pdf

41
 * https://131002.net/siphash/

42
 */

43


44
#include <sys/param.h>

45
#include <sys/types.h>

46
#include <sys/systm.h>

47
#include <sys/libkern.h>

48
#include <sys/endian.h>

49


50
#include <crypto/siphash/siphash.h>

51


52
static void	SipRounds(SIPHASH_CTX *ctx, int final);

53


54
void

55
SipHash_InitX(SIPHASH_CTX *ctx, int rc, int rf)

56
{

57


58
	ctx->v[0] = 0x736f6d6570736575ull;

59
	ctx->v[1] = 0x646f72616e646f6dull;

60
	ctx->v[2] = 0x6c7967656e657261ull;

61
	ctx->v[3] = 0x7465646279746573ull;

62
	ctx->buf.b64 = 0;

63
	ctx->bytes = 0;

64
	ctx->buflen = 0;

65
	ctx->rounds_compr = rc;

66
	ctx->rounds_final = rf;

67
	ctx->initialized = 1;

68
}

69


70
void

71
SipHash_SetKey(SIPHASH_CTX *ctx, const uint8_t key[static SIPHASH_KEY_LENGTH])

72
{

73
	uint64_t k[2];

74


75
	KASSERT(ctx->v[0] == 0x736f6d6570736575ull &&

76
	    ctx->initialized == 1,

77
	    ("%s: context %p not properly initialized", __func__, ctx));

78


79
	k[0] = le64dec(&key[0]);

80
	k[1] = le64dec(&key[8]);

81


82
	ctx->v[0] ^= k[0];

83
	ctx->v[1] ^= k[1];

84
	ctx->v[2] ^= k[0];

85
	ctx->v[3] ^= k[1];

86


87
	ctx->initialized = 2;

88
}

89


90
static size_t

91
SipBuf(SIPHASH_CTX *ctx, const uint8_t **src, size_t len, int final)

92
{

93
	size_t x = 0;

94


95
	/* handle hashing 0 length buffer - needed for test vectors */

96
	if (len == 0 && final == 0)

97
		return (0);

98


99
	if (final) {

100
		KASSERT(len == 0, ("%s: invalid len param", __func__));

101
		ctx->buf.b8[7] = (uint8_t)ctx->bytes;

102
	} else {

103
		KASSERT((len > 0) && src && *src,

104
			("%s: invalid parameters", __func__));

105
		x = MIN(len, sizeof(ctx->buf.b64) - ctx->buflen);

106
		bcopy(*src, &ctx->buf.b8[ctx->buflen], x);

107
		ctx->buflen += x;

108
		*src += x;

109
	}

110


111
	if (ctx->buflen == 8 || final) {

112
		ctx->v[3] ^= le64toh(ctx->buf.b64);

113
		SipRounds(ctx, 0);

114
		ctx->v[0] ^= le64toh(ctx->buf.b64);

115
		ctx->buf.b64 = 0;

116
		ctx->buflen = 0;

117
	}

118
	return (x);

119
}

120


121
void

122
SipHash_Update(SIPHASH_CTX *ctx, const void *src, size_t len)

123
{

124
	uint64_t m;

125
	const uint64_t *p;

126
	const uint8_t *s;

127
	size_t rem;

128


129
	KASSERT(ctx->initialized == 2,

130
	    ("%s: context %p not properly initialized", __func__, ctx));

131


132
	s = src;

133
	ctx->bytes += len;

134


135
	/*

136
	 * Push length smaller than block size into buffer or

137
	 * fill up the buffer if there is already something

138
	 * in it.

139
	 */

140
	if (ctx->buflen > 0 || len < 8)

141
		len -= SipBuf(ctx, &s, len, 0);

142
	if (len == 0)

143
		return;

144


145
	rem = len & 0x7;

146
	len >>= 3;

147


148
	/* Optimze for 64bit aligned/unaligned access. */

149
	if (((uintptr_t)s & 0x7) == 0) {

150
		for (p = (const uint64_t *)s; len > 0; len--, p++) {

151
			m = le64toh(*p);

152
			ctx->v[3] ^= m;

153
			SipRounds(ctx, 0);

154
			ctx->v[0] ^= m;

155
		}

156
		s = (const uint8_t *)p;

157
	} else {

158
		for (; len > 0; len--, s += 8) {

159
			m = le64dec(s);

160
			ctx->v[3] ^= m;

161
			SipRounds(ctx, 0);

162
			ctx->v[0] ^= m;

163
		}

164
	}

165


166
	/* Push remainder into buffer. */

167
	if (rem > 0)

168
		(void)SipBuf(ctx, &s, rem, 0);

169
}

170


171
void

172
SipHash_Final(uint8_t dst[static SIPHASH_DIGEST_LENGTH], SIPHASH_CTX *ctx)

173
{

174
	uint64_t r;

175


176
	KASSERT(ctx->initialized == 2,

177
	    ("%s: context %p not properly initialized", __func__, ctx));

178


179
	r = SipHash_End(ctx);

180
	le64enc(dst, r);

181
}

182


183
uint64_t

184
SipHash_End(SIPHASH_CTX *ctx)

185
{

186
	uint64_t r;

187


188
	KASSERT(ctx->initialized == 2,

189
	    ("%s: context %p not properly initialized", __func__, ctx));

190


191
	SipBuf(ctx, NULL, 0, 1);

192
	ctx->v[2] ^= 0xff;

193
	SipRounds(ctx, 1);

194
	r = (ctx->v[0] ^ ctx->v[1]) ^ (ctx->v[2] ^ ctx->v[3]);

195


196
	bzero(ctx, sizeof(*ctx));

197
	return (r);

198
}

199


200
uint64_t

201
SipHashX(SIPHASH_CTX *ctx, int rc, int rf,

202
    const uint8_t key[static SIPHASH_KEY_LENGTH], const void *src, size_t len)

203
{

204


205
	SipHash_InitX(ctx, rc, rf);

206
	SipHash_SetKey(ctx, key);

207
	SipHash_Update(ctx, src, len);

208


209
	return (SipHash_End(ctx));

210
}

211


212
#define SIP_ROTL(x, b)	(uint64_t)(((x) << (b)) | ( (x) >> (64 - (b))))

213


214
static void

215
SipRounds(SIPHASH_CTX *ctx, int final)

216
{

217
	int rounds;

218


219
	if (!final)

220
		rounds = ctx->rounds_compr;

221
	else

222
		rounds = ctx->rounds_final;

223


224
	while (rounds--) {

225
		ctx->v[0] += ctx->v[1];

226
		ctx->v[2] += ctx->v[3];

227
		ctx->v[1] = SIP_ROTL(ctx->v[1], 13);

228
		ctx->v[3] = SIP_ROTL(ctx->v[3], 16);

229


230
		ctx->v[1] ^= ctx->v[0];

231
		ctx->v[3] ^= ctx->v[2];

232
		ctx->v[0] = SIP_ROTL(ctx->v[0], 32);

233


234
		ctx->v[2] += ctx->v[1];

235
		ctx->v[0] += ctx->v[3];

236
		ctx->v[1] = SIP_ROTL(ctx->v[1], 17);

237
		ctx->v[3] = SIP_ROTL(ctx->v[3], 21);

238


239
		ctx->v[1] ^= ctx->v[2];

240
		ctx->v[3] ^= ctx->v[0];

241
		ctx->v[2] = SIP_ROTL(ctx->v[2], 32);

242
	}

243
}

244


245


246