1/*	$OpenBSD: siphash.c,v 1.5 2018/01/05 19:05:09 mikeb Exp $ */
2
3/*-
4 * Copyright (c) 2013 Andre Oppermann <andre@FreeBSD.org>
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 *    notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 *    notice, this list of conditions and the following disclaimer in the
14 *    documentation and/or other materials provided with the distribution.
15 * 3. The name of the author may not be used to endorse or promote
16 *    products derived from this software without specific prior written
17 *    permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32/*
33 * SipHash is a family of PRFs SipHash-c-d where the integer parameters c and d
34 * are the number of compression rounds and the number of finalization rounds.
35 * A compression round is identical to a finalization round and this round
36 * function is called SipRound.  Given a 128-bit key k and a (possibly empty)
37 * byte string m, SipHash-c-d returns a 64-bit value SipHash-c-d(k; m).
38 *
39 * Implemented from the paper "SipHash: a fast short-input PRF", 2012.09.18,
40 * by Jean-Philippe Aumasson and Daniel J. Bernstein,
41 * Permanent Document ID b9a943a805fbfc6fde808af9fc0ecdfa
42 * https://131002.net/siphash/siphash.pdf
43 * https://131002.net/siphash/
44 */
45
46#include <sys/param.h>
47#include <sys/systm.h>
48
49#include <crypto/siphash.h>
50
51static void	SipHash_CRounds(SIPHASH_CTX *, int);
52static void	SipHash_Rounds(SIPHASH_CTX *, int);
53
/*
 * Prepare ctx for a fresh message under the 128-bit key.
 *
 * Both key halves are loaded via lemtoh64(), i.e. interpreted in
 * little-endian byte order as the SipHash paper specifies.  The four state
 * words are the paper's ASCII constants "somepseudorandomlygeneratedbytes"
 * XORed with k0, k1, k0, k1 respectively.
 *
 * SipHash is a PRF: its output is only unpredictable to an attacker if the
 * key is secret and uniformly random.  Callers must generate the key with a
 * proper CSPRNG and must not treat SipHash as a collision-resistant hash.
 */
void
SipHash_Init(SIPHASH_CTX *ctx, const SIPHASH_KEY *key)
{
	/* "somepseu" "dorandom" "lygenera" "tedbytes" */
	static const uint64_t iv[4] = {
		0x736f6d6570736575ULL,
		0x646f72616e646f6dULL,
		0x6c7967656e657261ULL,
		0x7465646279746573ULL,
	};
	uint64_t k[2];
	int i;

	k[0] = lemtoh64(&key->k0);
	k[1] = lemtoh64(&key->k1);

	/* v0, v2 take k0; v1, v3 take k1. */
	for (i = 0; i < 4; i++)
		ctx->v[i] = iv[i] ^ k[i & 1];

	/* Empty pending block, zero bytes absorbed so far. */
	memset(ctx->buf, 0, sizeof(ctx->buf));
	ctx->bytes = 0;
}
70
/*
 * Absorb len bytes from src into ctx, running rc compression rounds per
 * full 8-byte block.  May be called any number of times between
 * SipHash_Init() and SipHash_End(); a partial trailing block is kept in
 * ctx->buf until more data arrives or the hash is finalized.
 *
 * rf (the finalization round count) is accepted only so that the signature
 * mirrors SipHash_End(); it is not used here.
 *
 * ctx->bytes is consulted only modulo the block size here and only through
 * its low byte in SipHash_End(), so a narrow counter wrapping around is
 * harmless -- the length byte the paper prescribes is len mod 256.
 */
void
SipHash_Update(SIPHASH_CTX *ctx, int rc, int rf, const void *src, size_t len)
{
	const uint8_t *in = src;
	size_t fill;

	if (len == 0)
		return;

	fill = ctx->bytes % sizeof(ctx->buf);
	ctx->bytes += len;

	/* Top up a partially filled block before anything else. */
	if (fill != 0) {
		size_t room = sizeof(ctx->buf) - fill;

		if (len < room) {
			/* Still not a full block; park it and come back later. */
			memcpy(&ctx->buf[fill], in, len);
			return;
		}
		memcpy(&ctx->buf[fill], in, room);
		SipHash_CRounds(ctx, rc);
		in += room;
		len -= room;
	}

	/* Whole blocks go through the buffer one at a time. */
	for (; len >= sizeof(ctx->buf); len -= sizeof(ctx->buf)) {
		memcpy(ctx->buf, in, sizeof(ctx->buf));
		SipHash_CRounds(ctx, rc);
		in += sizeof(ctx->buf);
	}

	/* Whatever is left starts a new partial block. */
	if (len != 0)
		memcpy(ctx->buf, in, len);
}
107
/*
 * Finalize ctx and write the 64-bit tag to dst as 8 bytes in little-endian
 * order (htolem64), which is the byte order the paper's test vectors use.
 * dst must provide at least 8 bytes.  Like SipHash_End(), this wipes ctx;
 * it must be re-initialized before further use.
 */
void
SipHash_Final(void *dst, SIPHASH_CTX *ctx, int rc, int rf)
{
	uint64_t tag = SipHash_End(ctx, rc, rf);
	uint64_t le;

	htolem64(&le, tag);
	memcpy(dst, &le, sizeof(le));
}
116
/*
 * Finalize ctx with rc compression rounds on the last block and rf
 * finalization rounds, and return the 64-bit tag as a host-order integer.
 *
 * The last block is the pending tail, zero padding, and the message length
 * mod 256 in the top byte (only the low byte of ctx->bytes is stored, which
 * is exactly what the paper prescribes).
 *
 * The context, which holds key-derived state, is wiped with explicit_bzero()
 * before returning; ctx is unusable afterwards until SipHash_Init() is
 * called on it again.  Calling SipHash_End() twice on the same ctx yields
 * garbage, not the same tag.
 */
uint64_t
SipHash_End(SIPHASH_CTX *ctx, int rc, int rf)
{
	size_t fill = ctx->bytes % sizeof(ctx->buf);
	uint64_t tag;

	/* Zero everything after the pending bytes except the length slot. */
	memset(&ctx->buf[fill], 0, sizeof(ctx->buf) - fill - 1);
	ctx->buf[7] = ctx->bytes;	/* len mod 256 */

	SipHash_CRounds(ctx, rc);
	ctx->v[2] ^= 0xff;		/* domain separation before finalization */
	SipHash_Rounds(ctx, rf);

	tag = ctx->v[0] ^ ctx->v[1] ^ ctx->v[2] ^ ctx->v[3];

	/* Do not leave key-derived state behind. */
	explicit_bzero(ctx, sizeof(*ctx));
	return (tag);
}
136
/*
 * One-shot SipHash-rc-rf of len bytes at src under key, returned as a
 * host-order 64-bit integer.  The stack context is wiped by SipHash_End()
 * before this returns, so no key-derived state outlives the call.
 */
uint64_t
SipHash(const SIPHASH_KEY *key, int rc, int rf, const void *src, size_t len)
{
	SIPHASH_CTX ctx;
	uint64_t tag;

	SipHash_Init(&ctx, key);
	SipHash_Update(&ctx, rc, rf, src, len);
	tag = SipHash_End(&ctx, rc, rf);	/* also zeroes ctx */

	return (tag);
}
146
147#define SIP_ROTL(x, b) ((x) << (b)) | ( (x) >> (64 - (b)))
148
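/*
 * Apply the paper's SipRound to the state `rounds` times.  The same round
 * is used for compression (rc per message block) and finalization (rf at
 * the end); SipHash-2-4 means rc = 2, rf = 4.
 *
 * rounds must be positive.  The loop is written as a counted `for` rather
 * than `while (rounds--)`, which for a negative argument would decrement
 * past INT_MIN (signed overflow, undefined) while spinning ~2^31 times.
 * A non-positive count now performs no rounds; callers are still expected
 * to pass the documented parameters, since fewer rounds weakens the PRF.
 */
static void
SipHash_Rounds(SIPHASH_CTX *ctx, int rounds)
{
	for (; rounds > 0; rounds--) {
		/* First half: add, rotate, xor, then rotate v0. */
		ctx->v[0] += ctx->v[1];
		ctx->v[2] += ctx->v[3];
		ctx->v[1] = SIP_ROTL(ctx->v[1], 13);
		ctx->v[3] = SIP_ROTL(ctx->v[3], 16);

		ctx->v[1] ^= ctx->v[0];
		ctx->v[3] ^= ctx->v[2];
		ctx->v[0] = SIP_ROTL(ctx->v[0], 32);

		/* Second half mirrors the first with the lanes crossed. */
		ctx->v[2] += ctx->v[1];
		ctx->v[0] += ctx->v[3];
		ctx->v[1] = SIP_ROTL(ctx->v[1], 17);
		ctx->v[3] = SIP_ROTL(ctx->v[3], 21);

		ctx->v[1] ^= ctx->v[2];
		ctx->v[3] ^= ctx->v[0];
		ctx->v[2] = SIP_ROTL(ctx->v[2], 32);
	}
}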
172
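/*
 * Compress the 8-byte block currently in ctx->buf: xor it into v3, run
 * `rounds` SipRounds, then xor it into v0 (the paper's compression step).
 *
 * The block is decoded as a little-endian word byte by byte instead of
 * through a uint64_t * cast of the uint8_t buffer.  The cast relied on the
 * buffer being suitably aligned and on the compiler tolerating the aliasing;
 * the byte loop is endian-neutral and needs neither assumption.
 */
static void
SipHash_CRounds(SIPHASH_CTX *ctx, int rounds)
{
	uint64_t m = 0;
	size_t i;

	for (i = 0; i < sizeof(ctx->buf); i++)
		m |= (uint64_t)ctx->buf[i] << (8 * i);

	ctx->v[3] ^= m;
	SipHash_Rounds(ctx, rounds);
	ctx->v[0] ^= m;
}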
182