1 /* $OpenBSD: siphash.c,v 1.8 2019/01/20 03:53:47 bcook Exp $ */
2
3 /*-
4 * Copyright (c) 2013 Andre Oppermann <andre@FreeBSD.org>
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. The name of the author may not be used to endorse or promote
16 * products derived from this software without specific prior written
17 * permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 /*
33 * SipHash is a family of PRFs SipHash-c-d where the integer parameters c and d
34 * are the number of compression rounds and the number of finalization rounds.
35 * A compression round is identical to a finalization round and this round
36 * function is called SipRound. Given a 128-bit key k and a (possibly empty)
37 * byte string m, SipHash-c-d returns a 64-bit value SipHash-c-d(k; m).
38 *
39 * Implemented from the paper "SipHash: a fast short-input PRF", 2012.09.18,
40 * by Jean-Philippe Aumasson and Daniel J. Bernstein,
41 * Permanent Document ID b9a943a805fbfc6fde808af9fc0ecdfa
42 * https://131002.net/siphash/siphash.pdf
43 * https://131002.net/siphash/
44 */
45
46 #include <endian.h>
47 #include <stdint.h>
48 #include <string.h>
49 #include <siphash.h>
50
51 static void SipHash_CRounds(SIPHASH_CTX *, int);
52 static void SipHash_Rounds(SIPHASH_CTX *, int);
53
54 void
SipHash_Init(SIPHASH_CTX * ctx,const SIPHASH_KEY * key)55 SipHash_Init(SIPHASH_CTX *ctx, const SIPHASH_KEY *key)
56 {
57 uint64_t k0, k1;
58
59 k0 = le64toh(key->k0);
60 k1 = le64toh(key->k1);
61
62 ctx->v[0] = 0x736f6d6570736575ULL ^ k0;
63 ctx->v[1] = 0x646f72616e646f6dULL ^ k1;
64 ctx->v[2] = 0x6c7967656e657261ULL ^ k0;
65 ctx->v[3] = 0x7465646279746573ULL ^ k1;
66
67 memset(ctx->buf, 0, sizeof(ctx->buf));
68 ctx->bytes = 0;
69 }
70 DEF_WEAK(SipHash_Init);
71
72 void
SipHash_Update(SIPHASH_CTX * ctx,int rc,int rf,const void * src,size_t len)73 SipHash_Update(SIPHASH_CTX *ctx, int rc, int rf, const void *src, size_t len)
74 {
75 const uint8_t *ptr = src;
76 size_t left, used;
77
78 if (len == 0)
79 return;
80
81 used = ctx->bytes % sizeof(ctx->buf);
82 ctx->bytes += len;
83
84 if (used > 0) {
85 left = sizeof(ctx->buf) - used;
86
87 if (len >= left) {
88 memcpy(&ctx->buf[used], ptr, left);
89 SipHash_CRounds(ctx, rc);
90 len -= left;
91 ptr += left;
92 } else {
93 memcpy(&ctx->buf[used], ptr, len);
94 return;
95 }
96 }
97
98 while (len >= sizeof(ctx->buf)) {
99 memcpy(ctx->buf, ptr, sizeof(ctx->buf));
100 SipHash_CRounds(ctx, rc);
101 len -= sizeof(ctx->buf);
102 ptr += sizeof(ctx->buf);
103 }
104
105 if (len > 0)
106 memcpy(ctx->buf, ptr, len);
107 }
108 DEF_WEAK(SipHash_Update);
109
110 void
SipHash_Final(void * dst,SIPHASH_CTX * ctx,int rc,int rf)111 SipHash_Final(void *dst, SIPHASH_CTX *ctx, int rc, int rf)
112 {
113 uint64_t r;
114
115 r = htole64(SipHash_End(ctx, rc, rf));
116 memcpy(dst, &r, sizeof r);
117 }
118 DEF_WEAK(SipHash_Final);
119
120 uint64_t
SipHash_End(SIPHASH_CTX * ctx,int rc,int rf)121 SipHash_End(SIPHASH_CTX *ctx, int rc, int rf)
122 {
123 uint64_t r;
124 size_t left, used;
125
126 used = ctx->bytes % sizeof(ctx->buf);
127 left = sizeof(ctx->buf) - used;
128 memset(&ctx->buf[used], 0, left - 1);
129 ctx->buf[7] = ctx->bytes;
130
131 SipHash_CRounds(ctx, rc);
132 ctx->v[2] ^= 0xff;
133 SipHash_Rounds(ctx, rf);
134
135 r = (ctx->v[0] ^ ctx->v[1]) ^ (ctx->v[2] ^ ctx->v[3]);
136 explicit_bzero(ctx, sizeof(*ctx));
137 return (r);
138 }
139 DEF_WEAK(SipHash_End);
140
141 uint64_t
SipHash(const SIPHASH_KEY * key,int rc,int rf,const void * src,size_t len)142 SipHash(const SIPHASH_KEY *key, int rc, int rf, const void *src, size_t len)
143 {
144 SIPHASH_CTX ctx;
145
146 SipHash_Init(&ctx, key);
147 SipHash_Update(&ctx, rc, rf, src, len);
148 return (SipHash_End(&ctx, rc, rf));
149 }
150 DEF_WEAK(SipHash);
151
152 #define SIP_ROTL(x, b) ((x) << (b)) | ( (x) >> (64 - (b)))
153
154 static void
SipHash_Rounds(SIPHASH_CTX * ctx,int rounds)155 SipHash_Rounds(SIPHASH_CTX *ctx, int rounds)
156 {
157 while (rounds--) {
158 ctx->v[0] += ctx->v[1];
159 ctx->v[2] += ctx->v[3];
160 ctx->v[1] = SIP_ROTL(ctx->v[1], 13);
161 ctx->v[3] = SIP_ROTL(ctx->v[3], 16);
162
163 ctx->v[1] ^= ctx->v[0];
164 ctx->v[3] ^= ctx->v[2];
165 ctx->v[0] = SIP_ROTL(ctx->v[0], 32);
166
167 ctx->v[2] += ctx->v[1];
168 ctx->v[0] += ctx->v[3];
169 ctx->v[1] = SIP_ROTL(ctx->v[1], 17);
170 ctx->v[3] = SIP_ROTL(ctx->v[3], 21);
171
172 ctx->v[1] ^= ctx->v[2];
173 ctx->v[3] ^= ctx->v[0];
174 ctx->v[2] = SIP_ROTL(ctx->v[2], 32);
175 }
176 }
177
178 static void
SipHash_CRounds(SIPHASH_CTX * ctx,int rounds)179 SipHash_CRounds(SIPHASH_CTX *ctx, int rounds)
180 {
181 uint64_t m = le64toh(*(uint64_t *)ctx->buf);
182
183 ctx->v[3] ^= m;
184 SipHash_Rounds(ctx, rounds);
185 ctx->v[0] ^= m;
186 }
187