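/* $OpenBSD: siphash.c,v 1.5 2015/09/11 09:18:27 guenther Exp $ */

/*-
 * Copyright (c) 2013 Andre Oppermann <andre@FreeBSD.org>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * SipHash is a family of PRFs SipHash-c-d where the integer parameters c and d
 * are the number of compression rounds and the number of finalization rounds.
 * A compression round is identical to a finalization round and this round
 * function is called SipRound.  Given a 128-bit key k and a (possibly empty)
 * byte string m, SipHash-c-d returns a 64-bit value SipHash-c-d(k; m).
 *
 * Implemented from the paper "SipHash: a fast short-input PRF", 2012.09.18,
 * by Jean-Philippe Aumasson and Daniel J. Bernstein,
 * Permanent Document ID b9a943a805fbfc6fde808af9fc0ecdfa
 * https://131002.net/siphash/siphash.pdf
 * https://131002.net/siphash/
 */

#include <sys/types.h>
#include <sys/endian.h>

#include <string.h>
#include <siphash.h>

static void	SipHash_CRounds(SIPHASH_CTX *, int);
static void	SipHash_Rounds(SIPHASH_CTX *, int);

/*
 * Start a new SipHash computation in ctx, keyed with key.
 *
 * The two key halves are read as little-endian 64-bit words and XORed into
 * the four initialization constants (the ASCII string
 * "somepseudorandomlygeneratedbytes").  From this point on ctx->v holds
 * key-dependent state and should be treated as secret until SipHash_End()
 * wipes it.
 */
void
SipHash_Init(SIPHASH_CTX *ctx, const SIPHASH_KEY *key)
{
	const uint64_t k0 = le64toh(key->k0);
	const uint64_t k1 = le64toh(key->k1);

	ctx->v[0] = 0x736f6d6570736575ULL ^ k0;
	ctx->v[1] = 0x646f72616e646f6dULL ^ k1;
	ctx->v[2] = 0x6c7967656e657261ULL ^ k0;
	ctx->v[3] = 0x7465646279746573ULL ^ k1;

	memset(ctx->buf, 0, sizeof(ctx->buf));
	ctx->bytes = 0;
}
DEF_WEAK(SipHash_Init);

/*
 * Absorb len bytes from src into the running hash.
 *
 * Input is consumed in blocks of sizeof(ctx->buf) bytes, each followed by rc
 * compression rounds; a trailing partial block stays in ctx->buf for the next
 * call or for SipHash_End().  rf is accepted for symmetry with the other
 * entry points and is not used here.  May be called any number of times
 * between SipHash_Init() and SipHash_End()/SipHash_Final().
 */
void
SipHash_Update(SIPHASH_CTX *ctx, int rc, int rf, const void *src, size_t len)
{
	const uint8_t *ptr = src;
	size_t left, used;

	if (len == 0)
		return;

	/* Bytes already waiting in ctx->buf from earlier calls. */
	used = ctx->bytes % sizeof(ctx->buf);
	ctx->bytes += len;

	if (used > 0) {
		left = sizeof(ctx->buf) - used;

		if (len < left) {
			/* Still not a full block: just queue the input. */
			memcpy(&ctx->buf[used], ptr, len);
			return;
		}

		/* Top up the pending block and compress it. */
		memcpy(&ctx->buf[used], ptr, left);
		SipHash_CRounds(ctx, rc);
		len -= left;
		ptr += left;
	}

	while (len >= sizeof(ctx->buf)) {
		memcpy(ctx->buf, ptr, sizeof(ctx->buf));
		SipHash_CRounds(ctx, rc);
		len -= sizeof(ctx->buf);
		ptr += sizeof(ctx->buf);
	}

	/*
	 * Every path that reaches this point has an empty block buffer, so
	 * the tail belongs at offset 0.  Storing it at the stale pre-call
	 * offset would make chunked input hash differently from the same
	 * bytes passed in one call, and for a large enough offset plus tail
	 * would write past the end of ctx->buf.
	 */
	if (len > 0)
		memcpy(ctx->buf, ptr, len);
}
DEF_WEAK(SipHash_Update);

/*
 * Finish the computation and store the 64-bit result at dst in
 * little-endian byte order.  dst must have room for 8 bytes; it does not
 * need to be 8-byte aligned because the value is copied out bytewise.
 * ctx is wiped by SipHash_End() and must be re-initialized before reuse.
 */
void
SipHash_Final(void *dst, SIPHASH_CTX *ctx, int rc, int rf)
{
	uint64_t r;

	r = htole64(SipHash_End(ctx, rc, rf));

	/* memcpy instead of a uint64_t store: dst is a caller-supplied void *. */
	memcpy(dst, &r, sizeof(r));
}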
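DEF_WEAK(SipHash_Final);

/*
 * Finish the computation and return the 64-bit result in host byte order.
 *
 * The pending partial block is zero-padded and its last byte is set to the
 * total message length truncated to 8 bits.  That block gets rc compression
 * rounds, then v[2] is XORed with 0xff and rf finalization rounds are run.
 * The whole context, including the key-derived state, is erased with
 * explicit_bzero() before returning, so ctx must be passed to SipHash_Init()
 * again before it is reused.
 */
uint64_t
SipHash_End(SIPHASH_CTX *ctx, int rc, int rf)
{
	uint64_t r;
	size_t left, used;

	used = ctx->bytes % sizeof(ctx->buf);
	left = sizeof(ctx->buf) - used;

	/* Zero everything after the buffered tail except the length byte. */
	memset(&ctx->buf[used], 0, left - 1);
	ctx->buf[7] = (uint8_t)ctx->bytes;

	SipHash_CRounds(ctx, rc);
	ctx->v[2] ^= 0xff;
	SipHash_Rounds(ctx, rf);

	r = (ctx->v[0] ^ ctx->v[1]) ^ (ctx->v[2] ^ ctx->v[3]);

	/* Do not leave keyed state behind in the caller's memory. */
	explicit_bzero(ctx, sizeof(*ctx));
	return (r);
}
DEF_WEAK(SipHash_End);

/*
 * One-shot convenience wrapper: SipHash-rc-rf of the len bytes at src under
 * key, using a context on the stack that SipHash_End() wipes before return.
 */
uint64_t
SipHash(const SIPHASH_KEY *key, int rc, int rf, const void *src, size_t len)
{
	SIPHASH_CTX ctx;

	SipHash_Init(&ctx, key);
	SipHash_Update(&ctx, rc, rf, src, len);
	return (SipHash_End(&ctx, rc, rf));
}
DEF_WEAK(SipHash);

/*
 * Rotate the 64-bit value x left by b bits; b must be in 1..63.  The
 * expansion is fully parenthesized so it stays a single operand when used
 * inside a larger expression.
 */
#define SIP_ROTL(x, b)	(((x) << (b)) | ((x) >> (64 - (b))))

/*
 * Apply the SipRound permutation to ctx->v the given number of times.
 * A zero or negative count is a no-op; without the "> 0" test a negative
 * count would keep iterating until the counter overflowed.
 */
static void
SipHash_Rounds(SIPHASH_CTX *ctx, int rounds)
{
	for (; rounds > 0; rounds--) {
		ctx->v[0] += ctx->v[1];
		ctx->v[2] += ctx->v[3];
		ctx->v[1] = SIP_ROTL(ctx->v[1], 13);
		ctx->v[3] = SIP_ROTL(ctx->v[3], 16);

		ctx->v[1] ^= ctx->v[0];
		ctx->v[3] ^= ctx->v[2];
		ctx->v[0] = SIP_ROTL(ctx->v[0], 32);

		ctx->v[2] += ctx->v[1];
		ctx->v[0] += ctx->v[3];
		ctx->v[1] = SIP_ROTL(ctx->v[1], 17);
		ctx->v[3] = SIP_ROTL(ctx->v[3], 21);

		ctx->v[1] ^= ctx->v[2];
		ctx->v[3] ^= ctx->v[0];
		ctx->v[2] = SIP_ROTL(ctx->v[2], 32);
	}
}

/*
 * Compress the block currently held in ctx->buf: read it as a little-endian
 * 64-bit word m, XOR m into v[3], run the requested number of SipRounds,
 * then XOR m into v[0].
 */
static void
SipHash_CRounds(SIPHASH_CTX *ctx, int rounds)
{
	uint64_t m;

	/* Load through memcpy rather than casting the byte array pointer. */
	memcpy(&m, ctx->buf, sizeof(m));
	m = le64toh(m);

	ctx->v[3] ^= m;
	SipHash_Rounds(ctx, rounds);
	ctx->v[0] ^= m;
}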