]>
Commit | Line | Data |
---|---|---|
91d68933 DS |
1 | // SPDX-License-Identifier: (GPL-2.0-only OR Apache-2.0) |
2 | /* | |
3 | * BLAKE2b reference source code package - reference C implementations | |
4 | * | |
5 | * Copyright 2012, Samuel Neves <sneves@dei.uc.pt>. You may use this under the | |
6 | * terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at | |
7 | * your option. The terms of these licenses can be found at: | |
8 | * | |
9 | * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 | |
10 | * - OpenSSL license : https://www.openssl.org/source/license.html | |
11 | * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 | |
12 | * | |
13 | * More information about the BLAKE2 hash function can be found at | |
14 | * https://blake2.net. | |
15 | * | |
16 | * Note: the original sources have been modified for inclusion in linux kernel | |
17 | * in terms of coding style, using generic helpers and simplifications of error | |
18 | * handling. | |
19 | */ | |
20 | ||
21 | #include <asm/unaligned.h> | |
22 | #include <linux/module.h> | |
23 | #include <linux/string.h> | |
24 | #include <linux/kernel.h> | |
25 | #include <linux/bitops.h> | |
26 | #include <crypto/internal/hash.h> | |
27 | ||
28 | #define BLAKE2B_160_DIGEST_SIZE (160 / 8) | |
29 | #define BLAKE2B_256_DIGEST_SIZE (256 / 8) | |
30 | #define BLAKE2B_384_DIGEST_SIZE (384 / 8) | |
31 | #define BLAKE2B_512_DIGEST_SIZE (512 / 8) | |
32 | ||
33 | enum blake2b_constant { | |
34 | BLAKE2B_BLOCKBYTES = 128, | |
35 | BLAKE2B_OUTBYTES = 64, | |
36 | BLAKE2B_KEYBYTES = 64, | |
37 | BLAKE2B_SALTBYTES = 16, | |
38 | BLAKE2B_PERSONALBYTES = 16 | |
39 | }; | |
40 | ||
41 | struct blake2b_state { | |
42 | u64 h[8]; | |
43 | u64 t[2]; | |
44 | u64 f[2]; | |
45 | u8 buf[BLAKE2B_BLOCKBYTES]; | |
46 | size_t buflen; | |
47 | size_t outlen; | |
48 | u8 last_node; | |
49 | }; | |
50 | ||
51 | struct blake2b_param { | |
52 | u8 digest_length; /* 1 */ | |
53 | u8 key_length; /* 2 */ | |
54 | u8 fanout; /* 3 */ | |
55 | u8 depth; /* 4 */ | |
56 | __le32 leaf_length; /* 8 */ | |
57 | __le32 node_offset; /* 12 */ | |
58 | __le32 xof_length; /* 16 */ | |
59 | u8 node_depth; /* 17 */ | |
60 | u8 inner_length; /* 18 */ | |
61 | u8 reserved[14]; /* 32 */ | |
62 | u8 salt[BLAKE2B_SALTBYTES]; /* 48 */ | |
63 | u8 personal[BLAKE2B_PERSONALBYTES]; /* 64 */ | |
64 | } __packed; | |
65 | ||
66 | static const u64 blake2b_IV[8] = { | |
67 | 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, | |
68 | 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL, | |
69 | 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL, | |
70 | 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL | |
71 | }; | |
72 | ||
73 | static const u8 blake2b_sigma[12][16] = { | |
74 | { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, | |
75 | { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, | |
76 | { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, | |
77 | { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, | |
78 | { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, | |
79 | { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, | |
80 | { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, | |
81 | { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, | |
82 | { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, | |
83 | { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 }, | |
84 | { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, | |
85 | { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } | |
86 | }; | |
87 | ||
88 | static void blake2b_update(struct blake2b_state *S, const void *pin, size_t inlen); | |
89 | ||
90 | static void blake2b_set_lastnode(struct blake2b_state *S) | |
91 | { | |
92 | S->f[1] = (u64)-1; | |
93 | } | |
94 | ||
95 | static void blake2b_set_lastblock(struct blake2b_state *S) | |
96 | { | |
97 | if (S->last_node) | |
98 | blake2b_set_lastnode(S); | |
99 | ||
100 | S->f[0] = (u64)-1; | |
101 | } | |
102 | ||
103 | static void blake2b_increment_counter(struct blake2b_state *S, const u64 inc) | |
104 | { | |
105 | S->t[0] += inc; | |
106 | S->t[1] += (S->t[0] < inc); | |
107 | } | |
108 | ||
109 | static void blake2b_init0(struct blake2b_state *S) | |
110 | { | |
111 | size_t i; | |
112 | ||
113 | memset(S, 0, sizeof(struct blake2b_state)); | |
114 | ||
115 | for (i = 0; i < 8; ++i) | |
116 | S->h[i] = blake2b_IV[i]; | |
117 | } | |
118 | ||
119 | /* init xors IV with input parameter block */ | |
120 | static void blake2b_init_param(struct blake2b_state *S, | |
121 | const struct blake2b_param *P) | |
122 | { | |
123 | const u8 *p = (const u8 *)(P); | |
124 | size_t i; | |
125 | ||
126 | blake2b_init0(S); | |
127 | ||
128 | /* IV XOR ParamBlock */ | |
129 | for (i = 0; i < 8; ++i) | |
130 | S->h[i] ^= get_unaligned_le64(p + sizeof(S->h[i]) * i); | |
131 | ||
132 | S->outlen = P->digest_length; | |
133 | } | |
134 | ||
135 | static void blake2b_init(struct blake2b_state *S, size_t outlen) | |
136 | { | |
137 | struct blake2b_param P; | |
138 | ||
139 | P.digest_length = (u8)outlen; | |
140 | P.key_length = 0; | |
141 | P.fanout = 1; | |
142 | P.depth = 1; | |
143 | P.leaf_length = 0; | |
144 | P.node_offset = 0; | |
145 | P.xof_length = 0; | |
146 | P.node_depth = 0; | |
147 | P.inner_length = 0; | |
148 | memset(P.reserved, 0, sizeof(P.reserved)); | |
149 | memset(P.salt, 0, sizeof(P.salt)); | |
150 | memset(P.personal, 0, sizeof(P.personal)); | |
151 | blake2b_init_param(S, &P); | |
152 | } | |
153 | ||
154 | static void blake2b_init_key(struct blake2b_state *S, size_t outlen, | |
155 | const void *key, size_t keylen) | |
156 | { | |
157 | struct blake2b_param P; | |
158 | ||
159 | P.digest_length = (u8)outlen; | |
160 | P.key_length = (u8)keylen; | |
161 | P.fanout = 1; | |
162 | P.depth = 1; | |
163 | P.leaf_length = 0; | |
164 | P.node_offset = 0; | |
165 | P.xof_length = 0; | |
166 | P.node_depth = 0; | |
167 | P.inner_length = 0; | |
168 | memset(P.reserved, 0, sizeof(P.reserved)); | |
169 | memset(P.salt, 0, sizeof(P.salt)); | |
170 | memset(P.personal, 0, sizeof(P.personal)); | |
171 | ||
172 | blake2b_init_param(S, &P); | |
173 | ||
174 | { | |
175 | u8 block[BLAKE2B_BLOCKBYTES]; | |
176 | ||
177 | memset(block, 0, BLAKE2B_BLOCKBYTES); | |
178 | memcpy(block, key, keylen); | |
179 | blake2b_update(S, block, BLAKE2B_BLOCKBYTES); | |
180 | memzero_explicit(block, BLAKE2B_BLOCKBYTES); | |
181 | } | |
182 | } | |
183 | ||
184 | #define G(r,i,a,b,c,d) \ | |
185 | do { \ | |
186 | a = a + b + m[blake2b_sigma[r][2*i+0]]; \ | |
187 | d = ror64(d ^ a, 32); \ | |
188 | c = c + d; \ | |
189 | b = ror64(b ^ c, 24); \ | |
190 | a = a + b + m[blake2b_sigma[r][2*i+1]]; \ | |
191 | d = ror64(d ^ a, 16); \ | |
192 | c = c + d; \ | |
193 | b = ror64(b ^ c, 63); \ | |
194 | } while (0) | |
195 | ||
196 | #define ROUND(r) \ | |
197 | do { \ | |
198 | G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \ | |
199 | G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \ | |
200 | G(r,2,v[ 2],v[ 6],v[10],v[14]); \ | |
201 | G(r,3,v[ 3],v[ 7],v[11],v[15]); \ | |
202 | G(r,4,v[ 0],v[ 5],v[10],v[15]); \ | |
203 | G(r,5,v[ 1],v[ 6],v[11],v[12]); \ | |
204 | G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \ | |
205 | G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \ | |
206 | } while (0) | |
207 | ||
208 | static void blake2b_compress(struct blake2b_state *S, | |
209 | const u8 block[BLAKE2B_BLOCKBYTES]) | |
210 | { | |
211 | u64 m[16]; | |
212 | u64 v[16]; | |
213 | size_t i; | |
214 | ||
215 | for (i = 0; i < 16; ++i) | |
216 | m[i] = get_unaligned_le64(block + i * sizeof(m[i])); | |
217 | ||
218 | for (i = 0; i < 8; ++i) | |
219 | v[i] = S->h[i]; | |
220 | ||
221 | v[ 8] = blake2b_IV[0]; | |
222 | v[ 9] = blake2b_IV[1]; | |
223 | v[10] = blake2b_IV[2]; | |
224 | v[11] = blake2b_IV[3]; | |
225 | v[12] = blake2b_IV[4] ^ S->t[0]; | |
226 | v[13] = blake2b_IV[5] ^ S->t[1]; | |
227 | v[14] = blake2b_IV[6] ^ S->f[0]; | |
228 | v[15] = blake2b_IV[7] ^ S->f[1]; | |
229 | ||
230 | ROUND(0); | |
231 | ROUND(1); | |
232 | ROUND(2); | |
233 | ROUND(3); | |
234 | ROUND(4); | |
235 | ROUND(5); | |
236 | ROUND(6); | |
237 | ROUND(7); | |
238 | ROUND(8); | |
239 | ROUND(9); | |
240 | ROUND(10); | |
241 | ROUND(11); | |
242 | ||
243 | for (i = 0; i < 8; ++i) | |
244 | S->h[i] = S->h[i] ^ v[i] ^ v[i + 8]; | |
245 | } | |
246 | ||
247 | #undef G | |
248 | #undef ROUND | |
249 | ||
250 | static void blake2b_update(struct blake2b_state *S, const void *pin, size_t inlen) | |
251 | { | |
252 | const u8 *in = (const u8 *)pin; | |
253 | ||
254 | if (inlen > 0) { | |
255 | size_t left = S->buflen; | |
256 | size_t fill = BLAKE2B_BLOCKBYTES - left; | |
257 | ||
258 | if (inlen > fill) { | |
259 | S->buflen = 0; | |
260 | /* Fill buffer */ | |
261 | memcpy(S->buf + left, in, fill); | |
262 | blake2b_increment_counter(S, BLAKE2B_BLOCKBYTES); | |
263 | /* Compress */ | |
264 | blake2b_compress(S, S->buf); | |
265 | in += fill; | |
266 | inlen -= fill; | |
267 | while (inlen > BLAKE2B_BLOCKBYTES) { | |
268 | blake2b_increment_counter(S, BLAKE2B_BLOCKBYTES); | |
269 | blake2b_compress(S, in); | |
270 | in += BLAKE2B_BLOCKBYTES; | |
271 | inlen -= BLAKE2B_BLOCKBYTES; | |
272 | } | |
273 | } | |
274 | memcpy(S->buf + S->buflen, in, inlen); | |
275 | S->buflen += inlen; | |
276 | } | |
277 | } | |
278 | ||
279 | static void blake2b_final(struct blake2b_state *S, void *out, size_t outlen) | |
280 | { | |
281 | u8 buffer[BLAKE2B_OUTBYTES] = {0}; | |
282 | size_t i; | |
283 | ||
284 | blake2b_increment_counter(S, S->buflen); | |
285 | blake2b_set_lastblock(S); | |
286 | /* Padding */ | |
287 | memset(S->buf + S->buflen, 0, BLAKE2B_BLOCKBYTES - S->buflen); | |
288 | blake2b_compress(S, S->buf); | |
289 | ||
290 | /* Output full hash to temp buffer */ | |
291 | for (i = 0; i < 8; ++i) | |
292 | put_unaligned_le64(S->h[i], buffer + sizeof(S->h[i]) * i); | |
293 | ||
294 | memcpy(out, buffer, S->outlen); | |
295 | memzero_explicit(buffer, sizeof(buffer)); | |
296 | } | |
297 | ||
298 | struct digest_tfm_ctx { | |
299 | u8 key[BLAKE2B_KEYBYTES]; | |
300 | unsigned int keylen; | |
301 | }; | |
302 | ||
303 | static int digest_setkey(struct crypto_shash *tfm, const u8 *key, | |
304 | unsigned int keylen) | |
305 | { | |
306 | struct digest_tfm_ctx *mctx = crypto_shash_ctx(tfm); | |
307 | ||
308 | if (keylen == 0 || keylen > BLAKE2B_KEYBYTES) { | |
309 | crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); | |
310 | return -EINVAL; | |
311 | } | |
312 | ||
313 | memcpy(mctx->key, key, keylen); | |
314 | mctx->keylen = keylen; | |
315 | ||
316 | return 0; | |
317 | } | |
318 | ||
319 | static int digest_init(struct shash_desc *desc) | |
320 | { | |
321 | struct digest_tfm_ctx *mctx = crypto_shash_ctx(desc->tfm); | |
322 | struct blake2b_state *state = shash_desc_ctx(desc); | |
323 | const int digestsize = crypto_shash_digestsize(desc->tfm); | |
324 | ||
325 | if (mctx->keylen == 0) | |
326 | blake2b_init(state, digestsize); | |
327 | else | |
328 | blake2b_init_key(state, digestsize, mctx->key, mctx->keylen); | |
329 | return 0; | |
330 | } | |
331 | ||
332 | static int digest_update(struct shash_desc *desc, const u8 *data, | |
333 | unsigned int length) | |
334 | { | |
335 | struct blake2b_state *state = shash_desc_ctx(desc); | |
336 | ||
337 | blake2b_update(state, data, length); | |
338 | return 0; | |
339 | } | |
340 | ||
341 | static int digest_final(struct shash_desc *desc, u8 *out) | |
342 | { | |
343 | struct blake2b_state *state = shash_desc_ctx(desc); | |
344 | const int digestsize = crypto_shash_digestsize(desc->tfm); | |
345 | ||
346 | blake2b_final(state, out, digestsize); | |
347 | return 0; | |
348 | } | |
349 | ||
350 | static struct shash_alg blake2b_algs[] = { | |
351 | { | |
352 | .base.cra_name = "blake2b-160", | |
353 | .base.cra_driver_name = "blake2b-160-generic", | |
354 | .base.cra_priority = 100, | |
355 | .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, | |
356 | .base.cra_blocksize = BLAKE2B_BLOCKBYTES, | |
357 | .base.cra_ctxsize = sizeof(struct digest_tfm_ctx), | |
358 | .base.cra_module = THIS_MODULE, | |
359 | .digestsize = BLAKE2B_160_DIGEST_SIZE, | |
360 | .setkey = digest_setkey, | |
361 | .init = digest_init, | |
362 | .update = digest_update, | |
363 | .final = digest_final, | |
364 | .descsize = sizeof(struct blake2b_state), | |
365 | }, { | |
366 | .base.cra_name = "blake2b-256", | |
367 | .base.cra_driver_name = "blake2b-256-generic", | |
368 | .base.cra_priority = 100, | |
369 | .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, | |
370 | .base.cra_blocksize = BLAKE2B_BLOCKBYTES, | |
371 | .base.cra_ctxsize = sizeof(struct digest_tfm_ctx), | |
372 | .base.cra_module = THIS_MODULE, | |
373 | .digestsize = BLAKE2B_256_DIGEST_SIZE, | |
374 | .setkey = digest_setkey, | |
375 | .init = digest_init, | |
376 | .update = digest_update, | |
377 | .final = digest_final, | |
378 | .descsize = sizeof(struct blake2b_state), | |
379 | }, { | |
380 | .base.cra_name = "blake2b-384", | |
381 | .base.cra_driver_name = "blake2b-384-generic", | |
382 | .base.cra_priority = 100, | |
383 | .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, | |
384 | .base.cra_blocksize = BLAKE2B_BLOCKBYTES, | |
385 | .base.cra_ctxsize = sizeof(struct digest_tfm_ctx), | |
386 | .base.cra_module = THIS_MODULE, | |
387 | .digestsize = BLAKE2B_384_DIGEST_SIZE, | |
388 | .setkey = digest_setkey, | |
389 | .init = digest_init, | |
390 | .update = digest_update, | |
391 | .final = digest_final, | |
392 | .descsize = sizeof(struct blake2b_state), | |
393 | }, { | |
394 | .base.cra_name = "blake2b-512", | |
395 | .base.cra_driver_name = "blake2b-512-generic", | |
396 | .base.cra_priority = 100, | |
397 | .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, | |
398 | .base.cra_blocksize = BLAKE2B_BLOCKBYTES, | |
399 | .base.cra_ctxsize = sizeof(struct digest_tfm_ctx), | |
400 | .base.cra_module = THIS_MODULE, | |
401 | .digestsize = BLAKE2B_512_DIGEST_SIZE, | |
402 | .setkey = digest_setkey, | |
403 | .init = digest_init, | |
404 | .update = digest_update, | |
405 | .final = digest_final, | |
406 | .descsize = sizeof(struct blake2b_state), | |
407 | } | |
408 | }; | |
409 | ||
410 | static int __init blake2b_mod_init(void) | |
411 | { | |
412 | BUILD_BUG_ON(sizeof(struct blake2b_param) != BLAKE2B_OUTBYTES); | |
413 | ||
414 | return crypto_register_shashes(blake2b_algs, ARRAY_SIZE(blake2b_algs)); | |
415 | } | |
416 | ||
417 | static void __exit blake2b_mod_fini(void) | |
418 | { | |
419 | crypto_unregister_shashes(blake2b_algs, ARRAY_SIZE(blake2b_algs)); | |
420 | } | |
421 | ||
422 | subsys_initcall(blake2b_mod_init); | |
423 | module_exit(blake2b_mod_fini); | |
424 | ||
425 | MODULE_AUTHOR("David Sterba <kdave@kernel.org>"); | |
426 | MODULE_DESCRIPTION("BLAKE2b generic implementation"); | |
427 | MODULE_LICENSE("GPL"); | |
428 | MODULE_ALIAS_CRYPTO("blake2b-160"); | |
429 | MODULE_ALIAS_CRYPTO("blake2b-160-generic"); | |
430 | MODULE_ALIAS_CRYPTO("blake2b-256"); | |
431 | MODULE_ALIAS_CRYPTO("blake2b-256-generic"); | |
432 | MODULE_ALIAS_CRYPTO("blake2b-384"); | |
433 | MODULE_ALIAS_CRYPTO("blake2b-384-generic"); | |
434 | MODULE_ALIAS_CRYPTO("blake2b-512"); | |
435 | MODULE_ALIAS_CRYPTO("blake2b-512-generic"); |