Commit | Line | Data |
---|---|---|
91d68933 DS |
1 | // SPDX-License-Identifier: (GPL-2.0-only OR Apache-2.0) |
2 | /* | |
3 | * BLAKE2b reference source code package - reference C implementations | |
4 | * | |
5 | * Copyright 2012, Samuel Neves <sneves@dei.uc.pt>. You may use this under the | |
6 | * terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at | |
7 | * your option. The terms of these licenses can be found at: | |
8 | * | |
9 | * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 | |
10 | * - OpenSSL license : https://www.openssl.org/source/license.html | |
11 | * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 | |
12 | * | |
13 | * More information about the BLAKE2 hash function can be found at | |
14 | * https://blake2.net. | |
15 | * | |
16 | * Note: the original sources have been modified for inclusion in linux kernel | |
17 | * in terms of coding style, using generic helpers and simplifications of error | |
18 | * handling. | |
19 | */ | |
20 | ||
21 | #include <asm/unaligned.h> | |
22 | #include <linux/module.h> | |
23 | #include <linux/string.h> | |
24 | #include <linux/kernel.h> | |
25 | #include <linux/bitops.h> | |
26 | #include <crypto/internal/hash.h> | |
27 | ||
28 | #define BLAKE2B_160_DIGEST_SIZE (160 / 8) | |
29 | #define BLAKE2B_256_DIGEST_SIZE (256 / 8) | |
30 | #define BLAKE2B_384_DIGEST_SIZE (384 / 8) | |
31 | #define BLAKE2B_512_DIGEST_SIZE (512 / 8) | |
32 | ||
33 | enum blake2b_constant { | |
34 | BLAKE2B_BLOCKBYTES = 128, | |
91d68933 | 35 | BLAKE2B_KEYBYTES = 64, |
91d68933 DS |
36 | }; |
37 | ||
38 | struct blake2b_state { | |
39 | u64 h[8]; | |
40 | u64 t[2]; | |
41 | u64 f[2]; | |
42 | u8 buf[BLAKE2B_BLOCKBYTES]; | |
43 | size_t buflen; | |
91d68933 DS |
44 | }; |
45 | ||
91d68933 DS |
46 | static const u64 blake2b_IV[8] = { |
47 | 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, | |
48 | 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL, | |
49 | 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL, | |
50 | 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL | |
51 | }; | |
52 | ||
53 | static const u8 blake2b_sigma[12][16] = { | |
54 | { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, | |
55 | { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, | |
56 | { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, | |
57 | { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, | |
58 | { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, | |
59 | { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, | |
60 | { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, | |
61 | { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, | |
62 | { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, | |
63 | { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 }, | |
64 | { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, | |
65 | { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } | |
66 | }; | |
67 | ||
91d68933 DS |
68 | static void blake2b_increment_counter(struct blake2b_state *S, const u64 inc) |
69 | { | |
70 | S->t[0] += inc; | |
71 | S->t[1] += (S->t[0] < inc); | |
72 | } | |
73 | ||
91d68933 DS |
74 | #define G(r,i,a,b,c,d) \ |
75 | do { \ | |
76 | a = a + b + m[blake2b_sigma[r][2*i+0]]; \ | |
77 | d = ror64(d ^ a, 32); \ | |
78 | c = c + d; \ | |
79 | b = ror64(b ^ c, 24); \ | |
80 | a = a + b + m[blake2b_sigma[r][2*i+1]]; \ | |
81 | d = ror64(d ^ a, 16); \ | |
82 | c = c + d; \ | |
83 | b = ror64(b ^ c, 63); \ | |
84 | } while (0) | |
85 | ||
86 | #define ROUND(r) \ | |
87 | do { \ | |
88 | G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \ | |
89 | G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \ | |
90 | G(r,2,v[ 2],v[ 6],v[10],v[14]); \ | |
91 | G(r,3,v[ 3],v[ 7],v[11],v[15]); \ | |
92 | G(r,4,v[ 0],v[ 5],v[10],v[15]); \ | |
93 | G(r,5,v[ 1],v[ 6],v[11],v[12]); \ | |
94 | G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \ | |
95 | G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \ | |
96 | } while (0) | |
97 | ||
98 | static void blake2b_compress(struct blake2b_state *S, | |
99 | const u8 block[BLAKE2B_BLOCKBYTES]) | |
100 | { | |
101 | u64 m[16]; | |
102 | u64 v[16]; | |
103 | size_t i; | |
104 | ||
105 | for (i = 0; i < 16; ++i) | |
106 | m[i] = get_unaligned_le64(block + i * sizeof(m[i])); | |
107 | ||
108 | for (i = 0; i < 8; ++i) | |
109 | v[i] = S->h[i]; | |
110 | ||
111 | v[ 8] = blake2b_IV[0]; | |
112 | v[ 9] = blake2b_IV[1]; | |
113 | v[10] = blake2b_IV[2]; | |
114 | v[11] = blake2b_IV[3]; | |
115 | v[12] = blake2b_IV[4] ^ S->t[0]; | |
116 | v[13] = blake2b_IV[5] ^ S->t[1]; | |
117 | v[14] = blake2b_IV[6] ^ S->f[0]; | |
118 | v[15] = blake2b_IV[7] ^ S->f[1]; | |
119 | ||
120 | ROUND(0); | |
121 | ROUND(1); | |
122 | ROUND(2); | |
123 | ROUND(3); | |
124 | ROUND(4); | |
125 | ROUND(5); | |
126 | ROUND(6); | |
127 | ROUND(7); | |
128 | ROUND(8); | |
129 | ROUND(9); | |
130 | ROUND(10); | |
131 | ROUND(11); | |
132 | ||
133 | for (i = 0; i < 8; ++i) | |
134 | S->h[i] = S->h[i] ^ v[i] ^ v[i + 8]; | |
135 | } | |
136 | ||
137 | #undef G | |
138 | #undef ROUND | |
139 | ||
c433a1a8 | 140 | struct blake2b_tfm_ctx { |
91d68933 DS |
141 | u8 key[BLAKE2B_KEYBYTES]; |
142 | unsigned int keylen; | |
143 | }; | |
144 | ||
c433a1a8 DS |
145 | static int blake2b_setkey(struct crypto_shash *tfm, const u8 *key, |
146 | unsigned int keylen) | |
91d68933 | 147 | { |
c433a1a8 | 148 | struct blake2b_tfm_ctx *tctx = crypto_shash_ctx(tfm); |
91d68933 DS |
149 | |
150 | if (keylen == 0 || keylen > BLAKE2B_KEYBYTES) { | |
151 | crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); | |
152 | return -EINVAL; | |
153 | } | |
154 | ||
c433a1a8 DS |
155 | memcpy(tctx->key, key, keylen); |
156 | tctx->keylen = keylen; | |
91d68933 DS |
157 | |
158 | return 0; | |
159 | } | |
160 | ||
e3749695 | 161 | static int blake2b_init(struct shash_desc *desc) |
91d68933 | 162 | { |
c433a1a8 | 163 | struct blake2b_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm); |
91d68933 DS |
164 | struct blake2b_state *state = shash_desc_ctx(desc); |
165 | const int digestsize = crypto_shash_digestsize(desc->tfm); | |
166 | ||
e3749695 DS |
167 | memset(state, 0, sizeof(*state)); |
168 | memcpy(state->h, blake2b_IV, sizeof(state->h)); | |
169 | ||
170 | /* Parameter block is all zeros except index 0, no xor for 1..7 */ | |
c433a1a8 | 171 | state->h[0] ^= 0x01010000 | tctx->keylen << 8 | digestsize; |
e3749695 | 172 | |
c433a1a8 | 173 | if (tctx->keylen) { |
e87e484d DS |
174 | /* |
175 | * Prefill the buffer with the key, next call to _update or | |
176 | * _final will process it | |
177 | */ | |
c433a1a8 | 178 | memcpy(state->buf, tctx->key, tctx->keylen); |
e87e484d | 179 | state->buflen = BLAKE2B_BLOCKBYTES; |
e3749695 | 180 | } |
91d68933 DS |
181 | return 0; |
182 | } | |
183 | ||
0b4b5f10 DS |
184 | static int blake2b_update(struct shash_desc *desc, const u8 *in, |
185 | unsigned int inlen) | |
91d68933 DS |
186 | { |
187 | struct blake2b_state *state = shash_desc_ctx(desc); | |
0b4b5f10 DS |
188 | const size_t left = state->buflen; |
189 | const size_t fill = BLAKE2B_BLOCKBYTES - left; | |
190 | ||
191 | if (!inlen) | |
192 | return 0; | |
193 | ||
194 | if (inlen > fill) { | |
195 | state->buflen = 0; | |
196 | /* Fill buffer */ | |
197 | memcpy(state->buf + left, in, fill); | |
198 | blake2b_increment_counter(state, BLAKE2B_BLOCKBYTES); | |
199 | /* Compress */ | |
200 | blake2b_compress(state, state->buf); | |
201 | in += fill; | |
202 | inlen -= fill; | |
203 | while (inlen > BLAKE2B_BLOCKBYTES) { | |
204 | blake2b_increment_counter(state, BLAKE2B_BLOCKBYTES); | |
205 | blake2b_compress(state, in); | |
206 | in += BLAKE2B_BLOCKBYTES; | |
207 | inlen -= BLAKE2B_BLOCKBYTES; | |
208 | } | |
209 | } | |
210 | memcpy(state->buf + state->buflen, in, inlen); | |
211 | state->buflen += inlen; | |
91d68933 | 212 | |
91d68933 DS |
213 | return 0; |
214 | } | |
215 | ||
086db43b | 216 | static int blake2b_final(struct shash_desc *desc, u8 *out) |
91d68933 DS |
217 | { |
218 | struct blake2b_state *state = shash_desc_ctx(desc); | |
219 | const int digestsize = crypto_shash_digestsize(desc->tfm); | |
086db43b DS |
220 | size_t i; |
221 | ||
222 | blake2b_increment_counter(state, state->buflen); | |
a2e4bdce DS |
223 | /* Set last block */ |
224 | state->f[0] = (u64)-1; | |
086db43b DS |
225 | /* Padding */ |
226 | memset(state->buf + state->buflen, 0, BLAKE2B_BLOCKBYTES - state->buflen); | |
227 | blake2b_compress(state, state->buf); | |
228 | ||
229 | /* Avoid temporary buffer and switch the internal output to LE order */ | |
230 | for (i = 0; i < ARRAY_SIZE(state->h); i++) | |
231 | __cpu_to_le64s(&state->h[i]); | |
91d68933 | 232 | |
086db43b | 233 | memcpy(out, state->h, digestsize); |
91d68933 DS |
234 | return 0; |
235 | } | |
236 | ||
237 | static struct shash_alg blake2b_algs[] = { | |
238 | { | |
239 | .base.cra_name = "blake2b-160", | |
240 | .base.cra_driver_name = "blake2b-160-generic", | |
241 | .base.cra_priority = 100, | |
242 | .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, | |
243 | .base.cra_blocksize = BLAKE2B_BLOCKBYTES, | |
c433a1a8 | 244 | .base.cra_ctxsize = sizeof(struct blake2b_tfm_ctx), |
91d68933 DS |
245 | .base.cra_module = THIS_MODULE, |
246 | .digestsize = BLAKE2B_160_DIGEST_SIZE, | |
c433a1a8 | 247 | .setkey = blake2b_setkey, |
e3749695 | 248 | .init = blake2b_init, |
0b4b5f10 | 249 | .update = blake2b_update, |
086db43b | 250 | .final = blake2b_final, |
91d68933 DS |
251 | .descsize = sizeof(struct blake2b_state), |
252 | }, { | |
253 | .base.cra_name = "blake2b-256", | |
254 | .base.cra_driver_name = "blake2b-256-generic", | |
255 | .base.cra_priority = 100, | |
256 | .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, | |
257 | .base.cra_blocksize = BLAKE2B_BLOCKBYTES, | |
c433a1a8 | 258 | .base.cra_ctxsize = sizeof(struct blake2b_tfm_ctx), |
91d68933 DS |
259 | .base.cra_module = THIS_MODULE, |
260 | .digestsize = BLAKE2B_256_DIGEST_SIZE, | |
c433a1a8 | 261 | .setkey = blake2b_setkey, |
e3749695 | 262 | .init = blake2b_init, |
0b4b5f10 | 263 | .update = blake2b_update, |
086db43b | 264 | .final = blake2b_final, |
91d68933 DS |
265 | .descsize = sizeof(struct blake2b_state), |
266 | }, { | |
267 | .base.cra_name = "blake2b-384", | |
268 | .base.cra_driver_name = "blake2b-384-generic", | |
269 | .base.cra_priority = 100, | |
270 | .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, | |
271 | .base.cra_blocksize = BLAKE2B_BLOCKBYTES, | |
c433a1a8 | 272 | .base.cra_ctxsize = sizeof(struct blake2b_tfm_ctx), |
91d68933 DS |
273 | .base.cra_module = THIS_MODULE, |
274 | .digestsize = BLAKE2B_384_DIGEST_SIZE, | |
c433a1a8 | 275 | .setkey = blake2b_setkey, |
e3749695 | 276 | .init = blake2b_init, |
0b4b5f10 | 277 | .update = blake2b_update, |
086db43b | 278 | .final = blake2b_final, |
91d68933 DS |
279 | .descsize = sizeof(struct blake2b_state), |
280 | }, { | |
281 | .base.cra_name = "blake2b-512", | |
282 | .base.cra_driver_name = "blake2b-512-generic", | |
283 | .base.cra_priority = 100, | |
284 | .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, | |
285 | .base.cra_blocksize = BLAKE2B_BLOCKBYTES, | |
c433a1a8 | 286 | .base.cra_ctxsize = sizeof(struct blake2b_tfm_ctx), |
91d68933 DS |
287 | .base.cra_module = THIS_MODULE, |
288 | .digestsize = BLAKE2B_512_DIGEST_SIZE, | |
c433a1a8 | 289 | .setkey = blake2b_setkey, |
e3749695 | 290 | .init = blake2b_init, |
0b4b5f10 | 291 | .update = blake2b_update, |
086db43b | 292 | .final = blake2b_final, |
91d68933 DS |
293 | .descsize = sizeof(struct blake2b_state), |
294 | } | |
295 | }; | |
296 | ||
297 | static int __init blake2b_mod_init(void) | |
298 | { | |
91d68933 DS |
299 | return crypto_register_shashes(blake2b_algs, ARRAY_SIZE(blake2b_algs)); |
300 | } | |
301 | ||
302 | static void __exit blake2b_mod_fini(void) | |
303 | { | |
304 | crypto_unregister_shashes(blake2b_algs, ARRAY_SIZE(blake2b_algs)); | |
305 | } | |
306 | ||
307 | subsys_initcall(blake2b_mod_init); | |
308 | module_exit(blake2b_mod_fini); | |
309 | ||
310 | MODULE_AUTHOR("David Sterba <kdave@kernel.org>"); | |
311 | MODULE_DESCRIPTION("BLAKE2b generic implementation"); | |
312 | MODULE_LICENSE("GPL"); | |
313 | MODULE_ALIAS_CRYPTO("blake2b-160"); | |
314 | MODULE_ALIAS_CRYPTO("blake2b-160-generic"); | |
315 | MODULE_ALIAS_CRYPTO("blake2b-256"); | |
316 | MODULE_ALIAS_CRYPTO("blake2b-256-generic"); | |
317 | MODULE_ALIAS_CRYPTO("blake2b-384"); | |
318 | MODULE_ALIAS_CRYPTO("blake2b-384-generic"); | |
319 | MODULE_ALIAS_CRYPTO("blake2b-512"); | |
320 | MODULE_ALIAS_CRYPTO("blake2b-512-generic"); |