Commit | Line | Data |
---|---|---|
91d68933 DS |
1 | // SPDX-License-Identifier: (GPL-2.0-only OR Apache-2.0) |
2 | /* | |
3 | * BLAKE2b reference source code package - reference C implementations | |
4 | * | |
5 | * Copyright 2012, Samuel Neves <sneves@dei.uc.pt>. You may use this under the | |
6 | * terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at | |
7 | * your option. The terms of these licenses can be found at: | |
8 | * | |
9 | * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 | |
10 | * - OpenSSL license : https://www.openssl.org/source/license.html | |
11 | * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 | |
12 | * | |
13 | * More information about the BLAKE2 hash function can be found at | |
14 | * https://blake2.net. | |
15 | * | |
16 | * Note: the original sources have been modified for inclusion in linux kernel | |
17 | * in terms of coding style, using generic helpers and simplifications of error | |
18 | * handling. | |
19 | */ | |
20 | ||
21 | #include <asm/unaligned.h> | |
22 | #include <linux/module.h> | |
23 | #include <linux/string.h> | |
24 | #include <linux/kernel.h> | |
25 | #include <linux/bitops.h> | |
26 | #include <crypto/internal/hash.h> | |
27 | ||
28 | #define BLAKE2B_160_DIGEST_SIZE (160 / 8) | |
29 | #define BLAKE2B_256_DIGEST_SIZE (256 / 8) | |
30 | #define BLAKE2B_384_DIGEST_SIZE (384 / 8) | |
31 | #define BLAKE2B_512_DIGEST_SIZE (512 / 8) | |
32 | ||
33 | enum blake2b_constant { | |
34 | BLAKE2B_BLOCKBYTES = 128, | |
35 | BLAKE2B_OUTBYTES = 64, | |
36 | BLAKE2B_KEYBYTES = 64, | |
37 | BLAKE2B_SALTBYTES = 16, | |
38 | BLAKE2B_PERSONALBYTES = 16 | |
39 | }; | |
40 | ||
41 | struct blake2b_state { | |
42 | u64 h[8]; | |
43 | u64 t[2]; | |
44 | u64 f[2]; | |
45 | u8 buf[BLAKE2B_BLOCKBYTES]; | |
46 | size_t buflen; | |
47 | size_t outlen; | |
48 | u8 last_node; | |
49 | }; | |
50 | ||
51 | struct blake2b_param { | |
52 | u8 digest_length; /* 1 */ | |
53 | u8 key_length; /* 2 */ | |
54 | u8 fanout; /* 3 */ | |
55 | u8 depth; /* 4 */ | |
56 | __le32 leaf_length; /* 8 */ | |
57 | __le32 node_offset; /* 12 */ | |
58 | __le32 xof_length; /* 16 */ | |
59 | u8 node_depth; /* 17 */ | |
60 | u8 inner_length; /* 18 */ | |
61 | u8 reserved[14]; /* 32 */ | |
62 | u8 salt[BLAKE2B_SALTBYTES]; /* 48 */ | |
63 | u8 personal[BLAKE2B_PERSONALBYTES]; /* 64 */ | |
64 | } __packed; | |
65 | ||
66 | static const u64 blake2b_IV[8] = { | |
67 | 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, | |
68 | 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL, | |
69 | 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL, | |
70 | 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL | |
71 | }; | |
72 | ||
73 | static const u8 blake2b_sigma[12][16] = { | |
74 | { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, | |
75 | { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, | |
76 | { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, | |
77 | { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, | |
78 | { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, | |
79 | { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, | |
80 | { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, | |
81 | { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, | |
82 | { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, | |
83 | { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 }, | |
84 | { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, | |
85 | { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } | |
86 | }; | |
87 | ||
88 | static void blake2b_update(struct blake2b_state *S, const void *pin, size_t inlen); | |
89 | ||
90 | static void blake2b_set_lastnode(struct blake2b_state *S) | |
91 | { | |
92 | S->f[1] = (u64)-1; | |
93 | } | |
94 | ||
95 | static void blake2b_set_lastblock(struct blake2b_state *S) | |
96 | { | |
97 | if (S->last_node) | |
98 | blake2b_set_lastnode(S); | |
99 | ||
100 | S->f[0] = (u64)-1; | |
101 | } | |
102 | ||
103 | static void blake2b_increment_counter(struct blake2b_state *S, const u64 inc) | |
104 | { | |
105 | S->t[0] += inc; | |
106 | S->t[1] += (S->t[0] < inc); | |
107 | } | |
108 | ||
91d68933 DS |
109 | #define G(r,i,a,b,c,d) \ |
110 | do { \ | |
111 | a = a + b + m[blake2b_sigma[r][2*i+0]]; \ | |
112 | d = ror64(d ^ a, 32); \ | |
113 | c = c + d; \ | |
114 | b = ror64(b ^ c, 24); \ | |
115 | a = a + b + m[blake2b_sigma[r][2*i+1]]; \ | |
116 | d = ror64(d ^ a, 16); \ | |
117 | c = c + d; \ | |
118 | b = ror64(b ^ c, 63); \ | |
119 | } while (0) | |
120 | ||
121 | #define ROUND(r) \ | |
122 | do { \ | |
123 | G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \ | |
124 | G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \ | |
125 | G(r,2,v[ 2],v[ 6],v[10],v[14]); \ | |
126 | G(r,3,v[ 3],v[ 7],v[11],v[15]); \ | |
127 | G(r,4,v[ 0],v[ 5],v[10],v[15]); \ | |
128 | G(r,5,v[ 1],v[ 6],v[11],v[12]); \ | |
129 | G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \ | |
130 | G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \ | |
131 | } while (0) | |
132 | ||
133 | static void blake2b_compress(struct blake2b_state *S, | |
134 | const u8 block[BLAKE2B_BLOCKBYTES]) | |
135 | { | |
136 | u64 m[16]; | |
137 | u64 v[16]; | |
138 | size_t i; | |
139 | ||
140 | for (i = 0; i < 16; ++i) | |
141 | m[i] = get_unaligned_le64(block + i * sizeof(m[i])); | |
142 | ||
143 | for (i = 0; i < 8; ++i) | |
144 | v[i] = S->h[i]; | |
145 | ||
146 | v[ 8] = blake2b_IV[0]; | |
147 | v[ 9] = blake2b_IV[1]; | |
148 | v[10] = blake2b_IV[2]; | |
149 | v[11] = blake2b_IV[3]; | |
150 | v[12] = blake2b_IV[4] ^ S->t[0]; | |
151 | v[13] = blake2b_IV[5] ^ S->t[1]; | |
152 | v[14] = blake2b_IV[6] ^ S->f[0]; | |
153 | v[15] = blake2b_IV[7] ^ S->f[1]; | |
154 | ||
155 | ROUND(0); | |
156 | ROUND(1); | |
157 | ROUND(2); | |
158 | ROUND(3); | |
159 | ROUND(4); | |
160 | ROUND(5); | |
161 | ROUND(6); | |
162 | ROUND(7); | |
163 | ROUND(8); | |
164 | ROUND(9); | |
165 | ROUND(10); | |
166 | ROUND(11); | |
167 | ||
168 | for (i = 0; i < 8; ++i) | |
169 | S->h[i] = S->h[i] ^ v[i] ^ v[i + 8]; | |
170 | } | |
171 | ||
172 | #undef G | |
173 | #undef ROUND | |
174 | ||
175 | static void blake2b_update(struct blake2b_state *S, const void *pin, size_t inlen) | |
176 | { | |
177 | const u8 *in = (const u8 *)pin; | |
178 | ||
179 | if (inlen > 0) { | |
180 | size_t left = S->buflen; | |
181 | size_t fill = BLAKE2B_BLOCKBYTES - left; | |
182 | ||
183 | if (inlen > fill) { | |
184 | S->buflen = 0; | |
185 | /* Fill buffer */ | |
186 | memcpy(S->buf + left, in, fill); | |
187 | blake2b_increment_counter(S, BLAKE2B_BLOCKBYTES); | |
188 | /* Compress */ | |
189 | blake2b_compress(S, S->buf); | |
190 | in += fill; | |
191 | inlen -= fill; | |
192 | while (inlen > BLAKE2B_BLOCKBYTES) { | |
193 | blake2b_increment_counter(S, BLAKE2B_BLOCKBYTES); | |
194 | blake2b_compress(S, in); | |
195 | in += BLAKE2B_BLOCKBYTES; | |
196 | inlen -= BLAKE2B_BLOCKBYTES; | |
197 | } | |
198 | } | |
199 | memcpy(S->buf + S->buflen, in, inlen); | |
200 | S->buflen += inlen; | |
201 | } | |
202 | } | |
203 | ||
91d68933 DS |
204 | struct digest_tfm_ctx { |
205 | u8 key[BLAKE2B_KEYBYTES]; | |
206 | unsigned int keylen; | |
207 | }; | |
208 | ||
209 | static int digest_setkey(struct crypto_shash *tfm, const u8 *key, | |
210 | unsigned int keylen) | |
211 | { | |
212 | struct digest_tfm_ctx *mctx = crypto_shash_ctx(tfm); | |
213 | ||
214 | if (keylen == 0 || keylen > BLAKE2B_KEYBYTES) { | |
215 | crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); | |
216 | return -EINVAL; | |
217 | } | |
218 | ||
219 | memcpy(mctx->key, key, keylen); | |
220 | mctx->keylen = keylen; | |
221 | ||
222 | return 0; | |
223 | } | |
224 | ||
e3749695 | 225 | static int blake2b_init(struct shash_desc *desc) |
91d68933 DS |
226 | { |
227 | struct digest_tfm_ctx *mctx = crypto_shash_ctx(desc->tfm); | |
228 | struct blake2b_state *state = shash_desc_ctx(desc); | |
229 | const int digestsize = crypto_shash_digestsize(desc->tfm); | |
230 | ||
e3749695 DS |
231 | memset(state, 0, sizeof(*state)); |
232 | memcpy(state->h, blake2b_IV, sizeof(state->h)); | |
233 | ||
234 | /* Parameter block is all zeros except index 0, no xor for 1..7 */ | |
235 | state->h[0] ^= 0x01010000 | mctx->keylen << 8 | digestsize; | |
236 | ||
237 | if (mctx->keylen) { | |
238 | u8 block[BLAKE2B_BLOCKBYTES]; | |
239 | ||
240 | memset(block, 0, BLAKE2B_BLOCKBYTES); | |
241 | memcpy(block, mctx->key, mctx->keylen); | |
242 | blake2b_update(state, block, BLAKE2B_BLOCKBYTES); | |
243 | memzero_explicit(block, BLAKE2B_BLOCKBYTES); | |
244 | } | |
91d68933 DS |
245 | return 0; |
246 | } | |
247 | ||
248 | static int digest_update(struct shash_desc *desc, const u8 *data, | |
249 | unsigned int length) | |
250 | { | |
251 | struct blake2b_state *state = shash_desc_ctx(desc); | |
252 | ||
253 | blake2b_update(state, data, length); | |
254 | return 0; | |
255 | } | |
256 | ||
086db43b | 257 | static int blake2b_final(struct shash_desc *desc, u8 *out) |
91d68933 DS |
258 | { |
259 | struct blake2b_state *state = shash_desc_ctx(desc); | |
260 | const int digestsize = crypto_shash_digestsize(desc->tfm); | |
086db43b DS |
261 | size_t i; |
262 | ||
263 | blake2b_increment_counter(state, state->buflen); | |
264 | blake2b_set_lastblock(state); | |
265 | /* Padding */ | |
266 | memset(state->buf + state->buflen, 0, BLAKE2B_BLOCKBYTES - state->buflen); | |
267 | blake2b_compress(state, state->buf); | |
268 | ||
269 | /* Avoid temporary buffer and switch the internal output to LE order */ | |
270 | for (i = 0; i < ARRAY_SIZE(state->h); i++) | |
271 | __cpu_to_le64s(&state->h[i]); | |
91d68933 | 272 | |
086db43b | 273 | memcpy(out, state->h, digestsize); |
91d68933 DS |
274 | return 0; |
275 | } | |
276 | ||
277 | static struct shash_alg blake2b_algs[] = { | |
278 | { | |
279 | .base.cra_name = "blake2b-160", | |
280 | .base.cra_driver_name = "blake2b-160-generic", | |
281 | .base.cra_priority = 100, | |
282 | .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, | |
283 | .base.cra_blocksize = BLAKE2B_BLOCKBYTES, | |
284 | .base.cra_ctxsize = sizeof(struct digest_tfm_ctx), | |
285 | .base.cra_module = THIS_MODULE, | |
286 | .digestsize = BLAKE2B_160_DIGEST_SIZE, | |
287 | .setkey = digest_setkey, | |
e3749695 | 288 | .init = blake2b_init, |
91d68933 | 289 | .update = digest_update, |
086db43b | 290 | .final = blake2b_final, |
91d68933 DS |
291 | .descsize = sizeof(struct blake2b_state), |
292 | }, { | |
293 | .base.cra_name = "blake2b-256", | |
294 | .base.cra_driver_name = "blake2b-256-generic", | |
295 | .base.cra_priority = 100, | |
296 | .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, | |
297 | .base.cra_blocksize = BLAKE2B_BLOCKBYTES, | |
298 | .base.cra_ctxsize = sizeof(struct digest_tfm_ctx), | |
299 | .base.cra_module = THIS_MODULE, | |
300 | .digestsize = BLAKE2B_256_DIGEST_SIZE, | |
301 | .setkey = digest_setkey, | |
e3749695 | 302 | .init = blake2b_init, |
91d68933 | 303 | .update = digest_update, |
086db43b | 304 | .final = blake2b_final, |
91d68933 DS |
305 | .descsize = sizeof(struct blake2b_state), |
306 | }, { | |
307 | .base.cra_name = "blake2b-384", | |
308 | .base.cra_driver_name = "blake2b-384-generic", | |
309 | .base.cra_priority = 100, | |
310 | .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, | |
311 | .base.cra_blocksize = BLAKE2B_BLOCKBYTES, | |
312 | .base.cra_ctxsize = sizeof(struct digest_tfm_ctx), | |
313 | .base.cra_module = THIS_MODULE, | |
314 | .digestsize = BLAKE2B_384_DIGEST_SIZE, | |
315 | .setkey = digest_setkey, | |
e3749695 | 316 | .init = blake2b_init, |
91d68933 | 317 | .update = digest_update, |
086db43b | 318 | .final = blake2b_final, |
91d68933 DS |
319 | .descsize = sizeof(struct blake2b_state), |
320 | }, { | |
321 | .base.cra_name = "blake2b-512", | |
322 | .base.cra_driver_name = "blake2b-512-generic", | |
323 | .base.cra_priority = 100, | |
324 | .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, | |
325 | .base.cra_blocksize = BLAKE2B_BLOCKBYTES, | |
326 | .base.cra_ctxsize = sizeof(struct digest_tfm_ctx), | |
327 | .base.cra_module = THIS_MODULE, | |
328 | .digestsize = BLAKE2B_512_DIGEST_SIZE, | |
329 | .setkey = digest_setkey, | |
e3749695 | 330 | .init = blake2b_init, |
91d68933 | 331 | .update = digest_update, |
086db43b | 332 | .final = blake2b_final, |
91d68933 DS |
333 | .descsize = sizeof(struct blake2b_state), |
334 | } | |
335 | }; | |
336 | ||
337 | static int __init blake2b_mod_init(void) | |
338 | { | |
339 | BUILD_BUG_ON(sizeof(struct blake2b_param) != BLAKE2B_OUTBYTES); | |
340 | ||
341 | return crypto_register_shashes(blake2b_algs, ARRAY_SIZE(blake2b_algs)); | |
342 | } | |
343 | ||
344 | static void __exit blake2b_mod_fini(void) | |
345 | { | |
346 | crypto_unregister_shashes(blake2b_algs, ARRAY_SIZE(blake2b_algs)); | |
347 | } | |
348 | ||
349 | subsys_initcall(blake2b_mod_init); | |
350 | module_exit(blake2b_mod_fini); | |
351 | ||
352 | MODULE_AUTHOR("David Sterba <kdave@kernel.org>"); | |
353 | MODULE_DESCRIPTION("BLAKE2b generic implementation"); | |
354 | MODULE_LICENSE("GPL"); | |
355 | MODULE_ALIAS_CRYPTO("blake2b-160"); | |
356 | MODULE_ALIAS_CRYPTO("blake2b-160-generic"); | |
357 | MODULE_ALIAS_CRYPTO("blake2b-256"); | |
358 | MODULE_ALIAS_CRYPTO("blake2b-256-generic"); | |
359 | MODULE_ALIAS_CRYPTO("blake2b-384"); | |
360 | MODULE_ALIAS_CRYPTO("blake2b-384-generic"); | |
361 | MODULE_ALIAS_CRYPTO("blake2b-512"); | |
362 | MODULE_ALIAS_CRYPTO("blake2b-512-generic"); |