Commit | Line | Data |
---|---|---|
91d68933 DS |
1 | // SPDX-License-Identifier: (GPL-2.0-only OR Apache-2.0) |
2 | /* | |
3 | * BLAKE2b reference source code package - reference C implementations | |
4 | * | |
5 | * Copyright 2012, Samuel Neves <sneves@dei.uc.pt>. You may use this under the | |
6 | * terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at | |
7 | * your option. The terms of these licenses can be found at: | |
8 | * | |
9 | * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 | |
10 | * - OpenSSL license : https://www.openssl.org/source/license.html | |
11 | * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 | |
12 | * | |
13 | * More information about the BLAKE2 hash function can be found at | |
14 | * https://blake2.net. | |
15 | * | |
16 | * Note: the original sources have been modified for inclusion in linux kernel | |
17 | * in terms of coding style, using generic helpers and simplifications of error | |
18 | * handling. | |
19 | */ | |
20 | ||
21 | #include <asm/unaligned.h> | |
22 | #include <linux/module.h> | |
23 | #include <linux/string.h> | |
24 | #include <linux/kernel.h> | |
25 | #include <linux/bitops.h> | |
26 | #include <crypto/internal/hash.h> | |
27 | ||
28 | #define BLAKE2B_160_DIGEST_SIZE (160 / 8) | |
29 | #define BLAKE2B_256_DIGEST_SIZE (256 / 8) | |
30 | #define BLAKE2B_384_DIGEST_SIZE (384 / 8) | |
31 | #define BLAKE2B_512_DIGEST_SIZE (512 / 8) | |
32 | ||
33 | enum blake2b_constant { | |
34 | BLAKE2B_BLOCKBYTES = 128, | |
35 | BLAKE2B_OUTBYTES = 64, | |
36 | BLAKE2B_KEYBYTES = 64, | |
37 | BLAKE2B_SALTBYTES = 16, | |
38 | BLAKE2B_PERSONALBYTES = 16 | |
39 | }; | |
40 | ||
41 | struct blake2b_state { | |
42 | u64 h[8]; | |
43 | u64 t[2]; | |
44 | u64 f[2]; | |
45 | u8 buf[BLAKE2B_BLOCKBYTES]; | |
46 | size_t buflen; | |
47 | size_t outlen; | |
48 | u8 last_node; | |
49 | }; | |
50 | ||
51 | struct blake2b_param { | |
52 | u8 digest_length; /* 1 */ | |
53 | u8 key_length; /* 2 */ | |
54 | u8 fanout; /* 3 */ | |
55 | u8 depth; /* 4 */ | |
56 | __le32 leaf_length; /* 8 */ | |
57 | __le32 node_offset; /* 12 */ | |
58 | __le32 xof_length; /* 16 */ | |
59 | u8 node_depth; /* 17 */ | |
60 | u8 inner_length; /* 18 */ | |
61 | u8 reserved[14]; /* 32 */ | |
62 | u8 salt[BLAKE2B_SALTBYTES]; /* 48 */ | |
63 | u8 personal[BLAKE2B_PERSONALBYTES]; /* 64 */ | |
64 | } __packed; | |
65 | ||
66 | static const u64 blake2b_IV[8] = { | |
67 | 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, | |
68 | 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL, | |
69 | 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL, | |
70 | 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL | |
71 | }; | |
72 | ||
73 | static const u8 blake2b_sigma[12][16] = { | |
74 | { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, | |
75 | { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, | |
76 | { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, | |
77 | { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, | |
78 | { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, | |
79 | { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, | |
80 | { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, | |
81 | { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, | |
82 | { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, | |
83 | { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 }, | |
84 | { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, | |
85 | { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } | |
86 | }; | |
87 | ||
91d68933 DS |
88 | static void blake2b_set_lastnode(struct blake2b_state *S) |
89 | { | |
90 | S->f[1] = (u64)-1; | |
91 | } | |
92 | ||
93 | static void blake2b_set_lastblock(struct blake2b_state *S) | |
94 | { | |
95 | if (S->last_node) | |
96 | blake2b_set_lastnode(S); | |
97 | ||
98 | S->f[0] = (u64)-1; | |
99 | } | |
100 | ||
101 | static void blake2b_increment_counter(struct blake2b_state *S, const u64 inc) | |
102 | { | |
103 | S->t[0] += inc; | |
104 | S->t[1] += (S->t[0] < inc); | |
105 | } | |
106 | ||
91d68933 DS |
107 | #define G(r,i,a,b,c,d) \ |
108 | do { \ | |
109 | a = a + b + m[blake2b_sigma[r][2*i+0]]; \ | |
110 | d = ror64(d ^ a, 32); \ | |
111 | c = c + d; \ | |
112 | b = ror64(b ^ c, 24); \ | |
113 | a = a + b + m[blake2b_sigma[r][2*i+1]]; \ | |
114 | d = ror64(d ^ a, 16); \ | |
115 | c = c + d; \ | |
116 | b = ror64(b ^ c, 63); \ | |
117 | } while (0) | |
118 | ||
119 | #define ROUND(r) \ | |
120 | do { \ | |
121 | G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \ | |
122 | G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \ | |
123 | G(r,2,v[ 2],v[ 6],v[10],v[14]); \ | |
124 | G(r,3,v[ 3],v[ 7],v[11],v[15]); \ | |
125 | G(r,4,v[ 0],v[ 5],v[10],v[15]); \ | |
126 | G(r,5,v[ 1],v[ 6],v[11],v[12]); \ | |
127 | G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \ | |
128 | G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \ | |
129 | } while (0) | |
130 | ||
131 | static void blake2b_compress(struct blake2b_state *S, | |
132 | const u8 block[BLAKE2B_BLOCKBYTES]) | |
133 | { | |
134 | u64 m[16]; | |
135 | u64 v[16]; | |
136 | size_t i; | |
137 | ||
138 | for (i = 0; i < 16; ++i) | |
139 | m[i] = get_unaligned_le64(block + i * sizeof(m[i])); | |
140 | ||
141 | for (i = 0; i < 8; ++i) | |
142 | v[i] = S->h[i]; | |
143 | ||
144 | v[ 8] = blake2b_IV[0]; | |
145 | v[ 9] = blake2b_IV[1]; | |
146 | v[10] = blake2b_IV[2]; | |
147 | v[11] = blake2b_IV[3]; | |
148 | v[12] = blake2b_IV[4] ^ S->t[0]; | |
149 | v[13] = blake2b_IV[5] ^ S->t[1]; | |
150 | v[14] = blake2b_IV[6] ^ S->f[0]; | |
151 | v[15] = blake2b_IV[7] ^ S->f[1]; | |
152 | ||
153 | ROUND(0); | |
154 | ROUND(1); | |
155 | ROUND(2); | |
156 | ROUND(3); | |
157 | ROUND(4); | |
158 | ROUND(5); | |
159 | ROUND(6); | |
160 | ROUND(7); | |
161 | ROUND(8); | |
162 | ROUND(9); | |
163 | ROUND(10); | |
164 | ROUND(11); | |
165 | ||
166 | for (i = 0; i < 8; ++i) | |
167 | S->h[i] = S->h[i] ^ v[i] ^ v[i + 8]; | |
168 | } | |
169 | ||
170 | #undef G | |
171 | #undef ROUND | |
172 | ||
173 | static void blake2b_update(struct blake2b_state *S, const void *pin, size_t inlen) | |
174 | { | |
175 | const u8 *in = (const u8 *)pin; | |
176 | ||
177 | if (inlen > 0) { | |
178 | size_t left = S->buflen; | |
179 | size_t fill = BLAKE2B_BLOCKBYTES - left; | |
180 | ||
181 | if (inlen > fill) { | |
182 | S->buflen = 0; | |
183 | /* Fill buffer */ | |
184 | memcpy(S->buf + left, in, fill); | |
185 | blake2b_increment_counter(S, BLAKE2B_BLOCKBYTES); | |
186 | /* Compress */ | |
187 | blake2b_compress(S, S->buf); | |
188 | in += fill; | |
189 | inlen -= fill; | |
190 | while (inlen > BLAKE2B_BLOCKBYTES) { | |
191 | blake2b_increment_counter(S, BLAKE2B_BLOCKBYTES); | |
192 | blake2b_compress(S, in); | |
193 | in += BLAKE2B_BLOCKBYTES; | |
194 | inlen -= BLAKE2B_BLOCKBYTES; | |
195 | } | |
196 | } | |
197 | memcpy(S->buf + S->buflen, in, inlen); | |
198 | S->buflen += inlen; | |
199 | } | |
200 | } | |
201 | ||
91d68933 DS |
202 | struct digest_tfm_ctx { |
203 | u8 key[BLAKE2B_KEYBYTES]; | |
204 | unsigned int keylen; | |
205 | }; | |
206 | ||
207 | static int digest_setkey(struct crypto_shash *tfm, const u8 *key, | |
208 | unsigned int keylen) | |
209 | { | |
210 | struct digest_tfm_ctx *mctx = crypto_shash_ctx(tfm); | |
211 | ||
212 | if (keylen == 0 || keylen > BLAKE2B_KEYBYTES) { | |
213 | crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); | |
214 | return -EINVAL; | |
215 | } | |
216 | ||
217 | memcpy(mctx->key, key, keylen); | |
218 | mctx->keylen = keylen; | |
219 | ||
220 | return 0; | |
221 | } | |
222 | ||
e3749695 | 223 | static int blake2b_init(struct shash_desc *desc) |
91d68933 DS |
224 | { |
225 | struct digest_tfm_ctx *mctx = crypto_shash_ctx(desc->tfm); | |
226 | struct blake2b_state *state = shash_desc_ctx(desc); | |
227 | const int digestsize = crypto_shash_digestsize(desc->tfm); | |
228 | ||
e3749695 DS |
229 | memset(state, 0, sizeof(*state)); |
230 | memcpy(state->h, blake2b_IV, sizeof(state->h)); | |
231 | ||
232 | /* Parameter block is all zeros except index 0, no xor for 1..7 */ | |
233 | state->h[0] ^= 0x01010000 | mctx->keylen << 8 | digestsize; | |
234 | ||
235 | if (mctx->keylen) { | |
e87e484d DS |
236 | /* |
237 | * Prefill the buffer with the key, next call to _update or | |
238 | * _final will process it | |
239 | */ | |
240 | memcpy(state->buf, mctx->key, mctx->keylen); | |
241 | state->buflen = BLAKE2B_BLOCKBYTES; | |
e3749695 | 242 | } |
91d68933 DS |
243 | return 0; |
244 | } | |
245 | ||
246 | static int digest_update(struct shash_desc *desc, const u8 *data, | |
247 | unsigned int length) | |
248 | { | |
249 | struct blake2b_state *state = shash_desc_ctx(desc); | |
250 | ||
251 | blake2b_update(state, data, length); | |
252 | return 0; | |
253 | } | |
254 | ||
086db43b | 255 | static int blake2b_final(struct shash_desc *desc, u8 *out) |
91d68933 DS |
256 | { |
257 | struct blake2b_state *state = shash_desc_ctx(desc); | |
258 | const int digestsize = crypto_shash_digestsize(desc->tfm); | |
086db43b DS |
259 | size_t i; |
260 | ||
261 | blake2b_increment_counter(state, state->buflen); | |
262 | blake2b_set_lastblock(state); | |
263 | /* Padding */ | |
264 | memset(state->buf + state->buflen, 0, BLAKE2B_BLOCKBYTES - state->buflen); | |
265 | blake2b_compress(state, state->buf); | |
266 | ||
267 | /* Avoid temporary buffer and switch the internal output to LE order */ | |
268 | for (i = 0; i < ARRAY_SIZE(state->h); i++) | |
269 | __cpu_to_le64s(&state->h[i]); | |
91d68933 | 270 | |
086db43b | 271 | memcpy(out, state->h, digestsize); |
91d68933 DS |
272 | return 0; |
273 | } | |
274 | ||
275 | static struct shash_alg blake2b_algs[] = { | |
276 | { | |
277 | .base.cra_name = "blake2b-160", | |
278 | .base.cra_driver_name = "blake2b-160-generic", | |
279 | .base.cra_priority = 100, | |
280 | .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, | |
281 | .base.cra_blocksize = BLAKE2B_BLOCKBYTES, | |
282 | .base.cra_ctxsize = sizeof(struct digest_tfm_ctx), | |
283 | .base.cra_module = THIS_MODULE, | |
284 | .digestsize = BLAKE2B_160_DIGEST_SIZE, | |
285 | .setkey = digest_setkey, | |
e3749695 | 286 | .init = blake2b_init, |
91d68933 | 287 | .update = digest_update, |
086db43b | 288 | .final = blake2b_final, |
91d68933 DS |
289 | .descsize = sizeof(struct blake2b_state), |
290 | }, { | |
291 | .base.cra_name = "blake2b-256", | |
292 | .base.cra_driver_name = "blake2b-256-generic", | |
293 | .base.cra_priority = 100, | |
294 | .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, | |
295 | .base.cra_blocksize = BLAKE2B_BLOCKBYTES, | |
296 | .base.cra_ctxsize = sizeof(struct digest_tfm_ctx), | |
297 | .base.cra_module = THIS_MODULE, | |
298 | .digestsize = BLAKE2B_256_DIGEST_SIZE, | |
299 | .setkey = digest_setkey, | |
e3749695 | 300 | .init = blake2b_init, |
91d68933 | 301 | .update = digest_update, |
086db43b | 302 | .final = blake2b_final, |
91d68933 DS |
303 | .descsize = sizeof(struct blake2b_state), |
304 | }, { | |
305 | .base.cra_name = "blake2b-384", | |
306 | .base.cra_driver_name = "blake2b-384-generic", | |
307 | .base.cra_priority = 100, | |
308 | .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, | |
309 | .base.cra_blocksize = BLAKE2B_BLOCKBYTES, | |
310 | .base.cra_ctxsize = sizeof(struct digest_tfm_ctx), | |
311 | .base.cra_module = THIS_MODULE, | |
312 | .digestsize = BLAKE2B_384_DIGEST_SIZE, | |
313 | .setkey = digest_setkey, | |
e3749695 | 314 | .init = blake2b_init, |
91d68933 | 315 | .update = digest_update, |
086db43b | 316 | .final = blake2b_final, |
91d68933 DS |
317 | .descsize = sizeof(struct blake2b_state), |
318 | }, { | |
319 | .base.cra_name = "blake2b-512", | |
320 | .base.cra_driver_name = "blake2b-512-generic", | |
321 | .base.cra_priority = 100, | |
322 | .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, | |
323 | .base.cra_blocksize = BLAKE2B_BLOCKBYTES, | |
324 | .base.cra_ctxsize = sizeof(struct digest_tfm_ctx), | |
325 | .base.cra_module = THIS_MODULE, | |
326 | .digestsize = BLAKE2B_512_DIGEST_SIZE, | |
327 | .setkey = digest_setkey, | |
e3749695 | 328 | .init = blake2b_init, |
91d68933 | 329 | .update = digest_update, |
086db43b | 330 | .final = blake2b_final, |
91d68933 DS |
331 | .descsize = sizeof(struct blake2b_state), |
332 | } | |
333 | }; | |
334 | ||
335 | static int __init blake2b_mod_init(void) | |
336 | { | |
337 | BUILD_BUG_ON(sizeof(struct blake2b_param) != BLAKE2B_OUTBYTES); | |
338 | ||
339 | return crypto_register_shashes(blake2b_algs, ARRAY_SIZE(blake2b_algs)); | |
340 | } | |
341 | ||
342 | static void __exit blake2b_mod_fini(void) | |
343 | { | |
344 | crypto_unregister_shashes(blake2b_algs, ARRAY_SIZE(blake2b_algs)); | |
345 | } | |
346 | ||
347 | subsys_initcall(blake2b_mod_init); | |
348 | module_exit(blake2b_mod_fini); | |
349 | ||
350 | MODULE_AUTHOR("David Sterba <kdave@kernel.org>"); | |
351 | MODULE_DESCRIPTION("BLAKE2b generic implementation"); | |
352 | MODULE_LICENSE("GPL"); | |
353 | MODULE_ALIAS_CRYPTO("blake2b-160"); | |
354 | MODULE_ALIAS_CRYPTO("blake2b-160-generic"); | |
355 | MODULE_ALIAS_CRYPTO("blake2b-256"); | |
356 | MODULE_ALIAS_CRYPTO("blake2b-256-generic"); | |
357 | MODULE_ALIAS_CRYPTO("blake2b-384"); | |
358 | MODULE_ALIAS_CRYPTO("blake2b-384-generic"); | |
359 | MODULE_ALIAS_CRYPTO("blake2b-512"); | |
360 | MODULE_ALIAS_CRYPTO("blake2b-512-generic"); |