1 /* $OpenBSD: siphash.c,v 1.3 2015/02/20 11:51:03 tedu Exp $ */
4 * Copyright (c) 2013 Andre Oppermann <andre@FreeBSD.org>
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. The name of the author may not be used to endorse or promote
16 * products derived from this software without specific prior written
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
/*
 * SipHash is a family of PRFs SipHash-c-d where the integer parameters c and d
 * are the number of compression rounds and the number of finalization rounds.
 * A compression round is identical to a finalization round and this round
 * function is called SipRound.  Given a 128-bit key k and a (possibly empty)
 * byte string m, SipHash-c-d returns a 64-bit value SipHash-c-d(k; m).
 *
 * Implemented from the paper "SipHash: a fast short-input PRF", 2012.09.18,
 * by Jean-Philippe Aumasson and Daniel J. Bernstein,
 * Permanent Document ID b9a943a805fbfc6fde808af9fc0ecdfa
 * https://131002.net/siphash/siphash.pdf
 * https://131002.net/siphash/
 */
46 //#include <sys/param.h>
47 //#include <sys/systm.h>
49 #include <asm/byteorder.h>
50 #include <linux/string.h>
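/*
 * File-local helpers, defined further down in this file.
 * SipHash_CRounds absorbs the 8-byte block held in ctx->buf;
 * SipHash_Rounds applies the SipRound permutation `rounds` times.
 */
static void SipHash_CRounds(SIPHASH_CTX *ctx, int rounds);
static void SipHash_Rounds(SIPHASH_CTX *ctx, int rounds);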
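/*
 * Initialise a SipHash context from a 128-bit key.
 *
 * ctx: context to set up; any previous state is overwritten.
 * key: two little-endian 64-bit halves (k0, k1).  The PRF property only
 *      holds while the key is secret, so callers should source it from a
 *      cryptographic RNG and never derive it from attacker-visible data.
 *
 * The listing this was taken from had lost the return type, braces and
 * local declarations; they are restored here.
 */
void
SipHash_Init(SIPHASH_CTX *ctx, const SIPHASH_KEY *key)
{
	u64 k0, k1;

	k0 = le64_to_cpu(key->k0);
	k1 = le64_to_cpu(key->k1);

	/* Initial state: fixed constants XORed with the key halves. */
	ctx->v[0] = 0x736f6d6570736575ULL ^ k0;
	ctx->v[1] = 0x646f72616e646f6dULL ^ k1;
	ctx->v[2] = 0x6c7967656e657261ULL ^ k0;
	ctx->v[3] = 0x7465646279746573ULL ^ k1;

	memset(ctx->buf, 0, sizeof(ctx->buf));
	/*
	 * NOTE(review): the byte-counter reset is not visible in the listing.
	 * It is restored because SipHash_Update/SipHash_End derive the buffer
	 * offset from ctx->bytes, so a stale value would misplace input.
	 */
	ctx->bytes = 0;
}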
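/*
 * Absorb len bytes from src into the running hash.
 *
 * ctx: context previously set up with SipHash_Init.
 * rc:  number of compression rounds per 8-byte block (the "c" parameter).
 * rf:  finalization rounds; unused here, kept for interface symmetry.
 * src: input bytes; may be NULL only when len is 0.
 * len: number of bytes at src.
 *
 * Input is consumed in 8-byte blocks.  A trailing partial block is parked
 * in ctx->buf until a later Update or SipHash_End completes it.
 *
 * Fix: once a previously buffered partial block has been completed and
 * compressed, the buffer is empty, so the new tail must be stored at
 * offset 0.  The original stored it at the stale offset `used`; with
 * used + len > sizeof(ctx->buf) that writes past the end of ctx->buf
 * into the rest of the context, and otherwise it yields a wrong digest.
 *
 * NOTE(review): control-flow lines missing from the listing (the len == 0
 * guard, the counter update, the branch structure) are restored here;
 * confirm against the upstream file.
 */
void
SipHash_Update(SIPHASH_CTX *ctx, int rc, int rf, const void *src, size_t len)
{
	const u8 *ptr = src;
	size_t left, used;

	if (len == 0)
		return;

	used = ctx->bytes % sizeof(ctx->buf);
	ctx->bytes += len;

	if (used > 0) {
		left = sizeof(ctx->buf) - used;

		if (len < left) {
			/* Still not a full block: just append and wait. */
			memcpy(&ctx->buf[used], ptr, len);
			return;
		}

		/* Top up the pending block and compress it. */
		memcpy(&ctx->buf[used], ptr, left);
		SipHash_CRounds(ctx, rc);
		len -= left;
		ptr += left;
	}

	/* Whole blocks. */
	while (len >= sizeof(ctx->buf)) {
		memcpy(ctx->buf, ptr, sizeof(ctx->buf));
		SipHash_CRounds(ctx, rc);
		len -= sizeof(ctx->buf);
		ptr += sizeof(ctx->buf);
	}

	/* Remaining tail (< 8 bytes) starts a fresh block at offset 0. */
	if (len > 0)
		memcpy(ctx->buf, ptr, len);
}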
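/*
 * Finish the hash and write the 64-bit result to dst in little-endian
 * byte order.
 *
 * dst: output buffer of at least 8 writable bytes; no alignment required.
 * ctx: context to finalise; it is wiped by SipHash_End and must be
 *      re-initialised before reuse.
 * rc, rf: compression / finalization round counts, passed to SipHash_End.
 *
 * Fix: the original stored through a cast `(__le64 *)dst`.  dst is a
 * caller-supplied void pointer with no alignment guarantee, so the store
 * is replaced with memcpy, which is valid for any alignment.
 */
void
SipHash_Final(void *dst, SIPHASH_CTX *ctx, int rc, int rf)
{
	__le64 r;

	r = cpu_to_le64(SipHash_End(ctx, rc, rf));
	memcpy(dst, &r, sizeof(r));
}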
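/*
 * Finish the hash and return the 64-bit result in host byte order.
 *
 * ctx: context to finalise.  It is zeroed before returning, so key-derived
 *      state does not linger in memory; call SipHash_Init before reuse.
 * rc:  compression rounds applied to the final padded block.
 * rf:  finalization rounds.
 *
 * Fix: the wipe used plain memset().  When this function is inlined into
 * a caller whose context is a dead stack object (as in SipHash() in this
 * file), the compiler may drop that store.  memzero_explicit() from
 * <linux/string.h>, which this file already includes, is not elided.
 */
uint64_t
SipHash_End(SIPHASH_CTX *ctx, int rc, int rf)
{
	u64 r;
	size_t left, used;

	/* Zero-pad the last block; its top byte carries the length mod 256. */
	used = ctx->bytes % sizeof(ctx->buf);
	left = sizeof(ctx->buf) - used;
	memset(&ctx->buf[used], 0, left - 1);
	ctx->buf[7] = ctx->bytes;

	SipHash_CRounds(ctx, rc);
	/*
	 * NOTE(review): this step is not visible in the listing; it is
	 * restored from the finalization defined in the referenced SipHash
	 * paper (v2 ^= 0xff before the d rounds).  Confirm against upstream.
	 */
	ctx->v[2] ^= 0xff;
	SipHash_Rounds(ctx, rf);

	r = (ctx->v[0] ^ ctx->v[1]) ^ (ctx->v[2] ^ ctx->v[3]);
	memzero_explicit(ctx, sizeof(*ctx));
	return (r);
}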
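/*
 * One-shot SipHash-rc-rf of a single buffer.
 *
 * key: 128-bit secret key (see SipHash_Init).
 * rc:  compression rounds per block (c in SipHash-c-d).
 * rf:  finalization rounds (d in SipHash-c-d).
 * src: input bytes; len: their count (may be 0).
 *
 * Returns the 64-bit PRF output in host byte order.  The output is only
 * 64 bits wide and is meaningful as a keyed PRF; it is not a substitute
 * for a collision-resistant unkeyed hash.
 *
 * The local context declaration and braces were missing from the listing
 * and are restored here.  The context is wiped inside SipHash_End.
 */
uint64_t
SipHash(const SIPHASH_KEY *key, int rc, int rf, const void *src, size_t len)
{
	SIPHASH_CTX ctx;

	SipHash_Init(&ctx, key);
	SipHash_Update(&ctx, rc, rf, src, len);
	return (SipHash_End(&ctx, rc, rf));
}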
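/*
 * Rotate the 64-bit value x left by b bits.  b must be in 1..63: a shift
 * by 0 or 64 would make one of the two shifts undefined behaviour.
 * The whole expansion is parenthesised so that the macro composes safely
 * with neighbouring operators (the original lacked the outer parentheses,
 * so e.g. `SIP_ROTL(x, b) & mask` bound `& mask` to the right half only).
 */
#define SIP_ROTL(x, b) (((x) << (b)) | ((x) >> (64 - (b))))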
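/*
 * Apply the SipRound permutation to the four state words `rounds` times.
 *
 * ctx:    context whose v[0..3] are permuted in place.
 * rounds: iteration count; zero or negative performs no rounds.
 *
 * NOTE(review): the loop header is not visible in the listing.  It is
 * restored as a bounded count-down so that a negative argument cannot
 * turn into a very long loop; confirm against upstream.
 */
static void
SipHash_Rounds(SIPHASH_CTX *ctx, int rounds)
{
	for (; rounds > 0; rounds--) {
		ctx->v[0] += ctx->v[1];
		ctx->v[2] += ctx->v[3];
		ctx->v[1] = SIP_ROTL(ctx->v[1], 13);
		ctx->v[3] = SIP_ROTL(ctx->v[3], 16);

		ctx->v[1] ^= ctx->v[0];
		ctx->v[3] ^= ctx->v[2];
		ctx->v[0] = SIP_ROTL(ctx->v[0], 32);

		ctx->v[2] += ctx->v[1];
		ctx->v[0] += ctx->v[3];
		ctx->v[1] = SIP_ROTL(ctx->v[1], 17);
		ctx->v[3] = SIP_ROTL(ctx->v[3], 21);

		ctx->v[1] ^= ctx->v[2];
		ctx->v[3] ^= ctx->v[0];
		ctx->v[2] = SIP_ROTL(ctx->v[2], 32);
	}
}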
178 SipHash_CRounds(SIPHASH_CTX *ctx, int rounds)
180 u64 m = le64_to_cpu(*((__le64 *)ctx->buf));
183 SipHash_Rounds(ctx, rounds);