aboutsummaryrefslogtreecommitdiffstats
path: root/crypto/siphash
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/siphash')
-rw-r--r--crypto/siphash/build.info5
-rw-r--r--crypto/siphash/siphash.c248
-rw-r--r--crypto/siphash/siphash_ameth.c123
-rw-r--r--crypto/siphash/siphash_local.h23
-rw-r--r--crypto/siphash/siphash_pmeth.c205
5 files changed, 604 insertions, 0 deletions
diff --git a/crypto/siphash/build.info b/crypto/siphash/build.info
new file mode 100644
index 000000000000..4166344a5bfb
--- /dev/null
+++ b/crypto/siphash/build.info
@@ -0,0 +1,5 @@
+LIBS=../../libcrypto
+SOURCE[../../libcrypto]=\
+ siphash.c \
+ siphash_pmeth.c \
+ siphash_ameth.c
diff --git a/crypto/siphash/siphash.c b/crypto/siphash/siphash.c
new file mode 100644
index 000000000000..ff84a29f8215
--- /dev/null
+++ b/crypto/siphash/siphash.c
@@ -0,0 +1,248 @@
+/*
+ * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Based on https://131002.net/siphash C reference implementation */
+/*
+ SipHash reference C implementation
+
+ Copyright (c) 2012-2016 Jean-Philippe Aumasson
+ Copyright (c) 2012-2014 Daniel J. Bernstein
+
+ To the extent possible under law, the author(s) have dedicated all copyright
+ and related and neighboring rights to this software to the public domain
+ worldwide. This software is distributed without any warranty.
+
+ You should have received a copy of the CC0 Public Domain Dedication along
+ with this software. If not, see
+ <http://creativecommons.org/publicdomain/zero/1.0/>.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/crypto.h>
+
+#include "internal/siphash.h"
+#include "siphash_local.h"
+
+/* default: SipHash-2-4 */
+#define SIPHASH_C_ROUNDS 2
+#define SIPHASH_D_ROUNDS 4
+
+#define ROTL(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))
+
+#define U32TO8_LE(p, v) \
+ (p)[0] = (uint8_t)((v)); \
+ (p)[1] = (uint8_t)((v) >> 8); \
+ (p)[2] = (uint8_t)((v) >> 16); \
+ (p)[3] = (uint8_t)((v) >> 24);
+
+#define U64TO8_LE(p, v) \
+ U32TO8_LE((p), (uint32_t)((v))); \
+ U32TO8_LE((p) + 4, (uint32_t)((v) >> 32));
+
+#define U8TO64_LE(p) \
+ (((uint64_t)((p)[0])) | ((uint64_t)((p)[1]) << 8) | \
+ ((uint64_t)((p)[2]) << 16) | ((uint64_t)((p)[3]) << 24) | \
+ ((uint64_t)((p)[4]) << 32) | ((uint64_t)((p)[5]) << 40) | \
+ ((uint64_t)((p)[6]) << 48) | ((uint64_t)((p)[7]) << 56))
+
+#define SIPROUND \
+ do { \
+ v0 += v1; \
+ v1 = ROTL(v1, 13); \
+ v1 ^= v0; \
+ v0 = ROTL(v0, 32); \
+ v2 += v3; \
+ v3 = ROTL(v3, 16); \
+ v3 ^= v2; \
+ v0 += v3; \
+ v3 = ROTL(v3, 21); \
+ v3 ^= v0; \
+ v2 += v1; \
+ v1 = ROTL(v1, 17); \
+ v1 ^= v2; \
+ v2 = ROTL(v2, 32); \
+ } while (0)
+
+size_t SipHash_ctx_size(void)
+{
+ return sizeof(SIPHASH);
+}
+
+size_t SipHash_hash_size(SIPHASH *ctx)
+{
+ return ctx->hash_size;
+}
+
+static size_t siphash_adjust_hash_size(size_t hash_size)
+{
+ if (hash_size == 0)
+ hash_size = SIPHASH_MAX_DIGEST_SIZE;
+ return hash_size;
+}
+
+int SipHash_set_hash_size(SIPHASH *ctx, size_t hash_size)
+{
+ hash_size = siphash_adjust_hash_size(hash_size);
+ if (hash_size != SIPHASH_MIN_DIGEST_SIZE
+ && hash_size != SIPHASH_MAX_DIGEST_SIZE)
+ return 0;
+
+ ctx->hash_size = hash_size;
+ return 1;
+}
+
+/* hash_size = crounds = drounds = 0 means SipHash24 with 16-byte output */
+int SipHash_Init(SIPHASH *ctx, const unsigned char *k, int crounds, int drounds)
+{
+ uint64_t k0 = U8TO64_LE(k);
+ uint64_t k1 = U8TO64_LE(k + 8);
+
+ /* If the hash size wasn't set, i.e. is zero */
+ ctx->hash_size = siphash_adjust_hash_size(ctx->hash_size);
+
+ if (drounds == 0)
+ drounds = SIPHASH_D_ROUNDS;
+ if (crounds == 0)
+ crounds = SIPHASH_C_ROUNDS;
+
+ ctx->crounds = crounds;
+ ctx->drounds = drounds;
+
+ ctx->len = 0;
+ ctx->total_inlen = 0;
+
+ ctx->v0 = 0x736f6d6570736575ULL ^ k0;
+ ctx->v1 = 0x646f72616e646f6dULL ^ k1;
+ ctx->v2 = 0x6c7967656e657261ULL ^ k0;
+ ctx->v3 = 0x7465646279746573ULL ^ k1;
+
+ if (ctx->hash_size == SIPHASH_MAX_DIGEST_SIZE)
+ ctx->v1 ^= 0xee;
+
+ return 1;
+}
+
+void SipHash_Update(SIPHASH *ctx, const unsigned char *in, size_t inlen)
+{
+ uint64_t m;
+ const uint8_t *end;
+ int left;
+ int i;
+ uint64_t v0 = ctx->v0;
+ uint64_t v1 = ctx->v1;
+ uint64_t v2 = ctx->v2;
+ uint64_t v3 = ctx->v3;
+
+ ctx->total_inlen += inlen;
+
+ if (ctx->len) {
+ /* deal with leavings */
+ size_t available = SIPHASH_BLOCK_SIZE - ctx->len;
+
+ /* not enough to fill leavings */
+ if (inlen < available) {
+ memcpy(&ctx->leavings[ctx->len], in, inlen);
+ ctx->len += inlen;
+ return;
+ }
+
+ /* copy data into leavings and reduce input */
+ memcpy(&ctx->leavings[ctx->len], in, available);
+ inlen -= available;
+ in += available;
+
+ /* process leavings */
+ m = U8TO64_LE(ctx->leavings);
+ v3 ^= m;
+ for (i = 0; i < ctx->crounds; ++i)
+ SIPROUND;
+ v0 ^= m;
+ }
+ left = inlen & (SIPHASH_BLOCK_SIZE-1); /* gets put into leavings */
+ end = in + inlen - left;
+
+ for (; in != end; in += 8) {
+ m = U8TO64_LE(in);
+ v3 ^= m;
+ for (i = 0; i < ctx->crounds; ++i)
+ SIPROUND;
+ v0 ^= m;
+ }
+
+ /* save leavings and other ctx */
+ if (left)
+ memcpy(ctx->leavings, end, left);
+ ctx->len = left;
+
+ ctx->v0 = v0;
+ ctx->v1 = v1;
+ ctx->v2 = v2;
+ ctx->v3 = v3;
+}
+
+int SipHash_Final(SIPHASH *ctx, unsigned char *out, size_t outlen)
+{
+ /* finalize hash */
+ int i;
+ uint64_t b = ctx->total_inlen << 56;
+ uint64_t v0 = ctx->v0;
+ uint64_t v1 = ctx->v1;
+ uint64_t v2 = ctx->v2;
+ uint64_t v3 = ctx->v3;
+
+ if (outlen != (size_t)ctx->hash_size)
+ return 0;
+
+ switch (ctx->len) {
+ case 7:
+ b |= ((uint64_t)ctx->leavings[6]) << 48;
+ /* fall thru */
+ case 6:
+ b |= ((uint64_t)ctx->leavings[5]) << 40;
+ /* fall thru */
+ case 5:
+ b |= ((uint64_t)ctx->leavings[4]) << 32;
+ /* fall thru */
+ case 4:
+ b |= ((uint64_t)ctx->leavings[3]) << 24;
+ /* fall thru */
+ case 3:
+ b |= ((uint64_t)ctx->leavings[2]) << 16;
+ /* fall thru */
+ case 2:
+ b |= ((uint64_t)ctx->leavings[1]) << 8;
+ /* fall thru */
+ case 1:
+ b |= ((uint64_t)ctx->leavings[0]);
+ case 0:
+ break;
+ }
+
+ v3 ^= b;
+ for (i = 0; i < ctx->crounds; ++i)
+ SIPROUND;
+ v0 ^= b;
+ if (ctx->hash_size == SIPHASH_MAX_DIGEST_SIZE)
+ v2 ^= 0xee;
+ else
+ v2 ^= 0xff;
+ for (i = 0; i < ctx->drounds; ++i)
+ SIPROUND;
+ b = v0 ^ v1 ^ v2 ^ v3;
+ U64TO8_LE(out, b);
+ if (ctx->hash_size == SIPHASH_MIN_DIGEST_SIZE)
+ return 1;
+ v1 ^= 0xdd;
+ for (i = 0; i < ctx->drounds; ++i)
+ SIPROUND;
+ b = v0 ^ v1 ^ v2 ^ v3;
+ U64TO8_LE(out + 8, b);
+ return 1;
+}
diff --git a/crypto/siphash/siphash_ameth.c b/crypto/siphash/siphash_ameth.c
new file mode 100644
index 000000000000..c0ab7efae4b6
--- /dev/null
+++ b/crypto/siphash/siphash_ameth.c
@@ -0,0 +1,123 @@
+/*
+ * Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include "internal/cryptlib.h"
+#include <openssl/evp.h>
+#include "internal/asn1_int.h"
+#include "internal/siphash.h"
+#include "siphash_local.h"
+#include "internal/evp_int.h"
+
+/*
+ * SIPHASH "ASN1" method. This is just here to indicate the maximum
+ * SIPHASH output length and to free up a SIPHASH key.
+ */
+
+static int siphash_size(const EVP_PKEY *pkey)
+{
+ return SIPHASH_MAX_DIGEST_SIZE;
+}
+
+static void siphash_key_free(EVP_PKEY *pkey)
+{
+ ASN1_OCTET_STRING *os = EVP_PKEY_get0(pkey);
+
+ if (os != NULL) {
+ if (os->data != NULL)
+ OPENSSL_cleanse(os->data, os->length);
+ ASN1_OCTET_STRING_free(os);
+ }
+}
+
+static int siphash_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
+{
+ /* nothing (including ASN1_PKEY_CTRL_DEFAULT_MD_NID), is supported */
+ return -2;
+}
+
+static int siphash_pkey_public_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
+{
+ return ASN1_OCTET_STRING_cmp(EVP_PKEY_get0(a), EVP_PKEY_get0(b));
+}
+
+static int siphash_set_priv_key(EVP_PKEY *pkey, const unsigned char *priv,
+ size_t len)
+{
+ ASN1_OCTET_STRING *os;
+
+ if (pkey->pkey.ptr != NULL || len != SIPHASH_KEY_SIZE)
+ return 0;
+
+ os = ASN1_OCTET_STRING_new();
+ if (os == NULL)
+ return 0;
+
+ if (!ASN1_OCTET_STRING_set(os, priv, len)) {
+ ASN1_OCTET_STRING_free(os);
+ return 0;
+ }
+
+ pkey->pkey.ptr = os;
+ return 1;
+}
+
+static int siphash_get_priv_key(const EVP_PKEY *pkey, unsigned char *priv,
+ size_t *len)
+{
+ ASN1_OCTET_STRING *os = (ASN1_OCTET_STRING *)pkey->pkey.ptr;
+
+ if (priv == NULL) {
+ *len = SIPHASH_KEY_SIZE;
+ return 1;
+ }
+
+ if (os == NULL || *len < SIPHASH_KEY_SIZE)
+ return 0;
+
+ memcpy(priv, ASN1_STRING_get0_data(os), ASN1_STRING_length(os));
+ *len = SIPHASH_KEY_SIZE;
+
+ return 1;
+}
+
+const EVP_PKEY_ASN1_METHOD siphash_asn1_meth = {
+ EVP_PKEY_SIPHASH,
+ EVP_PKEY_SIPHASH,
+ 0,
+
+ "SIPHASH",
+ "OpenSSL SIPHASH method",
+
+ 0, 0, siphash_pkey_public_cmp, 0,
+
+ 0, 0, 0,
+
+ siphash_size,
+ 0, 0,
+ 0, 0, 0, 0, 0, 0, 0,
+
+ siphash_key_free,
+ siphash_pkey_ctrl,
+ NULL,
+ NULL,
+
+ NULL,
+ NULL,
+ NULL,
+
+ NULL,
+ NULL,
+ NULL,
+
+ siphash_set_priv_key,
+ NULL,
+ siphash_get_priv_key,
+ NULL,
+};
diff --git a/crypto/siphash/siphash_local.h b/crypto/siphash/siphash_local.h
new file mode 100644
index 000000000000..5ad34764634d
--- /dev/null
+++ b/crypto/siphash/siphash_local.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Based on https://131002.net/siphash C reference implementation */
+
+struct siphash_st {
+ uint64_t total_inlen;
+ uint64_t v0;
+ uint64_t v1;
+ uint64_t v2;
+ uint64_t v3;
+ unsigned int len;
+ int hash_size;
+ int crounds;
+ int drounds;
+ unsigned char leavings[SIPHASH_BLOCK_SIZE];
+};
diff --git a/crypto/siphash/siphash_pmeth.c b/crypto/siphash/siphash_pmeth.c
new file mode 100644
index 000000000000..66e552fec5e5
--- /dev/null
+++ b/crypto/siphash/siphash_pmeth.c
@@ -0,0 +1,205 @@
+/*
+ * Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include "internal/cryptlib.h"
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#include "internal/siphash.h"
+#include "siphash_local.h"
+#include "internal/evp_int.h"
+
+/* SIPHASH pkey context structure */
+
+typedef struct siphash_pkey_ctx_st {
+ ASN1_OCTET_STRING ktmp; /* Temp storage for key */
+ SIPHASH ctx;
+} SIPHASH_PKEY_CTX;
+
+static int pkey_siphash_init(EVP_PKEY_CTX *ctx)
+{
+ SIPHASH_PKEY_CTX *pctx;
+
+ if ((pctx = OPENSSL_zalloc(sizeof(*pctx))) == NULL) {
+ CRYPTOerr(CRYPTO_F_PKEY_SIPHASH_INIT, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ pctx->ktmp.type = V_ASN1_OCTET_STRING;
+
+ EVP_PKEY_CTX_set_data(ctx, pctx);
+ EVP_PKEY_CTX_set0_keygen_info(ctx, NULL, 0);
+ return 1;
+}
+
+static void pkey_siphash_cleanup(EVP_PKEY_CTX *ctx)
+{
+ SIPHASH_PKEY_CTX *pctx = EVP_PKEY_CTX_get_data(ctx);
+
+ if (pctx != NULL) {
+ OPENSSL_clear_free(pctx->ktmp.data, pctx->ktmp.length);
+ OPENSSL_clear_free(pctx, sizeof(*pctx));
+ EVP_PKEY_CTX_set_data(ctx, NULL);
+ }
+}
+
+static int pkey_siphash_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
+{
+ SIPHASH_PKEY_CTX *sctx, *dctx;
+
+ /* allocate memory for dst->data and a new SIPHASH_CTX in dst->data->ctx */
+ if (!pkey_siphash_init(dst))
+ return 0;
+ sctx = EVP_PKEY_CTX_get_data(src);
+ dctx = EVP_PKEY_CTX_get_data(dst);
+ if (ASN1_STRING_get0_data(&sctx->ktmp) != NULL &&
+ !ASN1_STRING_copy(&dctx->ktmp, &sctx->ktmp)) {
+ /* cleanup and free the SIPHASH_PKEY_CTX in dst->data */
+ pkey_siphash_cleanup(dst);
+ return 0;
+ }
+ memcpy(&dctx->ctx, &sctx->ctx, sizeof(SIPHASH));
+ return 1;
+}
+
+static int pkey_siphash_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
+{
+ ASN1_OCTET_STRING *key;
+ SIPHASH_PKEY_CTX *pctx = EVP_PKEY_CTX_get_data(ctx);
+
+ if (ASN1_STRING_get0_data(&pctx->ktmp) == NULL)
+ return 0;
+ key = ASN1_OCTET_STRING_dup(&pctx->ktmp);
+ if (key == NULL)
+ return 0;
+ return EVP_PKEY_assign_SIPHASH(pkey, key);
+}
+
+static int int_update(EVP_MD_CTX *ctx, const void *data, size_t count)
+{
+ SIPHASH_PKEY_CTX *pctx = EVP_PKEY_CTX_get_data(EVP_MD_CTX_pkey_ctx(ctx));
+
+ SipHash_Update(&pctx->ctx, data, count);
+ return 1;
+}
+
+static int siphash_signctx_init(EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx)
+{
+ SIPHASH_PKEY_CTX *pctx = EVP_PKEY_CTX_get_data(ctx);
+ const unsigned char* key;
+ size_t len;
+
+ key = EVP_PKEY_get0_siphash(EVP_PKEY_CTX_get0_pkey(ctx), &len);
+ if (key == NULL || len != SIPHASH_KEY_SIZE)
+ return 0;
+ EVP_MD_CTX_set_flags(mctx, EVP_MD_CTX_FLAG_NO_INIT);
+ EVP_MD_CTX_set_update_fn(mctx, int_update);
+ return SipHash_Init(&pctx->ctx, key, 0, 0);
+}
+static int siphash_signctx(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
+ EVP_MD_CTX *mctx)
+{
+ SIPHASH_PKEY_CTX *pctx = ctx->data;
+
+ *siglen = SipHash_hash_size(&pctx->ctx);
+ if (sig != NULL)
+ return SipHash_Final(&pctx->ctx, sig, *siglen);
+ return 1;
+}
+
+static int pkey_siphash_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
+{
+ SIPHASH_PKEY_CTX *pctx = EVP_PKEY_CTX_get_data(ctx);
+ const unsigned char *key;
+ size_t len;
+
+ switch (type) {
+
+ case EVP_PKEY_CTRL_MD:
+ /* ignore */
+ break;
+
+ case EVP_PKEY_CTRL_SET_DIGEST_SIZE:
+ return SipHash_set_hash_size(&pctx->ctx, p1);
+
+ case EVP_PKEY_CTRL_SET_MAC_KEY:
+ case EVP_PKEY_CTRL_DIGESTINIT:
+ if (type == EVP_PKEY_CTRL_SET_MAC_KEY) {
+ /* user explicitly setting the key */
+ key = p2;
+ len = p1;
+ } else {
+ /* user indirectly setting the key via EVP_DigestSignInit */
+ key = EVP_PKEY_get0_siphash(EVP_PKEY_CTX_get0_pkey(ctx), &len);
+ }
+ if (key == NULL || len != SIPHASH_KEY_SIZE ||
+ !ASN1_OCTET_STRING_set(&pctx->ktmp, key, len))
+ return 0;
+ /* use default rounds (2,4) */
+ return SipHash_Init(&pctx->ctx, ASN1_STRING_get0_data(&pctx->ktmp),
+ 0, 0);
+
+ default:
+ return -2;
+
+ }
+ return 1;
+}
+
+static int pkey_siphash_ctrl_str(EVP_PKEY_CTX *ctx,
+ const char *type, const char *value)
+{
+ if (value == NULL)
+ return 0;
+ if (strcmp(type, "digestsize") == 0) {
+ size_t hash_size = atoi(value);
+
+ return pkey_siphash_ctrl(ctx, EVP_PKEY_CTRL_SET_DIGEST_SIZE, hash_size,
+ NULL);
+ }
+ if (strcmp(type, "key") == 0)
+ return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_SET_MAC_KEY, value);
+ if (strcmp(type, "hexkey") == 0)
+ return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_SET_MAC_KEY, value);
+ return -2;
+}
+
+const EVP_PKEY_METHOD siphash_pkey_meth = {
+ EVP_PKEY_SIPHASH,
+ EVP_PKEY_FLAG_SIGCTX_CUSTOM, /* we don't deal with a separate MD */
+ pkey_siphash_init,
+ pkey_siphash_copy,
+ pkey_siphash_cleanup,
+
+ 0, 0,
+
+ 0,
+ pkey_siphash_keygen,
+
+ 0, 0,
+
+ 0, 0,
+
+ 0, 0,
+
+ siphash_signctx_init,
+ siphash_signctx,
+
+ 0, 0,
+
+ 0, 0,
+
+ 0, 0,
+
+ 0, 0,
+
+ pkey_siphash_ctrl,
+ pkey_siphash_ctrl_str
+};