Jason A. Donenfeld | 66d7fb9 | 2019-11-08 13:22:28 +0100 | [diff] [blame] | 1 | // SPDX-License-Identifier: GPL-2.0 OR MIT |
| 2 | /* |
| 3 | * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. |
| 4 | * |
| 5 | * This is an implementation of the BLAKE2s hash and PRF functions. |
| 6 | * |
| 7 | * Information: https://blake2.net/ |
| 8 | * |
| 9 | */ |
| 10 | |
| 11 | #include <crypto/internal/blake2s.h> |
| 12 | #include <linux/types.h> |
| 13 | #include <linux/string.h> |
| 14 | #include <linux/kernel.h> |
| 15 | #include <linux/module.h> |
| 16 | #include <linux/init.h> |
| 17 | #include <linux/bug.h> |
| 18 | #include <asm/unaligned.h> |
| 19 | |
| 20 | bool blake2s_selftest(void); |
| 21 | |
| 22 | void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen) |
| 23 | { |
| 24 | const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen; |
| 25 | |
| 26 | if (unlikely(!inlen)) |
| 27 | return; |
| 28 | if (inlen > fill) { |
| 29 | memcpy(state->buf + state->buflen, in, fill); |
| 30 | if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S)) |
| 31 | blake2s_compress_arch(state, state->buf, 1, |
| 32 | BLAKE2S_BLOCK_SIZE); |
| 33 | else |
| 34 | blake2s_compress_generic(state, state->buf, 1, |
| 35 | BLAKE2S_BLOCK_SIZE); |
| 36 | state->buflen = 0; |
| 37 | in += fill; |
| 38 | inlen -= fill; |
| 39 | } |
| 40 | if (inlen > BLAKE2S_BLOCK_SIZE) { |
| 41 | const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE); |
| 42 | /* Hash one less (full) block than strictly possible */ |
| 43 | if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S)) |
| 44 | blake2s_compress_arch(state, in, nblocks - 1, |
| 45 | BLAKE2S_BLOCK_SIZE); |
| 46 | else |
| 47 | blake2s_compress_generic(state, in, nblocks - 1, |
| 48 | BLAKE2S_BLOCK_SIZE); |
| 49 | in += BLAKE2S_BLOCK_SIZE * (nblocks - 1); |
| 50 | inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1); |
| 51 | } |
| 52 | memcpy(state->buf + state->buflen, in, inlen); |
| 53 | state->buflen += inlen; |
| 54 | } |
| 55 | EXPORT_SYMBOL(blake2s_update); |
| 56 | |
| 57 | void blake2s_final(struct blake2s_state *state, u8 *out) |
| 58 | { |
| 59 | WARN_ON(IS_ENABLED(DEBUG) && !out); |
| 60 | blake2s_set_lastblock(state); |
| 61 | memset(state->buf + state->buflen, 0, |
| 62 | BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */ |
| 63 | if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S)) |
| 64 | blake2s_compress_arch(state, state->buf, 1, state->buflen); |
| 65 | else |
| 66 | blake2s_compress_generic(state, state->buf, 1, state->buflen); |
| 67 | cpu_to_le32_array(state->h, ARRAY_SIZE(state->h)); |
| 68 | memcpy(out, state->h, state->outlen); |
| 69 | memzero_explicit(state, sizeof(*state)); |
| 70 | } |
| 71 | EXPORT_SYMBOL(blake2s_final); |
| 72 | |
| 73 | void blake2s256_hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen, |
| 74 | const size_t keylen) |
| 75 | { |
| 76 | struct blake2s_state state; |
| 77 | u8 x_key[BLAKE2S_BLOCK_SIZE] __aligned(__alignof__(u32)) = { 0 }; |
| 78 | u8 i_hash[BLAKE2S_HASH_SIZE] __aligned(__alignof__(u32)); |
| 79 | int i; |
| 80 | |
| 81 | if (keylen > BLAKE2S_BLOCK_SIZE) { |
| 82 | blake2s_init(&state, BLAKE2S_HASH_SIZE); |
| 83 | blake2s_update(&state, key, keylen); |
| 84 | blake2s_final(&state, x_key); |
| 85 | } else |
| 86 | memcpy(x_key, key, keylen); |
| 87 | |
| 88 | for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i) |
| 89 | x_key[i] ^= 0x36; |
| 90 | |
| 91 | blake2s_init(&state, BLAKE2S_HASH_SIZE); |
| 92 | blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE); |
| 93 | blake2s_update(&state, in, inlen); |
| 94 | blake2s_final(&state, i_hash); |
| 95 | |
| 96 | for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i) |
| 97 | x_key[i] ^= 0x5c ^ 0x36; |
| 98 | |
| 99 | blake2s_init(&state, BLAKE2S_HASH_SIZE); |
| 100 | blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE); |
| 101 | blake2s_update(&state, i_hash, BLAKE2S_HASH_SIZE); |
| 102 | blake2s_final(&state, i_hash); |
| 103 | |
| 104 | memcpy(out, i_hash, BLAKE2S_HASH_SIZE); |
| 105 | memzero_explicit(x_key, BLAKE2S_BLOCK_SIZE); |
| 106 | memzero_explicit(i_hash, BLAKE2S_HASH_SIZE); |
| 107 | } |
| 108 | EXPORT_SYMBOL(blake2s256_hmac); |
| 109 | |
| 110 | static int __init mod_init(void) |
| 111 | { |
| 112 | if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) && |
| 113 | WARN_ON(!blake2s_selftest())) |
| 114 | return -ENODEV; |
| 115 | return 0; |
| 116 | } |
| 117 | |
| 118 | static void __exit mod_exit(void) |
| 119 | { |
| 120 | } |
| 121 | |
| 122 | module_init(mod_init); |
| 123 | module_exit(mod_exit); |
| 124 | MODULE_LICENSE("GPL v2"); |
| 125 | MODULE_DESCRIPTION("BLAKE2s hash function"); |
| 126 | MODULE_AUTHOR("Jason A. Donenfeld <Jason@zx2c4.com>"); |