2 * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 /* Based on https://131002.net/siphash C reference implementation */
12 SipHash reference C implementation
14 Copyright (c) 2012-2016 Jean-Philippe Aumasson
15 Copyright (c) 2012-2014 Daniel J. Bernstein
17 To the extent possible under law, the author(s) have dedicated all copyright
18 and related and neighboring rights to this software to the public domain
19 worldwide. This software is distributed without any warranty.
21 You should have received a copy of the CC0 Public Domain Dedication along
22 with this software. If not, see
23 <http://creativecommons.org/publicdomain/zero/1.0/>.
28 #include <openssl/crypto.h>
30 #include "crypto/siphash.h"
32 #define ROTL(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))
34 #define U32TO8_LE(p, v) \
35 (p)[0] = (uint8_t)((v)); \
36 (p)[1] = (uint8_t)((v) >> 8); \
37 (p)[2] = (uint8_t)((v) >> 16); \
38 (p)[3] = (uint8_t)((v) >> 24);
40 #define U64TO8_LE(p, v) \
41 U32TO8_LE((p), (uint32_t)((v))); \
42 U32TO8_LE((p) + 4, (uint32_t)((v) >> 32));
44 #define U8TO64_LE(p) \
45 (((uint64_t)((p)[0])) | ((uint64_t)((p)[1]) << 8) | \
46 ((uint64_t)((p)[2]) << 16) | ((uint64_t)((p)[3]) << 24) | \
47 ((uint64_t)((p)[4]) << 32) | ((uint64_t)((p)[5]) << 40) | \
48 ((uint64_t)((p)[6]) << 48) | ((uint64_t)((p)[7]) << 56))
68 size_t SipHash_ctx_size(void)
70 return sizeof(SIPHASH);
73 size_t SipHash_hash_size(SIPHASH *ctx)
75 return ctx->hash_size;
78 static size_t siphash_adjust_hash_size(size_t hash_size)
81 hash_size = SIPHASH_MAX_DIGEST_SIZE;
85 int SipHash_set_hash_size(SIPHASH *ctx, size_t hash_size)
87 hash_size = siphash_adjust_hash_size(hash_size);
88 if (hash_size != SIPHASH_MIN_DIGEST_SIZE
89 && hash_size != SIPHASH_MAX_DIGEST_SIZE)
93 * It's possible that the key was set first. If the hash size changes,
94 * we need to adjust v1 (see SipHash_Init().
97 /* Start by adjusting the stored size, to make things easier */
98 ctx->hash_size = siphash_adjust_hash_size(ctx->hash_size);
100 /* Now, adjust ctx->v1 if the old and the new size differ */
101 if ((size_t)ctx->hash_size != hash_size) {
103 ctx->hash_size = hash_size;
108 /* hash_size = crounds = drounds = 0 means SipHash24 with 16-byte output */
109 int SipHash_Init(SIPHASH *ctx, const unsigned char *k, int crounds, int drounds)
111 uint64_t k0 = U8TO64_LE(k);
112 uint64_t k1 = U8TO64_LE(k + 8);
114 /* If the hash size wasn't set, i.e. is zero */
115 ctx->hash_size = siphash_adjust_hash_size(ctx->hash_size);
118 drounds = SIPHASH_D_ROUNDS;
120 crounds = SIPHASH_C_ROUNDS;
122 ctx->crounds = crounds;
123 ctx->drounds = drounds;
126 ctx->total_inlen = 0;
128 ctx->v0 = 0x736f6d6570736575ULL ^ k0;
129 ctx->v1 = 0x646f72616e646f6dULL ^ k1;
130 ctx->v2 = 0x6c7967656e657261ULL ^ k0;
131 ctx->v3 = 0x7465646279746573ULL ^ k1;
133 if (ctx->hash_size == SIPHASH_MAX_DIGEST_SIZE)
139 void SipHash_Update(SIPHASH *ctx, const unsigned char *in, size_t inlen)
145 uint64_t v0 = ctx->v0;
146 uint64_t v1 = ctx->v1;
147 uint64_t v2 = ctx->v2;
148 uint64_t v3 = ctx->v3;
150 ctx->total_inlen += inlen;
153 /* deal with leavings */
154 size_t available = SIPHASH_BLOCK_SIZE - ctx->len;
156 /* not enough to fill leavings */
157 if (inlen < available) {
158 memcpy(&ctx->leavings[ctx->len], in, inlen);
163 /* copy data into leavings and reduce input */
164 memcpy(&ctx->leavings[ctx->len], in, available);
168 /* process leavings */
169 m = U8TO64_LE(ctx->leavings);
171 for (i = 0; i < ctx->crounds; ++i)
175 left = inlen & (SIPHASH_BLOCK_SIZE-1); /* gets put into leavings */
176 end = in + inlen - left;
178 for (; in != end; in += 8) {
181 for (i = 0; i < ctx->crounds; ++i)
186 /* save leavings and other ctx */
188 memcpy(ctx->leavings, end, left);
197 int SipHash_Final(SIPHASH *ctx, unsigned char *out, size_t outlen)
201 uint64_t b = ctx->total_inlen << 56;
202 uint64_t v0 = ctx->v0;
203 uint64_t v1 = ctx->v1;
204 uint64_t v2 = ctx->v2;
205 uint64_t v3 = ctx->v3;
207 if (ctx->crounds == 0 || outlen == 0 || outlen != (size_t)ctx->hash_size)
212 b |= ((uint64_t)ctx->leavings[6]) << 48;
215 b |= ((uint64_t)ctx->leavings[5]) << 40;
218 b |= ((uint64_t)ctx->leavings[4]) << 32;
221 b |= ((uint64_t)ctx->leavings[3]) << 24;
224 b |= ((uint64_t)ctx->leavings[2]) << 16;
227 b |= ((uint64_t)ctx->leavings[1]) << 8;
230 b |= ((uint64_t)ctx->leavings[0]);
236 for (i = 0; i < ctx->crounds; ++i)
239 if (ctx->hash_size == SIPHASH_MAX_DIGEST_SIZE)
243 for (i = 0; i < ctx->drounds; ++i)
245 b = v0 ^ v1 ^ v2 ^ v3;
247 if (ctx->hash_size == SIPHASH_MIN_DIGEST_SIZE)
250 for (i = 0; i < ctx->drounds; ++i)
252 b = v0 ^ v1 ^ v2 ^ v3;
253 U64TO8_LE(out + 8, b);