1 /* SPDX-License-Identifier: GPL-2.0 OR MIT */
2 /*
3 * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
4 */
5
6 #ifndef _CRYPTO_BLAKE2S_H
7 #define _CRYPTO_BLAKE2S_H
8
9 #include <linux/bug.h>
10 #include <linux/kconfig.h>
11 #include <linux/types.h>
12 #include <linux/string.h>
13
14 enum blake2s_lengths {
15 BLAKE2S_BLOCK_SIZE = 64,
16 BLAKE2S_HASH_SIZE = 32,
17 BLAKE2S_KEY_SIZE = 32,
18
19 BLAKE2S_128_HASH_SIZE = 16,
20 BLAKE2S_160_HASH_SIZE = 20,
21 BLAKE2S_224_HASH_SIZE = 28,
22 BLAKE2S_256_HASH_SIZE = 32,
23 };
24
25 /**
26 * struct blake2s_ctx - Context for hashing a message with BLAKE2s
27 * @h: compression function state
28 * @t: block counter
29 * @f: finalization indicator
30 * @buf: partial block buffer; 'buflen' bytes are valid
31 * @buflen: number of bytes buffered in @buf
32 * @outlen: length of output hash value in bytes, at most BLAKE2S_HASH_SIZE
33 */
34 struct blake2s_ctx {
35 /* 'h', 't', and 'f' are used in assembly code, so keep them as-is. */
36 u32 h[8];
37 u32 t[2];
38 u32 f[2];
39 u8 buf[BLAKE2S_BLOCK_SIZE];
40 unsigned int buflen;
41 unsigned int outlen;
42 };
43
44 enum blake2s_iv {
45 BLAKE2S_IV0 = 0x6A09E667UL,
46 BLAKE2S_IV1 = 0xBB67AE85UL,
47 BLAKE2S_IV2 = 0x3C6EF372UL,
48 BLAKE2S_IV3 = 0xA54FF53AUL,
49 BLAKE2S_IV4 = 0x510E527FUL,
50 BLAKE2S_IV5 = 0x9B05688CUL,
51 BLAKE2S_IV6 = 0x1F83D9ABUL,
52 BLAKE2S_IV7 = 0x5BE0CD19UL,
53 };
54
__blake2s_init(struct blake2s_ctx * ctx,size_t outlen,const void * key,size_t keylen)55 static inline void __blake2s_init(struct blake2s_ctx *ctx, size_t outlen,
56 const void *key, size_t keylen)
57 {
58 ctx->h[0] = BLAKE2S_IV0 ^ (0x01010000 | keylen << 8 | outlen);
59 ctx->h[1] = BLAKE2S_IV1;
60 ctx->h[2] = BLAKE2S_IV2;
61 ctx->h[3] = BLAKE2S_IV3;
62 ctx->h[4] = BLAKE2S_IV4;
63 ctx->h[5] = BLAKE2S_IV5;
64 ctx->h[6] = BLAKE2S_IV6;
65 ctx->h[7] = BLAKE2S_IV7;
66 ctx->t[0] = 0;
67 ctx->t[1] = 0;
68 ctx->f[0] = 0;
69 ctx->f[1] = 0;
70 ctx->buflen = 0;
71 ctx->outlen = outlen;
72 if (keylen) {
73 memcpy(ctx->buf, key, keylen);
74 memset(&ctx->buf[keylen], 0, BLAKE2S_BLOCK_SIZE - keylen);
75 ctx->buflen = BLAKE2S_BLOCK_SIZE;
76 }
77 }
78
79 /**
80 * blake2s_init() - Initialize a BLAKE2s context for a new message (unkeyed)
81 * @ctx: the context to initialize
82 * @outlen: length of output hash value in bytes, at most BLAKE2S_HASH_SIZE
83 *
84 * Context: Any context.
85 */
blake2s_init(struct blake2s_ctx * ctx,size_t outlen)86 static inline void blake2s_init(struct blake2s_ctx *ctx, size_t outlen)
87 {
88 __blake2s_init(ctx, outlen, NULL, 0);
89 }
90
91 /**
92 * blake2s_init_key() - Initialize a BLAKE2s context for a new message (keyed)
93 * @ctx: the context to initialize
94 * @outlen: length of output hash value in bytes, at most BLAKE2S_HASH_SIZE
95 * @key: the key
96 * @keylen: the key length in bytes, at most BLAKE2S_KEY_SIZE
97 *
98 * Context: Any context.
99 */
blake2s_init_key(struct blake2s_ctx * ctx,size_t outlen,const void * key,size_t keylen)100 static inline void blake2s_init_key(struct blake2s_ctx *ctx, size_t outlen,
101 const void *key, size_t keylen)
102 {
103 WARN_ON(IS_ENABLED(DEBUG) && (!outlen || outlen > BLAKE2S_HASH_SIZE ||
104 !key || !keylen || keylen > BLAKE2S_KEY_SIZE));
105
106 __blake2s_init(ctx, outlen, key, keylen);
107 }
108
109 /**
110 * blake2s_update() - Update a BLAKE2s context with message data
111 * @ctx: the context to update; must have been initialized
112 * @in: the message data
113 * @inlen: the data length in bytes
114 *
115 * This can be called any number of times.
116 *
117 * Context: Any context.
118 */
119 void blake2s_update(struct blake2s_ctx *ctx, const u8 *in, size_t inlen);
120
121 /**
122 * blake2s_final() - Finish computing a BLAKE2s hash
123 * @ctx: the context to finalize; must have been initialized
124 * @out: (output) the resulting BLAKE2s hash. Its length will be equal to the
125 * @outlen that was passed to blake2s_init() or blake2s_init_key().
126 *
127 * After finishing, this zeroizes @ctx. So the caller does not need to do it.
128 *
129 * Context: Any context.
130 */
131 void blake2s_final(struct blake2s_ctx *ctx, u8 *out);
132
133 /**
134 * blake2s() - Compute BLAKE2s hash in one shot
135 * @key: the key, or NULL for an unkeyed hash
136 * @keylen: the key length in bytes (at most BLAKE2S_KEY_SIZE), or 0 for an
137 * unkeyed hash
138 * @in: the message data
139 * @inlen: the data length in bytes
140 * @out: (output) the resulting BLAKE2s hash, with length @outlen
141 * @outlen: length of output hash value in bytes, at most BLAKE2S_HASH_SIZE
142 *
143 * Context: Any context.
144 */
blake2s(const u8 * key,size_t keylen,const u8 * in,size_t inlen,u8 * out,size_t outlen)145 static inline void blake2s(const u8 *key, size_t keylen,
146 const u8 *in, size_t inlen,
147 u8 *out, size_t outlen)
148 {
149 struct blake2s_ctx ctx;
150
151 WARN_ON(IS_ENABLED(DEBUG) && ((!in && inlen > 0) || !out || !outlen ||
152 outlen > BLAKE2S_HASH_SIZE || keylen > BLAKE2S_KEY_SIZE ||
153 (!key && keylen)));
154
155 __blake2s_init(&ctx, outlen, key, keylen);
156 blake2s_update(&ctx, in, inlen);
157 blake2s_final(&ctx, out);
158 }
159
160 #endif /* _CRYPTO_BLAKE2S_H */
161