/src/openssl36/crypto/siphash/siphash.c

Source
/*
 * Copyright 2017-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/* Based on https://131002.net/siphash C reference implementation */
/*
   SipHash reference C implementation

   Copyright (c) 2012-2016 Jean-Philippe Aumasson
   Copyright (c) 2012-2014 Daniel J. Bernstein

   To the extent possible under law, the author(s) have dedicated all copyright
   and related and neighboring rights to this software to the public domain
   worldwide. This software is distributed without any warranty.

   You should have received a copy of the CC0 Public Domain Dedication along
   with this software. If not, see
   <http://creativecommons.org/publicdomain/zero/1.0/>.
 */

#include <stdlib.h>
#include <string.h>
#include <openssl/crypto.h>

#include "crypto/siphash.h"

#define ROTL(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))

#define U32TO8_LE(p, v)            \
    (p)[0] = (uint8_t)((v));       \
    (p)[1] = (uint8_t)((v) >> 8);  \
    (p)[2] = (uint8_t)((v) >> 16); \
    (p)[3] = (uint8_t)((v) >> 24);

#define U64TO8_LE(p, v)              \
    U32TO8_LE((p), (uint32_t)((v))); \
    U32TO8_LE((p) + 4, (uint32_t)((v) >> 32));

#define U8TO64_LE(p) \
    (((uint64_t)((p)[0])) | ((uint64_t)((p)[1]) << 8) | ((uint64_t)((p)[2]) << 16) | ((uint64_t)((p)[3]) << 24) | ((uint64_t)((p)[4]) << 32) | ((uint64_t)((p)[5]) << 40) | ((uint64_t)((p)[6]) << 48) | ((uint64_t)((p)[7]) << 56))

#define SIPROUND           \
    do {                   \
        v0 += v1;          \
        v1 = ROTL(v1, 13); \
        v1 ^= v0;          \
        v0 = ROTL(v0, 32); \
        v2 += v3;          \
        v3 = ROTL(v3, 16); \
        v3 ^= v2;          \
        v0 += v3;          \
        v3 = ROTL(v3, 21); \
        v3 ^= v0;          \
        v2 += v1;          \
        v1 = ROTL(v1, 17); \
        v1 ^= v2;          \
        v2 = ROTL(v2, 32); \
    } while (0)

size_t SipHash_ctx_size(void)
{
    return sizeof(SIPHASH);
}

size_t SipHash_hash_size(SIPHASH *ctx)
{
    return ctx->hash_size;
}

static size_t siphash_adjust_hash_size(size_t hash_size)
{
    if (hash_size == 0)
        hash_size = SIPHASH_MAX_DIGEST_SIZE;
    return hash_size;
}

int SipHash_set_hash_size(SIPHASH *ctx, size_t hash_size)
{
    hash_size = siphash_adjust_hash_size(hash_size);
    if (hash_size != SIPHASH_MIN_DIGEST_SIZE
        && hash_size != SIPHASH_MAX_DIGEST_SIZE)
        return 0;

    /*
     * It's possible that the key was set first.  If the hash size changes,
     * we need to adjust v1 (see SipHash_Init().
     */

    /* Start by adjusting the stored size, to make things easier */
    ctx->hash_size = (unsigned int)siphash_adjust_hash_size(ctx->hash_size);

    /* Now, adjust ctx->v1 if the old and the new size differ */
    if ((size_t)ctx->hash_size != hash_size) {
        ctx->v1 ^= 0xee;
        ctx->hash_size = (unsigned int)hash_size;
    }
    return 1;
}

/* hash_size = crounds = drounds = 0 means SipHash24 with 16-byte output */
int SipHash_Init(SIPHASH *ctx, const unsigned char *k, int crounds, int drounds)
{
    uint64_t k0 = U8TO64_LE(k);
    uint64_t k1 = U8TO64_LE(k + 8);

    /* If the hash size wasn't set, i.e. is zero */
    ctx->hash_size = (unsigned int)siphash_adjust_hash_size(ctx->hash_size);

    if (drounds == 0)
        drounds = SIPHASH_D_ROUNDS;
    if (crounds == 0)
        crounds = SIPHASH_C_ROUNDS;

    ctx->crounds = crounds;
    ctx->drounds = drounds;

    ctx->len = 0;
    ctx->total_inlen = 0;

    ctx->v0 = 0x736f6d6570736575ULL ^ k0;
    ctx->v1 = 0x646f72616e646f6dULL ^ k1;
    ctx->v2 = 0x6c7967656e657261ULL ^ k0;
    ctx->v3 = 0x7465646279746573ULL ^ k1;

    if (ctx->hash_size == SIPHASH_MAX_DIGEST_SIZE)
        ctx->v1 ^= 0xee;

    return 1;
}

void SipHash_Update(SIPHASH *ctx, const unsigned char *in, size_t inlen)
{
    uint64_t m;
    const uint8_t *end;
    int left;
    unsigned int i;
    uint64_t v0 = ctx->v0;
    uint64_t v1 = ctx->v1;
    uint64_t v2 = ctx->v2;
    uint64_t v3 = ctx->v3;

    ctx->total_inlen += inlen;

    if (ctx->len) {
        /* deal with leavings */
        size_t available = SIPHASH_BLOCK_SIZE - ctx->len;

        /* not enough to fill leavings */
        if (inlen < available) {
            memcpy(&ctx->leavings[ctx->len], in, inlen);
            ctx->len += (unsigned int)inlen;
            return;
        }

        /* copy data into leavings and reduce input */
        memcpy(&ctx->leavings[ctx->len], in, available);
        inlen -= available;
        in += available;

        /* process leavings */
        m = U8TO64_LE(ctx->leavings);
        v3 ^= m;
        for (i = 0; i < ctx->crounds; ++i)
            SIPROUND;
        v0 ^= m;
    }
    left = inlen & (SIPHASH_BLOCK_SIZE - 1); /* gets put into leavings */
    end = in + inlen - left;

    for (; in != end; in += 8) {
        m = U8TO64_LE(in);
        v3 ^= m;
        for (i = 0; i < ctx->crounds; ++i)
            SIPROUND;
        v0 ^= m;
    }

    /* save leavings and other ctx */
    if (left)
        memcpy(ctx->leavings, end, left);
    ctx->len = left;

    ctx->v0 = v0;
    ctx->v1 = v1;
    ctx->v2 = v2;
    ctx->v3 = v3;
}

int SipHash_Final(SIPHASH *ctx, unsigned char *out, size_t outlen)
{
    /* finalize hash */
    unsigned int i;
    uint64_t b = ctx->total_inlen << 56;
    uint64_t v0 = ctx->v0;
    uint64_t v1 = ctx->v1;
    uint64_t v2 = ctx->v2;
    uint64_t v3 = ctx->v3;

    if (ctx->crounds == 0 || outlen == 0 || outlen != (size_t)ctx->hash_size)
        return 0;

    switch (ctx->len) {
    case 7:
        b |= ((uint64_t)ctx->leavings[6]) << 48;
        /* fall through */
    case 6:
        b |= ((uint64_t)ctx->leavings[5]) << 40;
        /* fall through */
    case 5:
        b |= ((uint64_t)ctx->leavings[4]) << 32;
        /* fall through */
    case 4:
        b |= ((uint64_t)ctx->leavings[3]) << 24;
        /* fall through */
    case 3:
        b |= ((uint64_t)ctx->leavings[2]) << 16;
        /* fall through */
    case 2:
        b |= ((uint64_t)ctx->leavings[1]) << 8;
        /* fall through */
    case 1:
        b |= ((uint64_t)ctx->leavings[0]);
    case 0:
        break;
    }

    v3 ^= b;
    for (i = 0; i < ctx->crounds; ++i)
        SIPROUND;
    v0 ^= b;
    if (ctx->hash_size == SIPHASH_MAX_DIGEST_SIZE)
        v2 ^= 0xee;
    else
        v2 ^= 0xff;
    for (i = 0; i < ctx->drounds; ++i)
        SIPROUND;
    b = v0 ^ v1 ^ v2 ^ v3;
    U64TO8_LE(out, b);
    if (ctx->hash_size == SIPHASH_MIN_DIGEST_SIZE)
        return 1;
    v1 ^= 0xdd;
    for (i = 0; i < ctx->drounds; ++i)
        SIPROUND;
    b = v0 ^ v1 ^ v2 ^ v3;
    U64TO8_LE(out + 8, b);
    return 1;
}

Coverage Report

Created: 2026-02-14 07:20

Line	Count	Source
1		/*
2		* Copyright 2017-2025 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/* Based on https://131002.net/siphash C reference implementation */
11		/*
12		SipHash reference C implementation
13
14		Copyright (c) 2012-2016 Jean-Philippe Aumasson
15		Copyright (c) 2012-2014 Daniel J. Bernstein
16
17		To the extent possible under law, the author(s) have dedicated all copyright
18		and related and neighboring rights to this software to the public domain
19		worldwide. This software is distributed without any warranty.
20
21		You should have received a copy of the CC0 Public Domain Dedication along
22		with this software. If not, see
23		<http://creativecommons.org/publicdomain/zero/1.0/>.
24		*/
25
26		#include <stdlib.h>
27		#include <string.h>
28		#include <openssl/crypto.h>
29
30		#include "crypto/siphash.h"
31
32	267M	#define ROTL(x, b) (uint64_t)(((x) << (b)) \| ((x) >> (64 - (b))))
33
34		#define U32TO8_LE(p, v) \
35	13.2M	(p)[0] = (uint8_t)((v)); \
36	13.2M	(p)[1] = (uint8_t)((v) >> 8); \
37	13.2M	(p)[2] = (uint8_t)((v) >> 16); \
38	13.2M	(p)[3] = (uint8_t)((v) >> 24);
39
40		#define U64TO8_LE(p, v) \
41	6.60M	U32TO8_LE((p), (uint32_t)((v))); \
42	6.60M	U32TO8_LE((p) + 4, (uint32_t)((v) >> 32));
43
44		#define U8TO64_LE(p) \
45	15.7M	(((uint64_t)((p)[0])) \| ((uint64_t)((p)[1]) << 8) \| ((uint64_t)((p)[2]) << 16) \| ((uint64_t)((p)[3]) << 24) \| ((uint64_t)((p)[4]) << 32) \| ((uint64_t)((p)[5]) << 40) \| ((uint64_t)((p)[6]) << 48) \| ((uint64_t)((p)[7]) << 56))
46
47		#define SIPROUND \
48	57.8M	do { \
49	44.6M	v0 += v1; \
50	44.6M	v1 = ROTL(v1, 13); \
51	44.6M	v1 ^= v0; \
52	44.6M	v0 = ROTL(v0, 32); \
53	44.6M	v2 += v3; \
54	44.6M	v3 = ROTL(v3, 16); \
55	44.6M	v3 ^= v2; \
56	44.6M	v0 += v3; \
57	44.6M	v3 = ROTL(v3, 21); \
58	44.6M	v3 ^= v0; \
59	44.6M	v2 += v1; \
60	44.6M	v1 = ROTL(v1, 17); \
61	44.6M	v1 ^= v2; \
62	44.6M	v2 = ROTL(v2, 32); \
63	44.6M	} while (0)
64
65		size_t SipHash_ctx_size(void)
66	0	{
67	0	return sizeof(SIPHASH);
68	0	}
69
70		size_t SipHash_hash_size(SIPHASH *ctx)
71	4.82k	{
72	4.82k	return ctx->hash_size;
73	4.82k	}
74
75		static size_t siphash_adjust_hash_size(size_t hash_size)
76	19.8M	{
77	19.8M	if (hash_size == 0)
78	6.60M	hash_size = SIPHASH_MAX_DIGEST_SIZE;
79	19.8M	return hash_size;
80	19.8M	}
81
82		int SipHash_set_hash_size(SIPHASH *ctx, size_t hash_size)
83	6.60M	{
84	6.60M	hash_size = siphash_adjust_hash_size(hash_size);
85	6.60M	if (hash_size != SIPHASH_MIN_DIGEST_SIZE
86	193	&& hash_size != SIPHASH_MAX_DIGEST_SIZE)
87	35	return 0;
88
89		/*
90		* It's possible that the key was set first. If the hash size changes,
91		* we need to adjust v1 (see SipHash_Init().
92		*/
93
94		/* Start by adjusting the stored size, to make things easier */
95	6.60M	ctx->hash_size = (unsigned int)siphash_adjust_hash_size(ctx->hash_size);
96
97		/* Now, adjust ctx->v1 if the old and the new size differ */
98	6.60M	if ((size_t)ctx->hash_size != hash_size) {
99	6.60M	ctx->v1 ^= 0xee;
100	6.60M	ctx->hash_size = (unsigned int)hash_size;
101	6.60M	}
102	6.60M	return 1;
103	6.60M	}
104
105		/* hash_size = crounds = drounds = 0 means SipHash24 with 16-byte output */
106		int SipHash_Init(SIPHASH ctx, const unsigned char k, int crounds, int drounds)
107	6.60M	{
108	6.60M	uint64_t k0 = U8TO64_LE(k);
109	6.60M	uint64_t k1 = U8TO64_LE(k + 8);
110
111		/* If the hash size wasn't set, i.e. is zero */
112	6.60M	ctx->hash_size = (unsigned int)siphash_adjust_hash_size(ctx->hash_size);
113
114	6.60M	if (drounds == 0)
115	6.60M	drounds = SIPHASH_D_ROUNDS;
116	6.60M	if (crounds == 0)
117	6.60M	crounds = SIPHASH_C_ROUNDS;
118
119	6.60M	ctx->crounds = crounds;
120	6.60M	ctx->drounds = drounds;
121
122	6.60M	ctx->len = 0;
123	6.60M	ctx->total_inlen = 0;
124
125	6.60M	ctx->v0 = 0x736f6d6570736575ULL ^ k0;
126	6.60M	ctx->v1 = 0x646f72616e646f6dULL ^ k1;
127	6.60M	ctx->v2 = 0x6c7967656e657261ULL ^ k0;
128	6.60M	ctx->v3 = 0x7465646279746573ULL ^ k1;
129
130	6.60M	if (ctx->hash_size == SIPHASH_MAX_DIGEST_SIZE)
131	2.44k	ctx->v1 ^= 0xee;
132
133	6.60M	return 1;
134	6.60M	}
135
136		void SipHash_Update(SIPHASH ctx, const unsigned char in, size_t inlen)
137	6.60M	{
138	6.60M	uint64_t m;
139	6.60M	const uint8_t *end;
140	6.60M	int left;
141	6.60M	unsigned int i;
142	6.60M	uint64_t v0 = ctx->v0;
143	6.60M	uint64_t v1 = ctx->v1;
144	6.60M	uint64_t v2 = ctx->v2;
145	6.60M	uint64_t v3 = ctx->v3;
146
147	6.60M	ctx->total_inlen += inlen;
148
149	6.60M	if (ctx->len) {
150		/* deal with leavings */
151	80	size_t available = SIPHASH_BLOCK_SIZE - ctx->len;
152
153		/* not enough to fill leavings */
154	80	if (inlen < available) {
155	0	memcpy(&ctx->leavings[ctx->len], in, inlen);
156	0	ctx->len += (unsigned int)inlen;
157	0	return;
158	0	}
159
160		/* copy data into leavings and reduce input */
161	80	memcpy(&ctx->leavings[ctx->len], in, available);
162	80	inlen -= available;
163	80	in += available;
164
165		/* process leavings */
166	80	m = U8TO64_LE(ctx->leavings);
167	80	v3 ^= m;
168	240	for (i = 0; i < ctx->crounds; ++i)
169	160	SIPROUND;
170	80	v0 ^= m;
171	80	}
172	6.60M	left = inlen & (SIPHASH_BLOCK_SIZE - 1); /* gets put into leavings */
173	6.60M	end = in + inlen - left;
174
175	9.10M	for (; in != end; in += 8) {
176	2.50M	m = U8TO64_LE(in);
177	2.50M	v3 ^= m;
178	7.50M	for (i = 0; i < ctx->crounds; ++i)
179	5.00M	SIPROUND;
180	2.50M	v0 ^= m;
181	2.50M	}
182
183		/* save leavings and other ctx */
184	6.60M	if (left)
185	2.63M	memcpy(ctx->leavings, end, left);
186	6.60M	ctx->len = left;
187
188	6.60M	ctx->v0 = v0;
189	6.60M	ctx->v1 = v1;
190	6.60M	ctx->v2 = v2;
191	6.60M	ctx->v3 = v3;
192	6.60M	}
193
194		int SipHash_Final(SIPHASH ctx, unsigned char out, size_t outlen)
195	6.60M	{
196		/* finalize hash */
197	6.60M	unsigned int i;
198	6.60M	uint64_t b = ctx->total_inlen << 56;
199	6.60M	uint64_t v0 = ctx->v0;
200	6.60M	uint64_t v1 = ctx->v1;
201	6.60M	uint64_t v2 = ctx->v2;
202	6.60M	uint64_t v3 = ctx->v3;
203
204	6.60M	if (ctx->crounds == 0 \|\| outlen == 0 \|\| outlen != (size_t)ctx->hash_size)
205	0	return 0;
206
207	6.60M	switch (ctx->len) {
208	80.9k	case 7:
209	80.9k	b \|= ((uint64_t)ctx->leavings[6]) << 48;
210		/* fall through */
211	278k	case 6:
212	278k	b \|= ((uint64_t)ctx->leavings[5]) << 40;
213		/* fall through */
214	503k	case 5:
215	503k	b \|= ((uint64_t)ctx->leavings[4]) << 32;
216		/* fall through */
217	769k	case 4:
218	769k	b \|= ((uint64_t)ctx->leavings[3]) << 24;
219		/* fall through */
220	1.89M	case 3:
221	1.89M	b \|= ((uint64_t)ctx->leavings[2]) << 16;
222		/* fall through */
223	2.02M	case 2:
224	2.02M	b \|= ((uint64_t)ctx->leavings[1]) << 8;
225		/* fall through */
226	2.63M	case 1:
227	2.63M	b \|= ((uint64_t)ctx->leavings[0]);
228	6.60M	case 0:
229	6.60M	break;
230	6.60M	}
231
232	6.60M	v3 ^= b;
233	19.8M	for (i = 0; i < ctx->crounds; ++i)
234	13.2M	SIPROUND;
235	6.60M	v0 ^= b;
236	6.60M	if (ctx->hash_size == SIPHASH_MAX_DIGEST_SIZE)
237	2.41k	v2 ^= 0xee;
238	6.60M	else
239	6.60M	v2 ^= 0xff;
240	33.0M	for (i = 0; i < ctx->drounds; ++i)
241	26.4M	SIPROUND;
242	6.60M	b = v0 ^ v1 ^ v2 ^ v3;
243	6.60M	U64TO8_LE(out, b);
244	6.60M	if (ctx->hash_size == SIPHASH_MIN_DIGEST_SIZE)
245	6.60M	return 1;
246	2.41k	v1 ^= 0xdd;
247	12.0k	for (i = 0; i < ctx->drounds; ++i)
248	9.64k	SIPROUND;
249	2.41k	b = v0 ^ v1 ^ v2 ^ v3;
250	2.41k	U64TO8_LE(out + 8, b);
251	2.41k	return 1;
252	6.60M	}