123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510 |
- /*
- BLAKE2 reference source code package - reference C implementations
- Written in 2012 by Samuel Neves <sneves@dei.uc.pt>
- To the extent possible under law, the author(s) have dedicated all copyright
- and related and neighboring rights to this software to the public domain
- worldwide. This software is distributed without any warranty.
- You should have received a copy of the CC0 Public Domain Dedication along with
- this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
- */
- /* blake2b.c
- *
- * Copyright (C) 2006-2022 wolfSSL Inc.
- *
- * This file is part of wolfSSL.
- *
- * wolfSSL is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * wolfSSL is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
- */
- #ifdef HAVE_CONFIG_H
- #include <config.h>
- #endif
- #include <wolfssl/wolfcrypt/settings.h>
- #ifdef HAVE_BLAKE2
- #include <wolfssl/wolfcrypt/blake2.h>
- #include <wolfssl/wolfcrypt/blake2-impl.h>
- #include <wolfssl/wolfcrypt/error-crypt.h>
- static const word64 blake2b_IV[8] =
- {
- 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL,
- 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL,
- 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL,
- 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL
- };
- static const byte blake2b_sigma[12][16] =
- {
- { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } ,
- { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } ,
- { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 } ,
- { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 } ,
- { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 } ,
- { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 } ,
- { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 } ,
- { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 } ,
- { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 } ,
- { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 } ,
- { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } ,
- { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }
- };
- static WC_INLINE int blake2b_set_lastnode( blake2b_state *S )
- {
- S->f[1] = ~0ULL;
- return 0;
- }
- /* Some helper functions, not necessarily useful */
- static WC_INLINE int blake2b_set_lastblock( blake2b_state *S )
- {
- if( S->last_node ) blake2b_set_lastnode( S );
- S->f[0] = ~0ULL;
- return 0;
- }
- static WC_INLINE int blake2b_increment_counter( blake2b_state *S, const word64
- inc )
- {
- S->t[0] += inc;
- S->t[1] += ( S->t[0] < inc );
- return 0;
- }
- static WC_INLINE int blake2b_init0( blake2b_state *S )
- {
- int i;
- XMEMSET( S, 0, sizeof( blake2b_state ) );
- for( i = 0; i < 8; ++i ) S->h[i] = blake2b_IV[i];
- return 0;
- }
- /* init xors IV with input parameter block */
- int blake2b_init_param( blake2b_state *S, const blake2b_param *P )
- {
- word32 i;
- byte *p ;
- blake2b_init0( S );
- p = ( byte * )( P );
- /* IV XOR ParamBlock */
- for( i = 0; i < 8; ++i )
- S->h[i] ^= load64( p + sizeof( S->h[i] ) * i );
- return 0;
- }
- int blake2b_init( blake2b_state *S, const byte outlen )
- {
- #ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD
- blake2b_param P[1];
- #else
- volatile blake2b_param P[1];
- #endif
- if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return BAD_FUNC_ARG;
- #ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD
- P->digest_length = outlen;
- P->key_length = 0;
- P->fanout = 1;
- P->depth = 1;
- store32( &P->leaf_length, 0 );
- store64( &P->node_offset, 0 );
- P->node_depth = 0;
- P->inner_length = 0;
- XMEMSET( P->reserved, 0, sizeof( P->reserved ) );
- XMEMSET( P->salt, 0, sizeof( P->salt ) );
- XMEMSET( P->personal, 0, sizeof( P->personal ) );
- #else
- XMEMSET( (blake2b_param *)P, 0, sizeof( *P ) );
- P->digest_length = outlen;
- P->fanout = 1;
- P->depth = 1;
- #endif
- return blake2b_init_param( S, (blake2b_param *)P );
- }
- int blake2b_init_key( blake2b_state *S, const byte outlen, const void *key,
- const byte keylen )
- {
- int ret = 0;
- #ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD
- blake2b_param P[1];
- #else
- volatile blake2b_param P[1];
- #endif
- if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return BAD_FUNC_ARG;
- if ( !key || !keylen || keylen > BLAKE2B_KEYBYTES ) return BAD_FUNC_ARG;
- #ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD
- P->digest_length = outlen;
- P->key_length = keylen;
- P->fanout = 1;
- P->depth = 1;
- store32( &P->leaf_length, 0 );
- store64( &P->node_offset, 0 );
- P->node_depth = 0;
- P->inner_length = 0;
- XMEMSET( P->reserved, 0, sizeof( P->reserved ) );
- XMEMSET( P->salt, 0, sizeof( P->salt ) );
- XMEMSET( P->personal, 0, sizeof( P->personal ) );
- #else
- XMEMSET( (blake2b_param *)P, 0, sizeof( *P ) );
- P->digest_length = outlen;
- P->key_length = keylen;
- P->fanout = 1;
- P->depth = 1;
- #endif
- ret = blake2b_init_param( S, (blake2b_param *)P );
- if ( ret < 0 ) return ret;
- {
- #ifdef WOLFSSL_SMALL_STACK
- byte* block;
- block = (byte*)XMALLOC(BLAKE2B_BLOCKBYTES, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- if ( block == NULL ) return MEMORY_E;
- #else
- byte block[BLAKE2B_BLOCKBYTES];
- #endif
- XMEMSET( block, 0, BLAKE2B_BLOCKBYTES );
- XMEMCPY( block, key, keylen );
- ret = blake2b_update( S, block, BLAKE2B_BLOCKBYTES );
- secure_zero_memory( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from */
- /* memory */
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(block, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- }
- return ret;
- }
- static WC_INLINE int blake2b_compress(
- blake2b_state *S,
- const byte block[BLAKE2B_BLOCKBYTES],
- word64* m,
- word64* v)
- {
- int i;
- for( i = 0; i < 16; ++i )
- m[i] = load64( block + i * sizeof( m[i] ) );
- for( i = 0; i < 8; ++i )
- v[i] = S->h[i];
- v[ 8] = blake2b_IV[0];
- v[ 9] = blake2b_IV[1];
- v[10] = blake2b_IV[2];
- v[11] = blake2b_IV[3];
- v[12] = S->t[0] ^ blake2b_IV[4];
- v[13] = S->t[1] ^ blake2b_IV[5];
- v[14] = S->f[0] ^ blake2b_IV[6];
- v[15] = S->f[1] ^ blake2b_IV[7];
- #define G(r,i,a,b,c,d) \
- do { \
- (a) = (a) + (b) + m[blake2b_sigma[r][2*(i)+0]]; \
- (d) = rotr64((d) ^ (a), 32); \
- (c) = (c) + (d); \
- (b) = rotr64((b) ^ (c), 24); \
- (a) = (a) + (b) + m[blake2b_sigma[r][2*(i)+1]]; \
- (d) = rotr64((d) ^ (a), 16); \
- (c) = (c) + (d); \
- (b) = rotr64((b) ^ (c), 63); \
- } while(0)
- #define ROUND(r) \
- do { \
- G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \
- G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \
- G(r,2,v[ 2],v[ 6],v[10],v[14]); \
- G(r,3,v[ 3],v[ 7],v[11],v[15]); \
- G(r,4,v[ 0],v[ 5],v[10],v[15]); \
- G(r,5,v[ 1],v[ 6],v[11],v[12]); \
- G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \
- G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \
- } while(0)
- ROUND( 0 );
- ROUND( 1 );
- ROUND( 2 );
- ROUND( 3 );
- ROUND( 4 );
- ROUND( 5 );
- ROUND( 6 );
- ROUND( 7 );
- ROUND( 8 );
- ROUND( 9 );
- ROUND( 10 );
- ROUND( 11 );
- for( i = 0; i < 8; ++i )
- S->h[i] = S->h[i] ^ v[i] ^ v[i + 8];
- #undef G
- #undef ROUND
- return 0;
- }
- /* inlen now in bytes */
- int blake2b_update( blake2b_state *S, const byte *in, word64 inlen )
- {
- int ret = 0;
- #ifdef WOLFSSL_SMALL_STACK
- word64* m;
- word64* v;
- m = (word64*)XMALLOC(sizeof(word64) * 32, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- if ( m == NULL ) return MEMORY_E;
- v = &m[16];
- #else
- word64 m[16];
- word64 v[16];
- #endif
- while( inlen > 0 )
- {
- word64 left = S->buflen;
- word64 fill = 2 * BLAKE2B_BLOCKBYTES - left;
- if( inlen > fill )
- {
- XMEMCPY( S->buf + left, in, (wolfssl_word)fill ); /* Fill buffer */
- S->buflen += fill;
- blake2b_increment_counter( S, BLAKE2B_BLOCKBYTES );
- {
- ret = blake2b_compress( S, S->buf, m, v );
- if (ret < 0) break;
- }
- XMEMCPY( S->buf, S->buf + BLAKE2B_BLOCKBYTES, BLAKE2B_BLOCKBYTES );
- /* Shift buffer left */
- S->buflen -= BLAKE2B_BLOCKBYTES;
- in += fill;
- inlen -= fill;
- }
- else /* inlen <= fill */
- {
- XMEMCPY( S->buf + left, in, (wolfssl_word)inlen );
- S->buflen += inlen; /* Be lazy, do not compress */
- inlen = 0;
- }
- }
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(m, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return ret;
- }
- /* Is this correct? */
- int blake2b_final( blake2b_state *S, byte *out, byte outlen )
- {
- int ret = 0;
- byte buffer[BLAKE2B_OUTBYTES];
- int i;
- #ifdef WOLFSSL_SMALL_STACK
- word64* m;
- word64* v;
- m = (word64*)XMALLOC(sizeof(word64) * 32, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- if ( m == NULL ) return MEMORY_E;
- v = &m[16];
- #else
- word64 m[16];
- word64 v[16];
- #endif
- if( S->buflen > BLAKE2B_BLOCKBYTES )
- {
- blake2b_increment_counter( S, BLAKE2B_BLOCKBYTES );
- {
- ret = blake2b_compress( S, S->buf, m, v );
- if (ret < 0) goto out;
- }
- S->buflen -= BLAKE2B_BLOCKBYTES;
- XMEMCPY( S->buf, S->buf + BLAKE2B_BLOCKBYTES, (wolfssl_word)S->buflen );
- }
- blake2b_increment_counter( S, S->buflen );
- blake2b_set_lastblock( S );
- XMEMSET( S->buf + S->buflen, 0, (wolfssl_word)(2 * BLAKE2B_BLOCKBYTES - S->buflen) );
- /* Padding */
- {
- ret = blake2b_compress( S, S->buf, m, v );
- if (ret < 0) goto out;
- }
- for( i = 0; i < 8; ++i ) /* Output full hash to temp buffer */
- store64( buffer + sizeof( S->h[i] ) * i, S->h[i] );
- XMEMCPY( out, buffer, outlen );
- out:
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(m, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- return ret;
- }
- /* inlen, at least, should be word64. Others can be size_t. */
- int blake2b( byte *out, const void *in, const void *key, const byte outlen,
- const word64 inlen, byte keylen )
- {
- blake2b_state S[1];
- /* Verify parameters */
- if ( NULL == in ) return BAD_FUNC_ARG;
- if ( NULL == out ) return BAD_FUNC_ARG;
- if( NULL == key ) keylen = 0;
- if( keylen > 0 )
- {
- int ret = blake2b_init_key( S, outlen, key, keylen );
- if (ret < 0) return ret;
- }
- else
- {
- int ret = blake2b_init( S, outlen );
- if (ret < 0) return ret;
- }
- {
- int ret = blake2b_update( S, ( byte * )in, inlen );
- if (ret < 0) return ret;
- }
- return blake2b_final( S, out, outlen );
- }
- #if defined(BLAKE2B_SELFTEST)
- #include <string.h>
- #include "blake2-kat.h"
- int main( int argc, char **argv )
- {
- byte key[BLAKE2B_KEYBYTES];
- byte buf[KAT_LENGTH];
- for( word32 i = 0; i < BLAKE2B_KEYBYTES; ++i )
- key[i] = ( byte )i;
- for( word32 i = 0; i < KAT_LENGTH; ++i )
- buf[i] = ( byte )i;
- for( word32 i = 0; i < KAT_LENGTH; ++i )
- {
- byte hash[BLAKE2B_OUTBYTES];
- if ( blake2b( hash, buf, key, BLAKE2B_OUTBYTES, i, BLAKE2B_KEYBYTES ) < 0 )
- {
- puts( "error" );
- return -1;
- }
- if( 0 != XMEMCMP( hash, blake2b_keyed_kat[i], BLAKE2B_OUTBYTES ) )
- {
- puts( "error" );
- return -1;
- }
- }
- puts( "ok" );
- return 0;
- }
- #endif
- /* wolfCrypt API */
- /* Init Blake2b digest, track size in case final doesn't want to "remember" */
- int wc_InitBlake2b(Blake2b* b2b, word32 digestSz)
- {
- if (b2b == NULL){
- return BAD_FUNC_ARG;
- }
- b2b->digestSz = digestSz;
- return blake2b_init(b2b->S, (byte)digestSz);
- }
- /* Init Blake2b digest with key, track size in case final doesn't want to "remember" */
- int wc_InitBlake2b_WithKey(Blake2b* b2b, word32 digestSz, const byte *key, word32 keylen)
- {
- if (b2b == NULL){
- return BAD_FUNC_ARG;
- }
- b2b->digestSz = digestSz;
- if (keylen >= 256)
- return BAD_FUNC_ARG;
- if (key)
- return blake2b_init_key(b2b->S, (byte)digestSz, key, (byte)keylen);
- else
- return blake2b_init(b2b->S, (byte)digestSz);
- }
- /* Blake2b Update */
- int wc_Blake2bUpdate(Blake2b* b2b, const byte* data, word32 sz)
- {
- return blake2b_update(b2b->S, data, sz);
- }
- /* Blake2b Final, if pass in zero size we use init digestSz */
- int wc_Blake2bFinal(Blake2b* b2b, byte* final, word32 requestSz)
- {
- word32 sz = requestSz ? requestSz : b2b->digestSz;
- return blake2b_final(b2b->S, final, (byte)sz);
- }
- /* end CTaoCrypt API */
- #endif /* HAVE_BLAKE2 */
|