1/*
2 BLAKE2 reference source code package - reference C implementations
3
4 Written in 2012 by Samuel Neves <[email protected]>
5
6 To the extent possible under law, the author(s) have dedicated all copyright
7 and related and neighboring rights to this software to the public domain
8 worldwide. This software is distributed without any warranty.
9
10 You should have received a copy of the CC0 Public Domain Dedication along with
11 this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
12*/
13
14#include <stdint.h>
15#include <string.h>
16#include <stdio.h>
17
18#include "blake2.h"
19#include "blake2-impl.h"
20
21static const uint64_t blake2b_IV[8] =
22{
23 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL,
24 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL,
25 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL,
26 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL
27};
28
29static const uint8_t blake2b_sigma[12][16] =
30{
31 { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } ,
32 { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } ,
33 { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 } ,
34 { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 } ,
35 { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 } ,
36 { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 } ,
37 { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 } ,
38 { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 } ,
39 { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 } ,
40 { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 } ,
41 { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } ,
42 { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }
43};
44
45
46static inline int blake2b_set_lastnode( blake2b_state *S )
47{
48 S->f[1] = ~0ULL;
49 return 0;
50}
51
52static inline int blake2b_clear_lastnode( blake2b_state *S )
53{
54 S->f[1] = 0ULL;
55 return 0;
56}
57
58/* Some helper functions, not necessarily useful */
59static inline int blake2b_set_lastblock( blake2b_state *S )
60{
61 if( S->last_node ) blake2b_set_lastnode( S );
62
63 S->f[0] = ~0ULL;
64 return 0;
65}
66
67static inline int blake2b_clear_lastblock( blake2b_state *S )
68{
69 if( S->last_node ) blake2b_clear_lastnode( S );
70
71 S->f[0] = 0ULL;
72 return 0;
73}
74
75static inline int blake2b_increment_counter( blake2b_state *S, const uint64_t inc )
76{
77 S->t[0] += inc;
78 S->t[1] += ( S->t[0] < inc );
79 return 0;
80}
81
82
83
84// Parameter-related functions
85static inline int blake2b_param_set_digest_length( blake2b_param *P, const uint8_t digest_length )
86{
87 P->digest_length = digest_length;
88 return 0;
89}
90
91static inline int blake2b_param_set_fanout( blake2b_param *P, const uint8_t fanout )
92{
93 P->fanout = fanout;
94 return 0;
95}
96
97static inline int blake2b_param_set_max_depth( blake2b_param *P, const uint8_t depth )
98{
99 P->depth = depth;
100 return 0;
101}
102
103static inline int blake2b_param_set_leaf_length( blake2b_param *P, const uint32_t leaf_length )
104{
105 store32( &P->leaf_length, leaf_length );
106 return 0;
107}
108
109static inline int blake2b_param_set_node_offset( blake2b_param *P, const uint64_t node_offset )
110{
111 store64( &P->node_offset, node_offset );
112 return 0;
113}
114
115static inline int blake2b_param_set_node_depth( blake2b_param *P, const uint8_t node_depth )
116{
117 P->node_depth = node_depth;
118 return 0;
119}
120
121static inline int blake2b_param_set_inner_length( blake2b_param *P, const uint8_t inner_length )
122{
123 P->inner_length = inner_length;
124 return 0;
125}
126
127static inline int blake2b_param_set_salt( blake2b_param *P, const uint8_t salt[BLAKE2B_SALTBYTES] )
128{
129 memcpy( P->salt, salt, BLAKE2B_SALTBYTES );
130 return 0;
131}
132
133static inline int blake2b_param_set_personal( blake2b_param *P, const uint8_t personal[BLAKE2B_PERSONALBYTES] )
134{
135 memcpy( P->personal, personal, BLAKE2B_PERSONALBYTES );
136 return 0;
137}
138
139static inline int blake2b_init0( blake2b_state *S )
140{
141 memset( S, 0, sizeof( blake2b_state ) );
142
143 for( int i = 0; i < 8; ++i ) S->h[i] = blake2b_IV[i];
144
145 return 0;
146}
147
148#if defined(__cplusplus)
149extern "C" {
150#endif
151 int blake2b_init( blake2b_state *S, size_t outlen );
152 int blake2b_init_param( blake2b_state *S, const blake2b_param *P );
153 int blake2b_init_key( blake2b_state *S, size_t outlen, const void *key, size_t keylen );
154 int blake2b_update( blake2b_state *S, const uint8_t *in, size_t inlen );
155 int blake2b_final( blake2b_state *S, uint8_t *out, size_t outlen );
156 int blake2b( uint8_t *out, const void *in, const void *key, size_t outlen, size_t inlen, size_t keylen );
157#if defined(__cplusplus)
158}
159#endif
160
161/* init xors IV with input parameter block */
162int blake2b_init_param( blake2b_state *S, const blake2b_param *P )
163{
164 blake2b_init0( S );
165 uint8_t *p = ( uint8_t * )( P );
166
167 /* IV XOR ParamBlock */
168 for( size_t i = 0; i < 8; ++i )
169 S->h[i] ^= load64( p + sizeof( S->h[i] ) * i );
170
171 S->outlen = P->digest_length;
172 return 0;
173}
174
175
176
177int blake2b_init( blake2b_state *S, size_t outlen )
178{
179 blake2b_param P[1];
180
181 if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return -1;
182
183 P->digest_length = ( uint8_t ) outlen;
184 P->key_length = 0;
185 P->fanout = 1;
186 P->depth = 1;
187 store32( &P->leaf_length, 0 );
188 store64( &P->node_offset, 0 );
189 P->node_depth = 0;
190 P->inner_length = 0;
191 memset( P->reserved, 0, sizeof( P->reserved ) );
192 memset( P->salt, 0, sizeof( P->salt ) );
193 memset( P->personal, 0, sizeof( P->personal ) );
194 return blake2b_init_param( S, P );
195}
196
197
198int blake2b_init_key( blake2b_state *S, size_t outlen, const void *key, size_t keylen )
199{
200 blake2b_param P[1];
201
202 if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return -1;
203
204 if ( !key || !keylen || keylen > BLAKE2B_KEYBYTES ) return -1;
205
206 P->digest_length = ( uint8_t ) outlen;
207 P->key_length = ( uint8_t ) keylen;
208 P->fanout = 1;
209 P->depth = 1;
210 store32( &P->leaf_length, 0 );
211 store64( &P->node_offset, 0 );
212 P->node_depth = 0;
213 P->inner_length = 0;
214 memset( P->reserved, 0, sizeof( P->reserved ) );
215 memset( P->salt, 0, sizeof( P->salt ) );
216 memset( P->personal, 0, sizeof( P->personal ) );
217
218 if( blake2b_init_param( S, P ) < 0 ) return -1;
219
220 {
221 uint8_t block[BLAKE2B_BLOCKBYTES];
222 memset( block, 0, BLAKE2B_BLOCKBYTES );
223 memcpy( block, key, keylen );
224 blake2b_update( S, block, BLAKE2B_BLOCKBYTES );
225 secure_zero_memory( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from stack */
226 }
227 return 0;
228}
229
230static int blake2b_compress( blake2b_state *S, const uint8_t block[BLAKE2B_BLOCKBYTES] )
231{
232 uint64_t m[16];
233 uint64_t v[16];
234 size_t i;
235
236 for( i = 0; i < 16; ++i )
237 m[i] = load64( block + i * sizeof( m[i] ) );
238
239 for( i = 0; i < 8; ++i )
240 v[i] = S->h[i];
241
242 v[ 8] = blake2b_IV[0];
243 v[ 9] = blake2b_IV[1];
244 v[10] = blake2b_IV[2];
245 v[11] = blake2b_IV[3];
246 v[12] = S->t[0] ^ blake2b_IV[4];
247 v[13] = S->t[1] ^ blake2b_IV[5];
248 v[14] = S->f[0] ^ blake2b_IV[6];
249 v[15] = S->f[1] ^ blake2b_IV[7];
250#define G(r,i,a,b,c,d) \
251 do { \
252 a = a + b + m[blake2b_sigma[r][2*i+0]]; \
253 d = rotr64(d ^ a, 32); \
254 c = c + d; \
255 b = rotr64(b ^ c, 24); \
256 a = a + b + m[blake2b_sigma[r][2*i+1]]; \
257 d = rotr64(d ^ a, 16); \
258 c = c + d; \
259 b = rotr64(b ^ c, 63); \
260 } while(0)
261#define ROUND(r) \
262 do { \
263 G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \
264 G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \
265 G(r,2,v[ 2],v[ 6],v[10],v[14]); \
266 G(r,3,v[ 3],v[ 7],v[11],v[15]); \
267 G(r,4,v[ 0],v[ 5],v[10],v[15]); \
268 G(r,5,v[ 1],v[ 6],v[11],v[12]); \
269 G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \
270 G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \
271 } while(0)
272 ROUND( 0 );
273 ROUND( 1 );
274 ROUND( 2 );
275 ROUND( 3 );
276 ROUND( 4 );
277 ROUND( 5 );
278 ROUND( 6 );
279 ROUND( 7 );
280 ROUND( 8 );
281 ROUND( 9 );
282 ROUND( 10 );
283 ROUND( 11 );
284
285 for( i = 0; i < 8; ++i )
286 S->h[i] = S->h[i] ^ v[i] ^ v[i + 8];
287
288#undef G
289#undef ROUND
290 return 0;
291}
292
293
294int blake2b_update( blake2b_state *S, const uint8_t *in, size_t inlen )
295{
296 while( inlen > 0 )
297 {
298 uint32_t left = S->buflen;
299 uint32_t fill = 2 * BLAKE2B_BLOCKBYTES - left;
300
301 if( inlen > fill )
302 {
303 memcpy( S->buf + left, in, fill ); // Fill buffer
304 S->buflen += fill;
305 blake2b_increment_counter( S, BLAKE2B_BLOCKBYTES );
306 blake2b_compress( S, S->buf ); // Compress
307 memcpy( S->buf, S->buf + BLAKE2B_BLOCKBYTES, BLAKE2B_BLOCKBYTES ); // Shift buffer left
308 S->buflen -= BLAKE2B_BLOCKBYTES;
309 in += fill;
310 inlen -= fill;
311 }
312 else // inlen <= fill
313 {
314 memcpy( S->buf + left, in, inlen );
315 S->buflen += ( uint32_t ) inlen; // Be lazy, do not compress
316 in += inlen;
317 inlen -= inlen;
318 }
319 }
320
321 return 0;
322}
323
324int blake2b_final( blake2b_state *S, uint8_t *out, size_t outlen )
325{
326 uint8_t buffer[BLAKE2B_OUTBYTES];
327 size_t i;
328
329 if(S->outlen != outlen) return -1;
330
331 if( S->buflen > BLAKE2B_BLOCKBYTES )
332 {
333 blake2b_increment_counter( S, BLAKE2B_BLOCKBYTES );
334 blake2b_compress( S, S->buf );
335 S->buflen -= BLAKE2B_BLOCKBYTES;
336 memmove( S->buf, S->buf + BLAKE2B_BLOCKBYTES, S->buflen );
337 }
338
339 blake2b_increment_counter( S, S->buflen );
340 blake2b_set_lastblock( S );
341 memset( S->buf + S->buflen, 0, 2 * BLAKE2B_BLOCKBYTES - S->buflen ); /* Padding */
342 blake2b_compress( S, S->buf );
343
344 for( i = 0; i < 8; ++i ) /* Output full hash to temp buffer */
345 store64( buffer + sizeof( S->h[i] ) * i, S->h[i] );
346
347 memcpy( out, buffer, outlen );
348 return 0;
349}
350
351int blake2b( uint8_t *out, const void *in, const void *key, size_t outlen, size_t inlen, size_t keylen )
352{
353 blake2b_state S[1];
354
355 /* Verify parameters */
356 if ( NULL == in && inlen > 0 ) return -1;
357
358 if ( NULL == out ) return -1;
359
360 if( NULL == key && keylen > 0 ) return -1;
361
362 if( !outlen || outlen > BLAKE2B_OUTBYTES ) return -1;
363
364 if( keylen > BLAKE2B_KEYBYTES ) return -1;
365
366 if( keylen > 0 )
367 {
368 if( blake2b_init_key( S, outlen, key, keylen ) < 0 ) return -1;
369 }
370 else
371 {
372 if( blake2b_init( S, outlen ) < 0 ) return -1;
373 }
374
375 if( blake2b_update( S, ( uint8_t * )in, inlen ) < 0 ) return -1;
376 return blake2b_final( S, out, outlen );
377}
378
379
380