1 | /*
2 | * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
3 | *
4 | * Licensed under the OpenSSL license (the "License"). You may not use
5 | * this file except in compliance with the License. You can obtain a copy
6 | * in the file LICENSE in the source distribution or at
7 | * https://www.openssl.org/source/license.html
8 | */
9 |
10 | /*
11 | * Derived from the BLAKE2 reference implementation written by Samuel Neves.
12 | * Copyright 2012, Samuel Neves <[email protected]>
13 | * More information about the BLAKE2 hash function and its implementations
14 | * can be found at https://blake2.net.
15 | */
16 |
17 | #include <assert.h>
18 | #include <string.h>
19 | #include <openssl/crypto.h>
20 | #include "e_os.h"
21 |
22 | #include "blake2_locl.h"
23 | #include "blake2_impl.h"
24 |
25 | static const uint64_t blake2b_IV[8] =
26 | {
27 | 0x6a09e667f3bcc908U, 0xbb67ae8584caa73bU,
28 | 0x3c6ef372fe94f82bU, 0xa54ff53a5f1d36f1U,
29 | 0x510e527fade682d1U, 0x9b05688c2b3e6c1fU,
30 | 0x1f83d9abfb41bd6bU, 0x5be0cd19137e2179U
31 | };
32 |
33 | static const uint8_t blake2b_sigma[12][16] =
34 | {
35 | { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } ,
36 | { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } ,
37 | { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 } ,
38 | { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 } ,
39 | { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 } ,
40 | { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 } ,
41 | { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 } ,
42 | { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 } ,
43 | { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 } ,
44 | { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 } ,
45 | { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } ,
46 | { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }
47 | };
48 |
49 | /* Set that it's the last block we'll compress */
50 | static ossl_inline void blake2b_set_lastblock(BLAKE2B_CTX *S)
51 | {
52 | S->f[0] = -1;
53 | }
54 |
55 | /* Initialize the hashing state. */
56 | static ossl_inline void blake2b_init0(BLAKE2B_CTX *S)
57 | {
58 | int i;
59 |
60 | memset(S, 0, sizeof(BLAKE2B_CTX));
61 | for (i = 0; i < 8; ++i) {
62 | S->h[i] = blake2b_IV[i];
63 | }
64 | }
65 |
66 | /* init xors IV with input parameter block */
67 | static void blake2b_init_param(BLAKE2B_CTX *S, const BLAKE2B_PARAM *P)
68 | {
69 | size_t i;
70 | const uint8_t *p = (const uint8_t *)(P);
71 | blake2b_init0(S);
72 |
73 | /* The param struct is carefully hand packed, and should be 64 bytes on
74 | * every platform. */
75 | assert(sizeof(BLAKE2B_PARAM) == 64);
76 | /* IV XOR ParamBlock */
77 | for (i = 0; i < 8; ++i) {
78 | S->h[i] ^= load64(p + sizeof(S->h[i]) * i);
79 | }
80 | }
81 |
82 | /* Initialize the hashing context. Always returns 1. */
83 | int BLAKE2b_Init(BLAKE2B_CTX *c)
84 | {
85 | BLAKE2B_PARAM P[1];
86 | P->digest_length = BLAKE2B_DIGEST_LENGTH;
87 | P->key_length = 0;
88 | P->fanout = 1;
89 | P->depth = 1;
90 | store32(P->leaf_length, 0);
91 | store64(P->node_offset, 0);
92 | P->node_depth = 0;
93 | P->inner_length = 0;
94 | memset(P->reserved, 0, sizeof(P->reserved));
95 | memset(P->salt, 0, sizeof(P->salt));
96 | memset(P->personal, 0, sizeof(P->personal));
97 | blake2b_init_param(c, P);
98 | return 1;
99 | }
100 |
101 | /* Permute the state while xoring in the block of data. */
102 | static void blake2b_compress(BLAKE2B_CTX *S,
103 | const uint8_t *blocks,
104 | size_t len)
105 | {
106 | uint64_t m[16];
107 | uint64_t v[16];
108 | int i;
109 | size_t increment;
110 |
111 | /*
112 | * There are two distinct usage vectors for this function:
113 | *
114 | * a) BLAKE2b_Update uses it to process complete blocks,
115 | * possibly more than one at a time;
116 | *
117 | * b) BLAK2b_Final uses it to process last block, always
118 | * single but possibly incomplete, in which case caller
119 | * pads input with zeros.
120 | */
121 | assert(len < BLAKE2B_BLOCKBYTES || len % BLAKE2B_BLOCKBYTES == 0);
122 |
123 | /*
124 | * Since last block is always processed with separate call,
125 | * |len| not being multiple of complete blocks can be observed
126 | * only with |len| being less than BLAKE2B_BLOCKBYTES ("less"
127 | * including even zero), which is why following assignment doesn't
128 | * have to reside inside the main loop below.
129 | */
130 | increment = len < BLAKE2B_BLOCKBYTES ? len : BLAKE2B_BLOCKBYTES;
131 |
132 | for (i = 0; i < 8; ++i) {
133 | v[i] = S->h[i];
134 | }
135 |
136 | do {
137 | for (i = 0; i < 16; ++i) {
138 | m[i] = load64(blocks + i * sizeof(m[i]));
139 | }
140 |
141 | /* blake2b_increment_counter */
142 | S->t[0] += increment;
143 | S->t[1] += (S->t[0] < increment);
144 |
145 | v[8] = blake2b_IV[0];
146 | v[9] = blake2b_IV[1];
147 | v[10] = blake2b_IV[2];
148 | v[11] = blake2b_IV[3];
149 | v[12] = S->t[0] ^ blake2b_IV[4];
150 | v[13] = S->t[1] ^ blake2b_IV[5];
151 | v[14] = S->f[0] ^ blake2b_IV[6];
152 | v[15] = S->f[1] ^ blake2b_IV[7];
153 | #define G(r,i,a,b,c,d) \
154 | do { \
155 | a = a + b + m[blake2b_sigma[r][2*i+0]]; \
156 | d = rotr64(d ^ a, 32); \
157 | c = c + d; \
158 | b = rotr64(b ^ c, 24); \
159 | a = a + b + m[blake2b_sigma[r][2*i+1]]; \
160 | d = rotr64(d ^ a, 16); \
161 | c = c + d; \
162 | b = rotr64(b ^ c, 63); \
163 | } while (0)
164 | #define ROUND(r) \
165 | do { \
166 | G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \
167 | G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \
168 | G(r,2,v[ 2],v[ 6],v[10],v[14]); \
169 | G(r,3,v[ 3],v[ 7],v[11],v[15]); \
170 | G(r,4,v[ 0],v[ 5],v[10],v[15]); \
171 | G(r,5,v[ 1],v[ 6],v[11],v[12]); \
172 | G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \
173 | G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \
174 | } while (0)
175 | #if defined(OPENSSL_SMALL_FOOTPRINT)
176 | /* 3x size reduction on x86_64, almost 7x on ARMv8, 9x on ARMv4 */
177 | for (i = 0; i < 12; i++) {
178 | ROUND(i);
179 | }
180 | #else
181 | ROUND(0);
182 | ROUND(1);
183 | ROUND(2);
184 | ROUND(3);
185 | ROUND(4);
186 | ROUND(5);
187 | ROUND(6);
188 | ROUND(7);
189 | ROUND(8);
190 | ROUND(9);
191 | ROUND(10);
192 | ROUND(11);
193 | #endif
194 |
195 | for (i = 0; i < 8; ++i) {
196 | S->h[i] = v[i] ^= v[i + 8] ^ S->h[i];
197 | }
198 | #undef G
199 | #undef ROUND
200 | blocks += increment;
201 | len -= increment;
202 | } while (len);
203 | }
204 |
205 | /* Absorb the input data into the hash state. Always returns 1. */
206 | int BLAKE2b_Update(BLAKE2B_CTX *c, const void *data, size_t datalen)
207 | {
208 | const uint8_t *in = data;
209 | size_t fill;
210 |
211 | /*
212 | * Intuitively one would expect intermediate buffer, c->buf, to
213 | * store incomplete blocks. But in this case we are interested to
214 | * temporarily stash even complete blocks, because last one in the
215 | * stream has to be treated in special way, and at this point we
216 | * don't know if last block in *this* call is last one "ever". This
217 | * is the reason for why |datalen| is compared as >, and not >=.
218 | */
219 | fill = sizeof(c->buf) - c->buflen;
220 | if (datalen > fill) {
221 | if (c->buflen) {
222 | memcpy(c->buf + c->buflen, in, fill); /* Fill buffer */
223 | blake2b_compress(c, c->buf, BLAKE2B_BLOCKBYTES);
224 | c->buflen = 0;
225 | in += fill;
226 | datalen -= fill;
227 | }
228 | if (datalen > BLAKE2B_BLOCKBYTES) {
229 | size_t stashlen = datalen % BLAKE2B_BLOCKBYTES;
230 | /*
231 | * If |datalen| is a multiple of the blocksize, stash
232 | * last complete block, it can be final one...
233 | */
234 | stashlen = stashlen ? stashlen : BLAKE2B_BLOCKBYTES;
235 | datalen -= stashlen;
236 | blake2b_compress(c, in, datalen);
237 | in += datalen;
238 | datalen = stashlen;
239 | }
240 | }
241 |
242 | assert(datalen <= BLAKE2B_BLOCKBYTES);
243 |
244 | memcpy(c->buf + c->buflen, in, datalen);
245 | c->buflen += datalen; /* Be lazy, do not compress */
246 |
247 | return 1;
248 | }
249 |
250 | /*
251 | * Calculate the final hash and save it in md.
252 | * Always returns 1.
253 | */
254 | int BLAKE2b_Final(unsigned char *md, BLAKE2B_CTX *c)
255 | {
256 | int i;
257 |
258 | blake2b_set_lastblock(c);
259 | /* Padding */
260 | memset(c->buf + c->buflen, 0, sizeof(c->buf) - c->buflen);
261 | blake2b_compress(c, c->buf, c->buflen);
262 |
263 | /* Output full hash to message digest */
264 | for (i = 0; i < 8; ++i) {
265 | store64(md + sizeof(c->h[i]) * i, c->h[i]);
266 | }
267 |
268 | OPENSSL_cleanse(c, sizeof(BLAKE2B_CTX));
269 | return 1;
270 | }