CoCalc -- blake2b

GitHub Repository: freebsd/freebsd-src
Path: blob/main/crypto/openssl/providers/implementations/digests/blake2b_prov.c
¹⁰⁶⁶²² views
1
/*
2
 * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9

10
/*
11
 * Derived from the BLAKE2 reference implementation written by Samuel Neves.
12
 * Copyright 2012, Samuel Neves <[email protected]>
13
 * More information about the BLAKE2 hash function and its implementations
14
 * can be found at https://blake2.net.
15
 */
16

17
#include <assert.h>
18
#include <string.h>
19
#include <openssl/crypto.h>
20
#include "internal/numbers.h"
21
#include "blake2_impl.h"
22
#include "prov/blake2.h"
23

24
static const uint64_t blake2b_IV[8] = {
25
    0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL,
26
    0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL,
27
    0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL,
28
    0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL
29
};
30

31
static const uint8_t blake2b_sigma[12][16] = {
32
    { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
33
    { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
34
    { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
35
    { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
36
    { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
37
    { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
38
    { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
39
    { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
40
    { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
41
    { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 },
42
    { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
43
    { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }
44
};
45

46
/* Set that it's the last block we'll compress */
47
static ossl_inline void blake2b_set_lastblock(BLAKE2B_CTX *S)
48
{
49
    S->f[0] = -1;
50
}
51

52
/* Initialize the hashing state. */
53
static ossl_inline void blake2b_init0(BLAKE2B_CTX *S)
54
{
55
    int i;
56

57
    memset(S, 0, sizeof(BLAKE2B_CTX));
58
    for (i = 0; i < 8; ++i) {
59
        S->h[i] = blake2b_IV[i];
60
    }
61
}
62

63
/* init xors IV with input parameter block and sets the output length */
64
static void blake2b_init_param(BLAKE2B_CTX *S, const BLAKE2B_PARAM *P)
65
{
66
    size_t i;
67
    const uint8_t *p = (const uint8_t *)(P);
68

69
    blake2b_init0(S);
70
    S->outlen = P->digest_length;
71

72
    /* The param struct is carefully hand packed, and should be 64 bytes on
73
     * every platform. */
74
    assert(sizeof(BLAKE2B_PARAM) == 64);
75
    /* IV XOR ParamBlock */
76
    for (i = 0; i < 8; ++i) {
77
        S->h[i] ^= load64(p + sizeof(S->h[i]) * i);
78
    }
79
}
80

81
/* Initialize the parameter block with default values */
82
void ossl_blake2b_param_init(BLAKE2B_PARAM *P)
83
{
84
    P->digest_length = BLAKE2B_DIGEST_LENGTH;
85
    P->key_length = 0;
86
    P->fanout = 1;
87
    P->depth = 1;
88
    store32(P->leaf_length, 0);
89
    store64(P->node_offset, 0);
90
    P->node_depth = 0;
91
    P->inner_length = 0;
92
    memset(P->reserved, 0, sizeof(P->reserved));
93
    memset(P->salt, 0, sizeof(P->salt));
94
    memset(P->personal, 0, sizeof(P->personal));
95
}
96

97
void ossl_blake2b_param_set_digest_length(BLAKE2B_PARAM *P, uint8_t outlen)
98
{
99
    P->digest_length = outlen;
100
}
101

102
void ossl_blake2b_param_set_key_length(BLAKE2B_PARAM *P, uint8_t keylen)
103
{
104
    P->key_length = keylen;
105
}
106

107
void ossl_blake2b_param_set_personal(BLAKE2B_PARAM *P, const uint8_t *personal,
108
    size_t len)
109
{
110
    memcpy(P->personal, personal, len);
111
    memset(P->personal + len, 0, BLAKE2B_PERSONALBYTES - len);
112
}
113

114
void ossl_blake2b_param_set_salt(BLAKE2B_PARAM *P, const uint8_t *salt,
115
    size_t len)
116
{
117
    memcpy(P->salt, salt, len);
118
    memset(P->salt + len, 0, BLAKE2B_SALTBYTES - len);
119
}
120

121
/*
122
 * Initialize the hashing context with the given parameter block.
123
 * Always returns 1.
124
 */
125
int ossl_blake2b_init(BLAKE2B_CTX *c, const BLAKE2B_PARAM *P)
126
{
127
    blake2b_init_param(c, P);
128
    return 1;
129
}
130

131
/*
132
 * Initialize the hashing context with the given parameter block and key.
133
 * Always returns 1.
134
 */
135
int ossl_blake2b_init_key(BLAKE2B_CTX *c, const BLAKE2B_PARAM *P,
136
    const void *key)
137
{
138
    blake2b_init_param(c, P);
139

140
    /* Pad the key to form first data block */
141
    {
142
        uint8_t block[BLAKE2B_BLOCKBYTES] = { 0 };
143

144
        memcpy(block, key, P->key_length);
145
        ossl_blake2b_update(c, block, BLAKE2B_BLOCKBYTES);
146
        OPENSSL_cleanse(block, BLAKE2B_BLOCKBYTES);
147
    }
148

149
    return 1;
150
}
151

152
/* Permute the state while xoring in the block of data. */
153
static void blake2b_compress(BLAKE2B_CTX *S,
154
    const uint8_t *blocks,
155
    size_t len)
156
{
157
    uint64_t m[16];
158
    uint64_t v[16];
159
    int i;
160
    size_t increment;
161

162
    /*
163
     * There are two distinct usage vectors for this function:
164
     *
165
     * a) BLAKE2b_Update uses it to process complete blocks,
166
     *    possibly more than one at a time;
167
     *
168
     * b) BLAK2b_Final uses it to process last block, always
169
     *    single but possibly incomplete, in which case caller
170
     *    pads input with zeros.
171
     */
172
    assert(len < BLAKE2B_BLOCKBYTES || len % BLAKE2B_BLOCKBYTES == 0);
173

174
    /*
175
     * Since last block is always processed with separate call,
176
     * |len| not being multiple of complete blocks can be observed
177
     * only with |len| being less than BLAKE2B_BLOCKBYTES ("less"
178
     * including even zero), which is why following assignment doesn't
179
     * have to reside inside the main loop below.
180
     */
181
    increment = len < BLAKE2B_BLOCKBYTES ? len : BLAKE2B_BLOCKBYTES;
182

183
    for (i = 0; i < 8; ++i) {
184
        v[i] = S->h[i];
185
    }
186

187
    do {
188
        for (i = 0; i < 16; ++i) {
189
            m[i] = load64(blocks + i * sizeof(m[i]));
190
        }
191

192
        /* blake2b_increment_counter */
193
        S->t[0] += increment;
194
        S->t[1] += (S->t[0] < increment);
195

196
        v[8] = blake2b_IV[0];
197
        v[9] = blake2b_IV[1];
198
        v[10] = blake2b_IV[2];
199
        v[11] = blake2b_IV[3];
200
        v[12] = S->t[0] ^ blake2b_IV[4];
201
        v[13] = S->t[1] ^ blake2b_IV[5];
202
        v[14] = S->f[0] ^ blake2b_IV[6];
203
        v[15] = S->f[1] ^ blake2b_IV[7];
204
#define G(r, i, a, b, c, d)                         \
205
    do {                                            \
206
        a = a + b + m[blake2b_sigma[r][2 * i + 0]]; \
207
        d = rotr64(d ^ a, 32);                      \
208
        c = c + d;                                  \
209
        b = rotr64(b ^ c, 24);                      \
210
        a = a + b + m[blake2b_sigma[r][2 * i + 1]]; \
211
        d = rotr64(d ^ a, 16);                      \
212
        c = c + d;                                  \
213
        b = rotr64(b ^ c, 63);                      \
214
    } while (0)
215
#define ROUND(r)                           \
216
    do {                                   \
217
        G(r, 0, v[0], v[4], v[8], v[12]);  \
218
        G(r, 1, v[1], v[5], v[9], v[13]);  \
219
        G(r, 2, v[2], v[6], v[10], v[14]); \
220
        G(r, 3, v[3], v[7], v[11], v[15]); \
221
        G(r, 4, v[0], v[5], v[10], v[15]); \
222
        G(r, 5, v[1], v[6], v[11], v[12]); \
223
        G(r, 6, v[2], v[7], v[8], v[13]);  \
224
        G(r, 7, v[3], v[4], v[9], v[14]);  \
225
    } while (0)
226
#if defined(OPENSSL_SMALL_FOOTPRINT)
227
        /* 3x size reduction on x86_64, almost 7x on ARMv8, 9x on ARMv4 */
228
        for (i = 0; i < 12; i++) {
229
            ROUND(i);
230
        }
231
#else
232
        ROUND(0);
233
        ROUND(1);
234
        ROUND(2);
235
        ROUND(3);
236
        ROUND(4);
237
        ROUND(5);
238
        ROUND(6);
239
        ROUND(7);
240
        ROUND(8);
241
        ROUND(9);
242
        ROUND(10);
243
        ROUND(11);
244
#endif
245

246
        for (i = 0; i < 8; ++i) {
247
            S->h[i] = v[i] ^= v[i + 8] ^ S->h[i];
248
        }
249
#undef G
250
#undef ROUND
251
        blocks += increment;
252
        len -= increment;
253
    } while (len);
254
}
255

256
/* Absorb the input data into the hash state.  Always returns 1. */
257
int ossl_blake2b_update(BLAKE2B_CTX *c, const void *data, size_t datalen)
258
{
259
    const uint8_t *in = data;
260
    size_t fill;
261

262
    /*
263
     * Intuitively one would expect intermediate buffer, c->buf, to
264
     * store incomplete blocks. But in this case we are interested to
265
     * temporarily stash even complete blocks, because last one in the
266
     * stream has to be treated in special way, and at this point we
267
     * don't know if last block in *this* call is last one "ever". This
268
     * is the reason for why |datalen| is compared as >, and not >=.
269
     */
270
    fill = sizeof(c->buf) - c->buflen;
271
    if (datalen > fill) {
272
        if (c->buflen) {
273
            memcpy(c->buf + c->buflen, in, fill); /* Fill buffer */
274
            blake2b_compress(c, c->buf, BLAKE2B_BLOCKBYTES);
275
            c->buflen = 0;
276
            in += fill;
277
            datalen -= fill;
278
        }
279
        if (datalen > BLAKE2B_BLOCKBYTES) {
280
            size_t stashlen = datalen % BLAKE2B_BLOCKBYTES;
281
            /*
282
             * If |datalen| is a multiple of the blocksize, stash
283
             * last complete block, it can be final one...
284
             */
285
            stashlen = stashlen ? stashlen : BLAKE2B_BLOCKBYTES;
286
            datalen -= stashlen;
287
            blake2b_compress(c, in, datalen);
288
            in += datalen;
289
            datalen = stashlen;
290
        }
291
    }
292

293
    assert(datalen <= BLAKE2B_BLOCKBYTES);
294

295
    memcpy(c->buf + c->buflen, in, datalen);
296
    c->buflen += datalen; /* Be lazy, do not compress */
297

298
    return 1;
299
}
300

301
/*
302
 * Calculate the final hash and save it in md.
303
 * Always returns 1.
304
 */
305
int ossl_blake2b_final(unsigned char *md, BLAKE2B_CTX *c)
306
{
307
    uint8_t outbuffer[BLAKE2B_OUTBYTES] = { 0 };
308
    uint8_t *target = outbuffer;
309
    int iter = (c->outlen + 7) / 8;
310
    int i;
311

312
    /* Avoid writing to the temporary buffer if possible */
313
    if ((c->outlen % sizeof(c->h[0])) == 0)
314
        target = md;
315

316
    blake2b_set_lastblock(c);
317
    /* Padding */
318
    memset(c->buf + c->buflen, 0, sizeof(c->buf) - c->buflen);
319
    blake2b_compress(c, c->buf, c->buflen);
320

321
    /* Output full hash to buffer */
322
    for (i = 0; i < iter; ++i)
323
        store64(target + sizeof(c->h[i]) * i, c->h[i]);
324

325
    if (target != md) {
326
        memcpy(md, target, c->outlen);
327
        OPENSSL_cleanse(target, sizeof(outbuffer));
328
    }
329

330
    OPENSSL_cleanse(c, sizeof(BLAKE2B_CTX));
331
    return 1;
332
}
333

334
Product

Resources

Company
