1
/*
2
 * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9

10
/*
11
 * Derived from the BLAKE2 reference implementation written by Samuel Neves.
12
 * Copyright 2012, Samuel Neves <[email protected]>
13
 * More information about the BLAKE2 hash function and its implementations
14
 * can be found at https://blake2.net.
15
 */
16

17
#include <assert.h>
18
#include <string.h>
19
#include <openssl/crypto.h>
20
#include "blake2_impl.h"
21
#include "prov/blake2.h"
22

23
static const uint32_t blake2s_IV[8] = {
24
    0x6A09E667U, 0xBB67AE85U, 0x3C6EF372U, 0xA54FF53AU,
25
    0x510E527FU, 0x9B05688CU, 0x1F83D9ABU, 0x5BE0CD19U
26
};
27

28
static const uint8_t blake2s_sigma[10][16] = {
29
    { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
30
    { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
31
    { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
32
    { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
33
    { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
34
    { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
35
    { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
36
    { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
37
    { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
38
    { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 },
39
};
40

41
/* Set that it's the last block we'll compress */
42
static ossl_inline void blake2s_set_lastblock(BLAKE2S_CTX *S)
43
{
44
    S->f[0] = -1;
45
}
46

47
/* Initialize the hashing state. */
48
static ossl_inline void blake2s_init0(BLAKE2S_CTX *S)
49
{
50
    int i;
51

52
    memset(S, 0, sizeof(BLAKE2S_CTX));
53
    for (i = 0; i < 8; ++i) {
54
        S->h[i] = blake2s_IV[i];
55
    }
56
}
57

58
/* init xors IV with input parameter block and sets the output length */
59
static void blake2s_init_param(BLAKE2S_CTX *S, const BLAKE2S_PARAM *P)
60
{
61
    size_t i;
62
    const uint8_t *p = (const uint8_t *)(P);
63

64
    blake2s_init0(S);
65
    S->outlen = P->digest_length;
66

67
    /* The param struct is carefully hand packed, and should be 32 bytes on
68
     * every platform. */
69
    assert(sizeof(BLAKE2S_PARAM) == 32);
70
    /* IV XOR ParamBlock */
71
    for (i = 0; i < 8; ++i) {
72
        S->h[i] ^= load32(&p[i * 4]);
73
    }
74
}
75

76
void ossl_blake2s_param_init(BLAKE2S_PARAM *P)
77
{
78
    P->digest_length = BLAKE2S_DIGEST_LENGTH;
79
    P->key_length = 0;
80
    P->fanout = 1;
81
    P->depth = 1;
82
    store32(P->leaf_length, 0);
83
    store48(P->node_offset, 0);
84
    P->node_depth = 0;
85
    P->inner_length = 0;
86
    memset(P->salt, 0, sizeof(P->salt));
87
    memset(P->personal, 0, sizeof(P->personal));
88
}
89

90
void ossl_blake2s_param_set_digest_length(BLAKE2S_PARAM *P, uint8_t outlen)
91
{
92
    P->digest_length = outlen;
93
}
94

95
void ossl_blake2s_param_set_key_length(BLAKE2S_PARAM *P, uint8_t keylen)
96
{
97
    P->key_length = keylen;
98
}
99

100
void ossl_blake2s_param_set_personal(BLAKE2S_PARAM *P, const uint8_t *personal,
101
    size_t len)
102
{
103
    memcpy(P->personal, personal, len);
104
    memset(P->personal + len, 0, BLAKE2S_PERSONALBYTES - len);
105
}
106

107
void ossl_blake2s_param_set_salt(BLAKE2S_PARAM *P, const uint8_t *salt,
108
    size_t len)
109
{
110
    memcpy(P->salt, salt, len);
111
    memset(P->salt + len, 0, BLAKE2S_SALTBYTES - len);
112
}
113

114
/*
115
 * Initialize the hashing context with the given parameter block.
116
 * Always returns 1.
117
 */
118
int ossl_blake2s_init(BLAKE2S_CTX *c, const BLAKE2S_PARAM *P)
119
{
120
    blake2s_init_param(c, P);
121
    return 1;
122
}
123

124
/*
125
 * Initialize the hashing context with the given parameter block and key.
126
 * Always returns 1.
127
 */
128
int ossl_blake2s_init_key(BLAKE2S_CTX *c, const BLAKE2S_PARAM *P,
129
    const void *key)
130
{
131
    blake2s_init_param(c, P);
132

133
    /* Pad the key to form first data block */
134
    {
135
        uint8_t block[BLAKE2S_BLOCKBYTES] = { 0 };
136

137
        memcpy(block, key, P->key_length);
138
        ossl_blake2s_update(c, block, BLAKE2S_BLOCKBYTES);
139
        OPENSSL_cleanse(block, BLAKE2S_BLOCKBYTES);
140
    }
141

142
    return 1;
143
}
144

145
/* Permute the state while xoring in the block of data. */
146
static void blake2s_compress(BLAKE2S_CTX *S,
147
    const uint8_t *blocks,
148
    size_t len)
149
{
150
    uint32_t m[16];
151
    uint32_t v[16];
152
    size_t i;
153
    size_t increment;
154

155
    /*
156
     * There are two distinct usage vectors for this function:
157
     *
158
     * a) BLAKE2s_Update uses it to process complete blocks,
159
     *    possibly more than one at a time;
160
     *
161
     * b) BLAK2s_Final uses it to process last block, always
162
     *    single but possibly incomplete, in which case caller
163
     *    pads input with zeros.
164
     */
165
    assert(len < BLAKE2S_BLOCKBYTES || len % BLAKE2S_BLOCKBYTES == 0);
166

167
    /*
168
     * Since last block is always processed with separate call,
169
     * |len| not being multiple of complete blocks can be observed
170
     * only with |len| being less than BLAKE2S_BLOCKBYTES ("less"
171
     * including even zero), which is why following assignment doesn't
172
     * have to reside inside the main loop below.
173
     */
174
    increment = len < BLAKE2S_BLOCKBYTES ? len : BLAKE2S_BLOCKBYTES;
175

176
    for (i = 0; i < 8; ++i) {
177
        v[i] = S->h[i];
178
    }
179

180
    do {
181
        for (i = 0; i < 16; ++i) {
182
            m[i] = load32(blocks + i * sizeof(m[i]));
183
        }
184

185
        /* blake2s_increment_counter */
186
        S->t[0] += increment;
187
        S->t[1] += (S->t[0] < increment);
188

189
        v[8] = blake2s_IV[0];
190
        v[9] = blake2s_IV[1];
191
        v[10] = blake2s_IV[2];
192
        v[11] = blake2s_IV[3];
193
        v[12] = S->t[0] ^ blake2s_IV[4];
194
        v[13] = S->t[1] ^ blake2s_IV[5];
195
        v[14] = S->f[0] ^ blake2s_IV[6];
196
        v[15] = S->f[1] ^ blake2s_IV[7];
197
#define G(r, i, a, b, c, d)                         \
198
    do {                                            \
199
        a = a + b + m[blake2s_sigma[r][2 * i + 0]]; \
200
        d = rotr32(d ^ a, 16);                      \
201
        c = c + d;                                  \
202
        b = rotr32(b ^ c, 12);                      \
203
        a = a + b + m[blake2s_sigma[r][2 * i + 1]]; \
204
        d = rotr32(d ^ a, 8);                       \
205
        c = c + d;                                  \
206
        b = rotr32(b ^ c, 7);                       \
207
    } while (0)
208
#define ROUND(r)                           \
209
    do {                                   \
210
        G(r, 0, v[0], v[4], v[8], v[12]);  \
211
        G(r, 1, v[1], v[5], v[9], v[13]);  \
212
        G(r, 2, v[2], v[6], v[10], v[14]); \
213
        G(r, 3, v[3], v[7], v[11], v[15]); \
214
        G(r, 4, v[0], v[5], v[10], v[15]); \
215
        G(r, 5, v[1], v[6], v[11], v[12]); \
216
        G(r, 6, v[2], v[7], v[8], v[13]);  \
217
        G(r, 7, v[3], v[4], v[9], v[14]);  \
218
    } while (0)
219
#if defined(OPENSSL_SMALL_FOOTPRINT)
220
        /* almost 3x reduction on x86_64, 4.5x on ARMv8, 4x on ARMv4 */
221
        for (i = 0; i < 10; i++) {
222
            ROUND(i);
223
        }
224
#else
225
        ROUND(0);
226
        ROUND(1);
227
        ROUND(2);
228
        ROUND(3);
229
        ROUND(4);
230
        ROUND(5);
231
        ROUND(6);
232
        ROUND(7);
233
        ROUND(8);
234
        ROUND(9);
235
#endif
236

237
        for (i = 0; i < 8; ++i) {
238
            S->h[i] = v[i] ^= v[i + 8] ^ S->h[i];
239
        }
240
#undef G
241
#undef ROUND
242
        blocks += increment;
243
        len -= increment;
244
    } while (len);
245
}
246

247
/* Absorb the input data into the hash state.  Always returns 1. */
248
int ossl_blake2s_update(BLAKE2S_CTX *c, const void *data, size_t datalen)
249
{
250
    const uint8_t *in = data;
251
    size_t fill;
252

253
    /*
254
     * Intuitively one would expect intermediate buffer, c->buf, to
255
     * store incomplete blocks. But in this case we are interested to
256
     * temporarily stash even complete blocks, because last one in the
257
     * stream has to be treated in special way, and at this point we
258
     * don't know if last block in *this* call is last one "ever". This
259
     * is the reason for why |datalen| is compared as >, and not >=.
260
     */
261
    fill = sizeof(c->buf) - c->buflen;
262
    if (datalen > fill) {
263
        if (c->buflen) {
264
            memcpy(c->buf + c->buflen, in, fill); /* Fill buffer */
265
            blake2s_compress(c, c->buf, BLAKE2S_BLOCKBYTES);
266
            c->buflen = 0;
267
            in += fill;
268
            datalen -= fill;
269
        }
270
        if (datalen > BLAKE2S_BLOCKBYTES) {
271
            size_t stashlen = datalen % BLAKE2S_BLOCKBYTES;
272
            /*
273
             * If |datalen| is a multiple of the blocksize, stash
274
             * last complete block, it can be final one...
275
             */
276
            stashlen = stashlen ? stashlen : BLAKE2S_BLOCKBYTES;
277
            datalen -= stashlen;
278
            blake2s_compress(c, in, datalen);
279
            in += datalen;
280
            datalen = stashlen;
281
        }
282
    }
283

284
    assert(datalen <= BLAKE2S_BLOCKBYTES);
285

286
    memcpy(c->buf + c->buflen, in, datalen);
287
    c->buflen += datalen; /* Be lazy, do not compress */
288

289
    return 1;
290
}
291

292
/*
293
 * Calculate the final hash and save it in md.
294
 * Always returns 1.
295
 */
296
int ossl_blake2s_final(unsigned char *md, BLAKE2S_CTX *c)
297
{
298
    uint8_t outbuffer[BLAKE2S_OUTBYTES] = { 0 };
299
    uint8_t *target = outbuffer;
300
    int iter = (c->outlen + 3) / 4;
301
    int i;
302

303
    /* Avoid writing to the temporary buffer if possible */
304
    if ((c->outlen % sizeof(c->h[0])) == 0)
305
        target = md;
306

307
    blake2s_set_lastblock(c);
308
    /* Padding */
309
    memset(c->buf + c->buflen, 0, sizeof(c->buf) - c->buflen);
310
    blake2s_compress(c, c->buf, c->buflen);
311

312
    /* Output full hash to buffer */
313
    for (i = 0; i < iter; ++i)
314
        store32(target + sizeof(c->h[i]) * i, c->h[i]);
315

316
    if (target != md) {
317
        memcpy(md, target, c->outlen);
318
        OPENSSL_cleanse(target, sizeof(outbuffer));
319
    }
320

321
    OPENSSL_cleanse(c, sizeof(BLAKE2S_CTX));
322
    return 1;
323
}
324

325