1
/*
2
 * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9

10
/*
11
 * Derived from the BLAKE2 reference implementation written by Samuel Neves.
12
 * Copyright 2012, Samuel Neves <[email protected]>
13
 * More information about the BLAKE2 hash function and its implementations
14
 * can be found at https://blake2.net.
15
 */
16

17
#include <assert.h>
18
#include <string.h>
19
#include <openssl/crypto.h>
20
#include "blake2_impl.h"
21
#include "prov/blake2.h"
22

23
static const uint32_t blake2s_IV[8] = {
24
    0x6A09E667U, 0xBB67AE85U, 0x3C6EF372U, 0xA54FF53AU,
25
    0x510E527FU, 0x9B05688CU, 0x1F83D9ABU, 0x5BE0CD19U
26
};
27

28
static const uint8_t blake2s_sigma[10][16] = {
29
    {  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15 } ,
30
    { 14, 10,  4,  8,  9, 15, 13,  6,  1, 12,  0,  2, 11,  7,  5,  3 } ,
31
    { 11,  8, 12,  0,  5,  2, 15, 13, 10, 14,  3,  6,  7,  1,  9,  4 } ,
32
    {  7,  9,  3,  1, 13, 12, 11, 14,  2,  6,  5, 10,  4,  0, 15,  8 } ,
33
    {  9,  0,  5,  7,  2,  4, 10, 15, 14,  1, 11, 12,  6,  8,  3, 13 } ,
34
    {  2, 12,  6, 10,  0, 11,  8,  3,  4, 13,  7,  5, 15, 14,  1,  9 } ,
35
    { 12,  5,  1, 15, 14, 13,  4, 10,  0,  7,  6,  3,  9,  2,  8, 11 } ,
36
    { 13, 11,  7, 14, 12,  1,  3,  9,  5,  0, 15,  4,  8,  6,  2, 10 } ,
37
    {  6, 15, 14,  9, 11,  3,  0,  8, 12,  2, 13,  7,  1,  4, 10,  5 } ,
38
    { 10,  2,  8,  4,  7,  6,  1,  5, 15, 11,  9, 14,  3, 12, 13 , 0 } ,
39
};
40

41
/* Set that it's the last block we'll compress */
42
static ossl_inline void blake2s_set_lastblock(BLAKE2S_CTX *S)
43
{
44
    S->f[0] = -1;
45
}
46

47
/* Initialize the hashing state. */
48
static ossl_inline void blake2s_init0(BLAKE2S_CTX *S)
49
{
50
    int i;
51

52
    memset(S, 0, sizeof(BLAKE2S_CTX));
53
    for (i = 0; i < 8; ++i) {
54
        S->h[i] = blake2s_IV[i];
55
    }
56
}
57

58
/* init xors IV with input parameter block and sets the output length */
59
static void blake2s_init_param(BLAKE2S_CTX *S, const BLAKE2S_PARAM *P)
60
{
61
    size_t i;
62
    const uint8_t *p = (const uint8_t *)(P);
63

64
    blake2s_init0(S);
65
    S->outlen = P->digest_length;
66

67
    /* The param struct is carefully hand packed, and should be 32 bytes on
68
     * every platform. */
69
    assert(sizeof(BLAKE2S_PARAM) == 32);
70
    /* IV XOR ParamBlock */
71
    for (i = 0; i < 8; ++i) {
72
        S->h[i] ^= load32(&p[i*4]);
73
    }
74
}
75

76
void ossl_blake2s_param_init(BLAKE2S_PARAM *P)
77
{
78
    P->digest_length = BLAKE2S_DIGEST_LENGTH;
79
    P->key_length    = 0;
80
    P->fanout        = 1;
81
    P->depth         = 1;
82
    store32(P->leaf_length, 0);
83
    store48(P->node_offset, 0);
84
    P->node_depth    = 0;
85
    P->inner_length  = 0;
86
    memset(P->salt,     0, sizeof(P->salt));
87
    memset(P->personal, 0, sizeof(P->personal));
88
}
89

90
void ossl_blake2s_param_set_digest_length(BLAKE2S_PARAM *P, uint8_t outlen)
91
{
92
    P->digest_length = outlen;
93
}
94

95
void ossl_blake2s_param_set_key_length(BLAKE2S_PARAM *P, uint8_t keylen)
96
{
97
    P->key_length = keylen;
98
}
99

100
void ossl_blake2s_param_set_personal(BLAKE2S_PARAM *P, const uint8_t *personal,
101
                                     size_t len)
102
{
103
    memcpy(P->personal, personal, len);
104
    memset(P->personal + len, 0, BLAKE2S_PERSONALBYTES - len);
105
}
106

107
void ossl_blake2s_param_set_salt(BLAKE2S_PARAM *P, const uint8_t *salt,
108
                                 size_t len)
109
{
110
    memcpy(P->salt, salt, len);
111
    memset(P->salt + len, 0, BLAKE2S_SALTBYTES - len);}
112

113
/*
114
 * Initialize the hashing context with the given parameter block.
115
 * Always returns 1.
116
 */
117
int ossl_blake2s_init(BLAKE2S_CTX *c, const BLAKE2S_PARAM *P)
118
{
119
    blake2s_init_param(c, P);
120
    return 1;
121
}
122

123
/*
124
 * Initialize the hashing context with the given parameter block and key.
125
 * Always returns 1.
126
 */
127
int ossl_blake2s_init_key(BLAKE2S_CTX *c, const BLAKE2S_PARAM *P,
128
                          const void *key)
129
{
130
    blake2s_init_param(c, P);
131

132
    /* Pad the key to form first data block */
133
    {
134
        uint8_t block[BLAKE2S_BLOCKBYTES] = {0};
135

136
        memcpy(block, key, P->key_length);
137
        ossl_blake2s_update(c, block, BLAKE2S_BLOCKBYTES);
138
        OPENSSL_cleanse(block, BLAKE2S_BLOCKBYTES);
139
    }
140

141
    return 1;
142
}
143

144
/* Permute the state while xoring in the block of data. */
145
static void blake2s_compress(BLAKE2S_CTX *S,
146
                            const uint8_t *blocks,
147
                            size_t len)
148
{
149
    uint32_t m[16];
150
    uint32_t v[16];
151
    size_t i;
152
    size_t increment;
153

154
    /*
155
     * There are two distinct usage vectors for this function:
156
     *
157
     * a) BLAKE2s_Update uses it to process complete blocks,
158
     *    possibly more than one at a time;
159
     *
160
     * b) BLAK2s_Final uses it to process last block, always
161
     *    single but possibly incomplete, in which case caller
162
     *    pads input with zeros.
163
     */
164
    assert(len < BLAKE2S_BLOCKBYTES || len % BLAKE2S_BLOCKBYTES == 0);
165

166
    /*
167
     * Since last block is always processed with separate call,
168
     * |len| not being multiple of complete blocks can be observed
169
     * only with |len| being less than BLAKE2S_BLOCKBYTES ("less"
170
     * including even zero), which is why following assignment doesn't
171
     * have to reside inside the main loop below.
172
     */
173
    increment = len < BLAKE2S_BLOCKBYTES ? len : BLAKE2S_BLOCKBYTES;
174

175
    for (i = 0; i < 8; ++i) {
176
        v[i] = S->h[i];
177
    }
178

179
    do {
180
        for (i = 0; i < 16; ++i) {
181
            m[i] = load32(blocks + i * sizeof(m[i]));
182
        }
183

184
        /* blake2s_increment_counter */
185
        S->t[0] += increment;
186
        S->t[1] += (S->t[0] < increment);
187

188
        v[ 8] = blake2s_IV[0];
189
        v[ 9] = blake2s_IV[1];
190
        v[10] = blake2s_IV[2];
191
        v[11] = blake2s_IV[3];
192
        v[12] = S->t[0] ^ blake2s_IV[4];
193
        v[13] = S->t[1] ^ blake2s_IV[5];
194
        v[14] = S->f[0] ^ blake2s_IV[6];
195
        v[15] = S->f[1] ^ blake2s_IV[7];
196
#define G(r,i,a,b,c,d) \
197
        do { \
198
            a = a + b + m[blake2s_sigma[r][2*i+0]]; \
199
            d = rotr32(d ^ a, 16); \
200
            c = c + d; \
201
            b = rotr32(b ^ c, 12); \
202
            a = a + b + m[blake2s_sigma[r][2*i+1]]; \
203
            d = rotr32(d ^ a, 8); \
204
            c = c + d; \
205
            b = rotr32(b ^ c, 7); \
206
        } while (0)
207
#define ROUND(r)  \
208
        do { \
209
            G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \
210
            G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \
211
            G(r,2,v[ 2],v[ 6],v[10],v[14]); \
212
            G(r,3,v[ 3],v[ 7],v[11],v[15]); \
213
            G(r,4,v[ 0],v[ 5],v[10],v[15]); \
214
            G(r,5,v[ 1],v[ 6],v[11],v[12]); \
215
            G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \
216
            G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \
217
        } while (0)
218
#if defined(OPENSSL_SMALL_FOOTPRINT)
219
        /* almost 3x reduction on x86_64, 4.5x on ARMv8, 4x on ARMv4 */
220
        for (i = 0; i < 10; i++) {
221
            ROUND(i);
222
        }
223
#else
224
        ROUND(0);
225
        ROUND(1);
226
        ROUND(2);
227
        ROUND(3);
228
        ROUND(4);
229
        ROUND(5);
230
        ROUND(6);
231
        ROUND(7);
232
        ROUND(8);
233
        ROUND(9);
234
#endif
235

236
        for (i = 0; i < 8; ++i) {
237
            S->h[i] = v[i] ^= v[i + 8] ^ S->h[i];
238
        }
239
#undef G
240
#undef ROUND
241
        blocks += increment;
242
        len -= increment;
243
    } while (len);
244
}
245

246
/* Absorb the input data into the hash state.  Always returns 1. */
247
int ossl_blake2s_update(BLAKE2S_CTX *c, const void *data, size_t datalen)
248
{
249
    const uint8_t *in = data;
250
    size_t fill;
251

252
    /*
253
     * Intuitively one would expect intermediate buffer, c->buf, to
254
     * store incomplete blocks. But in this case we are interested to
255
     * temporarily stash even complete blocks, because last one in the
256
     * stream has to be treated in special way, and at this point we
257
     * don't know if last block in *this* call is last one "ever". This
258
     * is the reason for why |datalen| is compared as >, and not >=.
259
     */
260
    fill = sizeof(c->buf) - c->buflen;
261
    if (datalen > fill) {
262
        if (c->buflen) {
263
            memcpy(c->buf + c->buflen, in, fill); /* Fill buffer */
264
            blake2s_compress(c, c->buf, BLAKE2S_BLOCKBYTES);
265
            c->buflen = 0;
266
            in += fill;
267
            datalen -= fill;
268
        }
269
        if (datalen > BLAKE2S_BLOCKBYTES) {
270
            size_t stashlen = datalen % BLAKE2S_BLOCKBYTES;
271
            /*
272
             * If |datalen| is a multiple of the blocksize, stash
273
             * last complete block, it can be final one...
274
             */
275
            stashlen = stashlen ? stashlen : BLAKE2S_BLOCKBYTES;
276
            datalen -= stashlen;
277
            blake2s_compress(c, in, datalen);
278
            in += datalen;
279
            datalen = stashlen;
280
        }
281
    }
282

283
    assert(datalen <= BLAKE2S_BLOCKBYTES);
284

285
    memcpy(c->buf + c->buflen, in, datalen);
286
    c->buflen += datalen; /* Be lazy, do not compress */
287

288
    return 1;
289
}
290

291
/*
292
 * Calculate the final hash and save it in md.
293
 * Always returns 1.
294
 */
295
int ossl_blake2s_final(unsigned char *md, BLAKE2S_CTX *c)
296
{
297
    uint8_t outbuffer[BLAKE2S_OUTBYTES] = {0};
298
    uint8_t *target = outbuffer;
299
    int iter = (c->outlen + 3) / 4;
300
    int i;
301

302
    /* Avoid writing to the temporary buffer if possible */
303
    if ((c->outlen % sizeof(c->h[0])) == 0)
304
        target = md;
305

306
    blake2s_set_lastblock(c);
307
    /* Padding */
308
    memset(c->buf + c->buflen, 0, sizeof(c->buf) - c->buflen);
309
    blake2s_compress(c, c->buf, c->buflen);
310

311
    /* Output full hash to buffer */
312
    for (i = 0; i < iter; ++i)
313
        store32(target + sizeof(c->h[i]) * i, c->h[i]);
314

315
    if (target != md) {
316
        memcpy(md, target, c->outlen);
317
        OPENSSL_cleanse(target, sizeof(outbuffer));
318
    }
319

320
    OPENSSL_cleanse(c, sizeof(BLAKE2S_CTX));
321
    return 1;
322
}
323

324