1e1051a39Sopenharmony_ci/* 2e1051a39Sopenharmony_ci * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. 3e1051a39Sopenharmony_ci * 4e1051a39Sopenharmony_ci * Licensed under the Apache License 2.0 (the "License"). You may not use 5e1051a39Sopenharmony_ci * this file except in compliance with the License. You can obtain a copy 6e1051a39Sopenharmony_ci * in the file LICENSE in the source distribution or at 7e1051a39Sopenharmony_ci * https://www.openssl.org/source/license.html 8e1051a39Sopenharmony_ci */ 9e1051a39Sopenharmony_ci 10e1051a39Sopenharmony_ci/* 11e1051a39Sopenharmony_ci * Derived from the BLAKE2 reference implementation written by Samuel Neves. 12e1051a39Sopenharmony_ci * Copyright 2012, Samuel Neves <sneves@dei.uc.pt> 13e1051a39Sopenharmony_ci * More information about the BLAKE2 hash function and its implementations 14e1051a39Sopenharmony_ci * can be found at https://blake2.net. 15e1051a39Sopenharmony_ci */ 16e1051a39Sopenharmony_ci 17e1051a39Sopenharmony_ci#include <assert.h> 18e1051a39Sopenharmony_ci#include <string.h> 19e1051a39Sopenharmony_ci#include <openssl/crypto.h> 20e1051a39Sopenharmony_ci#include "blake2_impl.h" 21e1051a39Sopenharmony_ci#include "prov/blake2.h" 22e1051a39Sopenharmony_ci 23e1051a39Sopenharmony_cistatic const uint32_t blake2s_IV[8] = 24e1051a39Sopenharmony_ci{ 25e1051a39Sopenharmony_ci 0x6A09E667U, 0xBB67AE85U, 0x3C6EF372U, 0xA54FF53AU, 26e1051a39Sopenharmony_ci 0x510E527FU, 0x9B05688CU, 0x1F83D9ABU, 0x5BE0CD19U 27e1051a39Sopenharmony_ci}; 28e1051a39Sopenharmony_ci 29e1051a39Sopenharmony_cistatic const uint8_t blake2s_sigma[10][16] = 30e1051a39Sopenharmony_ci{ 31e1051a39Sopenharmony_ci { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } , 32e1051a39Sopenharmony_ci { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } , 33e1051a39Sopenharmony_ci { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 } , 34e1051a39Sopenharmony_ci { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 } , 35e1051a39Sopenharmony_ci { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 } , 36e1051a39Sopenharmony_ci { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 } , 37e1051a39Sopenharmony_ci { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 } , 38e1051a39Sopenharmony_ci { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 } , 39e1051a39Sopenharmony_ci { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 } , 40e1051a39Sopenharmony_ci { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 } , 41e1051a39Sopenharmony_ci}; 42e1051a39Sopenharmony_ci 43e1051a39Sopenharmony_ci/* Set that it's the last block we'll compress */ 44e1051a39Sopenharmony_cistatic ossl_inline void blake2s_set_lastblock(BLAKE2S_CTX *S) 45e1051a39Sopenharmony_ci{ 46e1051a39Sopenharmony_ci S->f[0] = -1; 47e1051a39Sopenharmony_ci} 48e1051a39Sopenharmony_ci 49e1051a39Sopenharmony_ci/* Initialize the hashing state. */ 50e1051a39Sopenharmony_cistatic ossl_inline void blake2s_init0(BLAKE2S_CTX *S) 51e1051a39Sopenharmony_ci{ 52e1051a39Sopenharmony_ci int i; 53e1051a39Sopenharmony_ci 54e1051a39Sopenharmony_ci memset(S, 0, sizeof(BLAKE2S_CTX)); 55e1051a39Sopenharmony_ci for (i = 0; i < 8; ++i) { 56e1051a39Sopenharmony_ci S->h[i] = blake2s_IV[i]; 57e1051a39Sopenharmony_ci } 58e1051a39Sopenharmony_ci} 59e1051a39Sopenharmony_ci 60e1051a39Sopenharmony_ci/* init xors IV with input parameter block and sets the output length */ 61e1051a39Sopenharmony_cistatic void blake2s_init_param(BLAKE2S_CTX *S, const BLAKE2S_PARAM *P) 62e1051a39Sopenharmony_ci{ 63e1051a39Sopenharmony_ci size_t i; 64e1051a39Sopenharmony_ci const uint8_t *p = (const uint8_t *)(P); 65e1051a39Sopenharmony_ci 66e1051a39Sopenharmony_ci blake2s_init0(S); 67e1051a39Sopenharmony_ci S->outlen = P->digest_length; 68e1051a39Sopenharmony_ci 69e1051a39Sopenharmony_ci /* The param struct is carefully hand packed, and should be 32 bytes on 70e1051a39Sopenharmony_ci * every platform. */ 71e1051a39Sopenharmony_ci assert(sizeof(BLAKE2S_PARAM) == 32); 72e1051a39Sopenharmony_ci /* IV XOR ParamBlock */ 73e1051a39Sopenharmony_ci for (i = 0; i < 8; ++i) { 74e1051a39Sopenharmony_ci S->h[i] ^= load32(&p[i*4]); 75e1051a39Sopenharmony_ci } 76e1051a39Sopenharmony_ci} 77e1051a39Sopenharmony_ci 78e1051a39Sopenharmony_civoid ossl_blake2s_param_init(BLAKE2S_PARAM *P) 79e1051a39Sopenharmony_ci{ 80e1051a39Sopenharmony_ci P->digest_length = BLAKE2S_DIGEST_LENGTH; 81e1051a39Sopenharmony_ci P->key_length = 0; 82e1051a39Sopenharmony_ci P->fanout = 1; 83e1051a39Sopenharmony_ci P->depth = 1; 84e1051a39Sopenharmony_ci store32(P->leaf_length, 0); 85e1051a39Sopenharmony_ci store48(P->node_offset, 0); 86e1051a39Sopenharmony_ci P->node_depth = 0; 87e1051a39Sopenharmony_ci P->inner_length = 0; 88e1051a39Sopenharmony_ci memset(P->salt, 0, sizeof(P->salt)); 89e1051a39Sopenharmony_ci memset(P->personal, 0, sizeof(P->personal)); 90e1051a39Sopenharmony_ci} 91e1051a39Sopenharmony_ci 92e1051a39Sopenharmony_civoid ossl_blake2s_param_set_digest_length(BLAKE2S_PARAM *P, uint8_t outlen) 93e1051a39Sopenharmony_ci{ 94e1051a39Sopenharmony_ci P->digest_length = outlen; 95e1051a39Sopenharmony_ci} 96e1051a39Sopenharmony_ci 97e1051a39Sopenharmony_civoid ossl_blake2s_param_set_key_length(BLAKE2S_PARAM *P, uint8_t keylen) 98e1051a39Sopenharmony_ci{ 99e1051a39Sopenharmony_ci P->key_length = keylen; 100e1051a39Sopenharmony_ci} 101e1051a39Sopenharmony_ci 102e1051a39Sopenharmony_civoid ossl_blake2s_param_set_personal(BLAKE2S_PARAM *P, const uint8_t *personal, 103e1051a39Sopenharmony_ci size_t len) 104e1051a39Sopenharmony_ci{ 105e1051a39Sopenharmony_ci memcpy(P->personal, personal, len); 106e1051a39Sopenharmony_ci memset(P->personal + len, 0, BLAKE2S_PERSONALBYTES - len); 107e1051a39Sopenharmony_ci} 108e1051a39Sopenharmony_ci 109e1051a39Sopenharmony_civoid ossl_blake2s_param_set_salt(BLAKE2S_PARAM *P, const uint8_t *salt, 110e1051a39Sopenharmony_ci size_t len) 111e1051a39Sopenharmony_ci{ 112e1051a39Sopenharmony_ci memcpy(P->salt, salt, len); 113e1051a39Sopenharmony_ci memset(P->salt + len, 0, BLAKE2S_SALTBYTES - len);} 114e1051a39Sopenharmony_ci 115e1051a39Sopenharmony_ci/* 116e1051a39Sopenharmony_ci * Initialize the hashing context with the given parameter block. 117e1051a39Sopenharmony_ci * Always returns 1. 118e1051a39Sopenharmony_ci */ 119e1051a39Sopenharmony_ciint ossl_blake2s_init(BLAKE2S_CTX *c, const BLAKE2S_PARAM *P) 120e1051a39Sopenharmony_ci{ 121e1051a39Sopenharmony_ci blake2s_init_param(c, P); 122e1051a39Sopenharmony_ci return 1; 123e1051a39Sopenharmony_ci} 124e1051a39Sopenharmony_ci 125e1051a39Sopenharmony_ci/* 126e1051a39Sopenharmony_ci * Initialize the hashing context with the given parameter block and key. 127e1051a39Sopenharmony_ci * Always returns 1. 128e1051a39Sopenharmony_ci */ 129e1051a39Sopenharmony_ciint ossl_blake2s_init_key(BLAKE2S_CTX *c, const BLAKE2S_PARAM *P, 130e1051a39Sopenharmony_ci const void *key) 131e1051a39Sopenharmony_ci{ 132e1051a39Sopenharmony_ci blake2s_init_param(c, P); 133e1051a39Sopenharmony_ci 134e1051a39Sopenharmony_ci /* Pad the key to form first data block */ 135e1051a39Sopenharmony_ci { 136e1051a39Sopenharmony_ci uint8_t block[BLAKE2S_BLOCKBYTES] = {0}; 137e1051a39Sopenharmony_ci 138e1051a39Sopenharmony_ci memcpy(block, key, P->key_length); 139e1051a39Sopenharmony_ci ossl_blake2s_update(c, block, BLAKE2S_BLOCKBYTES); 140e1051a39Sopenharmony_ci OPENSSL_cleanse(block, BLAKE2S_BLOCKBYTES); 141e1051a39Sopenharmony_ci } 142e1051a39Sopenharmony_ci 143e1051a39Sopenharmony_ci return 1; 144e1051a39Sopenharmony_ci} 145e1051a39Sopenharmony_ci 146e1051a39Sopenharmony_ci/* Permute the state while xoring in the block of data. */ 147e1051a39Sopenharmony_cistatic void blake2s_compress(BLAKE2S_CTX *S, 148e1051a39Sopenharmony_ci const uint8_t *blocks, 149e1051a39Sopenharmony_ci size_t len) 150e1051a39Sopenharmony_ci{ 151e1051a39Sopenharmony_ci uint32_t m[16]; 152e1051a39Sopenharmony_ci uint32_t v[16]; 153e1051a39Sopenharmony_ci size_t i; 154e1051a39Sopenharmony_ci size_t increment; 155e1051a39Sopenharmony_ci 156e1051a39Sopenharmony_ci /* 157e1051a39Sopenharmony_ci * There are two distinct usage vectors for this function: 158e1051a39Sopenharmony_ci * 159e1051a39Sopenharmony_ci * a) BLAKE2s_Update uses it to process complete blocks, 160e1051a39Sopenharmony_ci * possibly more than one at a time; 161e1051a39Sopenharmony_ci * 162e1051a39Sopenharmony_ci * b) BLAK2s_Final uses it to process last block, always 163e1051a39Sopenharmony_ci * single but possibly incomplete, in which case caller 164e1051a39Sopenharmony_ci * pads input with zeros. 165e1051a39Sopenharmony_ci */ 166e1051a39Sopenharmony_ci assert(len < BLAKE2S_BLOCKBYTES || len % BLAKE2S_BLOCKBYTES == 0); 167e1051a39Sopenharmony_ci 168e1051a39Sopenharmony_ci /* 169e1051a39Sopenharmony_ci * Since last block is always processed with separate call, 170e1051a39Sopenharmony_ci * |len| not being multiple of complete blocks can be observed 171e1051a39Sopenharmony_ci * only with |len| being less than BLAKE2S_BLOCKBYTES ("less" 172e1051a39Sopenharmony_ci * including even zero), which is why following assignment doesn't 173e1051a39Sopenharmony_ci * have to reside inside the main loop below. 174e1051a39Sopenharmony_ci */ 175e1051a39Sopenharmony_ci increment = len < BLAKE2S_BLOCKBYTES ? len : BLAKE2S_BLOCKBYTES; 176e1051a39Sopenharmony_ci 177e1051a39Sopenharmony_ci for (i = 0; i < 8; ++i) { 178e1051a39Sopenharmony_ci v[i] = S->h[i]; 179e1051a39Sopenharmony_ci } 180e1051a39Sopenharmony_ci 181e1051a39Sopenharmony_ci do { 182e1051a39Sopenharmony_ci for (i = 0; i < 16; ++i) { 183e1051a39Sopenharmony_ci m[i] = load32(blocks + i * sizeof(m[i])); 184e1051a39Sopenharmony_ci } 185e1051a39Sopenharmony_ci 186e1051a39Sopenharmony_ci /* blake2s_increment_counter */ 187e1051a39Sopenharmony_ci S->t[0] += increment; 188e1051a39Sopenharmony_ci S->t[1] += (S->t[0] < increment); 189e1051a39Sopenharmony_ci 190e1051a39Sopenharmony_ci v[ 8] = blake2s_IV[0]; 191e1051a39Sopenharmony_ci v[ 9] = blake2s_IV[1]; 192e1051a39Sopenharmony_ci v[10] = blake2s_IV[2]; 193e1051a39Sopenharmony_ci v[11] = blake2s_IV[3]; 194e1051a39Sopenharmony_ci v[12] = S->t[0] ^ blake2s_IV[4]; 195e1051a39Sopenharmony_ci v[13] = S->t[1] ^ blake2s_IV[5]; 196e1051a39Sopenharmony_ci v[14] = S->f[0] ^ blake2s_IV[6]; 197e1051a39Sopenharmony_ci v[15] = S->f[1] ^ blake2s_IV[7]; 198e1051a39Sopenharmony_ci#define G(r,i,a,b,c,d) \ 199e1051a39Sopenharmony_ci do { \ 200e1051a39Sopenharmony_ci a = a + b + m[blake2s_sigma[r][2*i+0]]; \ 201e1051a39Sopenharmony_ci d = rotr32(d ^ a, 16); \ 202e1051a39Sopenharmony_ci c = c + d; \ 203e1051a39Sopenharmony_ci b = rotr32(b ^ c, 12); \ 204e1051a39Sopenharmony_ci a = a + b + m[blake2s_sigma[r][2*i+1]]; \ 205e1051a39Sopenharmony_ci d = rotr32(d ^ a, 8); \ 206e1051a39Sopenharmony_ci c = c + d; \ 207e1051a39Sopenharmony_ci b = rotr32(b ^ c, 7); \ 208e1051a39Sopenharmony_ci } while (0) 209e1051a39Sopenharmony_ci#define ROUND(r) \ 210e1051a39Sopenharmony_ci do { \ 211e1051a39Sopenharmony_ci G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \ 212e1051a39Sopenharmony_ci G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \ 213e1051a39Sopenharmony_ci G(r,2,v[ 2],v[ 6],v[10],v[14]); \ 214e1051a39Sopenharmony_ci G(r,3,v[ 3],v[ 7],v[11],v[15]); \ 215e1051a39Sopenharmony_ci G(r,4,v[ 0],v[ 5],v[10],v[15]); \ 216e1051a39Sopenharmony_ci G(r,5,v[ 1],v[ 6],v[11],v[12]); \ 217e1051a39Sopenharmony_ci G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \ 218e1051a39Sopenharmony_ci G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \ 219e1051a39Sopenharmony_ci } while (0) 220e1051a39Sopenharmony_ci#if defined(OPENSSL_SMALL_FOOTPRINT) 221e1051a39Sopenharmony_ci /* almost 3x reduction on x86_64, 4.5x on ARMv8, 4x on ARMv4 */ 222e1051a39Sopenharmony_ci for (i = 0; i < 10; i++) { 223e1051a39Sopenharmony_ci ROUND(i); 224e1051a39Sopenharmony_ci } 225e1051a39Sopenharmony_ci#else 226e1051a39Sopenharmony_ci ROUND(0); 227e1051a39Sopenharmony_ci ROUND(1); 228e1051a39Sopenharmony_ci ROUND(2); 229e1051a39Sopenharmony_ci ROUND(3); 230e1051a39Sopenharmony_ci ROUND(4); 231e1051a39Sopenharmony_ci ROUND(5); 232e1051a39Sopenharmony_ci ROUND(6); 233e1051a39Sopenharmony_ci ROUND(7); 234e1051a39Sopenharmony_ci ROUND(8); 235e1051a39Sopenharmony_ci ROUND(9); 236e1051a39Sopenharmony_ci#endif 237e1051a39Sopenharmony_ci 238e1051a39Sopenharmony_ci for (i = 0; i < 8; ++i) { 239e1051a39Sopenharmony_ci S->h[i] = v[i] ^= v[i + 8] ^ S->h[i]; 240e1051a39Sopenharmony_ci } 241e1051a39Sopenharmony_ci#undef G 242e1051a39Sopenharmony_ci#undef ROUND 243e1051a39Sopenharmony_ci blocks += increment; 244e1051a39Sopenharmony_ci len -= increment; 245e1051a39Sopenharmony_ci } while (len); 246e1051a39Sopenharmony_ci} 247e1051a39Sopenharmony_ci 248e1051a39Sopenharmony_ci/* Absorb the input data into the hash state. Always returns 1. */ 249e1051a39Sopenharmony_ciint ossl_blake2s_update(BLAKE2S_CTX *c, const void *data, size_t datalen) 250e1051a39Sopenharmony_ci{ 251e1051a39Sopenharmony_ci const uint8_t *in = data; 252e1051a39Sopenharmony_ci size_t fill; 253e1051a39Sopenharmony_ci 254e1051a39Sopenharmony_ci /* 255e1051a39Sopenharmony_ci * Intuitively one would expect intermediate buffer, c->buf, to 256e1051a39Sopenharmony_ci * store incomplete blocks. But in this case we are interested to 257e1051a39Sopenharmony_ci * temporarily stash even complete blocks, because last one in the 258e1051a39Sopenharmony_ci * stream has to be treated in special way, and at this point we 259e1051a39Sopenharmony_ci * don't know if last block in *this* call is last one "ever". This 260e1051a39Sopenharmony_ci * is the reason for why |datalen| is compared as >, and not >=. 261e1051a39Sopenharmony_ci */ 262e1051a39Sopenharmony_ci fill = sizeof(c->buf) - c->buflen; 263e1051a39Sopenharmony_ci if (datalen > fill) { 264e1051a39Sopenharmony_ci if (c->buflen) { 265e1051a39Sopenharmony_ci memcpy(c->buf + c->buflen, in, fill); /* Fill buffer */ 266e1051a39Sopenharmony_ci blake2s_compress(c, c->buf, BLAKE2S_BLOCKBYTES); 267e1051a39Sopenharmony_ci c->buflen = 0; 268e1051a39Sopenharmony_ci in += fill; 269e1051a39Sopenharmony_ci datalen -= fill; 270e1051a39Sopenharmony_ci } 271e1051a39Sopenharmony_ci if (datalen > BLAKE2S_BLOCKBYTES) { 272e1051a39Sopenharmony_ci size_t stashlen = datalen % BLAKE2S_BLOCKBYTES; 273e1051a39Sopenharmony_ci /* 274e1051a39Sopenharmony_ci * If |datalen| is a multiple of the blocksize, stash 275e1051a39Sopenharmony_ci * last complete block, it can be final one... 276e1051a39Sopenharmony_ci */ 277e1051a39Sopenharmony_ci stashlen = stashlen ? stashlen : BLAKE2S_BLOCKBYTES; 278e1051a39Sopenharmony_ci datalen -= stashlen; 279e1051a39Sopenharmony_ci blake2s_compress(c, in, datalen); 280e1051a39Sopenharmony_ci in += datalen; 281e1051a39Sopenharmony_ci datalen = stashlen; 282e1051a39Sopenharmony_ci } 283e1051a39Sopenharmony_ci } 284e1051a39Sopenharmony_ci 285e1051a39Sopenharmony_ci assert(datalen <= BLAKE2S_BLOCKBYTES); 286e1051a39Sopenharmony_ci 287e1051a39Sopenharmony_ci memcpy(c->buf + c->buflen, in, datalen); 288e1051a39Sopenharmony_ci c->buflen += datalen; /* Be lazy, do not compress */ 289e1051a39Sopenharmony_ci 290e1051a39Sopenharmony_ci return 1; 291e1051a39Sopenharmony_ci} 292e1051a39Sopenharmony_ci 293e1051a39Sopenharmony_ci/* 294e1051a39Sopenharmony_ci * Calculate the final hash and save it in md. 295e1051a39Sopenharmony_ci * Always returns 1. 296e1051a39Sopenharmony_ci */ 297e1051a39Sopenharmony_ciint ossl_blake2s_final(unsigned char *md, BLAKE2S_CTX *c) 298e1051a39Sopenharmony_ci{ 299e1051a39Sopenharmony_ci uint8_t outbuffer[BLAKE2S_OUTBYTES] = {0}; 300e1051a39Sopenharmony_ci uint8_t *target = outbuffer; 301e1051a39Sopenharmony_ci int iter = (c->outlen + 3) / 4; 302e1051a39Sopenharmony_ci int i; 303e1051a39Sopenharmony_ci 304e1051a39Sopenharmony_ci /* Avoid writing to the temporary buffer if possible */ 305e1051a39Sopenharmony_ci if ((c->outlen % sizeof(c->h[0])) == 0) 306e1051a39Sopenharmony_ci target = md; 307e1051a39Sopenharmony_ci 308e1051a39Sopenharmony_ci blake2s_set_lastblock(c); 309e1051a39Sopenharmony_ci /* Padding */ 310e1051a39Sopenharmony_ci memset(c->buf + c->buflen, 0, sizeof(c->buf) - c->buflen); 311e1051a39Sopenharmony_ci blake2s_compress(c, c->buf, c->buflen); 312e1051a39Sopenharmony_ci 313e1051a39Sopenharmony_ci /* Output full hash to buffer */ 314e1051a39Sopenharmony_ci for (i = 0; i < iter; ++i) 315e1051a39Sopenharmony_ci store32(target + sizeof(c->h[i]) * i, c->h[i]); 316e1051a39Sopenharmony_ci 317e1051a39Sopenharmony_ci if (target != md) 318e1051a39Sopenharmony_ci memcpy(md, target, c->outlen); 319e1051a39Sopenharmony_ci 320e1051a39Sopenharmony_ci OPENSSL_cleanse(c, sizeof(BLAKE2S_CTX)); 321e1051a39Sopenharmony_ci return 1; 322e1051a39Sopenharmony_ci} 323