ยปCore Development>Code coverage>Modules/_blake2/impl/blake2s-ref.c

Python code coverage for Modules/_blake2/impl/blake2s-ref.c

#countcontent
1n/a/*
2n/a BLAKE2 reference source code package - reference C implementations
3n/a
4n/a Copyright 2012, Samuel Neves <sneves@dei.uc.pt>. You may use this under the
5n/a terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at
6n/a your option. The terms of these licenses can be found at:
7n/a
8n/a - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
9n/a - OpenSSL license : https://www.openssl.org/source/license.html
10n/a - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0
11n/a
12n/a More information about the BLAKE2 hash function can be found at
13n/a https://blake2.net.
14n/a*/
15n/a
16n/a#include <stdint.h>
17n/a#include <string.h>
18n/a#include <stdio.h>
19n/a
20n/a#include "blake2.h"
21n/a#include "blake2-impl.h"
22n/a
23n/astatic const uint32_t blake2s_IV[8] =
24n/a{
25n/a 0x6A09E667UL, 0xBB67AE85UL, 0x3C6EF372UL, 0xA54FF53AUL,
26n/a 0x510E527FUL, 0x9B05688CUL, 0x1F83D9ABUL, 0x5BE0CD19UL
27n/a};
28n/a
29n/astatic const uint8_t blake2s_sigma[10][16] =
30n/a{
31n/a { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } ,
32n/a { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } ,
33n/a { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 } ,
34n/a { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 } ,
35n/a { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 } ,
36n/a { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 } ,
37n/a { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 } ,
38n/a { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 } ,
39n/a { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 } ,
40n/a { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 } ,
41n/a};
42n/a
43n/aBLAKE2_LOCAL_INLINE(int) blake2s_set_lastnode( blake2s_state *S )
44n/a{
45n/a S->f[1] = -1;
46n/a return 0;
47n/a}
48n/a
49n/aBLAKE2_LOCAL_INLINE(int) blake2s_clear_lastnode( blake2s_state *S )
50n/a{
51n/a S->f[1] = 0;
52n/a return 0;
53n/a}
54n/a
55n/a/* Some helper functions, not necessarily useful */
56n/aBLAKE2_LOCAL_INLINE(int) blake2s_is_lastblock( const blake2s_state *S )
57n/a{
58n/a return S->f[0] != 0;
59n/a}
60n/a
61n/aBLAKE2_LOCAL_INLINE(int) blake2s_set_lastblock( blake2s_state *S )
62n/a{
63n/a if( S->last_node ) blake2s_set_lastnode( S );
64n/a
65n/a S->f[0] = -1;
66n/a return 0;
67n/a}
68n/a
69n/aBLAKE2_LOCAL_INLINE(int) blake2s_clear_lastblock( blake2s_state *S )
70n/a{
71n/a if( S->last_node ) blake2s_clear_lastnode( S );
72n/a
73n/a S->f[0] = 0;
74n/a return 0;
75n/a}
76n/a
77n/aBLAKE2_LOCAL_INLINE(int) blake2s_increment_counter( blake2s_state *S, const uint32_t inc )
78n/a{
79n/a S->t[0] += inc;
80n/a S->t[1] += ( S->t[0] < inc );
81n/a return 0;
82n/a}
83n/a
84n/a/* Parameter-related functions */
85n/aBLAKE2_LOCAL_INLINE(int) blake2s_param_set_digest_length( blake2s_param *P, const uint8_t digest_length )
86n/a{
87n/a P->digest_length = digest_length;
88n/a return 0;
89n/a}
90n/a
91n/aBLAKE2_LOCAL_INLINE(int) blake2s_param_set_fanout( blake2s_param *P, const uint8_t fanout )
92n/a{
93n/a P->fanout = fanout;
94n/a return 0;
95n/a}
96n/a
97n/aBLAKE2_LOCAL_INLINE(int) blake2s_param_set_max_depth( blake2s_param *P, const uint8_t depth )
98n/a{
99n/a P->depth = depth;
100n/a return 0;
101n/a}
102n/a
103n/aBLAKE2_LOCAL_INLINE(int) blake2s_param_set_leaf_length( blake2s_param *P, const uint32_t leaf_length )
104n/a{
105n/a store32( &P->leaf_length, leaf_length );
106n/a return 0;
107n/a}
108n/a
109n/aBLAKE2_LOCAL_INLINE(int) blake2s_param_set_node_offset( blake2s_param *P, const uint64_t node_offset )
110n/a{
111n/a store48( P->node_offset, node_offset );
112n/a return 0;
113n/a}
114n/a
115n/aBLAKE2_LOCAL_INLINE(int) blake2s_param_set_node_depth( blake2s_param *P, const uint8_t node_depth )
116n/a{
117n/a P->node_depth = node_depth;
118n/a return 0;
119n/a}
120n/a
121n/aBLAKE2_LOCAL_INLINE(int) blake2s_param_set_inner_length( blake2s_param *P, const uint8_t inner_length )
122n/a{
123n/a P->inner_length = inner_length;
124n/a return 0;
125n/a}
126n/a
127n/aBLAKE2_LOCAL_INLINE(int) blake2s_param_set_salt( blake2s_param *P, const uint8_t salt[BLAKE2S_SALTBYTES] )
128n/a{
129n/a memcpy( P->salt, salt, BLAKE2S_SALTBYTES );
130n/a return 0;
131n/a}
132n/a
133n/aBLAKE2_LOCAL_INLINE(int) blake2s_param_set_personal( blake2s_param *P, const uint8_t personal[BLAKE2S_PERSONALBYTES] )
134n/a{
135n/a memcpy( P->personal, personal, BLAKE2S_PERSONALBYTES );
136n/a return 0;
137n/a}
138n/a
139n/aBLAKE2_LOCAL_INLINE(int) blake2s_init0( blake2s_state *S )
140n/a{
141n/a int i;
142n/a memset( S, 0, sizeof( blake2s_state ) );
143n/a
144n/a for( i = 0; i < 8; ++i ) S->h[i] = blake2s_IV[i];
145n/a
146n/a return 0;
147n/a}
148n/a
149n/a/* init2 xors IV with input parameter block */
150n/aint blake2s_init_param( blake2s_state *S, const blake2s_param *P )
151n/a{
152n/a const uint32_t *p = ( const uint32_t * )( P );
153n/a size_t i;
154n/a
155n/a blake2s_init0( S );
156n/a
157n/a /* IV XOR ParamBlock */
158n/a for( i = 0; i < 8; ++i )
159n/a S->h[i] ^= load32( &p[i] );
160n/a
161n/a return 0;
162n/a}
163n/a
164n/a
165n/a/* Sequential blake2s initialization */
166n/aint blake2s_init( blake2s_state *S, const uint8_t outlen )
167n/a{
168n/a blake2s_param P[1];
169n/a
170n/a /* Move interval verification here? */
171n/a if ( ( !outlen ) || ( outlen > BLAKE2S_OUTBYTES ) ) return -1;
172n/a
173n/a P->digest_length = outlen;
174n/a P->key_length = 0;
175n/a P->fanout = 1;
176n/a P->depth = 1;
177n/a store32( &P->leaf_length, 0 );
178n/a store48( &P->node_offset, 0 );
179n/a P->node_depth = 0;
180n/a P->inner_length = 0;
181n/a /* memset(P->reserved, 0, sizeof(P->reserved) ); */
182n/a memset( P->salt, 0, sizeof( P->salt ) );
183n/a memset( P->personal, 0, sizeof( P->personal ) );
184n/a return blake2s_init_param( S, P );
185n/a}
186n/a
187n/aint blake2s_init_key( blake2s_state *S, const uint8_t outlen, const void *key, const uint8_t keylen )
188n/a{
189n/a blake2s_param P[1];
190n/a
191n/a if ( ( !outlen ) || ( outlen > BLAKE2S_OUTBYTES ) ) return -1;
192n/a
193n/a if ( !key || !keylen || keylen > BLAKE2S_KEYBYTES ) return -1;
194n/a
195n/a P->digest_length = outlen;
196n/a P->key_length = keylen;
197n/a P->fanout = 1;
198n/a P->depth = 1;
199n/a store32( &P->leaf_length, 0 );
200n/a store48( &P->node_offset, 0 );
201n/a P->node_depth = 0;
202n/a P->inner_length = 0;
203n/a /* memset(P->reserved, 0, sizeof(P->reserved) ); */
204n/a memset( P->salt, 0, sizeof( P->salt ) );
205n/a memset( P->personal, 0, sizeof( P->personal ) );
206n/a
207n/a if( blake2s_init_param( S, P ) < 0 ) return -1;
208n/a
209n/a {
210n/a uint8_t block[BLAKE2S_BLOCKBYTES];
211n/a memset( block, 0, BLAKE2S_BLOCKBYTES );
212n/a memcpy( block, key, keylen );
213n/a blake2s_update( S, block, BLAKE2S_BLOCKBYTES );
214n/a secure_zero_memory( block, BLAKE2S_BLOCKBYTES ); /* Burn the key from stack */
215n/a }
216n/a return 0;
217n/a}
218n/a
219n/astatic int blake2s_compress( blake2s_state *S, const uint8_t block[BLAKE2S_BLOCKBYTES] )
220n/a{
221n/a uint32_t m[16];
222n/a uint32_t v[16];
223n/a size_t i;
224n/a
225n/a for( i = 0; i < 16; ++i )
226n/a m[i] = load32( block + i * sizeof( m[i] ) );
227n/a
228n/a for( i = 0; i < 8; ++i )
229n/a v[i] = S->h[i];
230n/a
231n/a v[ 8] = blake2s_IV[0];
232n/a v[ 9] = blake2s_IV[1];
233n/a v[10] = blake2s_IV[2];
234n/a v[11] = blake2s_IV[3];
235n/a v[12] = S->t[0] ^ blake2s_IV[4];
236n/a v[13] = S->t[1] ^ blake2s_IV[5];
237n/a v[14] = S->f[0] ^ blake2s_IV[6];
238n/a v[15] = S->f[1] ^ blake2s_IV[7];
239n/a#define G(r,i,a,b,c,d) \
240n/a do { \
241n/a a = a + b + m[blake2s_sigma[r][2*i+0]]; \
242n/a d = rotr32(d ^ a, 16); \
243n/a c = c + d; \
244n/a b = rotr32(b ^ c, 12); \
245n/a a = a + b + m[blake2s_sigma[r][2*i+1]]; \
246n/a d = rotr32(d ^ a, 8); \
247n/a c = c + d; \
248n/a b = rotr32(b ^ c, 7); \
249n/a } while(0)
250n/a#define ROUND(r) \
251n/a do { \
252n/a G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \
253n/a G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \
254n/a G(r,2,v[ 2],v[ 6],v[10],v[14]); \
255n/a G(r,3,v[ 3],v[ 7],v[11],v[15]); \
256n/a G(r,4,v[ 0],v[ 5],v[10],v[15]); \
257n/a G(r,5,v[ 1],v[ 6],v[11],v[12]); \
258n/a G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \
259n/a G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \
260n/a } while(0)
261n/a ROUND( 0 );
262n/a ROUND( 1 );
263n/a ROUND( 2 );
264n/a ROUND( 3 );
265n/a ROUND( 4 );
266n/a ROUND( 5 );
267n/a ROUND( 6 );
268n/a ROUND( 7 );
269n/a ROUND( 8 );
270n/a ROUND( 9 );
271n/a
272n/a for( i = 0; i < 8; ++i )
273n/a S->h[i] = S->h[i] ^ v[i] ^ v[i + 8];
274n/a
275n/a#undef G
276n/a#undef ROUND
277n/a return 0;
278n/a}
279n/a
280n/a
281n/aint blake2s_update( blake2s_state *S, const uint8_t *in, uint64_t inlen )
282n/a{
283n/a while( inlen > 0 )
284n/a {
285n/a size_t left = S->buflen;
286n/a size_t fill = 2 * BLAKE2S_BLOCKBYTES - left;
287n/a
288n/a if( inlen > fill )
289n/a {
290n/a memcpy( S->buf + left, in, fill ); /* Fill buffer */
291n/a S->buflen += fill;
292n/a blake2s_increment_counter( S, BLAKE2S_BLOCKBYTES );
293n/a blake2s_compress( S, S->buf ); /* Compress */
294n/a memcpy( S->buf, S->buf + BLAKE2S_BLOCKBYTES, BLAKE2S_BLOCKBYTES ); /* Shift buffer left */
295n/a S->buflen -= BLAKE2S_BLOCKBYTES;
296n/a in += fill;
297n/a inlen -= fill;
298n/a }
299n/a else /* inlen <= fill */
300n/a {
301n/a memcpy( S->buf + left, in, (size_t)inlen );
302n/a S->buflen += (size_t)inlen; /* Be lazy, do not compress */
303n/a in += inlen;
304n/a inlen -= inlen;
305n/a }
306n/a }
307n/a
308n/a return 0;
309n/a}
310n/a
311n/aint blake2s_final( blake2s_state *S, uint8_t *out, uint8_t outlen )
312n/a{
313n/a uint8_t buffer[BLAKE2S_OUTBYTES] = {0};
314n/a int i;
315n/a
316n/a if( out == NULL || outlen == 0 || outlen > BLAKE2S_OUTBYTES )
317n/a return -1;
318n/a
319n/a if( blake2s_is_lastblock( S ) )
320n/a return -1;
321n/a
322n/a
323n/a if( S->buflen > BLAKE2S_BLOCKBYTES )
324n/a {
325n/a blake2s_increment_counter( S, BLAKE2S_BLOCKBYTES );
326n/a blake2s_compress( S, S->buf );
327n/a S->buflen -= BLAKE2S_BLOCKBYTES;
328n/a memmove( S->buf, S->buf + BLAKE2S_BLOCKBYTES, S->buflen );
329n/a }
330n/a
331n/a blake2s_increment_counter( S, ( uint32_t )S->buflen );
332n/a blake2s_set_lastblock( S );
333n/a memset( S->buf + S->buflen, 0, 2 * BLAKE2S_BLOCKBYTES - S->buflen ); /* Padding */
334n/a blake2s_compress( S, S->buf );
335n/a
336n/a for( i = 0; i < 8; ++i ) /* Output full hash to temp buffer */
337n/a store32( buffer + sizeof( S->h[i] ) * i, S->h[i] );
338n/a
339n/a memcpy( out, buffer, outlen );
340n/a return 0;
341n/a}
342n/a
343n/aint blake2s( uint8_t *out, const void *in, const void *key, const uint8_t outlen, const uint64_t inlen, uint8_t keylen )
344n/a{
345n/a blake2s_state S[1];
346n/a
347n/a /* Verify parameters */
348n/a if ( NULL == in && inlen > 0 ) return -1;
349n/a
350n/a if ( NULL == out ) return -1;
351n/a
352n/a if ( NULL == key && keylen > 0) return -1;
353n/a
354n/a if( !outlen || outlen > BLAKE2S_OUTBYTES ) return -1;
355n/a
356n/a if( keylen > BLAKE2S_KEYBYTES ) return -1;
357n/a
358n/a if( keylen > 0 )
359n/a {
360n/a if( blake2s_init_key( S, outlen, key, keylen ) < 0 ) return -1;
361n/a }
362n/a else
363n/a {
364n/a if( blake2s_init( S, outlen ) < 0 ) return -1;
365n/a }
366n/a
367n/a blake2s_update( S, ( const uint8_t * )in, inlen );
368n/a blake2s_final( S, out, outlen );
369n/a return 0;
370n/a}
371n/a
372n/a#if defined(SUPERCOP)
373n/aint crypto_hash( unsigned char *out, unsigned char *in, unsigned long long inlen )
374n/a{
375n/a return blake2s( out, in, NULL, BLAKE2S_OUTBYTES, inlen, 0 );
376n/a}
377n/a#endif
378n/a
379n/a#if defined(BLAKE2S_SELFTEST)
380n/a#include <string.h>
381n/a#include "blake2-kat.h"
382n/aint main( int argc, char **argv )
383n/a{
384n/a uint8_t key[BLAKE2S_KEYBYTES];
385n/a uint8_t buf[KAT_LENGTH];
386n/a size_t i;
387n/a
388n/a for( i = 0; i < BLAKE2S_KEYBYTES; ++i )
389n/a key[i] = ( uint8_t )i;
390n/a
391n/a for( i = 0; i < KAT_LENGTH; ++i )
392n/a buf[i] = ( uint8_t )i;
393n/a
394n/a for( i = 0; i < KAT_LENGTH; ++i )
395n/a {
396n/a uint8_t hash[BLAKE2S_OUTBYTES];
397n/a blake2s( hash, buf, key, BLAKE2S_OUTBYTES, i, BLAKE2S_KEYBYTES );
398n/a
399n/a if( 0 != memcmp( hash, blake2s_keyed_kat[i], BLAKE2S_OUTBYTES ) )
400n/a {
401n/a puts( "error" );
402n/a return -1;
403n/a }
404n/a }
405n/a
406n/a puts( "ok" );
407n/a return 0;
408n/a}
409n/a#endif
410n/a
411n/a