Coverage Report

Created: 2022-08-24 06:37

/src/wolfssl-normal-math/wolfcrypt/src/blake2b.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
   BLAKE2 reference source code package - reference C implementations
3
4
   Written in 2012 by Samuel Neves <sneves@dei.uc.pt>
5
6
   To the extent possible under law, the author(s) have dedicated all copyright
7
   and related and neighboring rights to this software to the public domain
8
   worldwide. This software is distributed without any warranty.
9
10
   You should have received a copy of the CC0 Public Domain Dedication along with
11
   this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
12
*/
13
/* blake2b.c
14
 *
15
 * Copyright (C) 2006-2022 wolfSSL Inc.
16
 *
17
 * This file is part of wolfSSL.
18
 *
19
 * wolfSSL is free software; you can redistribute it and/or modify
20
 * it under the terms of the GNU General Public License as published by
21
 * the Free Software Foundation; either version 2 of the License, or
22
 * (at your option) any later version.
23
 *
24
 * wolfSSL is distributed in the hope that it will be useful,
25
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
26
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
27
 * GNU General Public License for more details.
28
 *
29
 * You should have received a copy of the GNU General Public License
30
 * along with this program; if not, write to the Free Software
31
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
32
 */
33
34
35
36
#ifdef HAVE_CONFIG_H
37
    #include <config.h>
38
#endif
39
40
#include <wolfssl/wolfcrypt/settings.h>
41
42
#ifdef HAVE_BLAKE2
43
44
#include <wolfssl/wolfcrypt/blake2.h>
45
#include <wolfssl/wolfcrypt/blake2-impl.h>
46
#include <wolfssl/wolfcrypt/error-crypt.h>
47
48
49
static const word64 blake2b_IV[8] =
50
{
51
  0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL,
52
  0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL,
53
  0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL,
54
  0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL
55
};
56
57
static const byte blake2b_sigma[12][16] =
58
{
59
  {  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15 } ,
60
  { 14, 10,  4,  8,  9, 15, 13,  6,  1, 12,  0,  2, 11,  7,  5,  3 } ,
61
  { 11,  8, 12,  0,  5,  2, 15, 13, 10, 14,  3,  6,  7,  1,  9,  4 } ,
62
  {  7,  9,  3,  1, 13, 12, 11, 14,  2,  6,  5, 10,  4,  0, 15,  8 } ,
63
  {  9,  0,  5,  7,  2,  4, 10, 15, 14,  1, 11, 12,  6,  8,  3, 13 } ,
64
  {  2, 12,  6, 10,  0, 11,  8,  3,  4, 13,  7,  5, 15, 14,  1,  9 } ,
65
  { 12,  5,  1, 15, 14, 13,  4, 10,  0,  7,  6,  3,  9,  2,  8, 11 } ,
66
  { 13, 11,  7, 14, 12,  1,  3,  9,  5,  0, 15,  4,  8,  6,  2, 10 } ,
67
  {  6, 15, 14,  9, 11,  3,  0,  8, 12,  2, 13,  7,  1,  4, 10,  5 } ,
68
  { 10,  2,  8,  4,  7,  6,  1,  5, 15, 11,  9, 14,  3, 12, 13 , 0 } ,
69
  {  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15 } ,
70
  { 14, 10,  4,  8,  9, 15, 13,  6,  1, 12,  0,  2, 11,  7,  5,  3 }
71
};
72
73
74
static WC_INLINE int blake2b_set_lastnode( blake2b_state *S )
75
0
{
76
0
  S->f[1] = ~0ULL;
77
0
  return 0;
78
0
}
79
80
/* Some helper functions, not necessarily useful */
81
static WC_INLINE int blake2b_set_lastblock( blake2b_state *S )
82
0
{
83
0
  if( S->last_node ) blake2b_set_lastnode( S );
84
85
0
  S->f[0] = ~0ULL;
86
0
  return 0;
87
0
}
88
89
static WC_INLINE int blake2b_increment_counter( blake2b_state *S, const word64
90
                                             inc )
91
0
{
92
0
  S->t[0] += inc;
93
0
  S->t[1] += ( S->t[0] < inc );
94
0
  return 0;
95
0
}
96
97
static WC_INLINE int blake2b_init0( blake2b_state *S )
98
0
{
99
0
  int i;
100
0
  XMEMSET( S, 0, sizeof( blake2b_state ) );
101
102
0
  for( i = 0; i < 8; ++i ) S->h[i] = blake2b_IV[i];
103
104
0
  return 0;
105
0
}
106
107
/* init xors IV with input parameter block */
108
int blake2b_init_param( blake2b_state *S, const blake2b_param *P )
109
0
{
110
0
  word32 i;
111
0
  byte *p ;
112
0
  blake2b_init0( S );
113
0
  p =  ( byte * )( P );
114
115
  /* IV XOR ParamBlock */
116
0
  for( i = 0; i < 8; ++i )
117
0
    S->h[i] ^= load64( p + sizeof( S->h[i] ) * i );
118
119
0
  return 0;
120
0
}
121
122
123
int blake2b_init( blake2b_state *S, const byte outlen )
124
0
{
125
#ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD
126
  blake2b_param P[1];
127
#else
128
0
  volatile blake2b_param P[1];
129
0
#endif
130
131
0
  if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return BAD_FUNC_ARG;
132
133
#ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD
134
  P->digest_length = outlen;
135
  P->key_length    = 0;
136
  P->fanout        = 1;
137
  P->depth         = 1;
138
  store32( &P->leaf_length, 0 );
139
  store64( &P->node_offset, 0 );
140
  P->node_depth    = 0;
141
  P->inner_length  = 0;
142
  XMEMSET( P->reserved, 0, sizeof( P->reserved ) );
143
  XMEMSET( P->salt,     0, sizeof( P->salt ) );
144
  XMEMSET( P->personal, 0, sizeof( P->personal ) );
145
#else
146
0
  XMEMSET( (blake2b_param *)P, 0, sizeof( *P ) );
147
0
  P->digest_length = outlen;
148
0
  P->fanout        = 1;
149
0
  P->depth         = 1;
150
0
#endif
151
0
  return blake2b_init_param( S, (blake2b_param *)P );
152
0
}
153
154
155
int blake2b_init_key( blake2b_state *S, const byte outlen, const void *key,
156
                      const byte keylen )
157
0
{
158
0
  int ret = 0;
159
#ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD
160
  blake2b_param P[1];
161
#else
162
0
  volatile blake2b_param P[1];
163
0
#endif
164
165
0
  if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return BAD_FUNC_ARG;
166
167
0
  if ( !key || !keylen || keylen > BLAKE2B_KEYBYTES ) return BAD_FUNC_ARG;
168
169
#ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD
170
  P->digest_length = outlen;
171
  P->key_length    = keylen;
172
  P->fanout        = 1;
173
  P->depth         = 1;
174
  store32( &P->leaf_length, 0 );
175
  store64( &P->node_offset, 0 );
176
  P->node_depth    = 0;
177
  P->inner_length  = 0;
178
  XMEMSET( P->reserved, 0, sizeof( P->reserved ) );
179
  XMEMSET( P->salt,     0, sizeof( P->salt ) );
180
  XMEMSET( P->personal, 0, sizeof( P->personal ) );
181
#else
182
0
  XMEMSET( (blake2b_param *)P, 0, sizeof( *P ) );
183
0
  P->digest_length = outlen;
184
0
  P->key_length    = keylen;
185
0
  P->fanout        = 1;
186
0
  P->depth         = 1;
187
0
#endif
188
189
0
  ret = blake2b_init_param( S, (blake2b_param *)P );
190
0
  if ( ret < 0 ) return ret;
191
192
0
  {
193
0
#ifdef WOLFSSL_SMALL_STACK
194
0
    byte* block;
195
196
0
    block = (byte*)XMALLOC(BLAKE2B_BLOCKBYTES, NULL, DYNAMIC_TYPE_TMP_BUFFER);
197
198
0
    if ( block == NULL ) return MEMORY_E;
199
#else
200
    byte block[BLAKE2B_BLOCKBYTES];
201
#endif
202
203
0
    XMEMSET( block, 0, BLAKE2B_BLOCKBYTES );
204
0
    XMEMCPY( block, key, keylen );
205
0
    ret = blake2b_update( S, block, BLAKE2B_BLOCKBYTES );
206
0
    secure_zero_memory( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from */
207
                                                     /* memory */
208
209
0
#ifdef WOLFSSL_SMALL_STACK
210
0
    XFREE(block, NULL, DYNAMIC_TYPE_TMP_BUFFER);
211
0
#endif
212
0
  }
213
0
  return ret;
214
0
}
215
216
static WC_INLINE int blake2b_compress(
217
    blake2b_state *S,
218
    const byte block[BLAKE2B_BLOCKBYTES],
219
    word64* m,
220
    word64* v)
221
0
{
222
0
  int i;
223
224
0
  for( i = 0; i < 16; ++i )
225
0
    m[i] = load64( block + i * sizeof( m[i] ) );
226
227
0
  for( i = 0; i < 8; ++i )
228
0
    v[i] = S->h[i];
229
230
0
  v[ 8] = blake2b_IV[0];
231
0
  v[ 9] = blake2b_IV[1];
232
0
  v[10] = blake2b_IV[2];
233
0
  v[11] = blake2b_IV[3];
234
0
  v[12] = S->t[0] ^ blake2b_IV[4];
235
0
  v[13] = S->t[1] ^ blake2b_IV[5];
236
0
  v[14] = S->f[0] ^ blake2b_IV[6];
237
0
  v[15] = S->f[1] ^ blake2b_IV[7];
238
0
#define G(r,i,a,b,c,d) \
239
0
  do { \
240
0
      (a) = (a) + (b) + m[blake2b_sigma[r][2*(i)+0]];   \
241
0
      (d) = rotr64((d) ^ (a), 32);                      \
242
0
      (c) = (c) + (d);                                  \
243
0
      (b) = rotr64((b) ^ (c), 24);                      \
244
0
      (a) = (a) + (b) + m[blake2b_sigma[r][2*(i)+1]];   \
245
0
      (d) = rotr64((d) ^ (a), 16);                      \
246
0
      (c) = (c) + (d);                                  \
247
0
      (b) = rotr64((b) ^ (c), 63);                      \
248
0
  } while(0)
249
0
#define ROUND(r)  \
250
0
  do { \
251
0
    G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \
252
0
    G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \
253
0
    G(r,2,v[ 2],v[ 6],v[10],v[14]); \
254
0
    G(r,3,v[ 3],v[ 7],v[11],v[15]); \
255
0
    G(r,4,v[ 0],v[ 5],v[10],v[15]); \
256
0
    G(r,5,v[ 1],v[ 6],v[11],v[12]); \
257
0
    G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \
258
0
    G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \
259
0
  } while(0)
260
0
  ROUND( 0 );
261
0
  ROUND( 1 );
262
0
  ROUND( 2 );
263
0
  ROUND( 3 );
264
0
  ROUND( 4 );
265
0
  ROUND( 5 );
266
0
  ROUND( 6 );
267
0
  ROUND( 7 );
268
0
  ROUND( 8 );
269
0
  ROUND( 9 );
270
0
  ROUND( 10 );
271
0
  ROUND( 11 );
272
273
0
  for( i = 0; i < 8; ++i )
274
0
    S->h[i] = S->h[i] ^ v[i] ^ v[i + 8];
275
276
0
#undef G
277
0
#undef ROUND
278
279
0
  return 0;
280
0
}
281
282
/* inlen now in bytes */
283
int blake2b_update( blake2b_state *S, const byte *in, word64 inlen )
284
0
{
285
0
  int ret = 0;
286
0
#ifdef WOLFSSL_SMALL_STACK
287
0
  word64* m;
288
0
  word64* v;
289
290
0
  m = (word64*)XMALLOC(sizeof(word64) * 32, NULL, DYNAMIC_TYPE_TMP_BUFFER);
291
292
0
  if ( m == NULL ) return MEMORY_E;
293
294
0
  v = &m[16];
295
#else
296
  word64 m[16];
297
  word64 v[16];
298
#endif
299
300
0
  while( inlen > 0 )
301
0
  {
302
0
    word64 left = S->buflen;
303
0
    word64 fill = 2 * BLAKE2B_BLOCKBYTES - left;
304
305
0
    if( inlen > fill )
306
0
    {
307
0
      XMEMCPY( S->buf + left, in, (wolfssl_word)fill ); /* Fill buffer */
308
0
      S->buflen += fill;
309
0
      blake2b_increment_counter( S, BLAKE2B_BLOCKBYTES );
310
311
0
      {
312
0
          ret = blake2b_compress( S, S->buf, m, v );
313
0
          if (ret < 0) break;
314
0
      }
315
316
0
      XMEMCPY( S->buf, S->buf + BLAKE2B_BLOCKBYTES, BLAKE2B_BLOCKBYTES );
317
              /* Shift buffer left */
318
0
      S->buflen -= BLAKE2B_BLOCKBYTES;
319
0
      in += fill;
320
0
      inlen -= fill;
321
0
    }
322
0
    else /* inlen <= fill */
323
0
    {
324
0
      XMEMCPY( S->buf + left, in, (wolfssl_word)inlen );
325
0
      S->buflen += inlen; /* Be lazy, do not compress */
326
0
      inlen = 0;
327
0
    }
328
0
  }
329
330
0
#ifdef WOLFSSL_SMALL_STACK
331
0
  XFREE(m, NULL, DYNAMIC_TYPE_TMP_BUFFER);
332
0
#endif
333
334
0
  return ret;
335
0
}
336
337
/* Is this correct? */
338
int blake2b_final( blake2b_state *S, byte *out, byte outlen )
339
0
{
340
0
  int ret = 0;
341
0
  byte buffer[BLAKE2B_OUTBYTES];
342
0
  int     i;
343
0
#ifdef WOLFSSL_SMALL_STACK
344
0
  word64* m;
345
0
  word64* v;
346
347
0
  m = (word64*)XMALLOC(sizeof(word64) * 32, NULL, DYNAMIC_TYPE_TMP_BUFFER);
348
349
0
  if ( m == NULL ) return MEMORY_E;
350
351
0
  v = &m[16];
352
#else
353
  word64 m[16];
354
  word64 v[16];
355
#endif
356
357
0
  if( S->buflen > BLAKE2B_BLOCKBYTES )
358
0
  {
359
0
    blake2b_increment_counter( S, BLAKE2B_BLOCKBYTES );
360
361
0
    {
362
0
      ret = blake2b_compress( S, S->buf, m, v );
363
0
      if (ret < 0) goto out;
364
0
    }
365
366
0
    S->buflen -= BLAKE2B_BLOCKBYTES;
367
0
    XMEMCPY( S->buf, S->buf + BLAKE2B_BLOCKBYTES, (wolfssl_word)S->buflen );
368
0
  }
369
370
0
  blake2b_increment_counter( S, S->buflen );
371
0
  blake2b_set_lastblock( S );
372
0
  XMEMSET( S->buf + S->buflen, 0, (wolfssl_word)(2 * BLAKE2B_BLOCKBYTES - S->buflen) );
373
         /* Padding */
374
0
  {
375
0
    ret = blake2b_compress( S, S->buf, m, v );
376
0
    if (ret < 0) goto out;
377
0
  }
378
379
0
  for( i = 0; i < 8; ++i ) /* Output full hash to temp buffer */
380
0
    store64( buffer + sizeof( S->h[i] ) * i, S->h[i] );
381
382
0
  XMEMCPY( out, buffer, outlen );
383
384
0
 out:
385
386
0
#ifdef WOLFSSL_SMALL_STACK
387
0
  XFREE(m, NULL, DYNAMIC_TYPE_TMP_BUFFER);
388
0
#endif
389
390
0
  return ret;
391
0
}
392
393
/* inlen, at least, should be word64. Others can be size_t. */
394
int blake2b( byte *out, const void *in, const void *key, const byte outlen,
395
             const word64 inlen, byte keylen )
396
0
{
397
0
  blake2b_state S[1];
398
399
  /* Verify parameters */
400
0
  if ( NULL == in ) return BAD_FUNC_ARG;
401
402
0
  if ( NULL == out ) return BAD_FUNC_ARG;
403
404
0
  if( NULL == key ) keylen = 0;
405
406
0
  if( keylen > 0 )
407
0
  {
408
0
    int ret = blake2b_init_key( S, outlen, key, keylen );
409
0
    if (ret < 0) return ret;
410
0
  }
411
0
  else
412
0
  {
413
0
    int ret = blake2b_init( S, outlen );
414
0
    if (ret < 0) return ret;
415
0
  }
416
417
0
  {
418
0
    int ret = blake2b_update( S, ( byte * )in, inlen );
419
0
    if (ret < 0) return ret;
420
0
  }
421
422
0
  return blake2b_final( S, out, outlen );
423
0
}
424
425
#if defined(BLAKE2B_SELFTEST)
426
#include <string.h>
427
#include "blake2-kat.h"
428
int main( int argc, char **argv )
429
{
430
  byte key[BLAKE2B_KEYBYTES];
431
  byte buf[KAT_LENGTH];
432
433
  for( word32 i = 0; i < BLAKE2B_KEYBYTES; ++i )
434
    key[i] = ( byte )i;
435
436
  for( word32 i = 0; i < KAT_LENGTH; ++i )
437
    buf[i] = ( byte )i;
438
439
  for( word32 i = 0; i < KAT_LENGTH; ++i )
440
  {
441
    byte hash[BLAKE2B_OUTBYTES];
442
    if ( blake2b( hash, buf, key, BLAKE2B_OUTBYTES, i, BLAKE2B_KEYBYTES ) < 0 )
443
    {
444
      puts( "error" );
445
      return -1;
446
    }
447
448
    if( 0 != XMEMCMP( hash, blake2b_keyed_kat[i], BLAKE2B_OUTBYTES ) )
449
    {
450
      puts( "error" );
451
      return -1;
452
    }
453
  }
454
455
  puts( "ok" );
456
  return 0;
457
}
458
#endif
459
460
461
/* wolfCrypt API */
462
463
/* Init Blake2b digest, track size in case final doesn't want to "remember" */
464
int wc_InitBlake2b(Blake2b* b2b, word32 digestSz)
465
0
{
466
0
    if (b2b == NULL){
467
0
        return BAD_FUNC_ARG;
468
0
    }
469
0
    b2b->digestSz = digestSz;
470
471
0
    return blake2b_init(b2b->S, (byte)digestSz);
472
0
}
473
474
/* Init Blake2b digest with key, track size in case final doesn't want to "remember" */
475
int wc_InitBlake2b_WithKey(Blake2b* b2b, word32 digestSz, const byte *key, word32 keylen)
476
0
{
477
0
    if (b2b == NULL){
478
0
        return BAD_FUNC_ARG;
479
0
    }
480
0
    b2b->digestSz = digestSz;
481
482
0
    if (keylen >= 256)
483
0
        return BAD_FUNC_ARG;
484
485
0
    if (key)
486
0
        return blake2b_init_key(b2b->S, (byte)digestSz, key, (byte)keylen);
487
0
    else
488
0
        return blake2b_init(b2b->S, (byte)digestSz);
489
0
}
490
491
/* Blake2b Update */
492
int wc_Blake2bUpdate(Blake2b* b2b, const byte* data, word32 sz)
493
0
{
494
0
    return blake2b_update(b2b->S, data, sz);
495
0
}
496
497
498
/* Blake2b Final, if pass in zero size we use init digestSz */
499
int wc_Blake2bFinal(Blake2b* b2b, byte* final, word32 requestSz)
500
0
{
501
0
    word32 sz = requestSz ? requestSz : b2b->digestSz;
502
503
0
    return blake2b_final(b2b->S, final, (byte)sz);
504
0
}
505
506
507
/* end CTaoCrypt API */
508
509
#endif  /* HAVE_BLAKE2 */
510