/src/wolfssl-heapmath/wolfcrypt/src/blake2b.c

Source (jump to first uncovered line)
/*
   BLAKE2 reference source code package - reference C implementations

   Written in 2012 by Samuel Neves <sneves@dei.uc.pt>

   To the extent possible under law, the author(s) have dedicated all copyright
   and related and neighboring rights to this software to the public domain
   worldwide. This software is distributed without any warranty.

   You should have received a copy of the CC0 Public Domain Dedication along with
   this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
/* blake2b.c
 *
 * Copyright (C) 2006-2025 wolfSSL Inc.
 *
 * This file is part of wolfSSL.
 *
 * wolfSSL is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * wolfSSL is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */

#include <wolfssl/wolfcrypt/libwolfssl_sources.h>

#ifdef HAVE_BLAKE2

#include <wolfssl/wolfcrypt/blake2.h>
#include <wolfssl/wolfcrypt/blake2-impl.h>

static const word64 blake2b_IV[8] =
{
  W64LIT(0x6a09e667f3bcc908), W64LIT(0xbb67ae8584caa73b),
  W64LIT(0x3c6ef372fe94f82b), W64LIT(0xa54ff53a5f1d36f1),
  W64LIT(0x510e527fade682d1), W64LIT(0x9b05688c2b3e6c1f),
  W64LIT(0x1f83d9abfb41bd6b), W64LIT(0x5be0cd19137e2179)
};

static const byte blake2b_sigma[12][16] =
{
  {  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15 } ,
  { 14, 10,  4,  8,  9, 15, 13,  6,  1, 12,  0,  2, 11,  7,  5,  3 } ,
  { 11,  8, 12,  0,  5,  2, 15, 13, 10, 14,  3,  6,  7,  1,  9,  4 } ,
  {  7,  9,  3,  1, 13, 12, 11, 14,  2,  6,  5, 10,  4,  0, 15,  8 } ,
  {  9,  0,  5,  7,  2,  4, 10, 15, 14,  1, 11, 12,  6,  8,  3, 13 } ,
  {  2, 12,  6, 10,  0, 11,  8,  3,  4, 13,  7,  5, 15, 14,  1,  9 } ,
  { 12,  5,  1, 15, 14, 13,  4, 10,  0,  7,  6,  3,  9,  2,  8, 11 } ,
  { 13, 11,  7, 14, 12,  1,  3,  9,  5,  0, 15,  4,  8,  6,  2, 10 } ,
  {  6, 15, 14,  9, 11,  3,  0,  8, 12,  2, 13,  7,  1,  4, 10,  5 } ,
  { 10,  2,  8,  4,  7,  6,  1,  5, 15, 11,  9, 14,  3, 12, 13 , 0 } ,
  {  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15 } ,
  { 14, 10,  4,  8,  9, 15, 13,  6,  1, 12,  0,  2, 11,  7,  5,  3 }
};


static WC_INLINE int blake2b_set_lastnode( blake2b_state *S )
{
  S->f[1] = ~W64LIT(0);
  return 0;
}

/* Some helper functions, not necessarily useful */
static WC_INLINE int blake2b_set_lastblock( blake2b_state *S )
{
  if( S->last_node ) blake2b_set_lastnode( S );

  S->f[0] = ~W64LIT(0);
  return 0;
}

static WC_INLINE int blake2b_increment_counter( blake2b_state *S, const word64
                                             inc )
{
  S->t[0] += inc;
  S->t[1] += ( S->t[0] < inc );
  return 0;
}

static WC_INLINE int blake2b_init0( blake2b_state *S )
{
  int i;
  XMEMSET( S, 0, sizeof( blake2b_state ) );

  for( i = 0; i < 8; ++i ) S->h[i] = blake2b_IV[i];

  return 0;
}

/* init xors IV with input parameter block */
int blake2b_init_param( blake2b_state *S, const blake2b_param *P )
{
  word32 i;
  byte *p ;
  blake2b_init0( S );
  p =  ( byte * )( P );

  /* IV XOR ParamBlock */
  for( i = 0; i < 8; ++i )
    S->h[i] ^= load64( p + sizeof( S->h[i] ) * i );

  return 0;
}


int blake2b_init( blake2b_state *S, const byte outlen )
{
#ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD
  blake2b_param P[1];
#else
  volatile blake2b_param P[1];
#endif

  if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return BAD_FUNC_ARG;

#ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD
  P->digest_length = outlen;
  P->key_length    = 0;
  P->fanout        = 1;
  P->depth         = 1;
  store32( &P->leaf_length, 0 );
  store64( &P->node_offset, 0 );
  P->node_depth    = 0;
  P->inner_length  = 0;
  XMEMSET( P->reserved, 0, sizeof( P->reserved ) );
  XMEMSET( P->salt,     0, sizeof( P->salt ) );
  XMEMSET( P->personal, 0, sizeof( P->personal ) );
#else
  XMEMSET( (blake2b_param *)P, 0, sizeof( *P ) );
  P->digest_length = outlen;
  P->fanout        = 1;
  P->depth         = 1;
#endif
  return blake2b_init_param( S, (blake2b_param *)P );
}


int blake2b_init_key( blake2b_state *S, const byte outlen, const void *key,
                      const byte keylen )
{
  int ret = 0;
#ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD
  blake2b_param P[1];
#else
  volatile blake2b_param P[1];
#endif

  if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return BAD_FUNC_ARG;

  if ( !key || !keylen || keylen > BLAKE2B_KEYBYTES ) return BAD_FUNC_ARG;

#ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD
  P->digest_length = outlen;
  P->key_length    = keylen;
  P->fanout        = 1;
  P->depth         = 1;
  store32( &P->leaf_length, 0 );
  store64( &P->node_offset, 0 );
  P->node_depth    = 0;
  P->inner_length  = 0;
  XMEMSET( P->reserved, 0, sizeof( P->reserved ) );
  XMEMSET( P->salt,     0, sizeof( P->salt ) );
  XMEMSET( P->personal, 0, sizeof( P->personal ) );
#else
  XMEMSET( (blake2b_param *)P, 0, sizeof( *P ) );
  P->digest_length = outlen;
  P->key_length    = keylen;
  P->fanout        = 1;
  P->depth         = 1;
#endif

  ret = blake2b_init_param( S, (blake2b_param *)P );
  if ( ret < 0 ) return ret;

  {
#ifdef WOLFSSL_SMALL_STACK
    byte* block;

    block = (byte*)XMALLOC(BLAKE2B_BLOCKBYTES, NULL, DYNAMIC_TYPE_TMP_BUFFER);

    if ( block == NULL ) return MEMORY_E;
#else
    byte block[BLAKE2B_BLOCKBYTES];
#endif

    XMEMSET( block, 0, BLAKE2B_BLOCKBYTES );
    XMEMCPY( block, key, keylen );
    ret = blake2b_update( S, block, BLAKE2B_BLOCKBYTES );
    secure_zero_memory( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from */
                                                     /* memory */

#ifdef WOLFSSL_SMALL_STACK
    XFREE(block, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
  }
  return ret;
}

static WC_INLINE int blake2b_compress(
    blake2b_state *S,
    const byte block[BLAKE2B_BLOCKBYTES],
    word64* m,
    word64* v)
{
  word64 i;

  for( i = 0; i < 16; ++i )
    m[i] = load64( block + i * sizeof( m[i] ) );

  for( i = 0; i < 8; ++i )
    v[i] = S->h[i];

  v[ 8] = blake2b_IV[0];
  v[ 9] = blake2b_IV[1];
  v[10] = blake2b_IV[2];
  v[11] = blake2b_IV[3];
  v[12] = S->t[0] ^ blake2b_IV[4];
  v[13] = S->t[1] ^ blake2b_IV[5];
  v[14] = S->f[0] ^ blake2b_IV[6];
  v[15] = S->f[1] ^ blake2b_IV[7];
#define G(r,i,a,b,c,d) \
  do { \
      (a) = (a) + (b) + m[blake2b_sigma[r][2*(i)+0]];   \
      (d) = rotr64((d) ^ (a), 32);                      \
      (c) = (c) + (d);                                  \
      (b) = rotr64((b) ^ (c), 24);                      \
      (a) = (a) + (b) + m[blake2b_sigma[r][2*(i)+1]];   \
      (d) = rotr64((d) ^ (a), 16);                      \
      (c) = (c) + (d);                                  \
      (b) = rotr64((b) ^ (c), 63);                      \
  } while(0)
#define ROUND(r)  \
  do { \
    G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \
    G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \
    G(r,2,v[ 2],v[ 6],v[10],v[14]); \
    G(r,3,v[ 3],v[ 7],v[11],v[15]); \
    G(r,4,v[ 0],v[ 5],v[10],v[15]); \
    G(r,5,v[ 1],v[ 6],v[11],v[12]); \
    G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \
    G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \
  } while(0)
  ROUND( 0 );
  ROUND( 1 );
  ROUND( 2 );
  ROUND( 3 );
  ROUND( 4 );
  ROUND( 5 );
  ROUND( 6 );
  ROUND( 7 );
  ROUND( 8 );
  ROUND( 9 );
  ROUND( 10 );
  ROUND( 11 );

  for( i = 0; i < 8; ++i )
    S->h[i] = S->h[i] ^ v[i] ^ v[i + 8];

#undef G
#undef ROUND

  return 0;
}

/* inlen now in bytes */
int blake2b_update( blake2b_state *S, const byte *in, word64 inlen )
{
  int ret = 0;
#ifdef WOLFSSL_SMALL_STACK
  word64* m;
  word64* v;

  m = (word64*)XMALLOC(sizeof(word64) * 32, NULL, DYNAMIC_TYPE_TMP_BUFFER);

  if ( m == NULL ) return MEMORY_E;

  v = &m[16];
#else
  word64 m[16];
  word64 v[16];
#endif

  while( inlen > 0 )
  {
    word64 left = S->buflen;
    word64 fill = 2 * BLAKE2B_BLOCKBYTES - left;

    if( inlen > fill )
    {
      XMEMCPY( S->buf + left, in, (wolfssl_word)fill ); /* Fill buffer */
      S->buflen += fill;
      blake2b_increment_counter( S, BLAKE2B_BLOCKBYTES );

      {
          ret = blake2b_compress( S, S->buf, m, v );
          if (ret < 0) break;
      }

      XMEMCPY( S->buf, S->buf + BLAKE2B_BLOCKBYTES, BLAKE2B_BLOCKBYTES );
              /* Shift buffer left */
      S->buflen -= BLAKE2B_BLOCKBYTES;
      in += fill;
      inlen -= fill;
    }
    else /* inlen <= fill */
    {
      XMEMCPY( S->buf + left, in, (wolfssl_word)inlen );
      S->buflen += inlen; /* Be lazy, do not compress */
      inlen = 0;
    }
  }

#ifdef WOLFSSL_SMALL_STACK
  XFREE(m, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

  return ret;
}

/* Is this correct? */
int blake2b_final( blake2b_state *S, byte *out, byte outlen )
{
  int ret = 0;
  byte buffer[BLAKE2B_OUTBYTES];
  word64    i;
#ifdef WOLFSSL_SMALL_STACK
  word64* m;
  word64* v;

  m = (word64*)XMALLOC(sizeof(word64) * 32, NULL, DYNAMIC_TYPE_TMP_BUFFER);

  if ( m == NULL ) return MEMORY_E;

  v = &m[16];
#else
  word64 m[16];
  word64 v[16];
#endif

  if( S->buflen > BLAKE2B_BLOCKBYTES )
  {
    blake2b_increment_counter( S, BLAKE2B_BLOCKBYTES );

    {
      ret = blake2b_compress( S, S->buf, m, v );
      if (ret < 0) goto out;
    }

    S->buflen -= BLAKE2B_BLOCKBYTES;
    if ( S->buflen > BLAKE2B_BLOCKBYTES )
      return BAD_LENGTH_E;
    XMEMMOVE( S->buf, S->buf + BLAKE2B_BLOCKBYTES, (wolfssl_word)S->buflen );
  }

  blake2b_increment_counter( S, S->buflen );
  blake2b_set_lastblock( S );
  XMEMSET( S->buf + S->buflen, 0, (wolfssl_word)(2 * BLAKE2B_BLOCKBYTES - S->buflen) );
         /* Padding */
  {
    ret = blake2b_compress( S, S->buf, m, v );
    if (ret < 0) goto out;
  }

  for( i = 0; i < 8; ++i ) /* Output full hash to temp buffer */
    store64( buffer + sizeof( S->h[i] ) * i, S->h[i] );

  XMEMCPY( out, buffer, outlen );

 out:

#ifdef WOLFSSL_SMALL_STACK
  XFREE(m, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

  return ret;
}

/* inlen, at least, should be word64. Others can be size_t. */
int blake2b( byte *out, const void *in, const void *key, const byte outlen,
             const word64 inlen, byte keylen )
{
  blake2b_state S[1];

  /* Verify parameters */
  if ( NULL == in ) return BAD_FUNC_ARG;

  if ( NULL == out ) return BAD_FUNC_ARG;

  if( NULL == key ) keylen = 0;

  if( keylen > 0 )
  {
    int ret = blake2b_init_key( S, outlen, key, keylen );
    if (ret < 0) return ret;
  }
  else
  {
    int ret = blake2b_init( S, outlen );
    if (ret < 0) return ret;
  }

  {
    int ret = blake2b_update( S, ( byte * )in, inlen );
    if (ret < 0) return ret;
  }

  return blake2b_final( S, out, outlen );
}

#if defined(BLAKE2B_SELFTEST)
#include <string.h>
#include "blake2-kat.h"
int main( int argc, char **argv )
{
  byte key[BLAKE2B_KEYBYTES];
  byte buf[KAT_LENGTH];

  for( word32 i = 0; i < BLAKE2B_KEYBYTES; ++i )
    key[i] = ( byte )i;

  for( word32 i = 0; i < KAT_LENGTH; ++i )
    buf[i] = ( byte )i;

  for( word32 i = 0; i < KAT_LENGTH; ++i )
  {
    byte hash[BLAKE2B_OUTBYTES];
    if ( blake2b( hash, buf, key, BLAKE2B_OUTBYTES, i, BLAKE2B_KEYBYTES ) < 0 )
    {
      puts( "error" );
      return -1;
    }

    if( 0 != XMEMCMP( hash, blake2b_keyed_kat[i], BLAKE2B_OUTBYTES ) )
    {
      puts( "error" );
      return -1;
    }
  }

  puts( "ok" );
  return 0;
}
#endif


/* wolfCrypt API */

/* Init Blake2b digest, track size in case final doesn't want to "remember" */
int wc_InitBlake2b(Blake2b* b2b, word32 digestSz)
{
    if (b2b == NULL){
        return BAD_FUNC_ARG;
    }
    b2b->digestSz = digestSz;

    return blake2b_init(b2b->S, (byte)digestSz);
}

/* Init Blake2b digest with key, track size in case final doesn't want to "remember" */
int wc_InitBlake2b_WithKey(Blake2b* b2b, word32 digestSz, const byte *key, word32 keylen)
{
    if (b2b == NULL){
        return BAD_FUNC_ARG;
    }
    b2b->digestSz = digestSz;

    if (keylen >= 256)
        return BAD_FUNC_ARG;

    if (key)
        return blake2b_init_key(b2b->S, (byte)digestSz, key, (byte)keylen);
    else
        return blake2b_init(b2b->S, (byte)digestSz);
}

/* Blake2b Update */
int wc_Blake2bUpdate(Blake2b* b2b, const byte* data, word32 sz)
{
    if (b2b == NULL){
        return BAD_FUNC_ARG;
    }
    if (data == NULL && sz != 0){
        return BAD_FUNC_ARG;
    }
    if (sz == 0){
        return 0;
    }

    return blake2b_update(b2b->S, data, sz);
}


/* Blake2b Final, if pass in zero size we use init digestSz */
int wc_Blake2bFinal(Blake2b* b2b, byte* final, word32 requestSz)
{
    word32 sz;

    if (b2b == NULL){
        return BAD_FUNC_ARG;
    }
    if (final == NULL){
        return BAD_FUNC_ARG;
    }

    sz = requestSz ? requestSz : b2b->digestSz;

    return blake2b_final(b2b->S, final, (byte)sz);
}


/* end CTaoCrypt API */

#endif  /* HAVE_BLAKE2 */


Coverage Report

Created: 2025-07-23 06:59

Line	Count	Source (jump to first uncovered line)
1		/*
2		BLAKE2 reference source code package - reference C implementations
3
4		Written in 2012 by Samuel Neves <sneves@dei.uc.pt>
5
6		To the extent possible under law, the author(s) have dedicated all copyright
7		and related and neighboring rights to this software to the public domain
8		worldwide. This software is distributed without any warranty.
9
10		You should have received a copy of the CC0 Public Domain Dedication along with
11		this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
12		*/
13		/* blake2b.c
14		*
15		* Copyright (C) 2006-2025 wolfSSL Inc.
16		*
17		* This file is part of wolfSSL.
18		*
19		* wolfSSL is free software; you can redistribute it and/or modify
20		* it under the terms of the GNU General Public License as published by
21		* the Free Software Foundation; either version 3 of the License, or
22		* (at your option) any later version.
23		*
24		* wolfSSL is distributed in the hope that it will be useful,
25		* but WITHOUT ANY WARRANTY; without even the implied warranty of
26		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27		* GNU General Public License for more details.
28		*
29		* You should have received a copy of the GNU General Public License
30		* along with this program; if not, write to the Free Software
31		* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
32		*/
33
34		#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
35
36		#ifdef HAVE_BLAKE2
37
38		#include <wolfssl/wolfcrypt/blake2.h>
39		#include <wolfssl/wolfcrypt/blake2-impl.h>
40
41		static const word64 blake2b_IV[8] =
42		{
43		W64LIT(0x6a09e667f3bcc908), W64LIT(0xbb67ae8584caa73b),
44		W64LIT(0x3c6ef372fe94f82b), W64LIT(0xa54ff53a5f1d36f1),
45		W64LIT(0x510e527fade682d1), W64LIT(0x9b05688c2b3e6c1f),
46		W64LIT(0x1f83d9abfb41bd6b), W64LIT(0x5be0cd19137e2179)
47		};
48
49		static const byte blake2b_sigma[12][16] =
50		{
51		{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } ,
52		{ 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } ,
53		{ 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 } ,
54		{ 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 } ,
55		{ 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 } ,
56		{ 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 } ,
57		{ 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 } ,
58		{ 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 } ,
59		{ 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 } ,
60		{ 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 } ,
61		{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } ,
62		{ 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }
63		};
64
65
66		static WC_INLINE int blake2b_set_lastnode( blake2b_state *S )
67	0	{
68	0	S->f[1] = ~W64LIT(0);
69	0	return 0;
70	0	}
71
72		/* Some helper functions, not necessarily useful */
73		static WC_INLINE int blake2b_set_lastblock( blake2b_state *S )
74	0	{
75	0	if( S->last_node ) blake2b_set_lastnode( S );
76
77	0	S->f[0] = ~W64LIT(0);
78	0	return 0;
79	0	}
80
81		static WC_INLINE int blake2b_increment_counter( blake2b_state *S, const word64
82		inc )
83	0	{
84	0	S->t[0] += inc;
85	0	S->t[1] += ( S->t[0] < inc );
86	0	return 0;
87	0	}
88
89		static WC_INLINE int blake2b_init0( blake2b_state *S )
90	0	{
91	0	int i;
92	0	XMEMSET( S, 0, sizeof( blake2b_state ) );
93
94	0	for( i = 0; i < 8; ++i ) S->h[i] = blake2b_IV[i];
95
96	0	return 0;
97	0	}
98
99		/* init xors IV with input parameter block */
100		int blake2b_init_param( blake2b_state S, const blake2b_param P )
101	0	{
102	0	word32 i;
103	0	byte *p ;
104	0	blake2b_init0( S );
105	0	p = ( byte * )( P );
106
107		/* IV XOR ParamBlock */
108	0	for( i = 0; i < 8; ++i )
109	0	S->h[i] ^= load64( p + sizeof( S->h[i] ) * i );
110
111	0	return 0;
112	0	}
113
114
115		int blake2b_init( blake2b_state *S, const byte outlen )
116	0	{
117		#ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD
118		blake2b_param P[1];
119		#else
120	0	volatile blake2b_param P[1];
121	0	#endif
122
123	0	if ( ( !outlen ) \|\| ( outlen > BLAKE2B_OUTBYTES ) ) return BAD_FUNC_ARG;
124
125		#ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD
126		P->digest_length = outlen;
127		P->key_length = 0;
128		P->fanout = 1;
129		P->depth = 1;
130		store32( &P->leaf_length, 0 );
131		store64( &P->node_offset, 0 );
132		P->node_depth = 0;
133		P->inner_length = 0;
134		XMEMSET( P->reserved, 0, sizeof( P->reserved ) );
135		XMEMSET( P->salt, 0, sizeof( P->salt ) );
136		XMEMSET( P->personal, 0, sizeof( P->personal ) );
137		#else
138	0	XMEMSET( (blake2b_param )P, 0, sizeof( P ) );
139	0	P->digest_length = outlen;
140	0	P->fanout = 1;
141	0	P->depth = 1;
142	0	#endif
143	0	return blake2b_init_param( S, (blake2b_param *)P );
144	0	}
145
146
147		int blake2b_init_key( blake2b_state S, const byte outlen, const void key,
148		const byte keylen )
149	0	{
150	0	int ret = 0;
151		#ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD
152		blake2b_param P[1];
153		#else
154	0	volatile blake2b_param P[1];
155	0	#endif
156
157	0	if ( ( !outlen ) \|\| ( outlen > BLAKE2B_OUTBYTES ) ) return BAD_FUNC_ARG;
158
159	0	if ( !key \|\| !keylen \|\| keylen > BLAKE2B_KEYBYTES ) return BAD_FUNC_ARG;
160
161		#ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD
162		P->digest_length = outlen;
163		P->key_length = keylen;
164		P->fanout = 1;
165		P->depth = 1;
166		store32( &P->leaf_length, 0 );
167		store64( &P->node_offset, 0 );
168		P->node_depth = 0;
169		P->inner_length = 0;
170		XMEMSET( P->reserved, 0, sizeof( P->reserved ) );
171		XMEMSET( P->salt, 0, sizeof( P->salt ) );
172		XMEMSET( P->personal, 0, sizeof( P->personal ) );
173		#else
174	0	XMEMSET( (blake2b_param )P, 0, sizeof( P ) );
175	0	P->digest_length = outlen;
176	0	P->key_length = keylen;
177	0	P->fanout = 1;
178	0	P->depth = 1;
179	0	#endif
180
181	0	ret = blake2b_init_param( S, (blake2b_param *)P );
182	0	if ( ret < 0 ) return ret;
183
184	0	{
185	0	#ifdef WOLFSSL_SMALL_STACK
186	0	byte* block;
187
188	0	block = (byte*)XMALLOC(BLAKE2B_BLOCKBYTES, NULL, DYNAMIC_TYPE_TMP_BUFFER);
189
190	0	if ( block == NULL ) return MEMORY_E;
191		#else
192		byte block[BLAKE2B_BLOCKBYTES];
193		#endif
194
195	0	XMEMSET( block, 0, BLAKE2B_BLOCKBYTES );
196	0	XMEMCPY( block, key, keylen );
197	0	ret = blake2b_update( S, block, BLAKE2B_BLOCKBYTES );
198	0	secure_zero_memory( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from */
199		/* memory */
200
201	0	#ifdef WOLFSSL_SMALL_STACK
202	0	XFREE(block, NULL, DYNAMIC_TYPE_TMP_BUFFER);
203	0	#endif
204	0	}
205	0	return ret;
206	0	}
207
208		static WC_INLINE int blake2b_compress(
209		blake2b_state *S,
210		const byte block[BLAKE2B_BLOCKBYTES],
211		word64* m,
212		word64* v)
213	0	{
214	0	word64 i;
215
216	0	for( i = 0; i < 16; ++i )
217	0	m[i] = load64( block + i * sizeof( m[i] ) );
218
219	0	for( i = 0; i < 8; ++i )
220	0	v[i] = S->h[i];
221
222	0	v[ 8] = blake2b_IV[0];
223	0	v[ 9] = blake2b_IV[1];
224	0	v[10] = blake2b_IV[2];
225	0	v[11] = blake2b_IV[3];
226	0	v[12] = S->t[0] ^ blake2b_IV[4];
227	0	v[13] = S->t[1] ^ blake2b_IV[5];
228	0	v[14] = S->f[0] ^ blake2b_IV[6];
229	0	v[15] = S->f[1] ^ blake2b_IV[7];
230	0	#define G(r,i,a,b,c,d) \
231	0	do { \
232	0	(a) = (a) + (b) + m[blake2b_sigma[r][2*(i)+0]]; \
233	0	(d) = rotr64((d) ^ (a), 32); \
234	0	(c) = (c) + (d); \
235	0	(b) = rotr64((b) ^ (c), 24); \
236	0	(a) = (a) + (b) + m[blake2b_sigma[r][2*(i)+1]]; \
237	0	(d) = rotr64((d) ^ (a), 16); \
238	0	(c) = (c) + (d); \
239	0	(b) = rotr64((b) ^ (c), 63); \
240	0	} while(0)
241	0	#define ROUND(r) \
242	0	do { \
243	0	G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \
244	0	G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \
245	0	G(r,2,v[ 2],v[ 6],v[10],v[14]); \
246	0	G(r,3,v[ 3],v[ 7],v[11],v[15]); \
247	0	G(r,4,v[ 0],v[ 5],v[10],v[15]); \
248	0	G(r,5,v[ 1],v[ 6],v[11],v[12]); \
249	0	G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \
250	0	G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \
251	0	} while(0)
252	0	ROUND( 0 );
253	0	ROUND( 1 );
254	0	ROUND( 2 );
255	0	ROUND( 3 );
256	0	ROUND( 4 );
257	0	ROUND( 5 );
258	0	ROUND( 6 );
259	0	ROUND( 7 );
260	0	ROUND( 8 );
261	0	ROUND( 9 );
262	0	ROUND( 10 );
263	0	ROUND( 11 );
264
265	0	for( i = 0; i < 8; ++i )
266	0	S->h[i] = S->h[i] ^ v[i] ^ v[i + 8];
267
268	0	#undef G
269	0	#undef ROUND
270
271	0	return 0;
272	0	}
273
274		/* inlen now in bytes */
275		int blake2b_update( blake2b_state S, const byte in, word64 inlen )
276	0	{
277	0	int ret = 0;
278	0	#ifdef WOLFSSL_SMALL_STACK
279	0	word64* m;
280	0	word64* v;
281
282	0	m = (word64)XMALLOC(sizeof(word64) 32, NULL, DYNAMIC_TYPE_TMP_BUFFER);
283
284	0	if ( m == NULL ) return MEMORY_E;
285
286	0	v = &m[16];
287		#else
288		word64 m[16];
289		word64 v[16];
290		#endif
291
292	0	while( inlen > 0 )
293	0	{
294	0	word64 left = S->buflen;
295	0	word64 fill = 2 * BLAKE2B_BLOCKBYTES - left;
296
297	0	if( inlen > fill )
298	0	{
299	0	XMEMCPY( S->buf + left, in, (wolfssl_word)fill ); /* Fill buffer */
300	0	S->buflen += fill;
301	0	blake2b_increment_counter( S, BLAKE2B_BLOCKBYTES );
302
303	0	{
304	0	ret = blake2b_compress( S, S->buf, m, v );
305	0	if (ret < 0) break;
306	0	}
307
308	0	XMEMCPY( S->buf, S->buf + BLAKE2B_BLOCKBYTES, BLAKE2B_BLOCKBYTES );
309		/* Shift buffer left */
310	0	S->buflen -= BLAKE2B_BLOCKBYTES;
311	0	in += fill;
312	0	inlen -= fill;
313	0	}
314	0	else /* inlen <= fill */
315	0	{
316	0	XMEMCPY( S->buf + left, in, (wolfssl_word)inlen );
317	0	S->buflen += inlen; /* Be lazy, do not compress */
318	0	inlen = 0;
319	0	}
320	0	}
321
322	0	#ifdef WOLFSSL_SMALL_STACK
323	0	XFREE(m, NULL, DYNAMIC_TYPE_TMP_BUFFER);
324	0	#endif
325
326	0	return ret;
327	0	}
328
329		/* Is this correct? */
330		int blake2b_final( blake2b_state S, byte out, byte outlen )
331	0	{
332	0	int ret = 0;
333	0	byte buffer[BLAKE2B_OUTBYTES];
334	0	word64 i;
335	0	#ifdef WOLFSSL_SMALL_STACK
336	0	word64* m;
337	0	word64* v;
338
339	0	m = (word64)XMALLOC(sizeof(word64) 32, NULL, DYNAMIC_TYPE_TMP_BUFFER);
340
341	0	if ( m == NULL ) return MEMORY_E;
342
343	0	v = &m[16];
344		#else
345		word64 m[16];
346		word64 v[16];
347		#endif
348
349	0	if( S->buflen > BLAKE2B_BLOCKBYTES )
350	0	{
351	0	blake2b_increment_counter( S, BLAKE2B_BLOCKBYTES );
352
353	0	{
354	0	ret = blake2b_compress( S, S->buf, m, v );
355	0	if (ret < 0) goto out;
356	0	}
357
358	0	S->buflen -= BLAKE2B_BLOCKBYTES;
359	0	if ( S->buflen > BLAKE2B_BLOCKBYTES )
360	0	return BAD_LENGTH_E;
361	0	XMEMMOVE( S->buf, S->buf + BLAKE2B_BLOCKBYTES, (wolfssl_word)S->buflen );
362	0	}
363
364	0	blake2b_increment_counter( S, S->buflen );
365	0	blake2b_set_lastblock( S );
366	0	XMEMSET( S->buf + S->buflen, 0, (wolfssl_word)(2 * BLAKE2B_BLOCKBYTES - S->buflen) );
367		/* Padding */
368	0	{
369	0	ret = blake2b_compress( S, S->buf, m, v );
370	0	if (ret < 0) goto out;
371	0	}
372
373	0	for( i = 0; i < 8; ++i ) /* Output full hash to temp buffer */
374	0	store64( buffer + sizeof( S->h[i] ) * i, S->h[i] );
375
376	0	XMEMCPY( out, buffer, outlen );
377
378	0	out:
379
380	0	#ifdef WOLFSSL_SMALL_STACK
381	0	XFREE(m, NULL, DYNAMIC_TYPE_TMP_BUFFER);
382	0	#endif
383
384	0	return ret;
385	0	}
386
387		/* inlen, at least, should be word64. Others can be size_t. */
388		int blake2b( byte out, const void in, const void *key, const byte outlen,
389		const word64 inlen, byte keylen )
390	0	{
391	0	blake2b_state S[1];
392
393		/* Verify parameters */
394	0	if ( NULL == in ) return BAD_FUNC_ARG;
395
396	0	if ( NULL == out ) return BAD_FUNC_ARG;
397
398	0	if( NULL == key ) keylen = 0;
399
400	0	if( keylen > 0 )
401	0	{
402	0	int ret = blake2b_init_key( S, outlen, key, keylen );
403	0	if (ret < 0) return ret;
404	0	}
405	0	else
406	0	{
407	0	int ret = blake2b_init( S, outlen );
408	0	if (ret < 0) return ret;
409	0	}
410
411	0	{
412	0	int ret = blake2b_update( S, ( byte * )in, inlen );
413	0	if (ret < 0) return ret;
414	0	}
415
416	0	return blake2b_final( S, out, outlen );
417	0	}
418
419		#if defined(BLAKE2B_SELFTEST)
420		#include <string.h>
421		#include "blake2-kat.h"
422		int main( int argc, char **argv )
423		{
424		byte key[BLAKE2B_KEYBYTES];
425		byte buf[KAT_LENGTH];
426
427		for( word32 i = 0; i < BLAKE2B_KEYBYTES; ++i )
428		key[i] = ( byte )i;
429
430		for( word32 i = 0; i < KAT_LENGTH; ++i )
431		buf[i] = ( byte )i;
432
433		for( word32 i = 0; i < KAT_LENGTH; ++i )
434		{
435		byte hash[BLAKE2B_OUTBYTES];
436		if ( blake2b( hash, buf, key, BLAKE2B_OUTBYTES, i, BLAKE2B_KEYBYTES ) < 0 )
437		{
438		puts( "error" );
439		return -1;
440		}
441
442		if( 0 != XMEMCMP( hash, blake2b_keyed_kat[i], BLAKE2B_OUTBYTES ) )
443		{
444		puts( "error" );
445		return -1;
446		}
447		}
448
449		puts( "ok" );
450		return 0;
451		}
452		#endif
453
454
455		/* wolfCrypt API */
456
457		/* Init Blake2b digest, track size in case final doesn't want to "remember" */
458		int wc_InitBlake2b(Blake2b* b2b, word32 digestSz)
459	0	{
460	0	if (b2b == NULL){
461	0	return BAD_FUNC_ARG;
462	0	}
463	0	b2b->digestSz = digestSz;
464
465	0	return blake2b_init(b2b->S, (byte)digestSz);
466	0	}
467
468		/* Init Blake2b digest with key, track size in case final doesn't want to "remember" */
469		int wc_InitBlake2b_WithKey(Blake2b* b2b, word32 digestSz, const byte *key, word32 keylen)
470	0	{
471	0	if (b2b == NULL){
472	0	return BAD_FUNC_ARG;
473	0	}
474	0	b2b->digestSz = digestSz;
475
476	0	if (keylen >= 256)
477	0	return BAD_FUNC_ARG;
478
479	0	if (key)
480	0	return blake2b_init_key(b2b->S, (byte)digestSz, key, (byte)keylen);
481	0	else
482	0	return blake2b_init(b2b->S, (byte)digestSz);
483	0	}
484
485		/* Blake2b Update */
486		int wc_Blake2bUpdate(Blake2b* b2b, const byte* data, word32 sz)
487	0	{
488	0	if (b2b == NULL){
489	0	return BAD_FUNC_ARG;
490	0	}
491	0	if (data == NULL && sz != 0){
492	0	return BAD_FUNC_ARG;
493	0	}
494	0	if (sz == 0){
495	0	return 0;
496	0	}
497
498	0	return blake2b_update(b2b->S, data, sz);
499	0	}
500
501
502		/* Blake2b Final, if pass in zero size we use init digestSz */
503		int wc_Blake2bFinal(Blake2b* b2b, byte* final, word32 requestSz)
504	0	{
505	0	word32 sz;
506
507	0	if (b2b == NULL){
508	0	return BAD_FUNC_ARG;
509	0	}
510	0	if (final == NULL){
511	0	return BAD_FUNC_ARG;
512	0	}
513
514	0	sz = requestSz ? requestSz : b2b->digestSz;
515
516	0	return blake2b_final(b2b->S, final, (byte)sz);
517	0	}
518
519
520		/* end CTaoCrypt API */
521
522		#endif /* HAVE_BLAKE2 */
523