/src/wolfssl-sp-math-all/wolfcrypt/src/blake2s.c

Source
/*
   BLAKE2 reference source code package - reference C implementations

   Written in 2012 by Samuel Neves <sneves@dei.uc.pt>

   To the extent possible under law, the author(s) have dedicated all copyright
   and related and neighboring rights to this software to the public domain
   worldwide. This software is distributed without any warranty.

   You should have received a copy of the CC0 Public Domain Dedication along with
   this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
/* blake2s.c
 *
 * Copyright (C) 2006-2025 wolfSSL Inc.
 *
 * This file is part of wolfSSL.
 *
 * wolfSSL is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * wolfSSL is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */

#include <wolfssl/wolfcrypt/libwolfssl_sources.h>

#ifdef HAVE_BLAKE2S

#include <wolfssl/wolfcrypt/blake2.h>
#include <wolfssl/wolfcrypt/blake2-impl.h>

static const word32 blake2s_IV[8] =
{
  0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
  0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
};

static const byte blake2s_sigma[10][16] =
{
  {  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15 } ,
  { 14, 10,  4,  8,  9, 15, 13,  6,  1, 12,  0,  2, 11,  7,  5,  3 } ,
  { 11,  8, 12,  0,  5,  2, 15, 13, 10, 14,  3,  6,  7,  1,  9,  4 } ,
  {  7,  9,  3,  1, 13, 12, 11, 14,  2,  6,  5, 10,  4,  0, 15,  8 } ,
  {  9,  0,  5,  7,  2,  4, 10, 15, 14,  1, 11, 12,  6,  8,  3, 13 } ,
  {  2, 12,  6, 10,  0, 11,  8,  3,  4, 13,  7,  5, 15, 14,  1,  9 } ,
  { 12,  5,  1, 15, 14, 13,  4, 10,  0,  7,  6,  3,  9,  2,  8, 11 } ,
  { 13, 11,  7, 14, 12,  1,  3,  9,  5,  0, 15,  4,  8,  6,  2, 10 } ,
  {  6, 15, 14,  9, 11,  3,  0,  8, 12,  2, 13,  7,  1,  4, 10,  5 } ,
  { 10,  2,  8,  4,  7,  6,  1,  5, 15, 11,  9, 14,  3, 12, 13 , 0 }
};


static WC_INLINE int blake2s_set_lastnode( blake2s_state *S )
{
  S->f[1] = ~0U;
  return 0;
}

/* Some helper functions, not necessarily useful */
static WC_INLINE int blake2s_set_lastblock( blake2s_state *S )
{
  if( S->last_node ) blake2s_set_lastnode( S );

  S->f[0] = ~0U;
  return 0;
}

static WC_INLINE int blake2s_increment_counter( blake2s_state *S, const word32
                                             inc )
{
  S->t[0] += inc;
  S->t[1] += ( S->t[0] < inc );
  return 0;
}

static WC_INLINE int blake2s_init0( blake2s_state *S )
{
  int i;
  XMEMSET( S, 0, sizeof( blake2s_state ) );

  for( i = 0; i < 8; ++i ) S->h[i] = blake2s_IV[i];

  return 0;
}

/* init xors IV with input parameter block */
int blake2s_init_param( blake2s_state *S, const blake2s_param *P )
{
  word32 i;
  byte *p ;
  blake2s_init0( S );
  p =  ( byte * )( P );

  /* IV XOR ParamBlock */
  for( i = 0; i < 8; ++i )
    S->h[i] ^= load32( p + sizeof( S->h[i] ) * i );

  return 0;
}



int blake2s_init( blake2s_state *S, const byte outlen )
{
#ifdef WOLFSSL_BLAKE2S_INIT_EACH_FIELD
  blake2s_param P[1];
#else
  volatile blake2s_param P[1];
#endif

  if ( ( !outlen ) || ( outlen > BLAKE2S_OUTBYTES ) ) return BAD_FUNC_ARG;

#ifdef WOLFSSL_BLAKE2S_INIT_EACH_FIELD
  P->digest_length = outlen;
  P->key_length    = 0;
  P->fanout        = 1;
  P->depth         = 1;
  store32( &P->leaf_length, 0 );
  store32( &P->node_offset, 0 );
  P->node_depth    = 0;
  P->inner_length  = 0;
  XMEMSET( P->salt,     0, sizeof( P->salt ) );
  XMEMSET( P->personal, 0, sizeof( P->personal ) );
#else
  XMEMSET( (blake2s_param *)P, 0, sizeof( *P ) );
  P->digest_length = outlen;
  P->fanout        = 1;
  P->depth         = 1;
#endif
  return blake2s_init_param( S, (blake2s_param *)P );
}


int blake2s_init_key( blake2s_state *S, const byte outlen, const void *key,
                      const byte keylen )
{
  int ret = 0;
#ifdef WOLFSSL_BLAKE2S_INIT_EACH_FIELD
  blake2s_param P[1];
#else
  volatile blake2s_param P[1];
#endif

  if ( ( !outlen ) || ( outlen > BLAKE2S_OUTBYTES ) ) return BAD_FUNC_ARG;

  if ( !key || !keylen || keylen > BLAKE2S_KEYBYTES ) return BAD_FUNC_ARG;

#ifdef WOLFSSL_BLAKE2S_INIT_EACH_FIELD
  P->digest_length = outlen;
  P->key_length    = keylen;
  P->fanout        = 1;
  P->depth         = 1;
  store32( &P->leaf_length, 0 );
  store64( &P->node_offset, 0 );
  P->node_depth    = 0;
  P->inner_length  = 0;
  XMEMSET( P->salt,     0, sizeof( P->salt ) );
  XMEMSET( P->personal, 0, sizeof( P->personal ) );
#else
  XMEMSET( (blake2s_param *)P, 0, sizeof( *P ) );
  P->digest_length = outlen;
  P->key_length    = keylen;
  P->fanout        = 1;
  P->depth         = 1;
#endif

  ret = blake2s_init_param( S, (blake2s_param *)P );
  if (ret < 0)
      return ret;

  {
#ifdef WOLFSSL_SMALL_STACK
    byte* block;

    block = (byte*)XMALLOC(BLAKE2S_BLOCKBYTES, NULL, DYNAMIC_TYPE_TMP_BUFFER);

    if ( block == NULL ) return MEMORY_E;
#else
    byte block[BLAKE2S_BLOCKBYTES];
#endif

    XMEMSET( block, 0, BLAKE2S_BLOCKBYTES );
    XMEMCPY( block, key, keylen );
    ret = blake2s_update( S, block, BLAKE2S_BLOCKBYTES );
    secure_zero_memory( block, BLAKE2S_BLOCKBYTES ); /* Burn the key from */
                                                     /* memory */

    WC_FREE_VAR_EX(block, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  }
  return ret;
}

static WC_INLINE int blake2s_compress(
    blake2s_state *S,
    const byte block[BLAKE2S_BLOCKBYTES],
    word32* m,
    word32* v)
{
  word32 i;

  for( i = 0; i < 16; ++i )
    m[i] = load32( block + i * sizeof( m[i] ) );

  for( i = 0; i < 8; ++i )
    v[i] = S->h[i];

  v[ 8] = blake2s_IV[0];
  v[ 9] = blake2s_IV[1];
  v[10] = blake2s_IV[2];
  v[11] = blake2s_IV[3];
  v[12] = S->t[0] ^ blake2s_IV[4];
  v[13] = S->t[1] ^ blake2s_IV[5];
  v[14] = S->f[0] ^ blake2s_IV[6];
  v[15] = S->f[1] ^ blake2s_IV[7];
#define G(r,i,a,b,c,d) \
  do { \
      (a) = (a) + (b) + m[blake2s_sigma[r][2*(i)+0]];   \
      (d) = rotr32((d) ^ (a), 16);                      \
      (c) = (c) + (d);                                  \
      (b) = rotr32((b) ^ (c), 12);                      \
      (a) = (a) + (b) + m[blake2s_sigma[r][2*(i)+1]];   \
      (d) = rotr32((d) ^ (a), 8);                       \
      (c) = (c) + (d);                                  \
      (b) = rotr32((b) ^ (c), 7);                       \
  } while(0)
#define ROUND(r)  \
  do { \
    G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \
    G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \
    G(r,2,v[ 2],v[ 6],v[10],v[14]); \
    G(r,3,v[ 3],v[ 7],v[11],v[15]); \
    G(r,4,v[ 0],v[ 5],v[10],v[15]); \
    G(r,5,v[ 1],v[ 6],v[11],v[12]); \
    G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \
    G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \
  } while(0)
  ROUND( 0 );
  ROUND( 1 );
  ROUND( 2 );
  ROUND( 3 );
  ROUND( 4 );
  ROUND( 5 );
  ROUND( 6 );
  ROUND( 7 );
  ROUND( 8 );
  ROUND( 9 );

  for( i = 0; i < 8; ++i )
    S->h[i] = S->h[i] ^ v[i] ^ v[i + 8];

#undef G
#undef ROUND

  return 0;
}

/* inlen now in bytes */
int blake2s_update( blake2s_state *S, const byte *in, word32 inlen )
{
  int ret = 0;
#ifdef WOLFSSL_SMALL_STACK
  word32* m;
  word32* v;

  m = (word32*)XMALLOC(sizeof(word32) * 32, NULL, DYNAMIC_TYPE_TMP_BUFFER);

  if ( m == NULL ) return MEMORY_E;

  v = &m[16];
#else
  word32 m[16];
  word32 v[16];
#endif

  while( inlen > 0 )
  {
    word32 left = S->buflen;
    word32 fill = 2 * BLAKE2S_BLOCKBYTES - left;

    if( inlen > fill )
    {
      XMEMCPY( S->buf + left, in, (wolfssl_word)fill ); /* Fill buffer */
      S->buflen += fill;
      blake2s_increment_counter( S, BLAKE2S_BLOCKBYTES );

      {
          ret= blake2s_compress( S, S->buf, m, v );
          if (ret < 0) break;
      }

      XMEMCPY( S->buf, S->buf + BLAKE2S_BLOCKBYTES, BLAKE2S_BLOCKBYTES );
              /* Shift buffer left */
      S->buflen -= BLAKE2S_BLOCKBYTES;
      in += fill;
      inlen -= fill;
    }
    else /* inlen <= fill */
    {
      XMEMCPY( S->buf + left, in, (wolfssl_word)inlen );
      S->buflen += inlen; /* Be lazy, do not compress */
      inlen = 0;
    }
  }

  WC_FREE_VAR_EX(m, NULL, DYNAMIC_TYPE_TMP_BUFFER);

  return ret;
}

/* Is this correct? */
int blake2s_final( blake2s_state *S, byte *out, byte outlen )
{
  int ret = 0;
  word32    i;
  byte buffer[BLAKE2S_BLOCKBYTES];
#ifdef WOLFSSL_SMALL_STACK
  word32* m;
  word32* v;

  m = (word32*)XMALLOC(sizeof(word32) * 32, NULL, DYNAMIC_TYPE_TMP_BUFFER);

  if ( m == NULL ) return MEMORY_E;

  v = &m[16];
#else
  word32 m[16];
  word32 v[16];
#endif

  if( S->buflen > BLAKE2S_BLOCKBYTES )
  {
    blake2s_increment_counter( S, BLAKE2S_BLOCKBYTES );

    {
        ret = blake2s_compress( S, S->buf, m, v );
        if (ret < 0) goto out;
    }

    S->buflen -= BLAKE2S_BLOCKBYTES;
    XMEMCPY( S->buf, S->buf + BLAKE2S_BLOCKBYTES, (wolfssl_word)S->buflen );
  }

  blake2s_increment_counter( S, S->buflen );
  blake2s_set_lastblock( S );
  XMEMSET( S->buf + S->buflen, 0, (wolfssl_word)(2 * BLAKE2S_BLOCKBYTES - S->buflen) );
         /* Padding */
  {
      ret = blake2s_compress( S, S->buf, m, v );
      if (ret < 0) goto out;
  }

  for( i = 0; i < 8; ++i ) /* Output full hash to temp buffer */
    store64( buffer + sizeof( S->h[i] ) * i, S->h[i] );

  XMEMCPY( out, buffer, outlen );

 out:

  WC_FREE_VAR_EX(m, NULL, DYNAMIC_TYPE_TMP_BUFFER);

  return ret;
}

/* inlen, at least, should be word32. Others can be size_t. */
int blake2s( byte *out, const void *in, const void *key, const byte outlen,
             const word32 inlen, byte keylen )
{
  blake2s_state S[1];

  /* Verify parameters */
  if ( NULL == in ) return BAD_FUNC_ARG;

  if ( NULL == out ) return BAD_FUNC_ARG;

  if( NULL == key ) keylen = 0;

  if( keylen > 0 )
  {
      int ret = blake2s_init_key( S, outlen, key, keylen );
      if (ret < 0) return ret;
  }
  else
  {
      int ret = blake2s_init( S, outlen );
      if (ret < 0) return ret;
  }

  {
      int ret = blake2s_update( S, ( byte * )in, inlen );
      if (ret < 0) return ret;
  }

  return blake2s_final( S, out, outlen );
}

#if defined(BLAKE2S_SELFTEST)
#include <string.h>
#include "blake2-kat.h"
int main( int argc, char **argv )
{
  byte key[BLAKE2S_KEYBYTES];
  byte buf[KAT_LENGTH];

  for( word32 i = 0; i < BLAKE2S_KEYBYTES; ++i )
    key[i] = ( byte )i;

  for( word32 i = 0; i < KAT_LENGTH; ++i )
    buf[i] = ( byte )i;

  for( word32 i = 0; i < KAT_LENGTH; ++i )
  {
    byte hash[BLAKE2S_OUTBYTES];
    if ( blake2s( hash, buf, key, BLAKE2S_OUTBYTES, i, BLAKE2S_KEYBYTES ) < 0 )
    {
      puts( "error" );
      return -1;
    }

    if( 0 != XMEMCMP( hash, blake2s_keyed_kat[i], BLAKE2S_OUTBYTES ) )
    {
      puts( "error" );
      return -1;
    }
  }

  puts( "ok" );
  return 0;
}
#endif


/* wolfCrypt API */

/* Init Blake2s digest, track size in case final doesn't want to "remember" */
int wc_InitBlake2s(Blake2s* b2s, word32 digestSz)
{
    if (b2s == NULL){
        return BAD_FUNC_ARG;
    }
    b2s->digestSz = digestSz;

    return blake2s_init(b2s->S, (byte)digestSz);
}


/* Init Blake2s digest with key, track size in case final doesn't want to "remember" */
int wc_InitBlake2s_WithKey(Blake2s* b2s, word32 digestSz, const byte *key, word32 keylen)
{
    if (b2s == NULL){
        return BAD_FUNC_ARG;
    }
    b2s->digestSz = digestSz;

    if (keylen >= 256)
        return BAD_FUNC_ARG;

    if (key)
        return blake2s_init_key(b2s->S, (byte)digestSz, key, (byte)keylen);
    else
        return blake2s_init(b2s->S, (byte)digestSz);
}


/* Blake2s Update */
int wc_Blake2sUpdate(Blake2s* b2s, const byte* data, word32 sz)
{
    if (b2s == NULL){
        return BAD_FUNC_ARG;
    }
    if (data == NULL && sz != 0){
        return BAD_FUNC_ARG;
    }
    if (sz == 0){
        return 0;
    }

    return blake2s_update(b2s->S, data, sz);
}


/* Blake2s Final, if pass in zero size we use init digestSz */
int wc_Blake2sFinal(Blake2s* b2s, byte* final, word32 requestSz)
{
    word32 sz;

    if (b2s == NULL){
        return BAD_FUNC_ARG;
    }
    if (final == NULL){
        return BAD_FUNC_ARG;
    }

    sz = requestSz ? requestSz : b2s->digestSz;

    return blake2s_final(b2s->S, final, (byte)sz);
}


/* end CTaoCrypt API */

#endif  /* HAVE_BLAKE2S */


Coverage Report

Created: 2026-01-06 06:52

Line	Count	Source
1		/*
2		BLAKE2 reference source code package - reference C implementations
3
4		Written in 2012 by Samuel Neves <sneves@dei.uc.pt>
5
6		To the extent possible under law, the author(s) have dedicated all copyright
7		and related and neighboring rights to this software to the public domain
8		worldwide. This software is distributed without any warranty.
9
10		You should have received a copy of the CC0 Public Domain Dedication along with
11		this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
12		*/
13		/* blake2s.c
14		*
15		* Copyright (C) 2006-2025 wolfSSL Inc.
16		*
17		* This file is part of wolfSSL.
18		*
19		* wolfSSL is free software; you can redistribute it and/or modify
20		* it under the terms of the GNU General Public License as published by
21		* the Free Software Foundation; either version 3 of the License, or
22		* (at your option) any later version.
23		*
24		* wolfSSL is distributed in the hope that it will be useful,
25		* but WITHOUT ANY WARRANTY; without even the implied warranty of
26		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27		* GNU General Public License for more details.
28		*
29		* You should have received a copy of the GNU General Public License
30		* along with this program; if not, write to the Free Software
31		* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
32		*/
33
34		#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
35
36		#ifdef HAVE_BLAKE2S
37
38		#include <wolfssl/wolfcrypt/blake2.h>
39		#include <wolfssl/wolfcrypt/blake2-impl.h>
40
41		static const word32 blake2s_IV[8] =
42		{
43		0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
44		0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
45		};
46
47		static const byte blake2s_sigma[10][16] =
48		{
49		{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } ,
50		{ 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } ,
51		{ 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 } ,
52		{ 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 } ,
53		{ 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 } ,
54		{ 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 } ,
55		{ 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 } ,
56		{ 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 } ,
57		{ 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 } ,
58		{ 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 }
59		};
60
61
62		static WC_INLINE int blake2s_set_lastnode( blake2s_state *S )
63	0	{
64	0	S->f[1] = ~0U;
65	0	return 0;
66	0	}
67
68		/* Some helper functions, not necessarily useful */
69		static WC_INLINE int blake2s_set_lastblock( blake2s_state *S )
70	0	{
71	0	if( S->last_node ) blake2s_set_lastnode( S );
72
73	0	S->f[0] = ~0U;
74	0	return 0;
75	0	}
76
77		static WC_INLINE int blake2s_increment_counter( blake2s_state *S, const word32
78		inc )
79	0	{
80	0	S->t[0] += inc;
81	0	S->t[1] += ( S->t[0] < inc );
82	0	return 0;
83	0	}
84
85		static WC_INLINE int blake2s_init0( blake2s_state *S )
86	0	{
87	0	int i;
88	0	XMEMSET( S, 0, sizeof( blake2s_state ) );
89
90	0	for( i = 0; i < 8; ++i ) S->h[i] = blake2s_IV[i];
91
92	0	return 0;
93	0	}
94
95		/* init xors IV with input parameter block */
96		int blake2s_init_param( blake2s_state S, const blake2s_param P )
97	0	{
98	0	word32 i;
99	0	byte *p ;
100	0	blake2s_init0( S );
101	0	p = ( byte * )( P );
102
103		/* IV XOR ParamBlock */
104	0	for( i = 0; i < 8; ++i )
105	0	S->h[i] ^= load32( p + sizeof( S->h[i] ) * i );
106
107	0	return 0;
108	0	}
109
110
111
112		int blake2s_init( blake2s_state *S, const byte outlen )
113	0	{
114		#ifdef WOLFSSL_BLAKE2S_INIT_EACH_FIELD
115		blake2s_param P[1];
116		#else
117	0	volatile blake2s_param P[1];
118	0	#endif
119
120	0	if ( ( !outlen ) \|\| ( outlen > BLAKE2S_OUTBYTES ) ) return BAD_FUNC_ARG;
121
122		#ifdef WOLFSSL_BLAKE2S_INIT_EACH_FIELD
123		P->digest_length = outlen;
124		P->key_length = 0;
125		P->fanout = 1;
126		P->depth = 1;
127		store32( &P->leaf_length, 0 );
128		store32( &P->node_offset, 0 );
129		P->node_depth = 0;
130		P->inner_length = 0;
131		XMEMSET( P->salt, 0, sizeof( P->salt ) );
132		XMEMSET( P->personal, 0, sizeof( P->personal ) );
133		#else
134	0	XMEMSET( (blake2s_param )P, 0, sizeof( P ) );
135	0	P->digest_length = outlen;
136	0	P->fanout = 1;
137	0	P->depth = 1;
138	0	#endif
139	0	return blake2s_init_param( S, (blake2s_param *)P );
140	0	}
141
142
143		int blake2s_init_key( blake2s_state S, const byte outlen, const void key,
144		const byte keylen )
145	0	{
146	0	int ret = 0;
147		#ifdef WOLFSSL_BLAKE2S_INIT_EACH_FIELD
148		blake2s_param P[1];
149		#else
150	0	volatile blake2s_param P[1];
151	0	#endif
152
153	0	if ( ( !outlen ) \|\| ( outlen > BLAKE2S_OUTBYTES ) ) return BAD_FUNC_ARG;
154
155	0	if ( !key \|\| !keylen \|\| keylen > BLAKE2S_KEYBYTES ) return BAD_FUNC_ARG;
156
157		#ifdef WOLFSSL_BLAKE2S_INIT_EACH_FIELD
158		P->digest_length = outlen;
159		P->key_length = keylen;
160		P->fanout = 1;
161		P->depth = 1;
162		store32( &P->leaf_length, 0 );
163		store64( &P->node_offset, 0 );
164		P->node_depth = 0;
165		P->inner_length = 0;
166		XMEMSET( P->salt, 0, sizeof( P->salt ) );
167		XMEMSET( P->personal, 0, sizeof( P->personal ) );
168		#else
169	0	XMEMSET( (blake2s_param )P, 0, sizeof( P ) );
170	0	P->digest_length = outlen;
171	0	P->key_length = keylen;
172	0	P->fanout = 1;
173	0	P->depth = 1;
174	0	#endif
175
176	0	ret = blake2s_init_param( S, (blake2s_param *)P );
177	0	if (ret < 0)
178	0	return ret;
179
180	0	{
181	0	#ifdef WOLFSSL_SMALL_STACK
182	0	byte* block;
183
184	0	block = (byte*)XMALLOC(BLAKE2S_BLOCKBYTES, NULL, DYNAMIC_TYPE_TMP_BUFFER);
185
186	0	if ( block == NULL ) return MEMORY_E;
187		#else
188		byte block[BLAKE2S_BLOCKBYTES];
189		#endif
190
191	0	XMEMSET( block, 0, BLAKE2S_BLOCKBYTES );
192	0	XMEMCPY( block, key, keylen );
193	0	ret = blake2s_update( S, block, BLAKE2S_BLOCKBYTES );
194	0	secure_zero_memory( block, BLAKE2S_BLOCKBYTES ); /* Burn the key from */
195		/* memory */
196
197	0	WC_FREE_VAR_EX(block, NULL, DYNAMIC_TYPE_TMP_BUFFER);
198	0	}
199	0	return ret;
200	0	}
201
202		static WC_INLINE int blake2s_compress(
203		blake2s_state *S,
204		const byte block[BLAKE2S_BLOCKBYTES],
205		word32* m,
206		word32* v)
207	0	{
208	0	word32 i;
209
210	0	for( i = 0; i < 16; ++i )
211	0	m[i] = load32( block + i * sizeof( m[i] ) );
212
213	0	for( i = 0; i < 8; ++i )
214	0	v[i] = S->h[i];
215
216	0	v[ 8] = blake2s_IV[0];
217	0	v[ 9] = blake2s_IV[1];
218	0	v[10] = blake2s_IV[2];
219	0	v[11] = blake2s_IV[3];
220	0	v[12] = S->t[0] ^ blake2s_IV[4];
221	0	v[13] = S->t[1] ^ blake2s_IV[5];
222	0	v[14] = S->f[0] ^ blake2s_IV[6];
223	0	v[15] = S->f[1] ^ blake2s_IV[7];
224	0	#define G(r,i,a,b,c,d) \
225	0	do { \
226	0	(a) = (a) + (b) + m[blake2s_sigma[r][2*(i)+0]]; \
227	0	(d) = rotr32((d) ^ (a), 16); \
228	0	(c) = (c) + (d); \
229	0	(b) = rotr32((b) ^ (c), 12); \
230	0	(a) = (a) + (b) + m[blake2s_sigma[r][2*(i)+1]]; \
231	0	(d) = rotr32((d) ^ (a), 8); \
232	0	(c) = (c) + (d); \
233	0	(b) = rotr32((b) ^ (c), 7); \
234	0	} while(0)
235	0	#define ROUND(r) \
236	0	do { \
237	0	G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \
238	0	G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \
239	0	G(r,2,v[ 2],v[ 6],v[10],v[14]); \
240	0	G(r,3,v[ 3],v[ 7],v[11],v[15]); \
241	0	G(r,4,v[ 0],v[ 5],v[10],v[15]); \
242	0	G(r,5,v[ 1],v[ 6],v[11],v[12]); \
243	0	G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \
244	0	G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \
245	0	} while(0)
246	0	ROUND( 0 );
247	0	ROUND( 1 );
248	0	ROUND( 2 );
249	0	ROUND( 3 );
250	0	ROUND( 4 );
251	0	ROUND( 5 );
252	0	ROUND( 6 );
253	0	ROUND( 7 );
254	0	ROUND( 8 );
255	0	ROUND( 9 );
256
257	0	for( i = 0; i < 8; ++i )
258	0	S->h[i] = S->h[i] ^ v[i] ^ v[i + 8];
259
260	0	#undef G
261	0	#undef ROUND
262
263	0	return 0;
264	0	}
265
266		/* inlen now in bytes */
267		int blake2s_update( blake2s_state S, const byte in, word32 inlen )
268	0	{
269	0	int ret = 0;
270	0	#ifdef WOLFSSL_SMALL_STACK
271	0	word32* m;
272	0	word32* v;
273
274	0	m = (word32)XMALLOC(sizeof(word32) 32, NULL, DYNAMIC_TYPE_TMP_BUFFER);
275
276	0	if ( m == NULL ) return MEMORY_E;
277
278	0	v = &m[16];
279		#else
280		word32 m[16];
281		word32 v[16];
282		#endif
283
284	0	while( inlen > 0 )
285	0	{
286	0	word32 left = S->buflen;
287	0	word32 fill = 2 * BLAKE2S_BLOCKBYTES - left;
288
289	0	if( inlen > fill )
290	0	{
291	0	XMEMCPY( S->buf + left, in, (wolfssl_word)fill ); /* Fill buffer */
292	0	S->buflen += fill;
293	0	blake2s_increment_counter( S, BLAKE2S_BLOCKBYTES );
294
295	0	{
296	0	ret= blake2s_compress( S, S->buf, m, v );
297	0	if (ret < 0) break;
298	0	}
299
300	0	XMEMCPY( S->buf, S->buf + BLAKE2S_BLOCKBYTES, BLAKE2S_BLOCKBYTES );
301		/* Shift buffer left */
302	0	S->buflen -= BLAKE2S_BLOCKBYTES;
303	0	in += fill;
304	0	inlen -= fill;
305	0	}
306	0	else /* inlen <= fill */
307	0	{
308	0	XMEMCPY( S->buf + left, in, (wolfssl_word)inlen );
309	0	S->buflen += inlen; /* Be lazy, do not compress */
310	0	inlen = 0;
311	0	}
312	0	}
313
314	0	WC_FREE_VAR_EX(m, NULL, DYNAMIC_TYPE_TMP_BUFFER);
315
316	0	return ret;
317	0	}
318
319		/* Is this correct? */
320		int blake2s_final( blake2s_state S, byte out, byte outlen )
321	0	{
322	0	int ret = 0;
323	0	word32 i;
324	0	byte buffer[BLAKE2S_BLOCKBYTES];
325	0	#ifdef WOLFSSL_SMALL_STACK
326	0	word32* m;
327	0	word32* v;
328
329	0	m = (word32)XMALLOC(sizeof(word32) 32, NULL, DYNAMIC_TYPE_TMP_BUFFER);
330
331	0	if ( m == NULL ) return MEMORY_E;
332
333	0	v = &m[16];
334		#else
335		word32 m[16];
336		word32 v[16];
337		#endif
338
339	0	if( S->buflen > BLAKE2S_BLOCKBYTES )
340	0	{
341	0	blake2s_increment_counter( S, BLAKE2S_BLOCKBYTES );
342
343	0	{
344	0	ret = blake2s_compress( S, S->buf, m, v );
345	0	if (ret < 0) goto out;
346	0	}
347
348	0	S->buflen -= BLAKE2S_BLOCKBYTES;
349	0	XMEMCPY( S->buf, S->buf + BLAKE2S_BLOCKBYTES, (wolfssl_word)S->buflen );
350	0	}
351
352	0	blake2s_increment_counter( S, S->buflen );
353	0	blake2s_set_lastblock( S );
354	0	XMEMSET( S->buf + S->buflen, 0, (wolfssl_word)(2 * BLAKE2S_BLOCKBYTES - S->buflen) );
355		/* Padding */
356	0	{
357	0	ret = blake2s_compress( S, S->buf, m, v );
358	0	if (ret < 0) goto out;
359	0	}
360
361	0	for( i = 0; i < 8; ++i ) /* Output full hash to temp buffer */
362	0	store64( buffer + sizeof( S->h[i] ) * i, S->h[i] );
363
364	0	XMEMCPY( out, buffer, outlen );
365
366	0	out:
367
368	0	WC_FREE_VAR_EX(m, NULL, DYNAMIC_TYPE_TMP_BUFFER);
369
370	0	return ret;
371	0	}
372
373		/* inlen, at least, should be word32. Others can be size_t. */
374		int blake2s( byte out, const void in, const void *key, const byte outlen,
375		const word32 inlen, byte keylen )
376	0	{
377	0	blake2s_state S[1];
378
379		/* Verify parameters */
380	0	if ( NULL == in ) return BAD_FUNC_ARG;
381
382	0	if ( NULL == out ) return BAD_FUNC_ARG;
383
384	0	if( NULL == key ) keylen = 0;
385
386	0	if( keylen > 0 )
387	0	{
388	0	int ret = blake2s_init_key( S, outlen, key, keylen );
389	0	if (ret < 0) return ret;
390	0	}
391	0	else
392	0	{
393	0	int ret = blake2s_init( S, outlen );
394	0	if (ret < 0) return ret;
395	0	}
396
397	0	{
398	0	int ret = blake2s_update( S, ( byte * )in, inlen );
399	0	if (ret < 0) return ret;
400	0	}
401
402	0	return blake2s_final( S, out, outlen );
403	0	}
404
405		#if defined(BLAKE2S_SELFTEST)
406		#include <string.h>
407		#include "blake2-kat.h"
408		int main( int argc, char **argv )
409		{
410		byte key[BLAKE2S_KEYBYTES];
411		byte buf[KAT_LENGTH];
412
413		for( word32 i = 0; i < BLAKE2S_KEYBYTES; ++i )
414		key[i] = ( byte )i;
415
416		for( word32 i = 0; i < KAT_LENGTH; ++i )
417		buf[i] = ( byte )i;
418
419		for( word32 i = 0; i < KAT_LENGTH; ++i )
420		{
421		byte hash[BLAKE2S_OUTBYTES];
422		if ( blake2s( hash, buf, key, BLAKE2S_OUTBYTES, i, BLAKE2S_KEYBYTES ) < 0 )
423		{
424		puts( "error" );
425		return -1;
426		}
427
428		if( 0 != XMEMCMP( hash, blake2s_keyed_kat[i], BLAKE2S_OUTBYTES ) )
429		{
430		puts( "error" );
431		return -1;
432		}
433		}
434
435		puts( "ok" );
436		return 0;
437		}
438		#endif
439
440
441		/* wolfCrypt API */
442
443		/* Init Blake2s digest, track size in case final doesn't want to "remember" */
444		int wc_InitBlake2s(Blake2s* b2s, word32 digestSz)
445	0	{
446	0	if (b2s == NULL){
447	0	return BAD_FUNC_ARG;
448	0	}
449	0	b2s->digestSz = digestSz;
450
451	0	return blake2s_init(b2s->S, (byte)digestSz);
452	0	}
453
454
455		/* Init Blake2s digest with key, track size in case final doesn't want to "remember" */
456		int wc_InitBlake2s_WithKey(Blake2s* b2s, word32 digestSz, const byte *key, word32 keylen)
457	0	{
458	0	if (b2s == NULL){
459	0	return BAD_FUNC_ARG;
460	0	}
461	0	b2s->digestSz = digestSz;
462
463	0	if (keylen >= 256)
464	0	return BAD_FUNC_ARG;
465
466	0	if (key)
467	0	return blake2s_init_key(b2s->S, (byte)digestSz, key, (byte)keylen);
468	0	else
469	0	return blake2s_init(b2s->S, (byte)digestSz);
470	0	}
471
472
473		/* Blake2s Update */
474		int wc_Blake2sUpdate(Blake2s* b2s, const byte* data, word32 sz)
475	0	{
476	0	if (b2s == NULL){
477	0	return BAD_FUNC_ARG;
478	0	}
479	0	if (data == NULL && sz != 0){
480	0	return BAD_FUNC_ARG;
481	0	}
482	0	if (sz == 0){
483	0	return 0;
484	0	}
485
486	0	return blake2s_update(b2s->S, data, sz);
487	0	}
488
489
490		/* Blake2s Final, if pass in zero size we use init digestSz */
491		int wc_Blake2sFinal(Blake2s* b2s, byte* final, word32 requestSz)
492	0	{
493	0	word32 sz;
494
495	0	if (b2s == NULL){
496	0	return BAD_FUNC_ARG;
497	0	}
498	0	if (final == NULL){
499	0	return BAD_FUNC_ARG;
500	0	}
501
502	0	sz = requestSz ? requestSz : b2s->digestSz;
503
504	0	return blake2s_final(b2s->S, final, (byte)sz);
505	0	}
506
507
508		/* end CTaoCrypt API */
509
510		#endif /* HAVE_BLAKE2S */
511