2 * BLAKE2 reference source code package - reference C implementations
4 * Copyright 2012, Samuel Neves <sneves@dei.uc.pt>.
5 * You may use this under the terms of the CC0, the OpenSSL Licence, or the
6 * Apache Public License 2.0, at your option. The terms of these licenses can
9 * - OpenSSL license : https://www.openssl.org/source/license.html
10 * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0
11 * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
13 * More information about the BLAKE2 hash function can be found at
17 /* crypto/blake2/blake2s.c */
22 #include <openssl/crypto.h>
24 #include "internal/blake2_locl.h"
25 #include "blake2_impl.h"
27 static const uint32_t blake2s_IV[8] =
29 0x6A09E667UL, 0xBB67AE85UL, 0x3C6EF372UL, 0xA54FF53AUL,
30 0x510E527FUL, 0x9B05688CUL, 0x1F83D9ABUL, 0x5BE0CD19UL
33 static const uint8_t blake2s_sigma[10][16] =
35 { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } ,
36 { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } ,
37 { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 } ,
38 { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 } ,
39 { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 } ,
40 { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 } ,
41 { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 } ,
42 { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 } ,
43 { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 } ,
44 { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 } ,
47 /* Some helper functions, not necessarily useful */
48 static inline void blake2s_set_lastblock(BLAKE2S_CTX *S)
53 /* Increment the data hashed couter. */
54 static inline void blake2s_increment_counter(BLAKE2S_CTX *S,
58 S->t[1] += (S->t[0] < inc);
61 /* Initialize the hashing state. */
62 static inline void blake2s_init0(BLAKE2S_CTX *S)
66 memset(S, 0, sizeof(BLAKE2S_CTX));
67 for(i = 0; i < 8; ++i) {
68 S->h[i] = blake2s_IV[i];
72 /* init2 xors IV with input parameter block */
73 static void blake2s_init_param(BLAKE2S_CTX *S, const BLAKE2S_PARAM *P)
75 const uint32_t *p = (const uint32_t *)(P);
78 /* The param struct is carefully hand packed, and should be 32 bytes on
80 OPENSSL_assert(sizeof(BLAKE2S_PARAM) == 32);
82 /* IV XOR ParamBlock */
83 for(i = 0; i < 8; ++i) {
84 S->h[i] ^= load32(&p[i]);
88 /* Initialize the hashing context. Always returns 1. */
89 int BLAKE2s_Init(BLAKE2S_CTX *c)
93 P->digest_length = BLAKE2S_DIGEST_LENGTH;
97 store32(&P->leaf_length, 0);
98 store48(&P->node_offset, 0);
101 /* memset(P->reserved, 0, sizeof(P->reserved)); */
102 memset(P->salt, 0, sizeof(P->salt));
103 memset(P->personal, 0, sizeof(P->personal));
104 blake2s_init_param(c, P);
108 /* Permute the state while xoring in the block of data. */
109 static void blake2s_compress(BLAKE2S_CTX *S,
110 const uint8_t block[BLAKE2S_BLOCKBYTES])
116 for(i = 0; i < 16; ++i) {
117 m[i] = load32(block + i * sizeof(m[i]));
120 for(i = 0; i < 8; ++i) {
124 v[ 8] = blake2s_IV[0];
125 v[ 9] = blake2s_IV[1];
126 v[10] = blake2s_IV[2];
127 v[11] = blake2s_IV[3];
128 v[12] = S->t[0] ^ blake2s_IV[4];
129 v[13] = S->t[1] ^ blake2s_IV[5];
130 v[14] = S->f[0] ^ blake2s_IV[6];
131 v[15] = S->f[1] ^ blake2s_IV[7];
132 #define G(r,i,a,b,c,d) \
134 a = a + b + m[blake2s_sigma[r][2*i+0]]; \
135 d = rotr32(d ^ a, 16); \
137 b = rotr32(b ^ c, 12); \
138 a = a + b + m[blake2s_sigma[r][2*i+1]]; \
139 d = rotr32(d ^ a, 8); \
141 b = rotr32(b ^ c, 7); \
145 G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \
146 G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \
147 G(r,2,v[ 2],v[ 6],v[10],v[14]); \
148 G(r,3,v[ 3],v[ 7],v[11],v[15]); \
149 G(r,4,v[ 0],v[ 5],v[10],v[15]); \
150 G(r,5,v[ 1],v[ 6],v[11],v[12]); \
151 G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \
152 G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \
165 for(i = 0; i < 8; ++i) {
166 S->h[i] = S->h[i] ^ v[i] ^ v[i + 8];
173 /* Absorb the input data into the hash state. Always returns 1. */
174 int BLAKE2s_Update(BLAKE2S_CTX *c, const void *data, size_t datalen)
176 const uint8_t *in = data;
180 fill = sizeof(c->buf) - c->buflen;
181 /* Must be >, not >=, so that last block can be hashed differently */
183 memcpy(c->buf + c->buflen, in, fill); /* Fill buffer */
184 blake2s_increment_counter(c, BLAKE2S_BLOCKBYTES);
185 blake2s_compress(c, c->buf); /* Compress */
189 } else { /* datalen <= fill */
190 memcpy(c->buf + c->buflen, in, datalen);
191 c->buflen += datalen; /* Be lazy, do not compress */
200 * Finalize the hash state in a way that avoids length extension attacks.
203 int BLAKE2s_Final(unsigned char *md, BLAKE2S_CTX *c)
207 blake2s_increment_counter(c, (uint32_t)c->buflen);
208 blake2s_set_lastblock(c);
210 memset(c->buf + c->buflen, 0, sizeof(c->buf) - c->buflen);
211 blake2s_compress(c, c->buf);
213 /* Output full hash to temp buffer */
214 for(i = 0; i < 8; ++i) {
215 store32(md + sizeof(c->h[i]) * i, c->h[i]);
218 OPENSSL_cleanse(c, sizeof(BLAKE2S_CTX));