source: asp3_tinet_ecnl_rx/trunk/wolfssl-3.12.2/wolfcrypt/src/blake2b.c@ 337

Last change on this file since 337 was 337, checked in by coas-nagasima, 6 years ago

ASP3版ECNLを追加
  • Property svn:eol-style set to native
  • Property svn:mime-type set to text/x-csrc;charset=UTF-8
File size: 11.1 KB
Line 
1/*
2 BLAKE2 reference source code package - reference C implementations
3
4 Written in 2012 by Samuel Neves <sneves@dei.uc.pt>
5
6 To the extent possible under law, the author(s) have dedicated all copyright
7 and related and neighboring rights to this software to the public domain
8 worldwide. This software is distributed without any warranty.
9
10 You should have received a copy of the CC0 Public Domain Dedication along with
11 this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
12*/
13/* blake2b.c
14 *
15 * Copyright (C) 2006-2017 wolfSSL Inc.
16 *
17 * This file is part of wolfSSL.
18 *
19 * wolfSSL is free software; you can redistribute it and/or modify
20 * it under the terms of the GNU General Public License as published by
21 * the Free Software Foundation; either version 2 of the License, or
22 * (at your option) any later version.
23 *
24 * wolfSSL is distributed in the hope that it will be useful,
25 * but WITHOUT ANY WARRANTY; without even the implied warranty of
26 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27 * GNU General Public License for more details.
28 *
29 * You should have received a copy of the GNU General Public License
30 * along with this program; if not, write to the Free Software
31 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
32 */
33
34
35
36#ifdef HAVE_CONFIG_H
37 #include <config.h>
38#endif
39
40#include <wolfssl/wolfcrypt/settings.h>
41
42#ifdef HAVE_BLAKE2
43
44#include <wolfssl/wolfcrypt/blake2.h>
45#include <wolfssl/wolfcrypt/blake2-impl.h>
46
47
48static const word64 blake2b_IV[8] =
49{
50 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL,
51 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL,
52 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL,
53 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL
54};
55
56static const byte blake2b_sigma[12][16] =
57{
58 { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } ,
59 { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } ,
60 { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 } ,
61 { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 } ,
62 { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 } ,
63 { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 } ,
64 { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 } ,
65 { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 } ,
66 { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 } ,
67 { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 } ,
68 { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } ,
69 { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }
70};
71
72
73static INLINE int blake2b_set_lastnode( blake2b_state *S )
74{
75 S->f[1] = ~0ULL;
76 return 0;
77}
78
79/* Some helper functions, not necessarily useful */
80static INLINE int blake2b_set_lastblock( blake2b_state *S )
81{
82 if( S->last_node ) blake2b_set_lastnode( S );
83
84 S->f[0] = ~0ULL;
85 return 0;
86}
87
88static INLINE int blake2b_increment_counter( blake2b_state *S, const word64
89 inc )
90{
91 S->t[0] += inc;
92 S->t[1] += ( S->t[0] < inc );
93 return 0;
94}
95
96static INLINE int blake2b_init0( blake2b_state *S )
97{
98 int i;
99 XMEMSET( S, 0, sizeof( blake2b_state ) );
100
101 for( i = 0; i < 8; ++i ) S->h[i] = blake2b_IV[i];
102
103 return 0;
104}
105
106/* init xors IV with input parameter block */
107int blake2b_init_param( blake2b_state *S, const blake2b_param *P )
108{
109 word32 i;
110 byte *p ;
111 blake2b_init0( S );
112 p = ( byte * )( P );
113
114 /* IV XOR ParamBlock */
115 for( i = 0; i < 8; ++i )
116 S->h[i] ^= load64( p + sizeof( S->h[i] ) * i );
117
118 return 0;
119}
120
121
122
123int blake2b_init( blake2b_state *S, const byte outlen )
124{
125 blake2b_param P[1];
126
127 if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return -1;
128
129#ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD
130 P->digest_length = outlen;
131 P->key_length = 0;
132 P->fanout = 1;
133 P->depth = 1;
134 store32( &P->leaf_length, 0 );
135 store64( &P->node_offset, 0 );
136 P->node_depth = 0;
137 P->inner_length = 0;
138 XMEMSET( P->reserved, 0, sizeof( P->reserved ) );
139 XMEMSET( P->salt, 0, sizeof( P->salt ) );
140 XMEMSET( P->personal, 0, sizeof( P->personal ) );
141#else
142 XMEMSET( P, 0, sizeof( *P ) );
143 P->digest_length = outlen;
144 P->fanout = 1;
145 P->depth = 1;
146#endif
147 return blake2b_init_param( S, P );
148}
149
150
151int blake2b_init_key( blake2b_state *S, const byte outlen, const void *key,
152 const byte keylen )
153{
154 blake2b_param P[1];
155
156 if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return -1;
157
158 if ( !key || !keylen || keylen > BLAKE2B_KEYBYTES ) return -1;
159
160#ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD
161 P->digest_length = outlen;
162 P->key_length = keylen;
163 P->fanout = 1;
164 P->depth = 1;
165 store32( &P->leaf_length, 0 );
166 store64( &P->node_offset, 0 );
167 P->node_depth = 0;
168 P->inner_length = 0;
169 XMEMSET( P->reserved, 0, sizeof( P->reserved ) );
170 XMEMSET( P->salt, 0, sizeof( P->salt ) );
171 XMEMSET( P->personal, 0, sizeof( P->personal ) );
172#else
173 XMEMSET( P, 0, sizeof( *P ) );
174 P->digest_length = outlen;
175 P->key_length = keylen;
176 P->fanout = 1;
177 P->depth = 1;
178#endif
179
180 if( blake2b_init_param( S, P ) < 0 ) return -1;
181
182 {
183#ifdef WOLFSSL_SMALL_STACK
184 byte* block;
185
186 block = (byte*)XMALLOC(BLAKE2B_BLOCKBYTES, NULL, DYNAMIC_TYPE_TMP_BUFFER);
187
188 if ( block == NULL ) return -1;
189#else
190 byte block[BLAKE2B_BLOCKBYTES];
191#endif
192
193 XMEMSET( block, 0, BLAKE2B_BLOCKBYTES );
194 XMEMCPY( block, key, keylen );
195 blake2b_update( S, block, BLAKE2B_BLOCKBYTES );
196 secure_zero_memory( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from */
197 /* memory */
198
199#ifdef WOLFSSL_SMALL_STACK
200 XFREE(block, NULL, DYNAMIC_TYPE_TMP_BUFFER);
201#endif
202 }
203 return 0;
204}
205
206static int blake2b_compress( blake2b_state *S,
207 const byte block[BLAKE2B_BLOCKBYTES] )
208{
209 int i;
210
211#ifdef WOLFSSL_SMALL_STACK
212 word64* m;
213 word64* v;
214
215 m = (word64*)XMALLOC(sizeof(word64) * 16, NULL, DYNAMIC_TYPE_TMP_BUFFER);
216
217 if ( m == NULL ) return -1;
218
219 v = (word64*)XMALLOC(sizeof(word64) * 16, NULL, DYNAMIC_TYPE_TMP_BUFFER);
220
221 if ( v == NULL )
222 {
223 XFREE(m, NULL, DYNAMIC_TYPE_TMP_BUFFER);
224 return -1;
225 }
226#else
227 word64 m[16];
228 word64 v[16];
229#endif
230
231 for( i = 0; i < 16; ++i )
232 m[i] = load64( block + i * sizeof( m[i] ) );
233
234 for( i = 0; i < 8; ++i )
235 v[i] = S->h[i];
236
237 v[ 8] = blake2b_IV[0];
238 v[ 9] = blake2b_IV[1];
239 v[10] = blake2b_IV[2];
240 v[11] = blake2b_IV[3];
241 v[12] = S->t[0] ^ blake2b_IV[4];
242 v[13] = S->t[1] ^ blake2b_IV[5];
243 v[14] = S->f[0] ^ blake2b_IV[6];
244 v[15] = S->f[1] ^ blake2b_IV[7];
245#define G(r,i,a,b,c,d) \
246 do { \
247 a = a + b + m[blake2b_sigma[r][2*i+0]]; \
248 d = rotr64(d ^ a, 32); \
249 c = c + d; \
250 b = rotr64(b ^ c, 24); \
251 a = a + b + m[blake2b_sigma[r][2*i+1]]; \
252 d = rotr64(d ^ a, 16); \
253 c = c + d; \
254 b = rotr64(b ^ c, 63); \
255 } while(0)
256#define ROUND(r) \
257 do { \
258 G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \
259 G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \
260 G(r,2,v[ 2],v[ 6],v[10],v[14]); \
261 G(r,3,v[ 3],v[ 7],v[11],v[15]); \
262 G(r,4,v[ 0],v[ 5],v[10],v[15]); \
263 G(r,5,v[ 1],v[ 6],v[11],v[12]); \
264 G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \
265 G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \
266 } while(0)
267 ROUND( 0 );
268 ROUND( 1 );
269 ROUND( 2 );
270 ROUND( 3 );
271 ROUND( 4 );
272 ROUND( 5 );
273 ROUND( 6 );
274 ROUND( 7 );
275 ROUND( 8 );
276 ROUND( 9 );
277 ROUND( 10 );
278 ROUND( 11 );
279
280 for( i = 0; i < 8; ++i )
281 S->h[i] = S->h[i] ^ v[i] ^ v[i + 8];
282
283#undef G
284#undef ROUND
285
286#ifdef WOLFSSL_SMALL_STACK
287 XFREE(m, NULL, DYNAMIC_TYPE_TMP_BUFFER);
288 XFREE(v, NULL, DYNAMIC_TYPE_TMP_BUFFER);
289#endif
290
291 return 0;
292}
293
294/* inlen now in bytes */
295int blake2b_update( blake2b_state *S, const byte *in, word64 inlen )
296{
297 while( inlen > 0 )
298 {
299 word64 left = S->buflen;
300 word64 fill = 2 * BLAKE2B_BLOCKBYTES - left;
301
302 if( inlen > fill )
303 {
304 XMEMCPY( S->buf + left, in, (wolfssl_word)fill ); /* Fill buffer */
305 S->buflen += fill;
306 blake2b_increment_counter( S, BLAKE2B_BLOCKBYTES );
307
308 if ( blake2b_compress( S, S->buf ) < 0 ) return -1; /* Compress */
309
310 XMEMCPY( S->buf, S->buf + BLAKE2B_BLOCKBYTES, BLAKE2B_BLOCKBYTES );
311 /* Shift buffer left */
312 S->buflen -= BLAKE2B_BLOCKBYTES;
313 in += fill;
314 inlen -= fill;
315 }
316 else /* inlen <= fill */
317 {
318 XMEMCPY( S->buf + left, in, (wolfssl_word)inlen );
319 S->buflen += inlen; /* Be lazy, do not compress */
320 in += inlen;
321 inlen -= inlen;
322 }
323 }
324
325 return 0;
326}
327
328/* Is this correct? */
329int blake2b_final( blake2b_state *S, byte *out, byte outlen )
330{
331 byte buffer[BLAKE2B_OUTBYTES];
332 int i;
333
334 if( S->buflen > BLAKE2B_BLOCKBYTES )
335 {
336 blake2b_increment_counter( S, BLAKE2B_BLOCKBYTES );
337
338 if ( blake2b_compress( S, S->buf ) < 0 ) return -1;
339
340 S->buflen -= BLAKE2B_BLOCKBYTES;
341 XMEMCPY( S->buf, S->buf + BLAKE2B_BLOCKBYTES, (wolfssl_word)S->buflen );
342 }
343
344 blake2b_increment_counter( S, S->buflen );
345 blake2b_set_lastblock( S );
346 XMEMSET( S->buf + S->buflen, 0, (wolfssl_word)(2 * BLAKE2B_BLOCKBYTES - S->buflen) );
347 /* Padding */
348 if ( blake2b_compress( S, S->buf ) < 0 ) return -1;
349
350 for( i = 0; i < 8; ++i ) /* Output full hash to temp buffer */
351 store64( buffer + sizeof( S->h[i] ) * i, S->h[i] );
352
353 XMEMCPY( out, buffer, outlen );
354 return 0;
355}
356
357/* inlen, at least, should be word64. Others can be size_t. */
358int blake2b( byte *out, const void *in, const void *key, const byte outlen,
359 const word64 inlen, byte keylen )
360{
361 blake2b_state S[1];
362
363 /* Verify parameters */
364 if ( NULL == in ) return -1;
365
366 if ( NULL == out ) return -1;
367
368 if( NULL == key ) keylen = 0;
369
370 if( keylen > 0 )
371 {
372 if( blake2b_init_key( S, outlen, key, keylen ) < 0 ) return -1;
373 }
374 else
375 {
376 if( blake2b_init( S, outlen ) < 0 ) return -1;
377 }
378
379 if ( blake2b_update( S, ( byte * )in, inlen ) < 0) return -1;
380
381 return blake2b_final( S, out, outlen );
382}
383
384#if defined(BLAKE2B_SELFTEST)
385#include <string.h>
386#include "blake2-kat.h"
387int main( int argc, char **argv )
388{
389 byte key[BLAKE2B_KEYBYTES];
390 byte buf[KAT_LENGTH];
391
392 for( word32 i = 0; i < BLAKE2B_KEYBYTES; ++i )
393 key[i] = ( byte )i;
394
395 for( word32 i = 0; i < KAT_LENGTH; ++i )
396 buf[i] = ( byte )i;
397
398 for( word32 i = 0; i < KAT_LENGTH; ++i )
399 {
400 byte hash[BLAKE2B_OUTBYTES];
401 if ( blake2b( hash, buf, key, BLAKE2B_OUTBYTES, i, BLAKE2B_KEYBYTES ) < 0 )
402 {
403 puts( "error" );
404 return -1;
405 }
406
407 if( 0 != XMEMCMP( hash, blake2b_keyed_kat[i], BLAKE2B_OUTBYTES ) )
408 {
409 puts( "error" );
410 return -1;
411 }
412 }
413
414 puts( "ok" );
415 return 0;
416}
417#endif
418
419
420/* wolfCrypt API */
421
422/* Init Blake2b digest, track size in case final doesn't want to "remember" */
423int wc_InitBlake2b(Blake2b* b2b, word32 digestSz)
424{
425 b2b->digestSz = digestSz;
426
427 return blake2b_init(b2b->S, (byte)digestSz);
428}
429
430
431/* Blake2b Update */
432int wc_Blake2bUpdate(Blake2b* b2b, const byte* data, word32 sz)
433{
434 return blake2b_update(b2b->S, data, sz);
435}
436
437
438/* Blake2b Final, if pass in zero size we use init digestSz */
439int wc_Blake2bFinal(Blake2b* b2b, byte* final, word32 requestSz)
440{
441 word32 sz = requestSz ? requestSz : b2b->digestSz;
442
443 return blake2b_final(b2b->S, final, (byte)sz);
444}
445
446
447/* end CTaoCrypt API */
448
449#endif /* HAVE_BLAKE2 */
450
Note: See TracBrowser for help on using the repository browser.