Qu Wenruo | b98e8a2 | 2021-12-27 14:12:07 +0800 | [diff] [blame] | 1 | /* SPDX-License-Identifier: CC0-1.0 */ |
| 2 | /* |
| 3 | BLAKE2 reference source code package - reference C implementations |
| 4 | |
| 5 | Copyright 2012, Samuel Neves <sneves@dei.uc.pt>. You may use this under the |
| 6 | terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at |
| 7 | your option. The terms of these licenses can be found at: |
| 8 | |
| 9 | - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 |
| 10 | - OpenSSL license : https://www.openssl.org/source/license.html |
| 11 | - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 |
| 12 | |
| 13 | More information about the BLAKE2 hash function can be found at |
| 14 | https://blake2.net. |
| 15 | */ |
| 16 | |
| 17 | /* |
| 18 | * Cross-ported from BLAKE2 (https://github.com/BLAKE2/BLAKE2). |
| 19 | * Modifications includes: |
| 20 | * |
| 21 | * - Remove unused features like selftest |
| 22 | * - Use u-boot library functions/macros |
| 23 | */ |
| 24 | #include <stdint.h> |
| 25 | #include <string.h> |
| 26 | #include <stdio.h> |
| 27 | #include <u-boot/blake2.h> |
| 28 | #include "blake2-impl.h" |
| 29 | |
| 30 | static const uint64_t blake2b_IV[8] = |
| 31 | { |
| 32 | 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, |
| 33 | 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL, |
| 34 | 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL, |
| 35 | 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL |
| 36 | }; |
| 37 | |
| 38 | static const uint8_t blake2b_sigma[12][16] = |
| 39 | { |
| 40 | { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } , |
| 41 | { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } , |
| 42 | { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 } , |
| 43 | { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 } , |
| 44 | { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 } , |
| 45 | { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 } , |
| 46 | { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 } , |
| 47 | { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 } , |
| 48 | { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 } , |
| 49 | { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 } , |
| 50 | { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } , |
| 51 | { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } |
| 52 | }; |
| 53 | |
| 54 | |
| 55 | static void blake2b_set_lastnode( blake2b_state *S ) |
| 56 | { |
| 57 | S->f[1] = (uint64_t)-1; |
| 58 | } |
| 59 | |
| 60 | /* Some helper functions, not necessarily useful */ |
| 61 | static int blake2b_is_lastblock( const blake2b_state *S ) |
| 62 | { |
| 63 | return S->f[0] != 0; |
| 64 | } |
| 65 | |
| 66 | static void blake2b_set_lastblock( blake2b_state *S ) |
| 67 | { |
| 68 | if( S->last_node ) blake2b_set_lastnode( S ); |
| 69 | |
| 70 | S->f[0] = (uint64_t)-1; |
| 71 | } |
| 72 | |
| 73 | static void blake2b_increment_counter( blake2b_state *S, const uint64_t inc ) |
| 74 | { |
| 75 | S->t[0] += inc; |
| 76 | S->t[1] += ( S->t[0] < inc ); |
| 77 | } |
| 78 | |
| 79 | static void blake2b_init0( blake2b_state *S ) |
| 80 | { |
| 81 | size_t i; |
| 82 | memset( S, 0, sizeof( blake2b_state ) ); |
| 83 | |
| 84 | for( i = 0; i < 8; ++i ) S->h[i] = blake2b_IV[i]; |
| 85 | } |
| 86 | |
| 87 | /* init xors IV with input parameter block */ |
| 88 | int blake2b_init_param( blake2b_state *S, const blake2b_param *P ) |
| 89 | { |
| 90 | const uint8_t *p = ( const uint8_t * )( P ); |
| 91 | size_t i; |
| 92 | |
| 93 | blake2b_init0( S ); |
| 94 | |
| 95 | /* IV XOR ParamBlock */ |
| 96 | for( i = 0; i < 8; ++i ) |
| 97 | S->h[i] ^= load64( p + sizeof( S->h[i] ) * i ); |
| 98 | |
| 99 | S->outlen = P->digest_length; |
| 100 | return 0; |
| 101 | } |
| 102 | |
| 103 | |
| 104 | |
| 105 | int blake2b_init( blake2b_state *S, size_t outlen ) |
| 106 | { |
| 107 | blake2b_param P[1]; |
| 108 | |
| 109 | if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return -1; |
| 110 | |
| 111 | P->digest_length = (uint8_t)outlen; |
| 112 | P->key_length = 0; |
| 113 | P->fanout = 1; |
| 114 | P->depth = 1; |
| 115 | store32( &P->leaf_length, 0 ); |
| 116 | store32( &P->node_offset, 0 ); |
| 117 | store32( &P->xof_length, 0 ); |
| 118 | P->node_depth = 0; |
| 119 | P->inner_length = 0; |
| 120 | memset( P->reserved, 0, sizeof( P->reserved ) ); |
| 121 | memset( P->salt, 0, sizeof( P->salt ) ); |
| 122 | memset( P->personal, 0, sizeof( P->personal ) ); |
| 123 | return blake2b_init_param( S, P ); |
| 124 | } |
| 125 | |
| 126 | |
| 127 | int blake2b_init_key( blake2b_state *S, size_t outlen, const void *key, size_t keylen ) |
| 128 | { |
| 129 | blake2b_param P[1]; |
| 130 | |
| 131 | if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return -1; |
| 132 | |
| 133 | if ( !key || !keylen || keylen > BLAKE2B_KEYBYTES ) return -1; |
| 134 | |
| 135 | P->digest_length = (uint8_t)outlen; |
| 136 | P->key_length = (uint8_t)keylen; |
| 137 | P->fanout = 1; |
| 138 | P->depth = 1; |
| 139 | store32( &P->leaf_length, 0 ); |
| 140 | store32( &P->node_offset, 0 ); |
| 141 | store32( &P->xof_length, 0 ); |
| 142 | P->node_depth = 0; |
| 143 | P->inner_length = 0; |
| 144 | memset( P->reserved, 0, sizeof( P->reserved ) ); |
| 145 | memset( P->salt, 0, sizeof( P->salt ) ); |
| 146 | memset( P->personal, 0, sizeof( P->personal ) ); |
| 147 | |
| 148 | if( blake2b_init_param( S, P ) < 0 ) return -1; |
| 149 | |
| 150 | { |
| 151 | uint8_t block[BLAKE2B_BLOCKBYTES]; |
| 152 | memset( block, 0, BLAKE2B_BLOCKBYTES ); |
| 153 | memcpy( block, key, keylen ); |
| 154 | blake2b_update( S, block, BLAKE2B_BLOCKBYTES ); |
| 155 | secure_zero_memory( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from stack */ |
| 156 | } |
| 157 | return 0; |
| 158 | } |
| 159 | |
| 160 | #define G(r,i,a,b,c,d) \ |
| 161 | do { \ |
| 162 | a = a + b + m[blake2b_sigma[r][2*i+0]]; \ |
| 163 | d = rotr64(d ^ a, 32); \ |
| 164 | c = c + d; \ |
| 165 | b = rotr64(b ^ c, 24); \ |
| 166 | a = a + b + m[blake2b_sigma[r][2*i+1]]; \ |
| 167 | d = rotr64(d ^ a, 16); \ |
| 168 | c = c + d; \ |
| 169 | b = rotr64(b ^ c, 63); \ |
| 170 | } while(0) |
| 171 | |
| 172 | #define R(r) \ |
| 173 | do { \ |
| 174 | G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \ |
| 175 | G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \ |
| 176 | G(r,2,v[ 2],v[ 6],v[10],v[14]); \ |
| 177 | G(r,3,v[ 3],v[ 7],v[11],v[15]); \ |
| 178 | G(r,4,v[ 0],v[ 5],v[10],v[15]); \ |
| 179 | G(r,5,v[ 1],v[ 6],v[11],v[12]); \ |
| 180 | G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \ |
| 181 | G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \ |
| 182 | } while(0) |
| 183 | |
| 184 | static void blake2b_compress( blake2b_state *S, const uint8_t block[BLAKE2B_BLOCKBYTES] ) |
| 185 | { |
| 186 | uint64_t m[16]; |
| 187 | uint64_t v[16]; |
| 188 | size_t i; |
| 189 | |
| 190 | for( i = 0; i < 16; ++i ) { |
| 191 | m[i] = load64( block + i * sizeof( m[i] ) ); |
| 192 | } |
| 193 | |
| 194 | for( i = 0; i < 8; ++i ) { |
| 195 | v[i] = S->h[i]; |
| 196 | } |
| 197 | |
| 198 | v[ 8] = blake2b_IV[0]; |
| 199 | v[ 9] = blake2b_IV[1]; |
| 200 | v[10] = blake2b_IV[2]; |
| 201 | v[11] = blake2b_IV[3]; |
| 202 | v[12] = blake2b_IV[4] ^ S->t[0]; |
| 203 | v[13] = blake2b_IV[5] ^ S->t[1]; |
| 204 | v[14] = blake2b_IV[6] ^ S->f[0]; |
| 205 | v[15] = blake2b_IV[7] ^ S->f[1]; |
| 206 | |
| 207 | R( 0 ); |
| 208 | R( 1 ); |
| 209 | R( 2 ); |
| 210 | R( 3 ); |
| 211 | R( 4 ); |
| 212 | R( 5 ); |
| 213 | R( 6 ); |
| 214 | R( 7 ); |
| 215 | R( 8 ); |
| 216 | R( 9 ); |
| 217 | R( 10 ); |
| 218 | R( 11 ); |
| 219 | |
| 220 | for( i = 0; i < 8; ++i ) { |
| 221 | S->h[i] = S->h[i] ^ v[i] ^ v[i + 8]; |
| 222 | } |
| 223 | } |
| 224 | |
| 225 | #undef G |
| 226 | #undef R |
| 227 | |
| 228 | int blake2b_update( blake2b_state *S, const void *pin, size_t inlen ) |
| 229 | { |
| 230 | const unsigned char * in = (const unsigned char *)pin; |
| 231 | if( inlen > 0 ) |
| 232 | { |
| 233 | size_t left = S->buflen; |
| 234 | size_t fill = BLAKE2B_BLOCKBYTES - left; |
| 235 | if( inlen > fill ) |
| 236 | { |
| 237 | S->buflen = 0; |
| 238 | memcpy( S->buf + left, in, fill ); /* Fill buffer */ |
| 239 | blake2b_increment_counter( S, BLAKE2B_BLOCKBYTES ); |
| 240 | blake2b_compress( S, S->buf ); /* Compress */ |
| 241 | in += fill; inlen -= fill; |
| 242 | while(inlen > BLAKE2B_BLOCKBYTES) { |
| 243 | blake2b_increment_counter(S, BLAKE2B_BLOCKBYTES); |
| 244 | blake2b_compress( S, in ); |
| 245 | in += BLAKE2B_BLOCKBYTES; |
| 246 | inlen -= BLAKE2B_BLOCKBYTES; |
| 247 | } |
| 248 | } |
| 249 | memcpy( S->buf + S->buflen, in, inlen ); |
| 250 | S->buflen += inlen; |
| 251 | } |
| 252 | return 0; |
| 253 | } |
| 254 | |
| 255 | int blake2b_final( blake2b_state *S, void *out, size_t outlen ) |
| 256 | { |
| 257 | uint8_t buffer[BLAKE2B_OUTBYTES] = {0}; |
| 258 | size_t i; |
| 259 | |
| 260 | if( out == NULL || outlen < S->outlen ) |
| 261 | return -1; |
| 262 | |
| 263 | if( blake2b_is_lastblock( S ) ) |
| 264 | return -1; |
| 265 | |
| 266 | blake2b_increment_counter( S, S->buflen ); |
| 267 | blake2b_set_lastblock( S ); |
| 268 | memset( S->buf + S->buflen, 0, BLAKE2B_BLOCKBYTES - S->buflen ); /* Padding */ |
| 269 | blake2b_compress( S, S->buf ); |
| 270 | |
| 271 | for( i = 0; i < 8; ++i ) /* Output full hash to temp buffer */ |
| 272 | store64( buffer + sizeof( S->h[i] ) * i, S->h[i] ); |
| 273 | |
| 274 | memcpy( out, buffer, S->outlen ); |
| 275 | secure_zero_memory(buffer, sizeof(buffer)); |
| 276 | return 0; |
| 277 | } |
| 278 | |
| 279 | /* inlen, at least, should be uint64_t. Others can be size_t. */ |
| 280 | int blake2b( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ) |
| 281 | { |
| 282 | blake2b_state S[1]; |
| 283 | |
| 284 | /* Verify parameters */ |
| 285 | if ( NULL == in && inlen > 0 ) return -1; |
| 286 | |
| 287 | if ( NULL == out ) return -1; |
| 288 | |
| 289 | if( NULL == key && keylen > 0 ) return -1; |
| 290 | |
| 291 | if( !outlen || outlen > BLAKE2B_OUTBYTES ) return -1; |
| 292 | |
| 293 | if( keylen > BLAKE2B_KEYBYTES ) return -1; |
| 294 | |
| 295 | if( keylen > 0 ) |
| 296 | { |
| 297 | if( blake2b_init_key( S, outlen, key, keylen ) < 0 ) return -1; |
| 298 | } |
| 299 | else |
| 300 | { |
| 301 | if( blake2b_init( S, outlen ) < 0 ) return -1; |
| 302 | } |
| 303 | |
| 304 | blake2b_update( S, ( const uint8_t * )in, inlen ); |
| 305 | blake2b_final( S, out, outlen ); |
| 306 | return 0; |
| 307 | } |
| 308 | |
| 309 | int blake2( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ) { |
| 310 | return blake2b(out, outlen, in, inlen, key, keylen); |
| 311 | } |