search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
macros.h replaced with smaller headers, U8TO*_?E() renamed and converted to static...
[rofl0r-kripto.git] / lib / hash / blake2s.c
blobf2ec6a8e14338ba9944d7b3aa2d49bb3ba0fb63a
1 /*
2 * Copyright (C) 2013 Gregor Pintar <grpintar@gmail.com>
3 *
4 * Permission is granted to deal in this work without any restriction,
5 * including unlimited rights to use, publicly perform, publish,
6 * reproduce, relicence, modify, merge, and/or distribute in any form,
7 * for any purpose, with or without fee, and by any means.
8 *
9 * This work is provided "AS IS" and WITHOUT WARRANTY of any kind,
10 * to the utmost extent permitted by applicable law. In no event
11 * shall a licensor, author or contributor be held liable for any
12 * issues arising in any way out of dealing in the work.
13 */
14
15 #include <stdint.h>
16 #include <stddef.h>
17 #include <stdlib.h>
18 #include <limits.h>
19 #include <assert.h>
20
21 #include <kripto/loadstore.h>
22 #include <kripto/rotate.h>
23 #include <kripto/memwipe.h>
24 #include <kripto/hash.h>
25 #include <kripto/desc/hash.h>
26
27 #include <kripto/hash/blake2s.h>
28
29 struct kripto_hash
30 {
31 const kripto_hash_desc *hash;
32 unsigned int r;
33 uint32_t h[8];
34 uint32_t len[2];
35 uint32_t f;
36 uint8_t buf[64];
37 unsigned int i;
38 };
39
40 static const uint8_t sigma[10][16] =
41 {
42 { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
43 {14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3},
44 {11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4},
45 { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8},
46 { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13},
47 { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9},
48 {12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11},
49 {13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10},
50 { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5},
51 {10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0}
52 };
53
54 static const uint32_t iv[8] =
55 {
56 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
57 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19
58 };
59
60 static kripto_hash *blake2s_recreate
61 (
62 kripto_hash *s,
63 unsigned int r,
64 size_t len
65 )
66 {
67 s->r = r;
68 if(!s->r) s->r = 10;
69
70 s->f = s->len[0] = s->len[1] = s->i = 0;
71
72 /* s->h[0] = iv[0] ^ 0x01010020; */
73 s->h[0] = iv[0] ^ 0x01010000 ^ (uint8_t)len;
74 s->h[1] = iv[1];
75 s->h[2] = iv[2];
76 s->h[3] = iv[3];
77 s->h[4] = iv[4];
78 s->h[5] = iv[5];
79 s->h[6] = iv[6];
80 s->h[7] = iv[7];
81
82 return s;
83 }
84
85 #define G(A, B, C, D, M0, M1) \
86 { \
87 A += B + (M0); \
88 D = ROR32(D ^ A, 16); \
89 C += D; \
90 B = ROR32(B ^ C, 12); \
91 \
92 A += B + (M1); \
93 D = ROR32(D ^ A, 8); \
94 C += D; \
95 B = ROR32(B ^ C, 7); \
96 }
97
98 static void blake2s_process(kripto_hash *s, const uint8_t *data)
99 {
100 uint32_t x0;
101 uint32_t x1;
102 uint32_t x2;
103 uint32_t x3;
104 uint32_t x4;
105 uint32_t x5;
106 uint32_t x6;
107 uint32_t x7;
108 uint32_t x8;
109 uint32_t x9;
110 uint32_t x10;
111 uint32_t x11;
112 uint32_t x12;
113 uint32_t x13;
114 uint32_t x14;
115 uint32_t x15;
116 uint32_t m[16];
117 unsigned int r;
118 unsigned int i;
119
120 m[0] = LOAD32L(data);
121 m[1] = LOAD32L(data + 4);
122 m[2] = LOAD32L(data + 8);
123 m[3] = LOAD32L(data + 12);
124 m[4] = LOAD32L(data + 16);
125 m[5] = LOAD32L(data + 20);
126 m[6] = LOAD32L(data + 24);
127 m[7] = LOAD32L(data + 28);
128 m[8] = LOAD32L(data + 32);
129 m[9] = LOAD32L(data + 36);
130 m[10] = LOAD32L(data + 40);
131 m[11] = LOAD32L(data + 44);
132 m[12] = LOAD32L(data + 48);
133 m[13] = LOAD32L(data + 52);
134 m[14] = LOAD32L(data + 56);
135 m[15] = LOAD32L(data + 60);
136
137 x0 = s->h[0];
138 x1 = s->h[1];
139 x2 = s->h[2];
140 x3 = s->h[3];
141 x4 = s->h[4];
142 x5 = s->h[5];
143 x6 = s->h[6];
144 x7 = s->h[7];
145 x8 = iv[0];
146 x9 = iv[1];
147 x10 = iv[2];
148 x11 = iv[3];
149 x12 = iv[4] ^ s->len[0];
150 x13 = iv[5] ^ s->len[1];
151 x14 = iv[6] ^ s->f;
152 x15 = iv[7];
153
154 for(r = 0, i = 0; r < s->r; r++, i++)
155 {
156 if(i == 10) i = 0;
157
158 G(x0, x4, x8, x12, m[sigma[i][0]], m[sigma[i][1]]);
159 G(x1, x5, x9, x13, m[sigma[i][2]], m[sigma[i][3]]);
160 G(x2, x6, x10, x14, m[sigma[i][4]], m[sigma[i][5]]);
161 G(x3, x7, x11, x15, m[sigma[i][6]], m[sigma[i][7]]);
162
163 G(x0, x5, x10, x15, m[sigma[i][8]], m[sigma[i][9]]);
164 G(x1, x6, x11, x12, m[sigma[i][10]], m[sigma[i][11]]);
165 G(x2, x7, x8, x13, m[sigma[i][12]], m[sigma[i][13]]);
166 G(x3, x4, x9, x14, m[sigma[i][14]], m[sigma[i][15]]);
167 }
168
169 kripto_memwipe(m, 64);
170
171 s->h[0] ^= x0 ^ x8;
172 s->h[1] ^= x1 ^ x9;
173 s->h[2] ^= x2 ^ x10;
174 s->h[3] ^= x3 ^ x11;
175 s->h[4] ^= x4 ^ x12;
176 s->h[5] ^= x5 ^ x13;
177 s->h[6] ^= x6 ^ x14;
178 s->h[7] ^= x7 ^ x15;
179 }
180
181 static void blake2s_input
182 (
183 kripto_hash *s,
184 const void *in,
185 size_t len
186 )
187 {
188 size_t i;
189
190 for(i = 0; i < len; i++)
191 {
192 if(s->i == 64)
193 {
194 s->len[0] += 64;
195 if(!s->len[0])
196 {
197 s->len[1]++;
198 assert(s->len[1]);
199 }
200
201 blake2s_process(s, s->buf);
202 s->i = 0;
203 }
204
205 s->buf[s->i++] = CU8(in)[i];
206 }
207 }
208
209 static void blake2s_finish(kripto_hash *s)
210 {
211 s->len[0] += s->i;
212 if(s->len[0] < s->i) s->len[1]++;
213
214 while(s->i < 64) s->buf[s->i++] = 0;
215
216 s->f = 0xFFFFFFFF;
217
218 blake2s_process(s, s->buf);
219
220 s->i = 0;
221 }
222
223 static void blake2s_output(kripto_hash *s, void *out, size_t len)
224 {
225 unsigned int i;
226
227 if(!s->f) blake2s_finish(s);
228
229 /* little endian */
230 for(i = 0; i < len; s->i++, i++)
231 {
232 U8(out)[i] = s->h[s->i >> 2];
233 s->h[s->i >> 2] >>= 8;
234 }
235 }
236
237 static kripto_hash *blake2s_create(unsigned int r, size_t len)
238 {
239 kripto_hash *s;
240
241 s = malloc(sizeof(kripto_hash));
242 if(!s) return 0;
243
244 s->hash = kripto_hash_blake2s;
245
246 (void)blake2s_recreate(s, r, len);
247
248 return s;
249 }
250
251 static void blake2s_destroy(kripto_hash *s)
252 {
253 kripto_memwipe(s, sizeof(kripto_hash));
254 free(s);
255 }
256
257 static int blake2s_hash
258 (
259 unsigned int r,
260 const void *in,
261 size_t in_len,
262 void *out,
263 size_t out_len
264 )
265 {
266 kripto_hash s;
267
268 (void)blake2s_recreate(&s, r, out_len);
269 blake2s_input(&s, in, in_len);
270 blake2s_output(&s, out, out_len);
271
272 kripto_memwipe(&s, sizeof(kripto_hash));
273
274 return 0;
275 }
276
277 static const kripto_hash_desc blake2s =
278 {
279 &blake2s_create,
280 &blake2s_recreate,
281 &blake2s_input,
282 &blake2s_output,
283 &blake2s_destroy,
284 &blake2s_hash,
285 32, /* max output */
286 64 /* block_size */
287 };
288
289 const kripto_hash_desc *const kripto_hash_blake2s = &blake2s;