diff options
author | Bill Cox <waywardgeek@google.com> | 2016-03-09 23:08:31 +0100 |
---|---|---|
committer | Rich Salz <rsalz@openssl.org> | 2016-03-11 10:39:10 -0500 |
commit | 2d0b44126763f989a4cbffbffe9d0c7518158bb7 (patch) | |
tree | 241855d2b5a9b91688f969bf849037f6a0343594 | |
parent | 40f43f8a2e7c75f032672d198604e4fbd6a60fd8 (diff) |
Add blake2 support.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
-rwxr-xr-x | Configure | 4 | ||||
-rw-r--r-- | Makefile.in | 2 | ||||
-rw-r--r-- | apps/openssl.c | 3 | ||||
-rw-r--r-- | apps/progs.h | 6 | ||||
-rw-r--r-- | apps/progs.pl | 2 | ||||
-rw-r--r-- | crypto/blake2/Makefile.in | 48 | ||||
-rw-r--r-- | crypto/blake2/blake2_impl.h | 144 | ||||
-rw-r--r-- | crypto/blake2/blake2b.c | 225 | ||||
-rw-r--r-- | crypto/blake2/blake2s.c | 220 | ||||
-rw-r--r-- | crypto/blake2/build.info | 3 | ||||
-rw-r--r-- | crypto/evp/Makefile.in | 4 | ||||
-rw-r--r-- | crypto/evp/build.info | 2 | ||||
-rw-r--r-- | crypto/evp/c_alld.c | 4 | ||||
-rw-r--r-- | crypto/evp/m_blake2b.c | 62 | ||||
-rw-r--r-- | crypto/evp/m_blake2s.c | 62 | ||||
-rw-r--r-- | crypto/include/internal/blake2_locl.h | 98 | ||||
-rw-r--r-- | crypto/objects/obj_dat.h | 22 | ||||
-rw-r--r-- | crypto/objects/obj_mac.num | 2 | ||||
-rw-r--r-- | crypto/objects/objects.txt | 3 | ||||
-rw-r--r-- | doc/apps/dgst.pod | 2 | ||||
-rw-r--r-- | doc/crypto/EVP_DigestInit.pod | 17 | ||||
-rw-r--r-- | doc/standards.txt | 2 | ||||
-rw-r--r-- | include/openssl/evp.h | 4 | ||||
-rw-r--r-- | include/openssl/obj_mac.h | 10 | ||||
-rw-r--r-- | include/openssl/objects.h | 10 | ||||
-rw-r--r-- | test/evptests.txt | 57 | ||||
-rw-r--r-- | util/libcrypto.num | 2 | ||||
-rwxr-xr-x | util/mkdef.pl | 2 | ||||
-rwxr-xr-x | util/mkfiles.pl | 1 |
29 files changed, 1004 insertions, 19 deletions
@@ -220,7 +220,7 @@ $config{dirs} = [ "crypto", "ssl", "engines", "apps", "test", "tools" ]; # crypto/ subdirectories to build $config{sdirs} = [ "objects", - "md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", + "md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", "des", "aes", "rc2", "rc4", "rc5", "idea", "bf", "cast", "camellia", "seed", "chacha", "modes", "bn", "ec", "rsa", "dsa", "dh", "dso", "engine", "buffer", "bio", "stack", "lhash", "rand", "err", @@ -243,6 +243,7 @@ my @disablables = ( "autoalginit", "autoerrinit", "bf", + "blake2", "camellia", "capieng", "cast", @@ -1787,6 +1788,7 @@ print "MODES_OBJ =$target{modes_obj}\n"; print "PADLOCK_OBJ =$target{padlock_obj}\n"; print "CHACHA_ENC =$target{chacha_obj}\n"; print "POLY1305_OBJ =$target{poly1305_obj}\n"; +print "BLAKE2_OBJ =$target{blake2_obj}\n"; print "PROCESSOR =$config{processor}\n"; print "RANLIB =$target{ranlib}\n"; print "ARFLAGS =$target{arflags}\n"; diff --git a/Makefile.in b/Makefile.in index e7b3f99650..d101df1ca8 100644 --- a/Makefile.in +++ b/Makefile.in @@ -137,6 +137,7 @@ RC5_ENC= {- $target{rc5_obj} -} MD5_ASM_OBJ= {- $target{md5_obj} -} SHA1_ASM_OBJ= {- $target{sha1_obj} -} RMD160_ASM_OBJ= {- $target{rmd160_obj} -} +BLAKE2_OBJ= {- $target{blake2_obj} -} WP_ASM_OBJ= {- $target{wp_obj} -} CMLL_ENC= {- $target{cmll_obj} -} MODES_ASM_OBJ= {- $target{modes_obj} -} @@ -281,6 +282,7 @@ BUILDENV= LC_ALL=C PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)'\ SHA1_ASM_OBJ='$(SHA1_ASM_OBJ)' \ MD5_ASM_OBJ='$(MD5_ASM_OBJ)' \ RMD160_ASM_OBJ='$(RMD160_ASM_OBJ)' \ + BLAKE2_OBJ='$(BLAKE2_OBJ)' \ WP_ASM_OBJ='$(WP_ASM_OBJ)' \ MODES_ASM_OBJ='$(MODES_ASM_OBJ)' \ PADLOCK_ASM_OBJ='$(PADLOCK_ASM_OBJ)' \ diff --git a/apps/openssl.c b/apps/openssl.c index e0694fc3b4..d460a6b886 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -650,6 +650,9 @@ static void list_disabled(void) #ifdef OPENSSL_NO_BF BIO_puts(bio_out, "BF\n"); #endif +#ifndef OPENSSL_NO_BLAKE2 + BIO_puts(bio_out, "BLAKE2\n"); +#endif #ifdef OPENSSL_NO_CAMELLIA BIO_puts(bio_out, "CAMELLIA\n"); #endif diff --git a/apps/progs.h b/apps/progs.h index 266e48dc78..77b4555cd5 100644 --- a/apps/progs.h +++ b/apps/progs.h @@ -225,6 +225,12 @@ static FUNCTION functions[] = { #ifndef OPENSSL_NO_RMD160 { FT_md, "rmd160", dgst_main}, #endif +#ifndef OPENSSL_NO_BLAKE2B + { FT_md, "blake2b", dgst_main}, +#endif +#ifndef OPENSSL_NO_BLAKE2S + { FT_md, "blake2s", dgst_main}, +#endif #ifndef OPENSSL_NO_AES { FT_cipher, "aes-128-cbc", enc_main, enc_options }, #endif diff --git a/apps/progs.pl b/apps/progs.pl index b87aef610e..f24b91bde8 100644 --- a/apps/progs.pl +++ b/apps/progs.pl @@ -84,7 +84,7 @@ foreach ( "md2", "md4", "md5", "md_ghost94", "sha1", "sha224", "sha256", "sha384", "sha512", - "mdc2", "rmd160" + "mdc2", "rmd160", "blake2b", "blake2s" ) { printf "#ifndef OPENSSL_NO_".uc($_)."\n" if ! /sha/; printf " { FT_md, \"".$_."\", dgst_main},\n"; diff --git a/crypto/blake2/Makefile.in b/crypto/blake2/Makefile.in new file mode 100644 index 0000000000..b992c853ae --- /dev/null +++ b/crypto/blake2/Makefile.in @@ -0,0 +1,48 @@ +# +# OpenSSL/crypto/blake2/Makefile +# + +DIR= blake2 +TOP= ../.. +CC= cc +CPP= $(CC) -E +INCLUDES= +CFLAG=-g +AR= ar r + +CFLAGS= $(INCLUDES) $(CFLAG) $(SHARED_CFLAG) +ASFLAGS= $(INCLUDES) $(ASFLAG) +AFLAGS= $(ASFLAGS) + +GENERAL=Makefile + +LIB=$(TOP)/libcrypto.a +LIBSRC=blake2b.c blake2s.c +LIBOBJ=blake2b.o blake2s.o + +SRC= $(LIBSRC) + +ALL= $(GENERAL) $(SRC) $(HEADER) + +top: + (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) + +all: lib + +lib: $(LIBOBJ) + $(AR) $(LIB) $(LIBOBJ) + $(RANLIB) $(LIB) || echo Never mind. + @touch lib + +files: + $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO + +update: depend + +depend: + $(TOP)/util/domd $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) + +clean: + rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff + +# DO NOT DELETE THIS LINE -- make depend depends on it. diff --git a/crypto/blake2/blake2_impl.h b/crypto/blake2/blake2_impl.h new file mode 100644 index 0000000000..6490e1e155 --- /dev/null +++ b/crypto/blake2/blake2_impl.h @@ -0,0 +1,144 @@ +/* + * BLAKE2 reference source code package - reference C implementations + * + * Copyright 2012, Samuel Neves <sneves@dei.uc.pt>. + * You may use this under the terms of the CC0, the OpenSSL Licence, or the + * Apache Public License 2.0, at your option. The terms of these licenses can + * be found at: + * + * - OpenSSL license : https://www.openssl.org/source/license.html + * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 + * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 + * + * More information about the BLAKE2 hash function can be found at + * https://blake2.net. + */ + +/* crypto/blake2/blake2_impl.h */ + +#include <stdint.h> +#include <string.h> + +static inline uint32_t load32(const void *src) +{ +#if defined(L_ENDIAN) + uint32_t w; + memcpy(&w, src, sizeof(w)); + return w; +#else + const uint8_t *p = (const uint8_t *)src; + uint32_t w = *p++; + w |= (uint32_t)(*p++) << 8; + w |= (uint32_t)(*p++) << 16; + w |= (uint32_t)(*p++) << 24; + return w; +#endif +} + +static inline uint64_t load64(const void *src) +{ +#if defined(L_ENDIAN) + uint64_t w; + memcpy(&w, src, sizeof(w)); + return w; +#else + const uint8_t *p = (const uint8_t *)src; + uint64_t w = *p++; + w |= (uint64_t)(*p++) << 8; + w |= (uint64_t)(*p++) << 16; + w |= (uint64_t)(*p++) << 24; + w |= (uint64_t)(*p++) << 32; + w |= (uint64_t)(*p++) << 40; + w |= (uint64_t)(*p++) << 48; + w |= (uint64_t)(*p++) << 56; + return w; +#endif +} + +static inline void store32(void *dst, uint32_t w) +{ +#if defined(L_ENDIAN) + memcpy(dst, &w, sizeof(w)); +#else + uint8_t *p = (uint8_t *)dst; + *p++ = (uint8_t)w; + w >>= 8; + *p++ = (uint8_t)w; + w >>= 8; + *p++ = (uint8_t)w; + w >>= 8; + *p++ = (uint8_t)w; +#endif +} + +static inline void store64(void *dst, uint64_t w) +{ +#if defined(L_ENDIAN) + memcpy(dst, &w, sizeof(w)); +#else + uint8_t *p = (uint8_t *)dst; + *p++ = (uint8_t)w; + w >>= 8; + *p++ = (uint8_t)w; + w >>= 8; + *p++ = (uint8_t)w; + w >>= 8; + *p++ = (uint8_t)w; + w >>= 8; + *p++ = (uint8_t)w; + w >>= 8; + *p++ = (uint8_t)w; + w >>= 8; + *p++ = (uint8_t)w; + w >>= 8; + *p++ = (uint8_t)w; +#endif +} + +static inline uint64_t load48(const void *src) +{ + const uint8_t *p = (const uint8_t *)src; + uint64_t w = *p++; + w |= (uint64_t)(*p++) << 8; + w |= (uint64_t)(*p++) << 16; + w |= (uint64_t)(*p++) << 24; + w |= (uint64_t)(*p++) << 32; + w |= (uint64_t)(*p++) << 40; + return w; +} + +static inline void store48(void *dst, uint64_t w) +{ + uint8_t *p = (uint8_t *)dst; + *p++ = (uint8_t)w; + w >>= 8; + *p++ = (uint8_t)w; + w >>= 8; + *p++ = (uint8_t)w; + w >>= 8; + *p++ = (uint8_t)w; + w >>= 8; + *p++ = (uint8_t)w; + w >>= 8; + *p++ = (uint8_t)w; +} + +static inline uint32_t rotl32(const uint32_t w, const unsigned c) +{ + return (w << c) | (w >> (32 - c)); +} + +static inline uint64_t rotl64(const uint64_t w, const unsigned c) +{ + return (w << c) | (w >> (64 - c)); +} + +static inline uint32_t rotr32(const uint32_t w, const unsigned c) +{ + return (w >> c) | (w << (32 - c)); +} + +static inline uint64_t rotr64(const uint64_t w, const unsigned c) +{ + return (w >> c) | (w << (64 - c)); +} diff --git a/crypto/blake2/blake2b.c b/crypto/blake2/blake2b.c new file mode 100644 index 0000000000..23ad58359c --- /dev/null +++ b/crypto/blake2/blake2b.c @@ -0,0 +1,225 @@ +/* + * BLAKE2 reference source code package - reference C implementations + * + * Copyright 2012, Samuel Neves <sneves@dei.uc.pt>. + * You may use this under the terms of the CC0, the OpenSSL Licence, or the + * Apache Public License 2.0, at your option. The terms of these licenses can + * be found at: + * + * - OpenSSL license : https://www.openssl.org/source/license.html + * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 + * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 + * + * More information about the BLAKE2 hash function can be found at + * https://blake2.net. + */ + +/* crypto/blake2/blake2b.c */ + +#include <stdint.h> +#include <string.h> +#include <stdio.h> +#include <openssl/crypto.h> + +#include "internal/blake2_locl.h" +#include "blake2_impl.h" + +static const uint64_t blake2b_IV[8] = +{ + 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, + 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL, + 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL, + 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL +}; + +static const uint8_t blake2b_sigma[12][16] = +{ + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } , + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } , + { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 } , + { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 } , + { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 } , + { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 } , + { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 } , + { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 } , + { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 } , + { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 } , + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } , + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } +}; + +/* Some helper functions, not necessarily useful */ +static inline void blake2b_set_lastblock(BLAKE2B_CTX *S) +{ + S->f[0] = -1; +} + +/* Increment the data hashed couter. */ +static inline void blake2b_increment_counter(BLAKE2B_CTX *S, + const uint64_t inc) +{ + S->t[0] += inc; + S->t[1] += (S->t[0] < inc); +} + +/* Initialize the hashing state. */ +static inline void blake2b_init0(BLAKE2B_CTX *S) +{ + int i; + memset(S, 0, sizeof(BLAKE2B_CTX)); + + for(i = 0; i < 8; ++i) { + S->h[i] = blake2b_IV[i]; + } +} + +/* init xors IV with input parameter block */ +static void blake2b_init_param(BLAKE2B_CTX *S, const BLAKE2B_PARAM *P) +{ + size_t i; + const uint8_t *p = (const uint8_t *)(P); + blake2b_init0(S); + + /* The param struct is carefully hand packed, and should be 64 bytes on + * every platform. */ + OPENSSL_assert(sizeof(BLAKE2B_PARAM) == 64); + /* IV XOR ParamBlock */ + for(i = 0; i < 8; ++i) { + S->h[i] ^= load64(p + sizeof(S->h[i]) * i); + } +} + +/* Initialize the hashing context. Always returns 1. */ +int BLAKE2b_Init(BLAKE2B_CTX *c) +{ + BLAKE2B_PARAM P[1]; + P->digest_length = BLAKE2B_DIGEST_LENGTH; + P->key_length = 0; + P->fanout = 1; + P->depth = 1; + store32(&P->leaf_length, 0); + store64(&P->node_offset, 0); + P->node_depth = 0; + P->inner_length = 0; + memset(P->reserved, 0, sizeof(P->reserved)); + memset(P->salt, 0, sizeof(P->salt)); + memset(P->personal, 0, sizeof(P->personal)); + blake2b_init_param(c, P); + return 1; +} + +/* Permute the state while xoring in the block of data. */ +static void blake2b_compress(BLAKE2B_CTX *S, + const uint8_t block[BLAKE2B_BLOCKBYTES]) +{ + uint64_t m[16]; + uint64_t v[16]; + int i; + + for(i = 0; i < 16; ++i) { + m[i] = load64(block + i * sizeof(m[i])); + } + + for(i = 0; i < 8; ++i) { + v[i] = S->h[i]; + } + + v[8] = blake2b_IV[0]; + v[9] = blake2b_IV[1]; + v[10] = blake2b_IV[2]; + v[11] = blake2b_IV[3]; + v[12] = S->t[0] ^ blake2b_IV[4]; + v[13] = S->t[1] ^ blake2b_IV[5]; + v[14] = S->f[0] ^ blake2b_IV[6]; + v[15] = S->f[1] ^ blake2b_IV[7]; +#define G(r,i,a,b,c,d) \ + do { \ + a = a + b + m[blake2b_sigma[r][2*i+0]]; \ + d = rotr64(d ^ a, 32); \ + c = c + d; \ + b = rotr64(b ^ c, 24); \ + a = a + b + m[blake2b_sigma[r][2*i+1]]; \ + d = rotr64(d ^ a, 16); \ + c = c + d; \ + b = rotr64(b ^ c, 63); \ + } while(0) +#define ROUND(r) \ + do { \ + G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \ + G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \ + G(r,2,v[ 2],v[ 6],v[10],v[14]); \ + G(r,3,v[ 3],v[ 7],v[11],v[15]); \ + G(r,4,v[ 0],v[ 5],v[10],v[15]); \ + G(r,5,v[ 1],v[ 6],v[11],v[12]); \ + G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \ + G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \ + } while(0) + ROUND(0); + ROUND(1); + ROUND(2); + ROUND(3); + ROUND(4); + ROUND(5); + ROUND(6); + ROUND(7); + ROUND(8); + ROUND(9); + ROUND(10); + ROUND(11); + + for(i = 0; i < 8; ++i) { + S->h[i] = S->h[i] ^ v[i] ^ v[i + 8]; + } + +#undef G +#undef ROUND +} + +/* Absorb the input data into the hash state. Always returns 1. */ +int BLAKE2b_Update(BLAKE2B_CTX *c, const void *data, size_t datalen) +{ + const uint8_t *in = data; + size_t fill; + + while(datalen > 0) { + fill = sizeof(c->buf) - c->buflen; + /* Must be >, not >=, so that last block can be hashed differently */ + if(datalen > fill) { + memcpy(c->buf + c->buflen, in, fill); /* Fill buffer */ + blake2b_increment_counter(c, BLAKE2B_BLOCKBYTES); + blake2b_compress(c, c->buf); /* Compress */ + c->buflen = 0; + in += fill; + datalen -= fill; + } else { /* datalen <= fill */ + memcpy(c->buf + c->buflen, in, datalen); + c->buflen += datalen; /* Be lazy, do not compress */ + return 1; + } + } + + return 1; +} + +/* + * Finalize the hash state in a way that avoids length extension attacks. + * Always returns 1. + */ +int BLAKE2b_Final(unsigned char *md, BLAKE2B_CTX *c) +{ + int i; + + blake2b_increment_counter(c, c->buflen); + blake2b_set_lastblock(c); + /* Padding */ + memset(c->buf + c->buflen, 0, sizeof(c->buf) - c->buflen); + blake2b_compress(c, c->buf); + + /* Output full hash to message digest */ + for(i = 0; i < 8; ++i) { + store64(md + sizeof(c->h[i]) * i, c->h[i]); + } + + OPENSSL_cleanse(c, sizeof(BLAKE2B_CTX)); + return 1; +} diff --git a/crypto/blake2/blake2s.c b/crypto/blake2/blake2s.c new file mode 100644 index 0000000000..174d20cd21 --- /dev/null +++ b/crypto/blake2/blake2s.c @@ -0,0 +1,220 @@ +/* + * BLAKE2 reference source code package - reference C implementations + * + * Copyright 2012, Samuel Neves <sneves@dei.uc.pt>. + * You may use this under the terms of the CC0, the OpenSSL Licence, or the + * Apache Public License 2.0, at your option. The terms of these licenses can + * be found at: + * + * - OpenSSL license : https://www.openssl.org/source/license.html + * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 + * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 + * + * More information about the BLAKE2 hash function can be found at + * https://blake2.net. + */ + +/* crypto/blake2/blake2s.c */ + +#include <stdint.h> +#include <string.h> +#include <stdio.h> +#include <openssl/crypto.h> + +#include "internal/blake2_locl.h" +#include "blake2_impl.h" + +static const uint32_t blake2s_IV[8] = +{ + 0x6A09E667UL, 0xBB67AE85UL, 0x3C6EF372UL, 0xA54FF53AUL, + 0x510E527FUL, 0x9B05688CUL, 0x1F83D9ABUL, 0x5BE0CD19UL +}; + +static const uint8_t blake2s_sigma[10][16] = +{ + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } , + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } , + { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 } , + { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 } , + { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 } , + { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 } , + { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 } , + { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 } , + { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 } , + { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 } , +}; + +/* Some helper functions, not necessarily useful */ +static inline void blake2s_set_lastblock(BLAKE2S_CTX *S) +{ + S->f[0] = -1; +} + +/* Increment the data hashed couter. */ +static inline void blake2s_increment_counter(BLAKE2S_CTX *S, + const uint32_t inc) +{ + S->t[0] += inc; + S->t[1] += (S->t[0] < inc); +} + +/* Initialize the hashing state. */ +static inline void blake2s_init0(BLAKE2S_CTX *S) +{ + int i; + + memset(S, 0, sizeof(BLAKE2S_CTX)); + for(i = 0; i < 8; ++i) { + S->h[i] = blake2s_IV[i]; + } +} + +/* init2 xors IV with input parameter block */ +static void blake2s_init_param(BLAKE2S_CTX *S, const BLAKE2S_PARAM *P) +{ + const uint32_t *p = (const uint32_t *)(P); + size_t i; + + /* The param struct is carefully hand packed, and should be 32 bytes on + * every platform. */ + OPENSSL_assert(sizeof(BLAKE2S_PARAM) == 32); + blake2s_init0(S); + /* IV XOR ParamBlock */ + for(i = 0; i < 8; ++i) { + S->h[i] ^= load32(&p[i]); + } +} + +/* Initialize the hashing context. Always returns 1. */ +int BLAKE2s_Init(BLAKE2S_CTX *c) +{ + BLAKE2S_PARAM P[1]; + + P->digest_length = BLAKE2S_DIGEST_LENGTH; + P->key_length = 0; + P->fanout = 1; + P->depth = 1; + store32(&P->leaf_length, 0); + store48(&P->node_offset, 0); + P->node_depth = 0; + P->inner_length = 0; + /* memset(P->reserved, 0, sizeof(P->reserved)); */ + memset(P->salt, 0, sizeof(P->salt)); + memset(P->personal, 0, sizeof(P->personal)); + blake2s_init_param(c, P); + return 1; +} + +/* Permute the state while xoring in the block of data. */ +static void blake2s_compress(BLAKE2S_CTX *S, + const uint8_t block[BLAKE2S_BLOCKBYTES]) +{ + uint32_t m[16]; + uint32_t v[16]; + size_t i; + + for(i = 0; i < 16; ++i) { + m[i] = load32(block + i * sizeof(m[i])); + } + + for(i = 0; i < 8; ++i) { + v[i] = S->h[i]; + } + + v[ 8] = blake2s_IV[0]; + v[ 9] = blake2s_IV[1]; + v[10] = blake2s_IV[2]; + v[11] = blake2s_IV[3]; + v[12] = S->t[0] ^ blake2s_IV[4]; + v[13] = S->t[1] ^ blake2s_IV[5]; + v[14] = S->f[0] ^ blake2s_IV[6]; + v[15] = S->f[1] ^ blake2s_IV[7]; +#define G(r,i,a,b,c,d) \ + do { \ + a = a + b + m[blake2s_sigma[r][2*i+0]]; \ + d = rotr32(d ^ a, 16); \ + c = c + d; \ + b = rotr32(b ^ c, 12); \ + a = a + b + m[blake2s_sigma[r][2*i+1]]; \ + d = rotr32(d ^ a, 8); \ + c = c + d; \ + b = rotr32(b ^ c, 7); \ + } while(0) +#define ROUND(r) \ + do { \ + G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \ + G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \ + G(r,2,v[ 2],v[ 6],v[10],v[14]); \ + G(r,3,v[ 3],v[ 7],v[11],v[15]); \ + G(r,4,v[ 0],v[ 5],v[10],v[15]); \ + G(r,5,v[ 1],v[ 6],v[11],v[12]); \ + G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \ + G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \ + } while(0) + ROUND(0); + ROUND(1); + ROUND(2); + ROUND(3); + ROUND(4); + ROUND(5); + ROUND(6); + ROUND(7); + ROUND(8); + ROUND(9); + + for(i = 0; i < 8; ++i) { + S->h[i] = S->h[i] ^ v[i] ^ v[i + 8]; + } + +#undef G +#undef ROUND +} + +/* Absorb the input data into the hash state. Always returns 1. */ +int BLAKE2s_Update(BLAKE2S_CTX *c, const void *data, size_t datalen) +{ + const uint8_t *in = data; + size_t fill; + + while(datalen > 0) { + fill = sizeof(c->buf) - c->buflen; + /* Must be >, not >=, so that last block can be hashed differently */ + if(datalen > fill) { + memcpy(c->buf + c->buflen, in, fill); /* Fill buffer */ + blake2s_increment_counter(c, BLAKE2S_BLOCKBYTES); + blake2s_compress(c, c->buf); /* Compress */ + c->buflen = 0; + in += fill; + datalen -= fill; + } else { /* datalen <= fill */ + memcpy(c->buf + c->buflen, in, datalen); + c->buflen += datalen; /* Be lazy, do not compress */ + return 1; + } + } + + return 1; +} + +/* + * Finalize the hash state in a way that avoids length extension attacks. + * Always returns 1. + */ +int BLAKE2s_Final(unsigned char *md, BLAKE2S_CTX *c) +{ + int i; + + blake2s_increment_counter(c, (uint32_t)c->buflen); + blake2s_set_lastblock(c); + /* Padding */ + memset(c->buf + c->buflen, 0, sizeof(c->buf) - c->buflen); + blake2s_compress(c, c->buf); + + /* Output full hash to temp buffer */ + for(i = 0; i < 8; ++i) { + store32(md + sizeof(c->h[i]) * i, c->h[i]); + } + + OPENSSL_cleanse(c, sizeof(BLAKE2S_CTX)); + return 1; +} diff --git a/crypto/blake2/build.info b/crypto/blake2/build.info new file mode 100644 index 0000000000..f2b8f41990 --- /dev/null +++ b/crypto/blake2/build.info @@ -0,0 +1,3 @@ +LIBS=../../libcrypto +SOURCE[../../libcrypto]=\ + blake2b.c blake2s.c diff --git a/crypto/evp/Makefile.in b/crypto/evp/Makefile.in index 5b24ae5909..d7b12035a4 100644 --- a/crypto/evp/Makefile.in +++ b/crypto/evp/Makefile.in @@ -20,7 +20,7 @@ LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_cnf.c \ e_rc4.c e_aes.c names.c e_seed.c \ e_xcbc_d.c e_rc2.c e_cast.c e_rc5.c \ m_null.c m_md2.c m_md4.c m_md5.c m_sha1.c m_wp.c \ - m_md5_sha1.c m_mdc2.c m_ripemd.c \ + m_md5_sha1.c m_mdc2.c m_ripemd.c m_blake2b.c m_blake2s.c \ p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \ bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \ c_allc.c c_alld.c evp_lib.c bio_ok.c \ @@ -34,7 +34,7 @@ LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_cnf.o \ e_rc4.o e_aes.o names.o e_seed.o \ e_xcbc_d.o e_rc2.o e_cast.o e_rc5.o \ m_null.o m_md2.o m_md4.o m_md5.o m_sha1.o m_wp.o \ - m_md5_sha1.o m_mdc2.o m_ripemd.o \ + m_md5_sha1.o m_mdc2.o m_ripemd.o m_blake2b.o m_blake2s.o \ p_open.o p_seal.o p_sign.o p_verify.o p_lib.o p_enc.o p_dec.o \ bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \ c_allc.o c_alld.o evp_lib.o bio_ok.o \ diff --git a/crypto/evp/build.info b/crypto/evp/build.info index bf633dc713..8dc60f6414 100644 --- a/crypto/evp/build.info +++ b/crypto/evp/build.info @@ -5,7 +5,7 @@ SOURCE[../../libcrypto]=\ e_rc4.c e_aes.c names.c e_seed.c \ e_xcbc_d.c e_rc2.c e_cast.c e_rc5.c \ m_null.c m_md2.c m_md4.c m_md5.c m_sha1.c m_wp.c \ - m_md5_sha1.c m_mdc2.c m_ripemd.c \ + m_md5_sha1.c m_mdc2.c m_ripemd.c m_blake2b.c m_blake2s.c \ p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \ bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \ c_allc.c c_alld.c evp_lib.c bio_ok.c \ diff --git a/crypto/evp/c_alld.c b/crypto/evp/c_alld.c index e28ba3df12..78be9fbc6a 100644 --- a/crypto/evp/c_alld.c +++ b/crypto/evp/c_alld.c @@ -90,4 +90,8 @@ void openssl_add_all_digests_internal(void) #ifndef OPENSSL_NO_WHIRLPOOL EVP_add_digest(EVP_whirlpool()); #endif +#ifndef OPENSSL_NO_BLAKE2 + EVP_add_digest(EVP_blake2b()); + EVP_add_digest(EVP_blake2s()); +#endif } diff --git a/crypto/evp/m_blake2b.c b/crypto/evp/m_blake2b.c new file mode 100644 index 0000000000..e3cf6f30a5 --- /dev/null +++ b/crypto/evp/m_blake2b.c @@ -0,0 +1,62 @@ +/* + * BLAKE2 reference source code package - reference C implementations + * + * Copyright 2012, Samuel Neves <sneves@dei.uc.pt>. + * You may use this under the terms of the CC0, the OpenSSL Licence, or the + * Apache Public License 2.0, at your option. The terms of these licenses can + * be found at: + * + * - OpenSSL license : https://www.openssl.org/source/license.html + * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 + * - CC0 1.0 Universal : http://www.apache.org/licenses/LICENSE-2.0 + * + * More information about the BLAKE2 hash function can be found at + * https://blake2.net. + */ + +/* crypto/evp/m_blake2b.c */ + +#include <stdio.h> +#include "internal/cryptlib.h" + +#ifndef OPENSSL_NO_BLAKE2 + +# include <openssl/evp.h> +# include <openssl/objects.h> |