|
| 1 | +/* |
| 2 | + * The blake256_* and blake224_* functions are largely copied from |
| 3 | + * blake256_light.c and blake224_light.c from the BLAKE website: |
| 4 | + * |
| 5 | + * http://131002.net/blake/ |
| 6 | + * |
| 7 | + * The hmac_* functions implement HMAC-BLAKE-256 and HMAC-BLAKE-224. |
| 8 | + * HMAC is specified by RFC 2104. |
| 9 | + */ |
| 10 | + |
| 11 | +#include <string.h> |
| 12 | +#include <stdio.h> |
| 13 | +#include <stdint.h> |
| 14 | +#include "c_blake256.h" |
| 15 | + |
| 16 | +#define U8TO32(p) \ |
| 17 | + (((uint32_t)((p)[0]) << 24) | ((uint32_t)((p)[1]) << 16) | \ |
| 18 | + ((uint32_t)((p)[2]) << 8) | ((uint32_t)((p)[3]) )) |
| 19 | +#define U32TO8(p, v) \ |
| 20 | + (p)[0] = (uint8_t)((v) >> 24); (p)[1] = (uint8_t)((v) >> 16); \ |
| 21 | + (p)[2] = (uint8_t)((v) >> 8); (p)[3] = (uint8_t)((v) ); |
| 22 | + |
| 23 | +const uint8_t sigma[][16] = { |
| 24 | + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,10,11,12,13,14,15}, |
| 25 | + {14,10, 4, 8, 9,15,13, 6, 1,12, 0, 2,11, 7, 5, 3}, |
| 26 | + {11, 8,12, 0, 5, 2,15,13,10,14, 3, 6, 7, 1, 9, 4}, |
| 27 | + { 7, 9, 3, 1,13,12,11,14, 2, 6, 5,10, 4, 0,15, 8}, |
| 28 | + { 9, 0, 5, 7, 2, 4,10,15,14, 1,11,12, 6, 8, 3,13}, |
| 29 | + { 2,12, 6,10, 0,11, 8, 3, 4,13, 7, 5,15,14, 1, 9}, |
| 30 | + {12, 5, 1,15,14,13, 4,10, 0, 7, 6, 3, 9, 2, 8,11}, |
| 31 | + {13,11, 7,14,12, 1, 3, 9, 5, 0,15, 4, 8, 6, 2,10}, |
| 32 | + { 6,15,14, 9,11, 3, 0, 8,12, 2,13, 7, 1, 4,10, 5}, |
| 33 | + {10, 2, 8, 4, 7, 6, 1, 5,15,11, 9,14, 3,12,13, 0}, |
| 34 | + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,10,11,12,13,14,15}, |
| 35 | + {14,10, 4, 8, 9,15,13, 6, 1,12, 0, 2,11, 7, 5, 3}, |
| 36 | + {11, 8,12, 0, 5, 2,15,13,10,14, 3, 6, 7, 1, 9, 4}, |
| 37 | + { 7, 9, 3, 1,13,12,11,14, 2, 6, 5,10, 4, 0,15, 8} |
| 38 | +}; |
| 39 | + |
| 40 | +const uint32_t cst[16] = { |
| 41 | + 0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344, |
| 42 | + 0xA4093822, 0x299F31D0, 0x082EFA98, 0xEC4E6C89, |
| 43 | + 0x452821E6, 0x38D01377, 0xBE5466CF, 0x34E90C6C, |
| 44 | + 0xC0AC29B7, 0xC97C50DD, 0x3F84D5B5, 0xB5470917 |
| 45 | +}; |
| 46 | + |
| 47 | +static const uint8_t padding[] = { |
| 48 | + 0x80,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, |
| 49 | + 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 |
| 50 | +}; |
| 51 | + |
| 52 | + |
| 53 | +void blake256_compress(state *S, const uint8_t *block) { |
| 54 | + uint32_t v[16], m[16], i; |
| 55 | + |
| 56 | +#define ROT(x,n) (((x)<<(32-n))|((x)>>(n))) |
| 57 | +#define G(a,b,c,d,e) \ |
| 58 | + v[a] += (m[sigma[i][e]] ^ cst[sigma[i][e+1]]) + v[b]; \ |
| 59 | + v[d] = ROT(v[d] ^ v[a],16); \ |
| 60 | + v[c] += v[d]; \ |
| 61 | + v[b] = ROT(v[b] ^ v[c],12); \ |
| 62 | + v[a] += (m[sigma[i][e+1]] ^ cst[sigma[i][e]])+v[b]; \ |
| 63 | + v[d] = ROT(v[d] ^ v[a], 8); \ |
| 64 | + v[c] += v[d]; \ |
| 65 | + v[b] = ROT(v[b] ^ v[c], 7); |
| 66 | + |
| 67 | + for (i = 0; i < 16; ++i) m[i] = U8TO32(block + i * 4); |
| 68 | + for (i = 0; i < 8; ++i) v[i] = S->h[i]; |
| 69 | + v[ 8] = S->s[0] ^ 0x243F6A88; |
| 70 | + v[ 9] = S->s[1] ^ 0x85A308D3; |
| 71 | + v[10] = S->s[2] ^ 0x13198A2E; |
| 72 | + v[11] = S->s[3] ^ 0x03707344; |
| 73 | + v[12] = 0xA4093822; |
| 74 | + v[13] = 0x299F31D0; |
| 75 | + v[14] = 0x082EFA98; |
| 76 | + v[15] = 0xEC4E6C89; |
| 77 | + |
| 78 | + if (S->nullt == 0) { |
| 79 | + v[12] ^= S->t[0]; |
| 80 | + v[13] ^= S->t[0]; |
| 81 | + v[14] ^= S->t[1]; |
| 82 | + v[15] ^= S->t[1]; |
| 83 | + } |
| 84 | + |
| 85 | + for (i = 0; i < 14; ++i) { |
| 86 | + G(0, 4, 8, 12, 0); |
| 87 | + G(1, 5, 9, 13, 2); |
| 88 | + G(2, 6, 10, 14, 4); |
| 89 | + G(3, 7, 11, 15, 6); |
| 90 | + G(3, 4, 9, 14, 14); |
| 91 | + G(2, 7, 8, 13, 12); |
| 92 | + G(0, 5, 10, 15, 8); |
| 93 | + G(1, 6, 11, 12, 10); |
| 94 | + } |
| 95 | + |
| 96 | + for (i = 0; i < 16; ++i) S->h[i % 8] ^= v[i]; |
| 97 | + for (i = 0; i < 8; ++i) S->h[i] ^= S->s[i % 4]; |
| 98 | +} |
| 99 | + |
| 100 | +void blake256_init(state *S) { |
| 101 | + S->h[0] = 0x6A09E667; |
| 102 | + S->h[1] = 0xBB67AE85; |
| 103 | + S->h[2] = 0x3C6EF372; |
| 104 | + S->h[3] = 0xA54FF53A; |
| 105 | + S->h[4] = 0x510E527F; |
| 106 | + S->h[5] = 0x9B05688C; |
| 107 | + S->h[6] = 0x1F83D9AB; |
| 108 | + S->h[7] = 0x5BE0CD19; |
| 109 | + S->t[0] = S->t[1] = S->buflen = S->nullt = 0; |
| 110 | + S->s[0] = S->s[1] = S->s[2] = S->s[3] = 0; |
| 111 | +} |
| 112 | + |
| 113 | +void blake224_init(state *S) { |
| 114 | + S->h[0] = 0xC1059ED8; |
| 115 | + S->h[1] = 0x367CD507; |
| 116 | + S->h[2] = 0x3070DD17; |
| 117 | + S->h[3] = 0xF70E5939; |
| 118 | + S->h[4] = 0xFFC00B31; |
| 119 | + S->h[5] = 0x68581511; |
| 120 | + S->h[6] = 0x64F98FA7; |
| 121 | + S->h[7] = 0xBEFA4FA4; |
| 122 | + S->t[0] = S->t[1] = S->buflen = S->nullt = 0; |
| 123 | + S->s[0] = S->s[1] = S->s[2] = S->s[3] = 0; |
| 124 | +} |
| 125 | + |
| 126 | +// datalen = number of bits |
| 127 | +void blake256_update(state *S, const uint8_t *data, uint64_t datalen) { |
| 128 | + int left = S->buflen >> 3; |
| 129 | + int fill = 64 - left; |
| 130 | + |
| 131 | + if (left && (((datalen >> 3) & 0x3F) >= (unsigned) fill)) { |
| 132 | + memcpy((void *) (S->buf + left), (void *) data, fill); |
| 133 | + S->t[0] += 512; |
| 134 | + if (S->t[0] == 0) S->t[1]++; |
| 135 | + blake256_compress(S, S->buf); |
| 136 | + data += fill; |
| 137 | + datalen -= (fill << 3); |
| 138 | + left = 0; |
| 139 | + } |
| 140 | + |
| 141 | + while (datalen >= 512) { |
| 142 | + S->t[0] += 512; |
| 143 | + if (S->t[0] == 0) S->t[1]++; |
| 144 | + blake256_compress(S, data); |
| 145 | + data += 64; |
| 146 | + datalen -= 512; |
| 147 | + } |
| 148 | + |
| 149 | + if (datalen > 0) { |
| 150 | + memcpy((void *) (S->buf + left), (void *) data, datalen >> 3); |
| 151 | + S->buflen = (left << 3) + datalen; |
| 152 | + } else { |
| 153 | + S->buflen = 0; |
| 154 | + } |
| 155 | +} |
| 156 | + |
| 157 | +// datalen = number of bits |
| 158 | +void blake224_update(state *S, const uint8_t *data, uint64_t datalen) { |
| 159 | + blake256_update(S, data, datalen); |
| 160 | +} |
| 161 | + |
| 162 | +void blake256_final_h(state *S, uint8_t *digest, uint8_t pa, uint8_t pb) { |
| 163 | + uint8_t msglen[8]; |
| 164 | + uint32_t lo = S->t[0] + S->buflen, hi = S->t[1]; |
| 165 | + if (lo < (unsigned) S->buflen) hi++; |
| 166 | + U32TO8(msglen + 0, hi); |
| 167 | + U32TO8(msglen + 4, lo); |
| 168 | + |
| 169 | + if (S->buflen == 440) { /* one padding byte */ |
| 170 | + S->t[0] -= 8; |
| 171 | + blake256_update(S, &pa, 8); |
| 172 | + } else { |
| 173 | + if (S->buflen < 440) { /* enough space to fill the block */ |
| 174 | + if (S->buflen == 0) S->nullt = 1; |
| 175 | + S->t[0] -= 440 - S->buflen; |
| 176 | + blake256_update(S, padding, 440 - S->buflen); |
| 177 | + } else { /* need 2 compressions */ |
| 178 | + S->t[0] -= 512 - S->buflen; |
| 179 | + blake256_update(S, padding, 512 - S->buflen); |
| 180 | + S->t[0] -= 440; |
| 181 | + blake256_update(S, padding + 1, 440); |
| 182 | + S->nullt = 1; |
| 183 | + } |
| 184 | + blake256_update(S, &pb, 8); |
| 185 | + S->t[0] -= 8; |
| 186 | + } |
| 187 | + S->t[0] -= 64; |
| 188 | + blake256_update(S, msglen, 64); |
| 189 | + |
| 190 | + U32TO8(digest + 0, S->h[0]); |
| 191 | + U32TO8(digest + 4, S->h[1]); |
| 192 | + U32TO8(digest + 8, S->h[2]); |
| 193 | + U32TO8(digest + 12, S->h[3]); |
| 194 | + U32TO8(digest + 16, S->h[4]); |
| 195 | + U32TO8(digest + 20, S->h[5]); |
| 196 | + U32TO8(digest + 24, S->h[6]); |
| 197 | + U32TO8(digest + 28, S->h[7]); |
| 198 | +} |
| 199 | + |
| 200 | +void blake256_final(state *S, uint8_t *digest) { |
| 201 | + blake256_final_h(S, digest, 0x81, 0x01); |
| 202 | +} |
| 203 | + |
| 204 | +void blake224_final(state *S, uint8_t *digest) { |
| 205 | + blake256_final_h(S, digest, 0x80, 0x00); |
| 206 | +} |
| 207 | + |
| 208 | +// inlen = number of bytes |
| 209 | +void blake256_hash(uint8_t *out, const uint8_t *in, uint64_t inlen) { |
| 210 | + state S; |
| 211 | + blake256_init(&S); |
| 212 | + blake256_update(&S, in, inlen * 8); |
| 213 | + blake256_final(&S, out); |
| 214 | +} |
| 215 | + |
| 216 | +// inlen = number of bytes |
| 217 | +void blake224_hash(uint8_t *out, const uint8_t *in, uint64_t inlen) { |
| 218 | + state S; |
| 219 | + blake224_init(&S); |
| 220 | + blake224_update(&S, in, inlen * 8); |
| 221 | + blake224_final(&S, out); |
| 222 | +} |
| 223 | + |
| 224 | +// keylen = number of bytes |
| 225 | +void hmac_blake256_init(hmac_state *S, const uint8_t *_key, uint64_t keylen) { |
| 226 | + const uint8_t *key = _key; |
| 227 | + uint8_t keyhash[32]; |
| 228 | + uint8_t pad[64]; |
| 229 | + uint64_t i; |
| 230 | + |
| 231 | + if (keylen > 64) { |
| 232 | + blake256_hash(keyhash, key, keylen); |
| 233 | + key = keyhash; |
| 234 | + keylen = 32; |
| 235 | + } |
| 236 | + |
| 237 | + blake256_init(&S->inner); |
| 238 | + memset(pad, 0x36, 64); |
| 239 | + for (i = 0; i < keylen; ++i) { |
| 240 | + pad[i] ^= key[i]; |
| 241 | + } |
| 242 | + blake256_update(&S->inner, pad, 512); |
| 243 | + |
| 244 | + blake256_init(&S->outer); |
| 245 | + memset(pad, 0x5c, 64); |
| 246 | + for (i = 0; i < keylen; ++i) { |
| 247 | + pad[i] ^= key[i]; |
| 248 | + } |
| 249 | + blake256_update(&S->outer, pad, 512); |
| 250 | + |
| 251 | + memset(keyhash, 0, 32); |
| 252 | +} |
| 253 | + |
| 254 | +// keylen = number of bytes |
| 255 | +void hmac_blake224_init(hmac_state *S, const uint8_t *_key, uint64_t keylen) { |
| 256 | + const uint8_t *key = _key; |
| 257 | + uint8_t keyhash[32]; |
| 258 | + uint8_t pad[64]; |
| 259 | + uint64_t i; |
| 260 | + |
| 261 | + if (keylen > 64) { |
| 262 | + blake256_hash(keyhash, key, keylen); |
| 263 | + key = keyhash; |
| 264 | + keylen = 28; |
| 265 | + } |
| 266 | + |
| 267 | + blake224_init(&S->inner); |
| 268 | + memset(pad, 0x36, 64); |
| 269 | + for (i = 0; i < keylen; ++i) { |
| 270 | + pad[i] ^= key[i]; |
| 271 | + } |
| 272 | + blake224_update(&S->inner, pad, 512); |
| 273 | + |
| 274 | + blake224_init(&S->outer); |
| 275 | + memset(pad, 0x5c, 64); |
| 276 | + for (i = 0; i < keylen; ++i) { |
| 277 | + pad[i] ^= key[i]; |
| 278 | + } |
| 279 | + blake224_update(&S->outer, pad, 512); |
| 280 | + |
| 281 | + memset(keyhash, 0, 32); |
| 282 | +} |
| 283 | + |
| 284 | +// datalen = number of bits |
| 285 | +void hmac_blake256_update(hmac_state *S, const uint8_t *data, uint64_t datalen) { |
| 286 | + // update the inner state |
| 287 | + blake256_update(&S->inner, data, datalen); |
| 288 | +} |
| 289 | + |
| 290 | +// datalen = number of bits |
| 291 | +void hmac_blake224_update(hmac_state *S, const uint8_t *data, uint64_t datalen) { |
| 292 | + // update the inner state |
| 293 | + blake224_update(&S->inner, data, datalen); |
| 294 | +} |
| 295 | + |
| 296 | +void hmac_blake256_final(hmac_state *S, uint8_t *digest) { |
| 297 | + uint8_t ihash[32]; |
| 298 | + blake256_final(&S->inner, ihash); |
| 299 | + blake256_update(&S->outer, ihash, 256); |
| 300 | + blake256_final(&S->outer, digest); |
| 301 | + memset(ihash, 0, 32); |
| 302 | +} |
| 303 | + |
| 304 | +void hmac_blake224_final(hmac_state *S, uint8_t *digest) { |
| 305 | + uint8_t ihash[32]; |
| 306 | + blake224_final(&S->inner, ihash); |
| 307 | + blake224_update(&S->outer, ihash, 224); |
| 308 | + blake224_final(&S->outer, digest); |
| 309 | + memset(ihash, 0, 32); |
| 310 | +} |
| 311 | + |
| 312 | +// keylen = number of bytes; inlen = number of bytes |
| 313 | +void hmac_blake256_hash(uint8_t *out, const uint8_t *key, uint64_t keylen, const uint8_t *in, uint64_t inlen) { |
| 314 | + hmac_state S; |
| 315 | + hmac_blake256_init(&S, key, keylen); |
| 316 | + hmac_blake256_update(&S, in, inlen * 8); |
| 317 | + hmac_blake256_final(&S, out); |
| 318 | +} |
| 319 | + |
| 320 | +// keylen = number of bytes; inlen = number of bytes |
| 321 | +void hmac_blake224_hash(uint8_t *out, const uint8_t *key, uint64_t keylen, const uint8_t *in, uint64_t inlen) { |
| 322 | + hmac_state S; |
| 323 | + hmac_blake224_init(&S, key, keylen); |
| 324 | + hmac_blake224_update(&S, in, inlen * 8); |
| 325 | + hmac_blake224_final(&S, out); |
| 326 | +} |
0 commit comments