Crypto++ 8.2
Free C&
blake2.cpp
1// blake2.cpp - written and placed in the public domain by Jeffrey Walton
2// and Zooko Wilcox-O'Hearn. Based on Aumasson, Neves,
3// Wilcox-O'Hearn and Winnerlein's reference BLAKE2
4// implementation at http://github.com/BLAKE2/BLAKE2.
5//
6// The BLAKE2b and BLAKE2s numbers are consistent with the BLAKE2 team's
7// numbers. However, we have an Altivec/POWER7 implementation of BLAKE2s,
8// and a POWER8 implementation of BLAKE2b (BLAKE2 is missing them). The
9// Altivec/POWER7 code is about 2x faster than C++ when using GCC 5.0 or
10// above. The POWER8 code is about 2.5x faster than C++ when using GCC 5.0
11// or above. If you use GCC 4.0 (PowerMac) or GCC 4.8 (GCC Compile Farm)
12// then the PowerPC code will be slower than C++. Be sure to use GCC 5.0
13// or above for PowerPC builds or disable Altivec for BLAKE2b and BLAKE2s
14// if using the old compilers.
15
16#include "pch.h"
17#include "config.h"
18#include "cryptlib.h"
19#include "argnames.h"
20#include "algparam.h"
21#include "blake2.h"
22#include "cpu.h"
23
24// Uncomment for benchmarking C++ against SSE2 or NEON.
25// Do so in both blake2.cpp and blake2-simd.cpp.
26// #undef CRYPTOPP_SSE41_AVAILABLE
27// #undef CRYPTOPP_ARM_NEON_AVAILABLE
28// #undef CRYPTOPP_ALTIVEC_AVAILABLE
29// #undef CRYPTOPP_POWER8_AVAILABLE
30
31// Disable NEON/ASIMD for Cortex-A53 and A57. The shifts are too slow and C/C++ is about
32// 3 cpb faster than NEON/ASIMD. Also see http://github.com/weidai11/cryptopp/issues/367.
33#if (defined(__aarch32__) || defined(__aarch64__)) && defined(CRYPTOPP_SLOW_ARMV8_SHIFT)
34# undef CRYPTOPP_ARM_NEON_AVAILABLE
35#endif
36
37// BLAKE2s bug on AIX 7.1 (POWER7) with XLC 12.01
38// https://github.com/weidai11/cryptopp/issues/743
39#if defined(__xlC__) && (__xlC__ < 0x0d01)
40# define CRYPTOPP_DISABLE_ALTIVEC 1
41# undef CRYPTOPP_POWER7_AVAILABLE
42# undef CRYPTOPP_POWER8_AVAILABLE
43# undef CRYPTOPP_ALTIVEC_AVAILABLE
44#endif
45
46NAMESPACE_BEGIN(CryptoPP)
47
48// Export the tables to the SIMD files
49extern const word32 BLAKE2S_IV[8];
50extern const word64 BLAKE2B_IV[8];
51
52CRYPTOPP_ALIGN_DATA(16)
53const word32 BLAKE2S_IV[8] = {
54 0x6A09E667UL, 0xBB67AE85UL, 0x3C6EF372UL, 0xA54FF53AUL,
55 0x510E527FUL, 0x9B05688CUL, 0x1F83D9ABUL, 0x5BE0CD19UL
56};
57
58CRYPTOPP_ALIGN_DATA(16)
59const word64 BLAKE2B_IV[8] = {
60 W64LIT(0x6a09e667f3bcc908), W64LIT(0xbb67ae8584caa73b),
61 W64LIT(0x3c6ef372fe94f82b), W64LIT(0xa54ff53a5f1d36f1),
62 W64LIT(0x510e527fade682d1), W64LIT(0x9b05688c2b3e6c1f),
63 W64LIT(0x1f83d9abfb41bd6b), W64LIT(0x5be0cd19137e2179)
64};
65
66NAMESPACE_END
67
68ANONYMOUS_NAMESPACE_BEGIN
69
70using CryptoPP::byte;
71using CryptoPP::word32;
72using CryptoPP::word64;
73using CryptoPP::rotrConstant;
74
75CRYPTOPP_ALIGN_DATA(16)
76const byte BLAKE2S_SIGMA[10][16] = {
77 { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
78 { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
79 { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
80 { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
81 { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
82 { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
83 { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
84 { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
85 { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
86 { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 },
87};
88
89CRYPTOPP_ALIGN_DATA(16)
90const byte BLAKE2B_SIGMA[12][16] = {
91 { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
92 { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
93 { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
94 { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
95 { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
96 { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
97 { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
98 { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
99 { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
100 { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 },
101 { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
102 { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }
103};
104
105template <unsigned int R, unsigned int N>
106inline void BLAKE2B_G(const word64 m[16], word64& a, word64& b, word64& c, word64& d)
107{
108 a = a + b + m[BLAKE2B_SIGMA[R][2*N+0]];
109 d = rotrConstant<32>(d ^ a);
110 c = c + d;
111 b = rotrConstant<24>(b ^ c);
112 a = a + b + m[BLAKE2B_SIGMA[R][2*N+1]];
113 d = rotrConstant<16>(d ^ a);
114 c = c + d;
115 b = rotrConstant<63>(b ^ c);
116}
117
118template <unsigned int R>
119inline void BLAKE2B_ROUND(const word64 m[16], word64 v[16])
120{
121 BLAKE2B_G<R,0>(m,v[ 0],v[ 4],v[ 8],v[12]);
122 BLAKE2B_G<R,1>(m,v[ 1],v[ 5],v[ 9],v[13]);
123 BLAKE2B_G<R,2>(m,v[ 2],v[ 6],v[10],v[14]);
124 BLAKE2B_G<R,3>(m,v[ 3],v[ 7],v[11],v[15]);
125 BLAKE2B_G<R,4>(m,v[ 0],v[ 5],v[10],v[15]);
126 BLAKE2B_G<R,5>(m,v[ 1],v[ 6],v[11],v[12]);
127 BLAKE2B_G<R,6>(m,v[ 2],v[ 7],v[ 8],v[13]);
128 BLAKE2B_G<R,7>(m,v[ 3],v[ 4],v[ 9],v[14]);
129}
130
131template <unsigned int R, unsigned int N>
132inline void BLAKE2S_G(const word32 m[16], word32& a, word32& b, word32& c, word32& d)
133{
134 a = a + b + m[BLAKE2S_SIGMA[R][2*N+0]];
135 d = rotrConstant<16>(d ^ a);
136 c = c + d;
137 b = rotrConstant<12>(b ^ c);
138 a = a + b + m[BLAKE2S_SIGMA[R][2*N+1]];
139 d = rotrConstant<8>(d ^ a);
140 c = c + d;
141 b = rotrConstant<7>(b ^ c);
142}
143
144template <unsigned int R>
145inline void BLAKE2S_ROUND(const word32 m[16], word32 v[])
146{
147 BLAKE2S_G<R,0>(m,v[ 0],v[ 4],v[ 8],v[12]);
148 BLAKE2S_G<R,1>(m,v[ 1],v[ 5],v[ 9],v[13]);
149 BLAKE2S_G<R,2>(m,v[ 2],v[ 6],v[10],v[14]);
150 BLAKE2S_G<R,3>(m,v[ 3],v[ 7],v[11],v[15]);
151 BLAKE2S_G<R,4>(m,v[ 0],v[ 5],v[10],v[15]);
152 BLAKE2S_G<R,5>(m,v[ 1],v[ 6],v[11],v[12]);
153 BLAKE2S_G<R,6>(m,v[ 2],v[ 7],v[ 8],v[13]);
154 BLAKE2S_G<R,7>(m,v[ 3],v[ 4],v[ 9],v[14]);
155}
156
157ANONYMOUS_NAMESPACE_END
158
159NAMESPACE_BEGIN(CryptoPP)
160
161void BLAKE2_Compress32_CXX(const byte* input, BLAKE2s_State& state);
162void BLAKE2_Compress64_CXX(const byte* input, BLAKE2b_State& state);
163
164#if CRYPTOPP_SSE41_AVAILABLE
165extern void BLAKE2_Compress32_SSE4(const byte* input, BLAKE2s_State& state);
166extern void BLAKE2_Compress64_SSE4(const byte* input, BLAKE2b_State& state);
167#endif
168
169#if CRYPTOPP_ARM_NEON_AVAILABLE
170extern void BLAKE2_Compress32_NEON(const byte* input, BLAKE2s_State& state);
171extern void BLAKE2_Compress64_NEON(const byte* input, BLAKE2b_State& state);
172#endif
173
174#if CRYPTOPP_POWER8_AVAILABLE
175extern void BLAKE2_Compress32_POWER8(const byte* input, BLAKE2s_State& state);
176#elif CRYPTOPP_ALTIVEC_AVAILABLE
177extern void BLAKE2_Compress32_ALTIVEC(const byte* input, BLAKE2s_State& state);
178#endif
179
180#if CRYPTOPP_POWER8_AVAILABLE
181extern void BLAKE2_Compress64_POWER8(const byte* input, BLAKE2b_State& state);
182#endif
183
185{
186#if defined(CRYPTOPP_SSE41_AVAILABLE)
187 if (HasSSE41())
188 return 16;
189 else
190#endif
191#if (CRYPTOPP_ARM_NEON_AVAILABLE)
192 if (HasNEON())
193 return 4;
194 else
195#endif
196#if (CRYPTOPP_POWER8_AVAILABLE)
197 if (HasPower8())
198 return 16;
199 else
200#endif
201 return GetAlignmentOf<word64>();
202}
203
204std::string BLAKE2b::AlgorithmProvider() const
205{
206#if defined(CRYPTOPP_SSE41_AVAILABLE)
207 if (HasSSE41())
208 return "SSE4.1";
209 else
210#endif
211#if (CRYPTOPP_ARM_NEON_AVAILABLE)
212 if (HasNEON())
213 return "NEON";
214 else
215#endif
216#if (CRYPTOPP_POWER8_AVAILABLE)
217 if (HasPower8())
218 return "Power8";
219 else
220#endif
221 return "C++";
222}
223
225{
226#if defined(CRYPTOPP_SSE41_AVAILABLE)
227 if (HasSSE41())
228 return 16;
229 else
230#endif
231#if (CRYPTOPP_ARM_NEON_AVAILABLE)
232 if (HasNEON())
233 return 4;
234 else
235#endif
236#if (CRYPTOPP_POWER8_AVAILABLE)
237 if (HasPower8())
238 return 16;
239 else
240#elif (CRYPTOPP_ALTIVEC_AVAILABLE)
241 if (HasAltivec())
242 return 16;
243 else
244#endif
245 return GetAlignmentOf<word32>();
246}
247
248std::string BLAKE2s::AlgorithmProvider() const
249{
250#if defined(CRYPTOPP_SSE41_AVAILABLE)
251 if (HasSSE41())
252 return "SSE4.1";
253 else
254#endif
255#if (CRYPTOPP_ARM_NEON_AVAILABLE)
256 if (HasNEON())
257 return "NEON";
258 else
259#endif
260#if (CRYPTOPP_POWER8_AVAILABLE)
261 if (HasPower8())
262 return "Power8";
263 else
264#elif (CRYPTOPP_ALTIVEC_AVAILABLE)
265 if (HasAltivec())
266 return "Altivec";
267 else
268#endif
269 return "C++";
270}
271
272void BLAKE2s_State::Reset()
273{
274 std::memset(m_hft, 0x00, m_hft.SizeInBytes());
275 m_len = 0;
276}
277
278void BLAKE2b_State::Reset()
279{
280 std::memset(m_hft, 0x00, m_hft.SizeInBytes());
281 m_len = 0;
282}
283
284BLAKE2s_ParameterBlock::BLAKE2s_ParameterBlock(size_t digestLen, size_t keyLen,
285 const byte* saltStr, size_t saltLen,
286 const byte* personalizationStr, size_t personalizationLen)
287{
288 Reset(digestLen, keyLen);
289
290 if (saltStr && saltLen)
291 memcpy_s(salt(), SALTSIZE, saltStr, saltLen);
292
293 if (personalizationStr && personalizationLen)
294 memcpy_s(personalization(), PERSONALIZATIONSIZE, personalizationStr, personalizationLen);
295}
296
297BLAKE2b_ParameterBlock::BLAKE2b_ParameterBlock(size_t digestLen, size_t keyLen,
298 const byte* saltStr, size_t saltLen,
299 const byte* personalizationStr, size_t personalizationLen)
300{
301 Reset(digestLen, keyLen);
302
303 if (saltStr && saltLen)
304 memcpy_s(salt(), SALTSIZE, saltStr, saltLen);
305
306 if (personalizationStr && personalizationLen)
307 memcpy_s(personalization(), PERSONALIZATIONSIZE, personalizationStr, personalizationLen);
308}
309
310void BLAKE2s_ParameterBlock::Reset(size_t digestLen, size_t keyLen)
311{
312 std::memset(m_data, 0x00, m_data.size());
313 m_data[DigestOff] = static_cast<byte>(digestLen);
314 m_data[KeyOff] = static_cast<byte>(keyLen);
315 m_data[FanoutOff] = m_data[DepthOff] = 1;
316}
317
318void BLAKE2b_ParameterBlock::Reset(size_t digestLen, size_t keyLen)
319{
320 std::memset(m_data, 0x00, m_data.size());
321 m_data[DigestOff] = static_cast<byte>(digestLen);
322 m_data[KeyOff] = static_cast<byte>(keyLen);
323 m_data[FanoutOff] = m_data[DepthOff] = 1;
324}
325
326BLAKE2s::BLAKE2s(bool treeMode, unsigned int digestSize)
327 : m_digestSize(digestSize), m_keyLength(0), m_treeMode(treeMode)
328{
329 CRYPTOPP_ASSERT(digestSize <= DIGESTSIZE);
330
331 UncheckedSetKey(NULLPTR, 0, MakeParameters
332 (Name::DigestSize(), (int)digestSize)
333 (Name::TreeMode(), treeMode));
334}
335
336BLAKE2b::BLAKE2b(bool treeMode, unsigned int digestSize)
337 : m_digestSize(digestSize), m_keyLength(0), m_treeMode(treeMode)
338{
339 CRYPTOPP_ASSERT(digestSize <= DIGESTSIZE);
340
341 UncheckedSetKey(NULLPTR, 0, MakeParameters
342 (Name::DigestSize(), (int)digestSize)
343 (Name::TreeMode(), treeMode));
344}
345
346BLAKE2s::BLAKE2s(unsigned int digestSize)
347 : m_digestSize(digestSize), m_keyLength(0), m_treeMode(false)
348{
349 CRYPTOPP_ASSERT(digestSize <= DIGESTSIZE);
350
351 UncheckedSetKey(NULLPTR, 0, MakeParameters
352 (Name::DigestSize(), (int)digestSize)
353 (Name::TreeMode(), false));
354}
355
356BLAKE2b::BLAKE2b(unsigned int digestSize)
357 : m_digestSize(digestSize), m_keyLength(0), m_treeMode(false)
358{
359 CRYPTOPP_ASSERT(digestSize <= DIGESTSIZE);
360
361 UncheckedSetKey(NULLPTR, 0, MakeParameters
362 (Name::DigestSize(), (int)digestSize)
363 (Name::TreeMode(), false));
364}
365
366BLAKE2s::BLAKE2s(const byte *key, size_t keyLength, const byte* salt, size_t saltLength,
367 const byte* personalization, size_t personalizationLength, bool treeMode, unsigned int digestSize)
368 : m_digestSize(digestSize), m_keyLength(static_cast<unsigned int>(keyLength)), m_treeMode(treeMode)
369{
370 CRYPTOPP_ASSERT(keyLength <= MAX_KEYLENGTH);
371 CRYPTOPP_ASSERT(digestSize <= DIGESTSIZE);
372 CRYPTOPP_ASSERT(saltLength <= SALTSIZE);
373 CRYPTOPP_ASSERT(personalizationLength <= PERSONALIZATIONSIZE);
374
375 UncheckedSetKey(key, static_cast<unsigned int>(keyLength), MakeParameters
376 (Name::DigestSize(),(int)digestSize)
377 (Name::TreeMode(),treeMode)
378 (Name::Salt(), ConstByteArrayParameter(salt, saltLength))
379 (Name::Personalization(), ConstByteArrayParameter(personalization, personalizationLength)));
380}
381
382BLAKE2b::BLAKE2b(const byte *key, size_t keyLength, const byte* salt, size_t saltLength,
383 const byte* personalization, size_t personalizationLength, bool treeMode, unsigned int digestSize)
384 : m_digestSize(digestSize), m_keyLength(static_cast<unsigned int>(keyLength)), m_treeMode(treeMode)
385{
386 CRYPTOPP_ASSERT(keyLength <= MAX_KEYLENGTH);
387 CRYPTOPP_ASSERT(digestSize <= DIGESTSIZE);
388 CRYPTOPP_ASSERT(saltLength <= SALTSIZE);
389 CRYPTOPP_ASSERT(personalizationLength <= PERSONALIZATIONSIZE);
390
391 UncheckedSetKey(key, static_cast<unsigned int>(keyLength), MakeParameters
392 (Name::DigestSize(),(int)digestSize)
393 (Name::TreeMode(),treeMode)
394 (Name::Salt(), ConstByteArrayParameter(salt, saltLength))
395 (Name::Personalization(), ConstByteArrayParameter(personalization, personalizationLength)));
396}
397
398void BLAKE2s::UncheckedSetKey(const byte *key, unsigned int length, const CryptoPP::NameValuePairs& params)
399{
400 if (key && length)
401 {
402 m_key.New(BLOCKSIZE);
403 std::memcpy(m_key, key, length);
404 std::memset(m_key + length, 0x00, BLOCKSIZE - length);
405 m_keyLength = length;
406 }
407 else
408 {
409 m_key.resize(0);
410 m_keyLength = 0;
411 }
412
413 m_digestSize = static_cast<unsigned int>(params.GetIntValueWithDefault(
414 Name::DigestSize(), static_cast<int>(m_digestSize)));
415
416 m_state.Reset();
417 m_block.Reset(m_digestSize, m_keyLength);
418 (void)params.GetValue(Name::TreeMode(), m_treeMode);
419
421 if (params.GetValue(Name::Salt(), t) && t.begin() && t.size())
422 memcpy_s(m_block.salt(), SALTSIZE, t.begin(), t.size());
423
424 if (params.GetValue(Name::Personalization(), t) && t.begin() && t.size())
425 memcpy_s(m_block.personalization(), PERSONALIZATIONSIZE, t.begin(), t.size());
426
427 Restart();
428}
429
430void BLAKE2b::UncheckedSetKey(const byte *key, unsigned int length, const CryptoPP::NameValuePairs& params)
431{
432 if (key && length)
433 {
434 m_key.New(BLOCKSIZE);
435 std::memcpy(m_key, key, length);
436 std::memset(m_key + length, 0x00, BLOCKSIZE - length);
437 m_keyLength = length;
438 }
439 else
440 {
441 m_key.resize(0);
442 m_keyLength = 0;
443 }
444
445 m_digestSize = static_cast<unsigned int>(params.GetIntValueWithDefault(
446 Name::DigestSize(), static_cast<int>(m_digestSize)));
447
448 m_state.Reset();
449 m_block.Reset(m_digestSize, m_keyLength);
450 (void)params.GetValue(Name::TreeMode(), m_treeMode);
451
453 if (params.GetValue(Name::Salt(), t) && t.begin() && t.size())
454 memcpy_s(m_block.salt(), SALTSIZE, t.begin(), t.size());
455
456 if (params.GetValue(Name::Personalization(), t) && t.begin() && t.size())
457 memcpy_s(m_block.personalization(), PERSONALIZATIONSIZE, t.begin(), t.size());
458
459 Restart();
460}
461
463{
464 static const word32 zero[2] = {0,0};
465 Restart(m_block, zero);
466}
467
469{
470 static const word64 zero[2] = {0,0};
471 Restart(m_block, zero);
472}
473
474void BLAKE2s::Restart(const BLAKE2s_ParameterBlock& block, const word32 counter[2])
475{
476 // We take a counter as a parameter to allow customized state.
477 m_state.Reset();
478 if (counter != NULLPTR)
479 {
480 word32* t = m_state.t();
481 t[0] = counter[0];
482 t[1] = counter[1];
483 }
484
485 // We take a parameter block as a parameter to allow customized state.
486 // Avoid the copy of the parameter block when we are passing our own block.
487 if (block.data() == m_block.data())
488 m_block.Reset(m_digestSize, m_keyLength);
489 else
490 {
491 std::memcpy(m_block.data(), block.data(), m_block.size());
492 m_block.m_data[BLAKE2s_ParameterBlock::DigestOff] = (byte)m_digestSize;
493 m_block.m_data[BLAKE2s_ParameterBlock::KeyOff] = (byte)m_keyLength;
494 }
495
496 const word32* iv = BLAKE2S_IV;
497 PutBlock<word32, LittleEndian, true> put(m_block.data(), m_state.h());
498 put(iv[0])(iv[1])(iv[2])(iv[3])(iv[4])(iv[5])(iv[6])(iv[7]);
499
500 // When BLAKE2 is keyed, the input stream is simply {key || 0 || message}.
501 // The key is padded to a full Blocksize with 0. Key it during Restart to
502 // avoid FirstPut and friends. Key size == 0 means no key.
503 if (m_keyLength)
504 Update(m_key, BLOCKSIZE);
505}
506
507void BLAKE2b::Restart(const BLAKE2b_ParameterBlock& block, const word64 counter[2])
508{
509 // We take a counter as a parameter to allow customized state.
510 m_state.Reset();
511 if (counter != NULLPTR)
512 {
513 word64* t = m_state.t();
514 t[0] = counter[0];
515 t[1] = counter[1];
516 }
517
518 // We take a parameter block as a parameter to allow customized state.
519 // Avoid the copy of the parameter block when we are passing our own block.
520 if (block.data() == m_block.data())
521 m_block.Reset(m_digestSize, m_keyLength);
522 else
523 {
524 std::memcpy(m_block.data(), block.data(), m_block.size());
525 m_block.m_data[BLAKE2b_ParameterBlock::DigestOff] = (byte)m_digestSize;
526 m_block.m_data[BLAKE2b_ParameterBlock::KeyOff] = (byte)m_keyLength;
527 }
528
529 const word64* iv = BLAKE2B_IV;
530 PutBlock<word64, LittleEndian, true> put(m_block.data(), m_state.h());
531 put(iv[0])(iv[1])(iv[2])(iv[3])(iv[4])(iv[5])(iv[6])(iv[7]);
532
533 // When BLAKE2 is keyed, the input stream is simply {key || 0 || message}.
534 // The key is padded to a full Blocksize with 0. Key it during Restart to
535 // avoid FirstPut and friends. Key size == 0 means no key.
536 if (m_keyLength)
537 Update(m_key, BLOCKSIZE);
538}
539
540void BLAKE2s::Update(const byte *input, size_t length)
541{
542 CRYPTOPP_ASSERT(input != NULLPTR || length == 0);
543
544 if (length > BLOCKSIZE - m_state.m_len)
545 {
546 if (m_state.m_len != 0)
547 {
548 // Complete current block
549 const size_t fill = BLOCKSIZE - m_state.m_len;
550 std::memcpy(m_state.m_buf+m_state.m_len, input, fill);
551
552 IncrementCounter(BLOCKSIZE);
553 Compress(m_state.m_buf);
554 m_state.m_len = 0;
555
556 length -= fill, input += fill;
557 }
558
559 // Compress in-place to avoid copies
560 while (length > BLOCKSIZE)
561 {
562 IncrementCounter(BLOCKSIZE);
563 Compress(input);
564 length -= BLOCKSIZE, input += BLOCKSIZE;
565 }
566 }
567
568 // Copy tail bytes
569 if (length)
570 {
571 CRYPTOPP_ASSERT(length <= BLOCKSIZE - m_state.m_len);
572 std::memcpy(m_state.m_buf+m_state.m_len, input, length);
573 m_state.m_len += static_cast<unsigned int>(length);
574 }
575}
576
577void BLAKE2b::Update(const byte *input, size_t length)
578{
579 CRYPTOPP_ASSERT(input != NULLPTR || length == 0);
580
581 if (length > BLOCKSIZE - m_state.m_len)
582 {
583 if (m_state.m_len != 0)
584 {
585 // Complete current block
586 const size_t fill = BLOCKSIZE - m_state.m_len;
587 std::memcpy(m_state.m_buf+m_state.m_len, input, fill);
588
589 IncrementCounter(BLOCKSIZE);
590 Compress(m_state.m_buf);
591 m_state.m_len = 0;
592
593 length -= fill, input += fill;
594 }
595
596 // Compress in-place to avoid copies
597 while (length > BLOCKSIZE)
598 {
599 CRYPTOPP_ASSERT(m_state.m_len == 0);
600 IncrementCounter(BLOCKSIZE);
601 Compress(input);
602 length -= BLOCKSIZE, input += BLOCKSIZE;
603 }
604 }
605
606 // Copy tail bytes
607 if (length)
608 {
609 CRYPTOPP_ASSERT(length <= BLOCKSIZE - m_state.m_len);
610 std::memcpy(m_state.m_buf + m_state.m_len, input, length);
611 m_state.m_len += static_cast<unsigned int>(length);
612 }
613}
614
615void BLAKE2s::TruncatedFinal(byte *hash, size_t size)
616{
617 CRYPTOPP_ASSERT(hash != NULLPTR);
618 this->ThrowIfInvalidTruncatedSize(size);
619 word32* f = m_state.f();
620
621 // Set last block unconditionally
622 f[0] = ~static_cast<word32>(0);
623
624 // Set last node if tree mode
625 if (m_treeMode)
626 f[1] = ~static_cast<word32>(0);
627
628 // Increment counter for tail bytes only
629 IncrementCounter(m_state.m_len);
630
631 std::memset(m_state.m_buf + m_state.m_len, 0x00, BLOCKSIZE - m_state.m_len);
632 Compress(m_state.m_buf);
633
634 // Copy to caller buffer
635 std::memcpy(hash, m_state.h(), size);
636
637 Restart();
638}
639
640void BLAKE2b::TruncatedFinal(byte *hash, size_t size)
641{
642 CRYPTOPP_ASSERT(hash != NULLPTR);
643 this->ThrowIfInvalidTruncatedSize(size);
644 word64* f = m_state.f();
645
646 // Set last block unconditionally
647 f[0] = ~static_cast<word64>(0);
648
649 // Set last node if tree mode
650 if (m_treeMode)
651 f[1] = ~static_cast<word64>(0);
652
653 // Increment counter for tail bytes only
654 IncrementCounter(m_state.m_len);
655
656 std::memset(m_state.m_buf + m_state.m_len, 0x00, BLOCKSIZE - m_state.m_len);
657 Compress(m_state.m_buf);
658
659 // Copy to caller buffer
660 std::memcpy(hash, m_state.h(), size);
661
662 Restart();
663}
664
665void BLAKE2s::IncrementCounter(size_t count)
666{
667 word32* t = m_state.t();
668 t[0] += static_cast<word32>(count);
669 t[1] += !!(t[0] < count);
670}
671
672void BLAKE2b::IncrementCounter(size_t count)
673{
674 word64* t = m_state.t();
675 t[0] += static_cast<word64>(count);
676 t[1] += !!(t[0] < count);
677}
678
679void BLAKE2s::Compress(const byte *input)
680{
681#if CRYPTOPP_SSE41_AVAILABLE
682 if(HasSSE41())
683 {
684 return BLAKE2_Compress32_SSE4(input, m_state);
685 }
686#endif
687#if CRYPTOPP_ARM_NEON_AVAILABLE
688 if(HasNEON())
689 {
690 return BLAKE2_Compress32_NEON(input, m_state);
691 }
692#endif
693#if CRYPTOPP_POWER8_AVAILABLE
694 if(HasPower8())
695 {
696 return BLAKE2_Compress32_POWER8(input, m_state);
697 }
698#elif CRYPTOPP_ALTIVEC_AVAILABLE
699 if(HasAltivec())
700 {
701 return BLAKE2_Compress32_ALTIVEC(input, m_state);
702 }
703#endif
704 return BLAKE2_Compress32_CXX(input, m_state);
705}
706
707void BLAKE2b::Compress(const byte *input)
708{
709#if CRYPTOPP_SSE41_AVAILABLE
710 if(HasSSE41())
711 {
712 return BLAKE2_Compress64_SSE4(input, m_state);
713 }
714#endif
715#if CRYPTOPP_ARM_NEON_AVAILABLE
716 if(HasNEON())
717 {
718 return BLAKE2_Compress64_NEON(input, m_state);
719 }
720#endif
721#if CRYPTOPP_POWER8_AVAILABLE
722 if(HasPower8())
723 {
724 return BLAKE2_Compress64_POWER8(input, m_state);
725 }
726#endif
727 return BLAKE2_Compress64_CXX(input, m_state);
728}
729
730void BLAKE2_Compress64_CXX(const byte* input, BLAKE2b_State& state)
731{
732 word64 m[16], v[16];
733
735 get1(m[0])(m[1])(m[2])(m[3])(m[4])(m[5])(m[6])(m[7])(m[8])(m[9])(m[10])(m[11])(m[12])(m[13])(m[14])(m[15]);
736
738 get2(v[0])(v[1])(v[2])(v[3])(v[4])(v[5])(v[6])(v[7]);
739
740 const word64* iv = BLAKE2B_IV;
741 const word64* tf = state.t();
742 v[ 8] = iv[0];
743 v[ 9] = iv[1];
744 v[10] = iv[2];
745 v[11] = iv[3];
746 v[12] = tf[0] ^ iv[4];
747 v[13] = tf[1] ^ iv[5];
748 v[14] = tf[2] ^ iv[6];
749 v[15] = tf[3] ^ iv[7];
750
751 BLAKE2B_ROUND<0>(m, v);
752 BLAKE2B_ROUND<1>(m, v);
753 BLAKE2B_ROUND<2>(m, v);
754 BLAKE2B_ROUND<3>(m, v);
755 BLAKE2B_ROUND<4>(m, v);
756 BLAKE2B_ROUND<5>(m, v);
757 BLAKE2B_ROUND<6>(m, v);
758 BLAKE2B_ROUND<7>(m, v);
759 BLAKE2B_ROUND<8>(m, v);
760 BLAKE2B_ROUND<9>(m, v);
761 BLAKE2B_ROUND<10>(m, v);
762 BLAKE2B_ROUND<11>(m, v);
763
764 word64* h = state.h();
765 for (unsigned int i = 0; i < 8; ++i)
766 h[i] = h[i] ^ ConditionalByteReverse(LITTLE_ENDIAN_ORDER, v[i] ^ v[i + 8]);
767}
768
769void BLAKE2_Compress32_CXX(const byte* input, BLAKE2s_State& state)
770{
771 word32 m[16], v[16];
772
774 get1(m[0])(m[1])(m[2])(m[3])(m[4])(m[5])(m[6])(m[7])(m[8])(m[9])(m[10])(m[11])(m[12])(m[13])(m[14])(m[15]);
775
777 get2(v[0])(v[1])(v[2])(v[3])(v[4])(v[5])(v[6])(v[7]);
778
779 const word32* iv = BLAKE2S_IV;
780 const word32* tf = state.t();
781 v[ 8] = iv[0];
782 v[ 9] = iv[1];
783 v[10] = iv[2];
784 v[11] = iv[3];
785 v[12] = tf[0] ^ iv[4];
786 v[13] = tf[1] ^ iv[5];
787 v[14] = tf[2] ^ iv[6];
788 v[15] = tf[3] ^ iv[7];
789
790 BLAKE2S_ROUND<0>(m, v);
791 BLAKE2S_ROUND<1>(m, v);
792 BLAKE2S_ROUND<2>(m, v);
793 BLAKE2S_ROUND<3>(m, v);
794 BLAKE2S_ROUND<4>(m, v);
795 BLAKE2S_ROUND<5>(m, v);
796 BLAKE2S_ROUND<6>(m, v);
797 BLAKE2S_ROUND<7>(m, v);
798 BLAKE2S_ROUND<8>(m, v);
799 BLAKE2S_ROUND<9>(m, v);
800
801 word32* h = state.h();
802 for (unsigned int i = 0; i < 8; ++i)
803 h[i] = h[i] ^ ConditionalByteReverse(LITTLE_ENDIAN_ORDER, v[i] ^ v[i + 8]);
804}
805
806NAMESPACE_END
Classes for working with NameValuePairs.
AlgorithmParameters MakeParameters(const char *name, const T &value, bool throwIfNotUsed=true)
Create an object that implements NameValuePairs.
Definition: algparam.h:502
Standard names for retrieving values by name when working with NameValuePairs.
Classes for BLAKE2b and BLAKE2s message digests and keyed message digests.
std::string AlgorithmProvider() const
Retrieve the provider of this algorithm.
Definition: blake2.cpp:204
void TruncatedFinal(byte *hash, size_t size)
Computes the hash of the current message.
Definition: blake2.cpp:640
unsigned int OptimalDataAlignment() const
Provides input and output data alignment for optimal performance.
Definition: blake2.cpp:184
void Restart()
Restart the hash.
Definition: blake2.cpp:468
void Update(const byte *input, size_t length)
Updates a hash with additional input.
Definition: blake2.cpp:577
BLAKE2b(bool treeMode=false, unsigned int digestSize=DIGESTSIZE)
Construct a BLAKE2b hash.
Definition: blake2.cpp:336
void Update(const byte *input, size_t length)
Updates a hash with additional input.
Definition: blake2.cpp:540
void Restart()
Restart the hash.
Definition: blake2.cpp:462
void TruncatedFinal(byte *hash, size_t size)
Computes the hash of the current message.
Definition: blake2.cpp:615
BLAKE2s(bool treeMode=false, unsigned int digestSize=DIGESTSIZE)
Construct a BLAKE2s hash.
Definition: blake2.cpp:326
std::string AlgorithmProvider() const
Retrieve the provider of this algorithm.
Definition: blake2.cpp:248
unsigned int OptimalDataAlignment() const
Provides input and output data alignment for optimal performance.
Definition: blake2.cpp:224
Used to pass byte array input as part of a NameValuePairs object.
Definition: algparam.h:21
const byte * begin() const
Pointer to the first byte in the memory block.
Definition: algparam.h:80
size_t size() const
Length of the memory block.
Definition: algparam.h:84
Access a block of memory.
Definition: misc.h:2455
Access a block of memory.
Definition: misc.h:2496
void New(size_type newSize)
Change size without preserving contents.
Definition: secblock.h:965
size_type SizeInBytes() const
Provides the number of bytes in the SecBlock.
Definition: secblock.h:811
size_type size() const
Provides the count of elements in the SecBlock.
Definition: secblock.h:797
void resize(size_type newSize)
Change size and preserve contents.
Definition: secblock.h:1031
Library configuration file.
Functions for CPU features and intrinsics.
bool HasAltivec()
Determine if a PowerPC processor has Altivec available.
Definition: cpu.h:614
bool HasNEON()
Determine if an ARM processor has Advanced SIMD available.
Definition: cpu.h:387
bool HasPower8()
Determine if a PowerPC processor has Power8 available.
Definition: cpu.h:640
bool HasSSE41()
Determines SSE4.1 availability.
Definition: cpu.h:142
Abstract base classes that provide a uniform interface to this library.
@ LITTLE_ENDIAN_ORDER
byte order is little-endian
Definition: cryptlib.h:145
void memcpy_s(void *dest, size_t sizeInBytes, const void *src, size_t count)
Bounds checking replacement for memcpy()
Definition: misc.h:443
T ConditionalByteReverse(ByteOrder order, T value)
Reverses bytes in a value depending upon endianness.
Definition: misc.h:2113
Crypto++ library namespace.
const char * DigestSize()
int, in bytes
Definition: argnames.h:79
const char * TreeMode()
byte
Definition: argnames.h:90
const char * Personalization()
ConstByteArrayParameter.
Definition: argnames.h:85
const char * Salt()
ConstByteArrayParameter.
Definition: argnames.h:87
Precompiled header file.
BLAKE2b parameter block.
Definition: blake2.h:112
BLAKE2b state information.
Definition: blake2.h:197
BLAKE2s parameter block.
Definition: blake2.h:61
BLAKE2s state information.
Definition: blake2.h:164
#define CRYPTOPP_ASSERT(exp)
Debugging and diagnostic assertion.
Definition: trap.h:69