b2xb and tests

ref/blake2.h

@@ -160,7 +160,7 @@ extern "C" {
   int blake2bp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
 
   int blake2xs( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
-  //int blake2xb( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
+  int blake2xb( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
 
   /* This is simply an alias for blake2b */
   int blake2( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );

ref/blake2xb-ref.c

@@ -5,122 +5,143 @@
 #include "blake2.h"
 #include "blake2-impl.h"
 
-
-int blake2xb_init( blake2b_state *S, const uint16_t outlen, const void *key, const uint8_t keylen)
-{
+typedef struct blake2xb_state__ {
+  blake2b_state S[1];
   blake2b_param P[1];
+} blake2xb_state;
 
-  if ( !outlen ) return -1;
 
-  P->digest_length = BLAKE2B_OUTBYTES;
-  P->key_length    = keylen;
-  P->fanout        = 1;
-  P->depth         = 1;
-  store32( &P->leaf_length, 0 );
-  store32( &P->node_offset, 0 );
-  store32( &P->xof_length, outlen );
-  P->node_depth    = 0;
-  P->inner_length  = 0;
-  memset( P->reserved, 0, sizeof( P->reserved ) );
-  memset( P->salt,     0, sizeof( P->salt ) );
-  memset( P->personal, 0, sizeof( P->personal ) );
+int blake2xb_init( blake2xb_state *S, const size_t outlen, const void *key, size_t keylen)
+{
+  if ( outlen == 0 || outlen > 0xFFFFFFFFUL ) {
+    return -1;
+  }
 
-  if( blake2b_init_param( S, P ) < 0 ) return -1;
+  if (NULL == key || keylen > BLAKE2B_KEYBYTES) {
+    return -1;
+  }
 
-    if (keylen) 
-    {
-        if ( !key || keylen > BLAKE2B_KEYBYTES ) return -1;
-        uint8_t block[BLAKE2B_BLOCKBYTES];
-        memset( block, 0, BLAKE2B_BLOCKBYTES );
-        memcpy( block, key, keylen );
-        blake2b_update( S, block, BLAKE2B_BLOCKBYTES );
-        secure_zero_memory( block, BLAKE2B_BLOCKBYTES ); 
-    }
+  /* Initialize parameter block */
+  S->P->digest_length = BLAKE2B_OUTBYTES;
+  S->P->key_length    = keylen;
+  S->P->fanout        = 1;
+  S->P->depth         = 1;
+  store32( &S->P->leaf_length, 0 );
+  store32( &S->P->node_offset, 0 );
+  store32( &S->P->xof_length, outlen );
+  S->P->node_depth    = 0;
+  S->P->inner_length  = 0;
+  memset( S->P->reserved, 0, sizeof( S->P->reserved ) );
+  memset( S->P->salt,     0, sizeof( S->P->salt ) );
+  memset( S->P->personal, 0, sizeof( S->P->personal ) );
+
+  if( blake2b_init_param( S->S, S->P ) < 0 ) {
+    return -1;
+  }
+
+  if (keylen > 0) {
+    uint8_t block[BLAKE2B_BLOCKBYTES];
+    memset(block, 0, BLAKE2B_BLOCKBYTES);
+    memcpy(block, key, keylen);
+    blake2b_update(S->S, block, BLAKE2B_BLOCKBYTES);
+    secure_zero_memory(block, BLAKE2B_BLOCKBYTES);
+  }
   return 0;
 }
 
-
-int blake2xb_update( blake2b_state *S, const uint8_t *in, uint64_t inlen )
-{
-    if ( !in ) return -1;
-
-    return blake2b_update( S, in, inlen );
+int blake2xb_update( blake2xb_state *S, const void *in, size_t inlen ) {
+    return blake2b_update( S->S, in, inlen );
 }
 
-int blake2xb_final( blake2b_state *S, uint8_t *out, const uint16_t outlen) {
+int blake2xb_final( blake2xb_state *S, void *out, size_t outlen) {
 
-    blake2b_state C[1];
-    blake2b_param P[1];
-    int i;
-    uint16_t last_index = outlen/BLAKE2B_OUTBYTES;
-    uint8_t root[BLAKE2B_BLOCKBYTES];
+  blake2b_state C[1];
+  blake2b_param P[1];
+  uint32_t xof_length = load32(&S->P->xof_length);
+  uint8_t root[BLAKE2B_BLOCKBYTES];
+  size_t i;
 
-    if ( !out ) return 1;
+  if (NULL == out) {
+    return -1;
+  }
 
-    /* Finalize the root hash */
-    if (blake2b_final( S, root, BLAKE2B_OUTBYTES ) < 0 )
-        return -1;
-
-    /* Set common block structure values */
-    P->digest_length = BLAKE2B_OUTBYTES;
-    P->key_length    = 0;
-    P->fanout        = 0; 
-    P->depth         = 0;
-    store32( &P->leaf_length, BLAKE2B_OUTBYTES );
-    store32( &P->xof_length, outlen );
-    P->inner_length  = 0;
-    P->node_depth    = 0;
-    memset( P->reserved, 0, sizeof( P->reserved ) );
-    memset( P->salt,     0, sizeof( P->salt ) );
-    memset( P->personal, 0, sizeof( P->personal ) );
-
-    for( i = 0; i < last_index; ++ i ) {
-        /* Initialize state */
-        store32( &P->node_offset, i );
-        if( blake2b_init_param( C, P ) < 0 ) return -1;
-        /* Process key if needed */
-        blake2b_update( C, root, BLAKE2B_OUTBYTES);
-        blake2b_final( C, out + i*BLAKE2B_OUTBYTES, BLAKE2B_OUTBYTES );
+  /* outlen must match the output size defined in xof_length, */
+  /* unless it was -1, in which case anything goes except 0. */
+  if(xof_length == 0xFFFFFFFFUL) {
+    if(outlen == 0) {
+      return -1;
     }
-    /* Last instance */
-    store32( &P->node_offset, last_index);
-    P->digest_length = outlen % BLAKE2B_OUTBYTES;
-    if( blake2b_init_param( C, P ) < 0 ) return -1;
-    blake2b_update( C, root, BLAKE2B_OUTBYTES);
-    blake2b_final( C, out + last_index*BLAKE2B_OUTBYTES, outlen % BLAKE2B_OUTBYTES );
+  } else {
+    if(outlen != xof_length) {
+      return -1;
+    }
+  }
+
+  /* Finalize the root hash */
+  if (blake2b_final(S->S, root, BLAKE2B_OUTBYTES) < 0) {
+    return -1;
+  }
+
+  /* Set common block structure values */
+  /* Copy values from parent instance, and only change the ones below */
+  memcpy(P, S->P, sizeof(blake2b_param));
+  P->fanout = 0;
+  P->depth = 0;
+  store32(&P->leaf_length, BLAKE2B_OUTBYTES);
+  P->inner_length = BLAKE2B_OUTBYTES;
+  P->node_depth = 0;
+
+  for (i = 0; outlen > 0; ++i) {
+    const size_t block_size = (outlen < BLAKE2B_OUTBYTES) ? outlen : BLAKE2B_OUTBYTES;
+    /* Initialize state */
+    P->digest_length = block_size;
+    store32(&P->node_offset, i);
+    blake2b_init_param(C, P);
+    /* Process key if needed */
+    blake2b_update(C, root, BLAKE2B_OUTBYTES);
+    blake2b_final(C, (uint8_t *)out + i * BLAKE2B_OUTBYTES, block_size);
+    outlen -= block_size;
+  }
+  secure_zero_memory(root, sizeof(root));
+  secure_zero_memory(P, sizeof(P));
+  secure_zero_memory(C, sizeof(C));
+  /* Put blake2xb in an invalid state? cf. blake2s_is_lastblock */
+  return 0;
 
-     return 0;
 }
 
-int blake2xb( uint8_t *out, const void *in, const void *key, const
-uint16_t outlen, const uint64_t inlen, const uint8_t keylen ) 
+int blake2xb(void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen)
 {
-    blake2b_state S[1];
+  blake2xb_state S[1];
 
-    /* Verify parameters */
-    if ( NULL == in && inlen > 0 ) return -1;
+  /* Verify parameters */
+  if (NULL == in && inlen > 0)
+    return -1;
 
-    if ( NULL == out ) return -1;
+  if (NULL == out)
+    return -1;
 
-    if ( NULL == key && keylen > 0) return -1;
+  if (NULL == key && keylen > 0)
+    return -1;
 
-    if( keylen > BLAKE2B_KEYBYTES ) return -1;
+  if (keylen > BLAKE2B_KEYBYTES)
+    return -1;
 
-    if( !outlen ) return -1;
+  if (outlen == 0)
+    return -1;
 
-    /* Initialize the root block structure */
-    if ( blake2xb_init( S, outlen, key, keylen ) < 0 ) {
-        return -1;
-    }
+  /* Initialize the root block structure */
+  if (blake2xb_init(S, outlen, key, keylen) < 0) {
+    return -1;
+  }
 
-    /* Compute the root of the tree */
-    if ( blake2xb_update( S, ( const uint8_t * )in, inlen ) < 0 )
-        return -1;
+  /* Absorb the input message */
+  if (blake2xb_update(S, in, inlen) < 0) {
+    return -1;
+  }
 
-    /* Compute the final hash using the counter construction */
-    blake2xb_final( S, out, outlen );
-
-    return 0;
+  /* Compute the root node of the tree and the final hash using the counter construction */
+  return blake2xb_final(S, out, outlen);
 }
 
 #if defined(BLAKE2XB_SELFTEST)
@@ -130,26 +151,70 @@ int main( int argc, char **argv )
 {
   uint8_t key[BLAKE2B_KEYBYTES];
   uint8_t buf[BLAKE2_KAT_LENGTH];
+  size_t i, step;
 
-  for( size_t i = 0; i < BLAKE2B_KEYBYTES; ++i )
+  for( i = 0; i < BLAKE2B_KEYBYTES; ++i ) {
     key[i] = ( uint8_t )i;
-
-  for( size_t i = 0; i < BLAKE2_KAT_LENGTH; ++i )
-    buf[i] = ( uint8_t )i;
-
-  for( size_t i = 0; i < BLAKE2_KAT_LENGTH; ++i )
-  {
-      uint8_t hash[BLAKE2_KAT_LENGTH];
-      blake2xb( hash, buf, key, i, BLAKE2_KAT_LENGTH, BLAKE2B_KEYBYTES );
-
-      for( size_t j = 0; j < i; ++j ) {
-          printf("%02x", hash[j]);
-      }
-      printf("\n");
   }
 
-  //puts( "ok" );
+  for( i = 0; i < BLAKE2_KAT_LENGTH; ++i ) {
+    buf[i] = ( uint8_t )i;
+  }
+
+  /* Testing length of ouputs rather than inputs */
+  /* (Test of input lengths mostly covered by blake2s tests) */
+
+  /* Test simple API */
+  for( size_t outlen = 1; outlen <= BLAKE2_KAT_LENGTH; ++outlen )
+  {
+      uint8_t hash[BLAKE2_KAT_LENGTH] = {0};
+      blake2xb( hash, outlen, buf, BLAKE2_KAT_LENGTH, key, BLAKE2B_KEYBYTES );
+
+
+      if( 0 != memcmp( hash, blake2xb_keyed_kat[outlen-1], outlen ) )
+      {
+        goto fail;
+      }
+  }
+
+  /* Test streaming API */
+  for(step = 1; step < BLAKE2B_BLOCKBYTES; ++step) {
+    for (size_t outlen = 1; outlen <= BLAKE2_KAT_LENGTH; ++outlen) {
+      uint8_t hash[BLAKE2_KAT_LENGTH];
+      blake2xb_state S;
+      uint8_t * p = buf;
+      size_t mlen = BLAKE2_KAT_LENGTH;
+      int err = 0;
+
+      if( (err = blake2xb_init(&S, outlen, key, BLAKE2B_KEYBYTES)) < 0 ) {
+        goto fail;
+      }
+
+      while (mlen >= step) {
+        if ( (err = blake2xb_update(&S, p, step)) < 0 ) {
+          goto fail;
+        }
+        mlen -= step;
+        p += step;
+      }
+      if ( (err = blake2xb_update(&S, p, mlen)) < 0) {
+        goto fail;
+      }
+      if ( (err = blake2xb_final(&S, hash, outlen)) < 0) {
+        goto fail;
+      }
+
+      if (0 != memcmp(hash, blake2xb_keyed_kat[outlen-1], outlen)) {
+        goto fail;
+      }
+    }
+  }
+
+  puts( "ok" );
   return 0;
+fail:
+  puts("error");
+  return -1;
 }
 #endif
 

ref/blake2xs-ref.c

@@ -52,8 +52,8 @@ int blake2xs_update( blake2xs_state *S, const void *in, size_t inlen ) {
   return blake2s_update( S->S, in, inlen );
 }
 
-int blake2xs_final(blake2xs_state *S, void *out, size_t outlen)
-{
+int blake2xs_final(blake2xs_state *S, void *out, size_t outlen) {
+
   blake2s_state C[1];
   blake2s_param P[1];
   uint16_t xof_length = load16(&S->P->xof_length);

ref/genkat-c.c

@@ -76,7 +76,7 @@ do  \
     printf( "\t{\n\t\t" ); \
  \
   for( int j = 0; j < i; ++j ) \
-      printf( "0x%02X%s", hash[j], j && !( ( j + 1 ) % 8 ) ? ",\n\t\t" : ", " ); \
+      printf( "0x%02X%s", hash[j], ( j + 1 ) == LENGTH ? "\n"  : j && !( ( j + 1 ) % 8 ) ? ",\n\t\t" : ", " ); \
       \
   for( int j = i; j < LENGTH; ++j ) \
       printf( "0x00%s", ( j + 1 ) == LENGTH ? "\n" : j && !( ( j + 1 ) % 8 ) ? ",\n\t\t" : ", " ); \
@@ -99,7 +99,7 @@ do  \
     printf( "\t{\n\t\t" ); \
  \
   for( int j = 0; j < i; ++j ) \
-      printf( "0x%02X%s", hash[j], j && !( ( j + 1 ) % 8 ) ? ",\n\t\t" : ", " ); \
+      printf( "0x%02X%s", hash[j], ( j + 1 ) == LENGTH ? "\n" : j  && !( ( j + 1 ) % 8 ) ? ",\n\t\t" : ", " ); \
       \
   for( int j = i; j < LENGTH; ++j ) \
       printf( "0x00%s", ( j + 1 ) == LENGTH ? "\n" : j && !( ( j + 1 ) % 8 ) ? ",\n\t\t" : ", " ); \
@@ -138,8 +138,8 @@ int main( int argc, char **argv )
   MAKE_KEYED_KAT( blake2bp, BLAKE2B );
   MAKE_XOF_KAT( blake2xs );
   MAKE_XOF_KEYED_KAT( blake2xs, BLAKE2S );
-  //MAKE_XOF_KAT( blake2xs );
-  //MAKE_XOF_KEYED_KAT( blake2xs, BLAKE2S );
+  MAKE_XOF_KAT( blake2xb );
+  MAKE_XOF_KEYED_KAT( blake2xb, BLAKE2B );
   puts( "#endif" );
   return 0;
 }