View Javadoc
1   /*
2    * GordianKnot: Security Suite
3    * Copyright 2012-2026. Tony Washer
4    *
5    * Licensed under the Apache License, Version 2.0 (the "License"); you may not
6    * use this file except in compliance with the License.  You may obtain a copy
7    * of the License at
8    *
9    *   http://www.apache.org/licenses/LICENSE-2.0
10   *
11   * Unless required by applicable law or agreed to in writing, software
12   * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
13   * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the
14   * License for the specific language governing permissions and limitations under
15   * the License.
16   */
17  package io.github.tonywasher.joceanus.gordianknot.impl.ext.digests;
18  
19  import org.bouncycastle.util.Memoable;
20  import org.bouncycastle.util.Pack;
21  
22  /**
23   * Blake2s digest.
24   */
25  @SuppressWarnings("checkstyle:MagicNumber")
26  public class GordianBlake2sDigest
27          extends GordianBlake2Base {
28      /**
29       * Number of Rounds.
30       */
31      private static final int ROUNDS = 10;
32  
33      /**
34       * Block length.
35       */
36      private static final int BLOCK_LENGTH_BYTES = NUMWORDS * Integer.BYTES << 1;
37  
38      /**
39       * Blake2s Initialization Vector.
40       */
41      private static final int[] IV = {
42              // Produced from the square root of primes 2, 3, 5, 7, 11, 13, 17, 19.
43              // The same as SHA-256 IV.
44  
45              0x6a09e667, 0xbb67ae85, 0x3c6ef372,
46              0xa54ff53a, 0x510e527f, 0x9b05688c,
47              0x1f83d9ab, 0x5be0cd19
48      };
49  
50      /**
51       * The state.
52       */
53      private final int[] theH = new int[NUMWORDS];
54  
55      /**
56       * The workBuffer.
57       */
58      private final int[] theV = new int[NUMWORDS << 1];
59  
60      /**
61       * The messageBuffer.
62       */
63      private final int[] theM = new int[NUMWORDS << 1];
64  
65      /**
66       * Low Counter.
67       */
68      private int t0;
69  
70      /**
71       * High Counter.
72       */
73      private int t1;
74  
75      /**
76       * Constructor.
77       */
78      public GordianBlake2sDigest() {
79          /* Default to 256 bits */
80          this(256);
81      }
82  
83      /**
84       * Constructor.
85       *
86       * @param pLength the digest length in bits.
87       */
88      public GordianBlake2sDigest(final int pLength) {
89          /* Initialise underlying class */
90          super(ROUNDS, BLOCK_LENGTH_BYTES);
91  
92          /* Check digest length */
93          if ((pLength % Byte.SIZE) != 0 || pLength < 0 || pLength > 256) {
94              throw new IllegalArgumentException("Incorrect digest length");
95          }
96          setDigestLength(pLength / Byte.SIZE);
97          activateH();
98      }
99  
100     /**
101      * Constructor.
102      *
103      * @param pSource the source digest.
104      */
105     private GordianBlake2sDigest(final GordianBlake2sDigest pSource) {
106         /* Initialise underlying class */
107         super(pSource);
108 
109         /* Initialise from source */
110         reset((Memoable) pSource);
111     }
112 
113     @Override
114     public boolean isBlake2b() {
115         return false;
116     }
117 
118     @Override
119     public String getAlgorithmName() {
120         return "Blake2s-" + getDigestSize() * Byte.SIZE;
121     }
122 
123     @Override
124     public int getByteLength() {
125         return BLOCK_LENGTH_BYTES;
126     }
127 
128     @Override
129     public void reset() {
130         /* Reset counter */
131         t0 = 0;
132         t1 = 0;
133 
134         /* reset underlying class */
135         super.reset();
136     }
137 
138     @Override
139     public void reset(final Memoable pSource) {
140         /* Access source */
141         final GordianBlake2sDigest mySource = (GordianBlake2sDigest) pSource;
142 
143         /* reset underlying class */
144         super.reset(mySource);
145 
146         /* Reset counter */
147         t0 = mySource.t0;
148         t1 = mySource.t1;
149 
150         /* Copy state */
151         System.arraycopy(mySource.theH, 0, theH, 0, theH.length);
152     }
153 
154     @Override
155     public GordianBlake2sDigest copy() {
156         return new GordianBlake2sDigest(this);
157     }
158 
159     @Override
160     void adjustCounter(final int pCount) {
161         t0 += pCount;
162         if (t0 == 0) {
163             t1++;
164         }
165     }
166 
167     @Override
168     void completeCounter(final int pCount) {
169         t0 += pCount;
170         if (pCount > 0 && t0 == 0) {
171             t1++;
172         }
173     }
174 
175     @Override
176     void outputDigest(final byte[] pOut,
177                       final int pOutOffset) {
178         /* Loop to provide the output */
179         final int myDigestLen = getDigestSize();
180         for (int i = 0, j = 0; i < NUMWORDS && j < myDigestLen; i++, j += Integer.BYTES) {
181             /* Convert the next word to bytes */
182             final byte[] bytes = Pack.intToLittleEndian(theH[i]);
183 
184             if (j + Integer.BYTES < myDigestLen) {
185                 System.arraycopy(bytes, 0, pOut, pOutOffset + j, Integer.BYTES);
186             } else {
187                 System.arraycopy(bytes, 0, pOut, pOutOffset + j, myDigestLen - j);
188             }
189         }
190     }
191 
192     @Override
193     protected void activateH() {
194         /* Initialise from IV */
195         System.arraycopy(IV, 0, theH, 0, IV.length);
196 
197         /* Initialise first word */
198         theH[0] ^= getDigestSize() | (getKeyLen() << Byte.SIZE);
199         theH[0] ^= (getFanOut() | (getMaxDepth() << Byte.SIZE)) << Short.SIZE;
200 
201         /* Initialise second word */
202         theH[1] ^= getLeafLen();
203 
204         /* Initialise third word */
205         theH[2] ^= getNodeOffset();
206 
207         /* Initialise fourth word */
208         theH[3] ^= getXofLen();
209         theH[3] ^= (getNodeDepth() | (getInnerLen() << Byte.SIZE)) << Short.SIZE;
210 
211         /* Build salt section */
212         final byte[] mySalt = getSalt();
213         if (mySalt != null) {
214             theH[4] ^= Pack.littleEndianToInt(mySalt, 0);
215             theH[5] ^= Pack.littleEndianToInt(mySalt, Integer.BYTES);
216         }
217 
218         /* Build personalisation section */
219         final byte[] myPersonal = getPersonal();
220         if (myPersonal != null) {
221             theH[6] ^= Pack.littleEndianToInt(myPersonal, 0);
222             theH[7] ^= Pack.littleEndianToInt(myPersonal, Integer.BYTES);
223         }
224 
225         /* Initialise any keyBlock */
226         initKeyBlock();
227     }
228 
229     @Override
230     protected void initV() {
231         /* Copy in H and IV */
232         System.arraycopy(theH, 0, theV, 0, NUMWORDS);
233         System.arraycopy(IV, 0, theV, NUMWORDS, NUMWORDS);
234 
235         /* Fold in counters */
236         theV[12] ^= t0;
237         theV[13] ^= t1;
238 
239         /* Fold in finalisation flags */
240         if (isLastBlock()) {
241             theV[14] ^= -1;
242             if (isLastNode()) {
243                 theV[15] ^= -1;
244             }
245         }
246     }
247 
248     @Override
249     protected void initM(final byte[] pMessage,
250                          final int pMsgPos) {
251         /* Copy message bytes into word array */
252         for (int i = 0; i < NUMWORDS << 1; i++) {
253             theM[i] = Pack.littleEndianToInt(pMessage, pMsgPos + i * Integer.BYTES);
254         }
255     }
256 
257     @Override
258     protected void adjustH() {
259         /* Combine V into H */
260         for (int i = 0; i < NUMWORDS; i++) {
261             theH[i] ^= theV[i] ^ theV[i + NUMWORDS];
262         }
263     }
264 
265     @Override
266     protected void mixG(final int msgIdx1,
267                         final int msgIdx2,
268                         final int posA,
269                         final int posB,
270                         final int posC,
271                         final int posD) {
272         /* Perform the Round */
273         theV[posA] += theV[posB] + theM[msgIdx1];
274         theV[posD] = rotr32(theV[posD] ^ theV[posA], 16);
275         theV[posC] += theV[posD];
276         theV[posB] = rotr32(theV[posB] ^ theV[posC], 12);
277         theV[posA] += theV[posB] + theM[msgIdx2];
278         theV[posD] = rotr32(theV[posD] ^ theV[posA], 8);
279         theV[posC] += theV[posD];
280         theV[posB] = rotr32(theV[posB] ^ theV[posC], 7);
281     }
282 
283     /**
284      * Rotate an int right.
285      *
286      * @param x   the value to rotate
287      * @param rot the number of bits to rotate
288      * @return the result
289      */
290     private static int rotr32(final int x,
291                               final int rot) {
292         return x >>> rot | (x << (Integer.SIZE - rot));
293     }
294 }