summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBill Cox <waywardgeek@google.com>2016-03-09 23:08:31 +0100
committerRich Salz <rsalz@openssl.org>2016-03-11 16:39:10 +0100
commit2d0b44126763f989a4cbffbffe9d0c7518158bb7 (patch)
tree241855d2b5a9b91688f969bf849037f6a0343594
parentmove DSA_SIG definition into C source file (diff)
downloadopenssl-2d0b44126763f989a4cbffbffe9d0c7518158bb7.tar.xz
openssl-2d0b44126763f989a4cbffbffe9d0c7518158bb7.zip
Add blake2 support.
Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
-rwxr-xr-xConfigure4
-rw-r--r--Makefile.in2
-rw-r--r--apps/openssl.c3
-rw-r--r--apps/progs.h6
-rw-r--r--apps/progs.pl2
-rw-r--r--crypto/blake2/Makefile.in48
-rw-r--r--crypto/blake2/blake2_impl.h144
-rw-r--r--crypto/blake2/blake2b.c225
-rw-r--r--crypto/blake2/blake2s.c220
-rw-r--r--crypto/blake2/build.info3
-rw-r--r--crypto/evp/Makefile.in4
-rw-r--r--crypto/evp/build.info2
-rw-r--r--crypto/evp/c_alld.c4
-rw-r--r--crypto/evp/m_blake2b.c62
-rw-r--r--crypto/evp/m_blake2s.c62
-rw-r--r--crypto/include/internal/blake2_locl.h98
-rw-r--r--crypto/objects/obj_dat.h22
-rw-r--r--crypto/objects/obj_mac.num2
-rw-r--r--crypto/objects/objects.txt3
-rw-r--r--doc/apps/dgst.pod2
-rw-r--r--doc/crypto/EVP_DigestInit.pod17
-rw-r--r--doc/standards.txt2
-rw-r--r--include/openssl/evp.h4
-rw-r--r--include/openssl/obj_mac.h10
-rw-r--r--include/openssl/objects.h10
-rw-r--r--test/evptests.txt57
-rw-r--r--util/libcrypto.num2
-rwxr-xr-xutil/mkdef.pl2
-rwxr-xr-xutil/mkfiles.pl1
29 files changed, 1004 insertions, 19 deletions
diff --git a/Configure b/Configure
index 413efb09ad..17bc6c2c67 100755
--- a/Configure
+++ b/Configure
@@ -220,7 +220,7 @@ $config{dirs} = [ "crypto", "ssl", "engines", "apps", "test", "tools" ];
# crypto/ subdirectories to build
$config{sdirs} = [
"objects",
- "md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305",
+ "md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2",
"des", "aes", "rc2", "rc4", "rc5", "idea", "bf", "cast", "camellia", "seed", "chacha", "modes",
"bn", "ec", "rsa", "dsa", "dh", "dso", "engine",
"buffer", "bio", "stack", "lhash", "rand", "err",
@@ -243,6 +243,7 @@ my @disablables = (
"autoalginit",
"autoerrinit",
"bf",
+ "blake2",
"camellia",
"capieng",
"cast",
@@ -1787,6 +1788,7 @@ print "MODES_OBJ =$target{modes_obj}\n";
print "PADLOCK_OBJ =$target{padlock_obj}\n";
print "CHACHA_ENC =$target{chacha_obj}\n";
print "POLY1305_OBJ =$target{poly1305_obj}\n";
+print "BLAKE2_OBJ =$target{blake2_obj}\n";
print "PROCESSOR =$config{processor}\n";
print "RANLIB =$target{ranlib}\n";
print "ARFLAGS =$target{arflags}\n";
diff --git a/Makefile.in b/Makefile.in
index e7b3f99650..d101df1ca8 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -137,6 +137,7 @@ RC5_ENC= {- $target{rc5_obj} -}
MD5_ASM_OBJ= {- $target{md5_obj} -}
SHA1_ASM_OBJ= {- $target{sha1_obj} -}
RMD160_ASM_OBJ= {- $target{rmd160_obj} -}
+BLAKE2_OBJ= {- $target{blake2_obj} -}
WP_ASM_OBJ= {- $target{wp_obj} -}
CMLL_ENC= {- $target{cmll_obj} -}
MODES_ASM_OBJ= {- $target{modes_obj} -}
@@ -281,6 +282,7 @@ BUILDENV= LC_ALL=C PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)'\
SHA1_ASM_OBJ='$(SHA1_ASM_OBJ)' \
MD5_ASM_OBJ='$(MD5_ASM_OBJ)' \
RMD160_ASM_OBJ='$(RMD160_ASM_OBJ)' \
+ BLAKE2_OBJ='$(BLAKE2_OBJ)' \
WP_ASM_OBJ='$(WP_ASM_OBJ)' \
MODES_ASM_OBJ='$(MODES_ASM_OBJ)' \
PADLOCK_ASM_OBJ='$(PADLOCK_ASM_OBJ)' \
diff --git a/apps/openssl.c b/apps/openssl.c
index e0694fc3b4..d460a6b886 100644
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -650,6 +650,9 @@ static void list_disabled(void)
#ifdef OPENSSL_NO_BF
BIO_puts(bio_out, "BF\n");
#endif
+#ifndef OPENSSL_NO_BLAKE2
+ BIO_puts(bio_out, "BLAKE2\n");
+#endif
#ifdef OPENSSL_NO_CAMELLIA
BIO_puts(bio_out, "CAMELLIA\n");
#endif
diff --git a/apps/progs.h b/apps/progs.h
index 266e48dc78..77b4555cd5 100644
--- a/apps/progs.h
+++ b/apps/progs.h
@@ -225,6 +225,12 @@ static FUNCTION functions[] = {
#ifndef OPENSSL_NO_RMD160
{ FT_md, "rmd160", dgst_main},
#endif
+#ifndef OPENSSL_NO_BLAKE2B
+ { FT_md, "blake2b", dgst_main},
+#endif
+#ifndef OPENSSL_NO_BLAKE2S
+ { FT_md, "blake2s", dgst_main},
+#endif
#ifndef OPENSSL_NO_AES
{ FT_cipher, "aes-128-cbc", enc_main, enc_options },
#endif
diff --git a/apps/progs.pl b/apps/progs.pl
index b87aef610e..f24b91bde8 100644
--- a/apps/progs.pl
+++ b/apps/progs.pl
@@ -84,7 +84,7 @@ foreach (
"md2", "md4", "md5",
"md_ghost94",
"sha1", "sha224", "sha256", "sha384", "sha512",
- "mdc2", "rmd160"
+ "mdc2", "rmd160", "blake2b", "blake2s"
) {
printf "#ifndef OPENSSL_NO_".uc($_)."\n" if ! /sha/;
printf " { FT_md, \"".$_."\", dgst_main},\n";
diff --git a/crypto/blake2/Makefile.in b/crypto/blake2/Makefile.in
new file mode 100644
index 0000000000..b992c853ae
--- /dev/null
+++ b/crypto/blake2/Makefile.in
@@ -0,0 +1,48 @@
+#
+# OpenSSL/crypto/blake2/Makefile
+#
+
+DIR= blake2
+TOP= ../..
+CC= cc
+CPP= $(CC) -E
+INCLUDES=
+CFLAG=-g
+AR= ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG) $(SHARED_CFLAG)
+ASFLAGS= $(INCLUDES) $(ASFLAG)
+AFLAGS= $(ASFLAGS)
+
+GENERAL=Makefile
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=blake2b.c blake2s.c
+LIBOBJ=blake2b.o blake2s.o
+
+SRC= $(LIBSRC)
+
+ALL= $(GENERAL) $(SRC) $(HEADER)
+
+top:
+ (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all: lib
+
+lib: $(LIBOBJ)
+ $(AR) $(LIB) $(LIBOBJ)
+ $(RANLIB) $(LIB) || echo Never mind.
+ @touch lib
+
+files:
+ $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+
+update: depend
+
+depend:
+ $(TOP)/util/domd $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
+
+clean:
+ rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/crypto/blake2/blake2_impl.h b/crypto/blake2/blake2_impl.h
new file mode 100644
index 0000000000..6490e1e155
--- /dev/null
+++ b/crypto/blake2/blake2_impl.h
@@ -0,0 +1,144 @@
+/*
+ * BLAKE2 reference source code package - reference C implementations
+ *
+ * Copyright 2012, Samuel Neves <sneves@dei.uc.pt>.
+ * You may use this under the terms of the CC0, the OpenSSL Licence, or the
+ * Apache Public License 2.0, at your option. The terms of these licenses can
+ * be found at:
+ *
+ * - OpenSSL license : https://www.openssl.org/source/license.html
+ * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0
+ * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
+ *
+ * More information about the BLAKE2 hash function can be found at
+ * https://blake2.net.
+ */
+
+/* crypto/blake2/blake2_impl.h */
+
+#include <stdint.h>
+#include <string.h>
+
+static inline uint32_t load32(const void *src)
+{
+#if defined(L_ENDIAN)
+ uint32_t w;
+ memcpy(&w, src, sizeof(w));
+ return w;
+#else
+ const uint8_t *p = (const uint8_t *)src;
+ uint32_t w = *p++;
+ w |= (uint32_t)(*p++) << 8;
+ w |= (uint32_t)(*p++) << 16;
+ w |= (uint32_t)(*p++) << 24;
+ return w;
+#endif
+}
+
+static inline uint64_t load64(const void *src)
+{
+#if defined(L_ENDIAN)
+ uint64_t w;
+ memcpy(&w, src, sizeof(w));
+ return w;
+#else
+ const uint8_t *p = (const uint8_t *)src;
+ uint64_t w = *p++;
+ w |= (uint64_t)(*p++) << 8;
+ w |= (uint64_t)(*p++) << 16;
+ w |= (uint64_t)(*p++) << 24;
+ w |= (uint64_t)(*p++) << 32;
+ w |= (uint64_t)(*p++) << 40;
+ w |= (uint64_t)(*p++) << 48;
+ w |= (uint64_t)(*p++) << 56;
+ return w;
+#endif
+}
+
+static inline void store32(void *dst, uint32_t w)
+{
+#if defined(L_ENDIAN)
+ memcpy(dst, &w, sizeof(w));
+#else
+ uint8_t *p = (uint8_t *)dst;
+ *p++ = (uint8_t)w;
+ w >>= 8;
+ *p++ = (uint8_t)w;
+ w >>= 8;
+ *p++ = (uint8_t)w;
+ w >>= 8;
+ *p++ = (uint8_t)w;
+#endif
+}
+
+static inline void store64(void *dst, uint64_t w)
+{
+#if defined(L_ENDIAN)
+ memcpy(dst, &w, sizeof(w));
+#else
+ uint8_t *p = (uint8_t *)dst;
+ *p++ = (uint8_t)w;
+ w >>= 8;
+ *p++ = (uint8_t)w;
+ w >>= 8;
+ *p++ = (uint8_t)w;
+ w >>= 8;
+ *p++ = (uint8_t)w;
+ w >>= 8;
+ *p++ = (uint8_t)w;
+ w >>= 8;
+ *p++ = (uint8_t)w;
+ w >>= 8;
+ *p++ = (uint8_t)w;
+ w >>= 8;
+ *p++ = (uint8_t)w;
+#endif
+}
+
+static inline uint64_t load48(const void *src)
+{
+ const uint8_t *p = (const uint8_t *)src;
+ uint64_t w = *p++;
+ w |= (uint64_t)(*p++) << 8;
+ w |= (uint64_t)(*p++) << 16;
+ w |= (uint64_t)(*p++) << 24;
+ w |= (uint64_t)(*p++) << 32;
+ w |= (uint64_t)(*p++) << 40;
+ return w;
+}
+
+static inline void store48(void *dst, uint64_t w)
+{
+ uint8_t *p = (uint8_t *)dst;
+ *p++ = (uint8_t)w;
+ w >>= 8;
+ *p++ = (uint8_t)w;
+ w >>= 8;
+ *p++ = (uint8_t)w;
+ w >>= 8;
+ *p++ = (uint8_t)w;
+ w >>= 8;
+ *p++ = (uint8_t)w;
+ w >>= 8;
+ *p++ = (uint8_t)w;
+}
+
+static inline uint32_t rotl32(const uint32_t w, const unsigned c)
+{
+ return (w << c) | (w >> (32 - c));
+}
+
+static inline uint64_t rotl64(const uint64_t w, const unsigned c)
+{
+ return (w << c) | (w >> (64 - c));
+}
+
+static inline uint32_t rotr32(const uint32_t w, const unsigned c)
+{
+ return (w >> c) | (w << (32 - c));
+}
+
+static inline uint64_t rotr64(const uint64_t w, const unsigned c)
+{
+ return (w >> c) | (w << (64 - c));
+}
diff --git a/crypto/blake2/blake2b.c b/crypto/blake2/blake2b.c
new file mode 100644
index 0000000000..23ad58359c
--- /dev/null
+++ b/crypto/blake2/blake2b.c
@@ -0,0 +1,225 @@
+/*
+ * BLAKE2 reference source code package - reference C implementations
+ *
+ * Copyright 2012, Samuel Neves <sneves@dei.uc.pt>.
+ * You may use this under the terms of the CC0, the OpenSSL Licence, or the
+ * Apache Public License 2.0, at your option. The terms of these licenses can
+ * be found at:
+ *
+ * - OpenSSL license : https://www.openssl.org/source/license.html
+ * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0
+ * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
+ *
+ * More information about the BLAKE2 hash function can be found at
+ * https://blake2.net.
+ */
+
+/* crypto/blake2/blake2b.c */
+
+#include <stdint.h>
+#include <string.h>
+#include <stdio.h>
+#include <openssl/crypto.h>
+
+#include "internal/blake2_locl.h"
+#include "blake2_impl.h"
+
+static const uint64_t blake2b_IV[8] =
+{
+ 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL,
+ 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL,
+ 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL,
+ 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL
+};
+
+static const uint8_t blake2b_sigma[12][16] =
+{
+ { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } ,
+ { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } ,
+ { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 } ,
+ { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 } ,
+ { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 } ,
+ { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 } ,
+ { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 } ,
+ { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 } ,
+ { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 } ,
+ { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 } ,
+ { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } ,
+ { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }
+};
+
+/* Some helper functions, not necessarily useful */
+static inline void blake2b_set_lastblock(BLAKE2B_CTX *S)
+{
+ S->f[0] = -1;
+}
+
+/* Increment the data hashed couter. */
+static inline void blake2b_increment_counter(BLAKE2B_CTX *S,
+ const uint64_t inc)
+{
+ S->t[0] += inc;
+ S->t[1] += (S->t[0] < inc);
+}
+
+/* Initialize the hashing state. */
+static inline void blake2b_init0(BLAKE2B_CTX *S)
+{
+ int i;
+ memset(S, 0, sizeof(BLAKE2B_CTX));
+
+ for(i = 0; i < 8; ++i) {
+ S->h[i] = blake2b_IV[i];
+ }
+}
+
+/* init xors IV with input parameter block */
+static void blake2b_init_param(BLAKE2B_CTX *S, const BLAKE2B_PARAM *P)
+{
+ size_t i;
+ const uint8_t *p = (const uint8_t *)(P);
+ blake2b_init0(S);
+
+ /* The param struct is carefully hand packed, and should be 64 bytes on
+ * every platform. */
+ OPENSSL_assert(sizeof(BLAKE2B_PARAM) == 64);
+ /* IV XOR ParamBlock */
+ for(i = 0; i < 8; ++i) {
+ S->h[i] ^= load64(p + sizeof(S->h[i]) * i);
+ }
+}
+
+/* Initialize the hashing context. Always returns 1. */
+int BLAKE2b_Init(BLAKE2B_CTX *c)
+{
+ BLAKE2B_PARAM P[1];
+ P->digest_length = BLAKE2B_DIGEST_LENGTH;
+ P->key_length = 0;
+ P->fanout = 1;
+ P->depth = 1;
+ store32(&P->leaf_length, 0);
+ store64(&P->node_offset, 0);
+ P->node_depth = 0;
+ P->inner_length = 0;
+ memset(P->reserved, 0, sizeof(P->reserved));
+ memset(P->salt, 0, sizeof(P->salt));
+ memset(P->personal, 0, sizeof(P->personal));
+ blake2b_init_param(c, P);
+ return 1;
+}
+
+/* Permute the state while xoring in the block of data. */
+static void blake2b_compress(BLAKE2B_CTX *S,
+ const uint8_t block[BLAKE2B_BLOCKBYTES])
+{
+ uint64_t m[16];
+ uint64_t v[16];
+ int i;
+
+ for(i = 0; i < 16; ++i) {
+ m[i] = load64(block + i * sizeof(m[i]));
+ }
+
+ for(i = 0; i < 8; ++i) {
+ v[i] = S->h[i];
+ }
+
+ v[8] = blake2b_IV[0];
+ v[9] = blake2b_IV[1];
+ v[10] = blake2b_IV[2];
+ v[11] = blake2b_IV[3];
+ v[12] = S->t[0] ^ blake2b_IV[4];
+ v[13] = S->t[1] ^ blake2b_IV[5];
+ v[14] = S->f[0] ^ blake2b_IV[6];
+ v[15] = S->f[1] ^ blake2b_IV[7];
+#define G(r,i,a,b,c,d) \
+ do { \
+ a = a + b + m[blake2b_sigma[r][2*i+0]]; \
+ d = rotr64(d ^ a, 32); \
+ c = c + d; \
+ b = rotr64(b ^ c, 24); \
+ a = a + b + m[blake2b_sigma[r][2*i+1]]; \
+ d = rotr64(d ^ a, 16); \
+ c = c + d; \
+ b = rotr64(b ^ c, 63); \
+ } while(0)
+#define ROUND(r) \
+ do { \
+ G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \
+ G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \
+ G(r,2,v[ 2],v[ 6],v[10],v[14]); \
+ G(r,3,v[ 3],v[ 7],v[11],v[15]); \
+ G(r,4,v[ 0],v[ 5],v[10],v[15]); \
+ G(r,5,v[ 1],v[ 6],v[11],v[12]); \
+ G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \
+ G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \
+ } while(0)
+ ROUND(0);
+ ROUND(1);
+ ROUND(2);
+ ROUND(3);
+ ROUND(4);
+ ROUND(5);
+ ROUND(6);
+ ROUND(7);
+ ROUND(8);
+ ROUND(9);
+ ROUND(10);
+ ROUND(11);
+
+ for(i = 0; i < 8; ++i) {
+ S->h[i] = S->h[i] ^ v[i] ^ v[i + 8];
+ }
+
+#undef G
+#undef ROUND
+}
+
+/* Absorb the input data into the hash state. Always returns 1. */
+int BLAKE2b_Update(BLAKE2B_CTX *c, const void *data, size_t datalen)
+{
+ const uint8_t *in = data;
+ size_t fill;
+
+ while(datalen > 0) {
+ fill = sizeof(c->buf) - c->buflen;
+ /* Must be >, not >=, so that last block can be hashed differently */
+ if(datalen > fill) {
+ memcpy(c->buf + c->buflen, in, fill); /* Fill buffer */
+ blake2b_increment_counter(c, BLAKE2B_BLOCKBYTES);
+ blake2b_compress(c, c->buf); /* Compress */
+ c->buflen = 0;
+ in += fill;
+ datalen -= fill;
+ } else { /* datalen <= fill */
+ memcpy(c->buf + c->buflen, in, datalen);
+ c->buflen += datalen; /* Be lazy, do not compress */
+ return 1;
+ }
+ }
+
+ return 1;
+}
+
+/*
+ * Finalize the hash state in a way that avoids length extension attacks.
+ * Always returns 1.
+ */
+int BLAKE2b_Final(unsigned char *md, BLAKE2B_CTX *c)
+{
+ int i;
+
+ blake2b_increment_counter(c, c->buflen);
+ blake2b_set_lastblock(c);
+ /* Padding */
+ memset(c->buf + c->buflen, 0, sizeof(c->buf) - c->buflen);
+ blake2b_compress(c, c->buf);
+
+ /* Output full hash to message digest */
+ for(i = 0; i < 8; ++i) {
+ store64(md + sizeof(c->h[i]) * i, c->h[i]);
+ }
+
+ OPENSSL_cleanse(c, sizeof(BLAKE2B_CTX));
+ return 1;
+}
diff --git a/crypto/blake2/blake2s.c b/crypto/blake2/blake2s.c
new file mode 100644
index 0000000000..174d20cd21
--- /dev/null
+++ b/crypto/blake2/blake2s.c
@@ -0,0 +1,220 @@
+/*
+ * BLAKE2 reference source code package - reference C implementations
+ *
+ * Copyright 2012, Samuel Neves <sneves@dei.uc.pt>.
+ * You may use this under the terms of the CC0, the OpenSSL Licence, or the
+ * Apache Public License 2.0, at your option. The terms of these licenses can
+ * be found at:
+ *
+ * - OpenSSL license : https://www.openssl.org/source/license.html
+ * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0
+ * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
+ *
+ * More information about the BLAKE2 hash function can be found at
+ * https://blake2.net.
+ */
+
+/* crypto/blake2/blake2s.c */
+
+#include <stdint.h>
+#include <string.h>
+#include <stdio.h>
+#include <openssl/crypto.h>
+
+#include "internal/blake2_locl.h"
+#include "blake2_impl.h"
+
+static const uint32_t blake2s_IV[8] =
+{
+ 0x6A09E667UL, 0xBB67AE85UL, 0x3C6EF372UL, 0xA54FF53AUL,
+ 0x510E527FUL, 0x9B05688CUL, 0x1F83D9ABUL, 0x5BE0CD19UL
+};
+
+static const uint8_t blake2s_sigma[10][16] =
+{
+ { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } ,
+ { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } ,
+ { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 } ,
+ { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 } ,
+ { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 } ,
+ { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 } ,
+ { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 } ,
+ { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 } ,
+ { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 } ,
+ { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 } ,
+};
+
+/* Some helper functions, not necessarily useful */
+static inline void blake2s_set_lastblock(BLAKE2S_CTX *S)
+{
+ S->f[0] = -1;
+}
+
+/* Increment the data hashed couter. */
+static inline void blake2s_increment_counter(BLAKE2S_CTX *S,
+ const uint32_t inc)
+{
+ S->t[0] += inc;
+ S->t[1] += (S->t[0] < inc);
+}
+
+/* Initialize the hashing state. */
+static inline void blake2s_init0(BLAKE2S_CTX *S)
+{
+ int i;
+
+ memset(S, 0, sizeof(BLAKE2S_CTX));
+ for(i = 0; i < 8; ++i) {
+ S->h[i] = blake2s_IV[i];
+ }
+}
+
+/* init2 xors IV with input parameter block */
+static void blake2s_init_param(BLAKE2S_CTX *S, const BLAKE2S_PARAM *P)
+{
+ const uint32_t *p = (const uint32_t *)(P);
+ size_t i;
+
+ /* The param struct is carefully hand packed, and should be 32 bytes on
+ * every platform. */
+ OPENSSL_assert(sizeof(BLAKE2S_PARAM) == 32);
+ blake2s_init0(S);
+ /* IV XOR ParamBlock */
+ for(i = 0; i < 8; ++i) {
+ S->h[i] ^= load32(&p[i]);
+ }
+}
+
+/* Initialize the hashing context. Always returns 1. */
+int BLAKE2s_Init(BLAKE2S_CTX *c)
+{
+ BLAKE2S_PARAM P[1];
+
+ P->digest_length = BLAKE2S_DIGEST_LENGTH;
+ P->key_length = 0;
+ P->fanout = 1;
+ P->depth = 1;
+ store32(&P->leaf_length, 0);
+ store48(&P->node_offset, 0);
+ P->node_depth = 0;
+ P->inner_length = 0;
+ /* memset(P->reserved, 0, sizeof(P->reserved)); */
+ memset(P->salt, 0, sizeof(P->salt));
+ memset(P->personal, 0, sizeof(P->personal));
+ blake2s_init_param(c, P);
+ return 1;
+}
+
+/* Permute the state while xoring in the block of data. */
+static void blake2s_compress(BLAKE2S_CTX *S,
+ const uint8_t block[BLAKE2S_BLOCKBYTES])
+{
+ uint32_t m[16];
+ uint32_t v[16];
+ size_t i;
+
+ for(i = 0; i < 16; ++i) {
+ m[i] = load32(block + i * sizeof(m[i]));
+ }
+
+ for(i = 0; i < 8; ++i) {
+ v[i] = S->h[i];
+ }
+
+ v[ 8] = blake2s_IV[0];
+ v[ 9] = blake2s_IV[1];
+ v[10] = blake2s_IV[2];
+ v[11] = blake2s_IV[3];
+ v[12] = S->t[0] ^ blake2s_IV[4];
+ v[13] = S->t[1] ^ blake2s_IV[5];
+ v[14] = S->f[0] ^ blake2s_IV[6];
+ v[15] = S->f[1] ^ blake2s_IV[7];
+#define G(r,i,a,b,c,d) \
+ do { \
+ a = a + b + m[blake2s_sigma[r][2*i+0]]; \
+ d = rotr32(d ^ a, 16); \
+ c = c + d; \
+ b = rotr32(b ^ c, 12); \
+ a = a + b + m[blake2s_sigma[r][2*i+1]]; \
+ d = rotr32(d ^ a, 8); \
+ c = c + d; \
+ b = rotr32(b ^ c, 7); \
+ } while(0)
+#define ROUND(r) \
+ do { \
+ G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \
+ G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \
+ G(r,2,v[ 2],v[ 6],v[10],v[14]); \
+ G(r,3,v[ 3],v[ 7],v[11],v[15]); \
+ G(r,4,v[ 0],v[ 5],v[10],v[15]); \
+ G(r,5,v[ 1],v[ 6],v[11],v[12]); \
+ G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \
+ G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \
+ } while(0)
+ ROUND(0);
+ ROUND(1);
+ ROUND(2);
+ ROUND(3);
+ ROUND(4);
+ ROUND(5);
+ ROUND(6);
+ ROUND(7);
+ ROUND(8);
+ ROUND(9);
+
+ for(i = 0; i < 8; ++i) {
+ S->h[i] = S->h[i] ^ v[i] ^ v[i + 8];
+ }
+
+#undef G
+#undef ROUND
+}
+
+/* Absorb the input data into the hash state. Always returns 1. */
+int BLAKE2s_Update(BLAKE2S_CTX *c, const void *data, size_t datalen)
+{
+ const uint8_t *in = data;
+ size_t fill;
+
+ while(datalen > 0) {
+ fill = sizeof(c->buf) - c->buflen;
+ /* Must be >, not >=, so that last block can be hashed differently */
+ if(datalen > fill) {
+ memcpy(c->buf + c->buflen, in, fill); /* Fill buffer */
+ blake2s_increment_counter(c, BLAKE2S_BLOCKBYTES);
+ blake2s_compress(c, c->buf); /* Compress */
+ c->buflen = 0;
+ in += fill;
+ datalen -= fill;
+ } else { /* datalen <= fill */
+ memcpy(c->buf + c->buflen, in, datalen);
+ c->buflen += datalen; /* Be lazy, do not compress */
+ return 1;
+ }
+ }
+
+ return 1;
+}
+
+/*
+ * Finalize the hash state in a way that avoids length extension attacks.
+ * Always returns 1.
+ */
+int BLAKE2s_Final(unsigned char *md, BLAKE2S_CTX *c)
+{
+ int i;
+
+ blake2s_increment_counter(c, (uint32_t)c->buflen);
+ blake2s_set_lastblock(c);
+ /* Padding */
+ memset(c->buf + c->buflen, 0, sizeof(c->buf) - c->buflen);
+ blake2s_compress(c, c->buf);
+
+ /* Output full hash to temp buffer */
+ for(i = 0; i < 8; ++i) {
+ store32(md + sizeof(c->h[i]) * i, c->h[i]);
+ }
+
+ OPENSSL_cleanse(c, sizeof(BLAKE2S_CTX));
+ return 1;
+}
diff --git a/crypto/blake2/build.info b/crypto/blake2/build.info
new file mode 100644
index 0000000000..f2b8f41990
--- /dev/null
+++ b/crypto/blake2/build.info
@@ -0,0 +1,3 @@
+LIBS=../../libcrypto
+SOURCE[../../libcrypto]=\
+ blake2b.c blake2s.c
diff --git a/crypto/evp/Makefile.in b/crypto/evp/Makefile.in
index 5b24ae5909..d7b12035a4 100644
--- a/crypto/evp/Makefile.in
+++ b/crypto/evp/Makefile.in
@@ -20,7 +20,7 @@ LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_cnf.c \
e_rc4.c e_aes.c names.c e_seed.c \
e_xcbc_d.c e_rc2.c e_cast.c e_rc5.c \
m_null.c m_md2.c m_md4.c m_md5.c m_sha1.c m_wp.c \
- m_md5_sha1.c m_mdc2.c m_ripemd.c \
+ m_md5_sha1.c m_mdc2.c m_ripemd.c m_blake2b.c m_blake2s.c \
p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \
bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
c_allc.c c_alld.c evp_lib.c bio_ok.c \
@@ -34,7 +34,7 @@ LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_cnf.o \
e_rc4.o e_aes.o names.o e_seed.o \
e_xcbc_d.o e_rc2.o e_cast.o e_rc5.o \
m_null.o m_md2.o m_md4.o m_md5.o m_sha1.o m_wp.o \
- m_md5_sha1.o m_mdc2.o m_ripemd.o \
+ m_md5_sha1.o m_mdc2.o m_ripemd.o m_blake2b.o m_blake2s.o \
p_open.o p_seal.o p_sign.o p_verify.o p_lib.o p_enc.o p_dec.o \
bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \
c_allc.o c_alld.o evp_lib.o bio_ok.o \
diff --git a/crypto/evp/build.info b/crypto/evp/build.info
index bf633dc713..8dc60f6414 100644
--- a/crypto/evp/build.info
+++ b/crypto/evp/build.info
@@ -5,7 +5,7 @@ SOURCE[../../libcrypto]=\
e_rc4.c e_aes.c names.c e_seed.c \
e_xcbc_d.c e_rc2.c e_cast.c e_rc5.c \
m_null.c m_md2.c m_md4.c m_md5.c m_sha1.c m_wp.c \
- m_md5_sha1.c m_mdc2.c m_ripemd.c \
+ m_md5_sha1.c m_mdc2.c m_ripemd.c m_blake2b.c m_blake2s.c \
p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \
bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
c_allc.c c_alld.c evp_lib.c bio_ok.c \
diff --git a/crypto/evp/c_alld.c b/crypto/evp/c_alld.c
index e28ba3df12..78be9fbc6a 100644
--- a/crypto/evp/c_alld.c
+++ b/crypto/evp/c_alld.c
@@ -90,4 +90,8 @@ void openssl_add_all_digests_internal(void)
#ifndef OPENSSL_NO_WHIRLPOOL
EVP_add_digest(EVP_whirlpool());
#endif
+#ifndef OPENSSL_NO_BLAKE2
+ EVP_add_digest(EVP_blake2b());
+ EVP_add_digest(EVP_blake2s());
+#endif
}
diff --git a/crypto/evp/m_blake2b.c b/crypto/evp/m_blake2b.c
new file mode 100644
index 0000000000..e3cf6f30a5
--- /dev/null
+++ b/crypto/evp/m_blake2b.c
@@ -0,0 +1,62 @@
+/*
+ * BLAKE2 reference source code package - reference C implementations
+ *
+ * Copyright 2012, Samuel Neves <sneves@dei.uc.pt>.
+ * You may use this under the terms of the CC0, the OpenSSL Licence, or the
+ * Apache Public License 2.0, at your option. The terms of these licenses can
+ * be found at:
+ *
+ * - OpenSSL license : https://www.openssl.org/source/license.html
+ * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0
+ * - CC0 1.0 Universal : http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * More information about the BLAKE2 hash function can be found at
+ * https://blake2.net.
+ */
+
+/* crypto/evp/m_blake2b.c */
+
+#include <stdio.h>
+#include "internal/cryptlib.h"
+
+#ifndef OPENSSL_NO_BLAKE2
+
+# include <openssl/evp.h>
+# include <openssl/objects.h>
+# include "internal/blake2_locl.h"
+# include "internal/evp_int.h"
+
+static int init(EVP_MD_CTX *ctx)
+{
+ return BLAKE2b_Init(EVP_MD_CTX_md_data(ctx));
+}
+
+static int update(EVP_MD_CTX *ctx, const void *data, size_t count)
+{
+ return BLAKE2b_Update(EVP_MD_CTX_md_data(ctx), data, count);
+}
+
+static int final(EVP_MD_CTX *ctx, unsigned char *md)
+{
+ return BLAKE2b_Final(md, EVP_MD_CTX_md_data(ctx));
+}
+
+static const EVP_MD blake2b_md = {
+ NID_blake2b,
+ 0,
+ BLAKE2B_DIGEST_LENGTH,
+ 0,
+ init,
+ update,
+ final,
+ NULL,
+ NULL,
+ 0,
+ sizeof(EVP_MD *) + sizeof(BLAKE2B_CTX),
+};
+
+const EVP_MD *EVP_blake2b(void)
+{
+ return (&blake2b_md);
+}
+#endif
diff --git a/crypto/evp/m_blake2s.c b/crypto/evp/m_blake2s.c
new file mode 100644
index 0000000000..511b192c1d
--- /dev/null
+++ b/crypto/evp/m_blake2s.c
@@ -0,0 +1,62 @@
+/*
+ * BLAKE2 reference source code package - reference C implementations
+ *
+ * Copyright 2012, Samuel Neves <sneves@dei.uc.pt>.
+ * You may use this under the terms of the CC0, the OpenSSL Licence, or the
+ * Apache Public License 2.0, at your option. The terms of these licenses can
+ * be found at:
+ *
+ * - OpenSSL license : https://www.openssl.org/source/license.html
+ * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0
+ * - CC0 1.0 Universal : http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * More information about the BLAKE2 hash function can be found at
+ * https://blake2.net.
+ */
+
+/* crypto/evp/m_blake2s.c */
+
+#include <stdio.h>
+#include "internal/cryptlib.h"
+
+#ifndef OPENSSL_NO_BLAKE2
+
+# include <openssl/evp.h>
+# include <openssl/objects.h>
+# include "internal/blake2_locl.h"
+# include "internal/evp_int.h"
+
+static int init(EVP_MD_CTX *ctx)
+{
+ return BLAKE2s_Init(EVP_MD_CTX_md_data(ctx));
+}
+
+static int update(EVP_MD_CTX *ctx, const void *data, size_t count)
+{
+ return BLAKE2s_Update(EVP_MD_CTX_md_data(ctx), data, count);
+}
+
+static int final(EVP_MD_CTX *ctx, unsigned char *md)
+{
+ return BLAKE2s_Final(md, EVP_MD_CTX_md_data(ctx));
+}
+
+static const EVP_MD blake2s_md = {
+ NID_blake2s,
+ 0,
+ BLAKE2S_DIGEST_LENGTH,
+ 0,
+ init,
+ update,
+ final,
+ NULL,
+ NULL,
+ 0,
+ sizeof(EVP_MD *) + sizeof(BLAKE2S_CTX),
+};
+
+const EVP_MD *EVP_blake2s(void)
+{
+ return (&blake2s_md);
+}
+#endif
diff --git a/crypto/include/internal/blake2_locl.h b/crypto/include/internal/blake2_locl.h
new file mode 100644
index 0000000000..1f19def632
--- /dev/null
+++ b/crypto/include/internal/blake2_locl.h
@@ -0,0 +1,98 @@
+/*
+ * BLAKE2 reference source code package - reference C implementations
+ *
+ * Copyright 2012, Samuel Neves <sneves@dei.uc.pt>.
+ * You may use this under the terms of the CC0, the OpenSSL Licence, or the
+ * Apache Public License 2.0, at your option. The terms of these licenses can
+ * be found at:
+ *
+ * - OpenSSL license : https://www.openssl.org/source/license.html
+ * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0
+ * - CC0 1.0 Universal : http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * More information about the BLAKE2 hash function can be found at
+ * https://blake2.net.
+ */
+
+/* crypto/blake2/blake2_locl.h */
+
+#include <stddef.h>
+#include <stdint.h>
+
+# ifdef OPENSSL_NO_BLAKE2
+# error BLAKE2 is disabled.
+# endif
+
+#define BLAKE2S_BLOCKBYTES 64
+#define BLAKE2S_OUTBYTES 32
+#define BLAKE2S_KEYBYTES 32
+#define BLAKE2S_SALTBYTES 8
+#define BLAKE2S_PERSONALBYTES 8
+
+#define BLAKE2B_BLOCKBYTES 128
+#define BLAKE2B_OUTBYTES 64
+#define BLAKE2B_KEYBYTES 64
+#define BLAKE2B_SALTBYTES 16
+#define BLAKE2B_PERSONALBYTES 16
+
+struct blake2s_param_st {
+ uint8_t digest_length; /* 1 */
+ uint8_t key_length; /* 2 */
+ uint8_t fanout; /* 3 */
+ uint8_t depth; /* 4 */
+ uint32_t leaf_length; /* 8 */
+ uint8_t node_offset[6];/* 14 */
+ uint8_t node_depth; /* 15 */
+ uint8_t inner_length; /* 16 */
+ /* uint8_t reserved[0]; */
+ uint8_t salt[BLAKE2S_SALTBYTES]; /* 24 */
+ uint8_t personal[BLAKE2S_PERSONALBYTES]; /* 32 */
+};
+
+typedef struct blake2s_param_st BLAKE2S_PARAM;
+
+struct blake2s_ctx_st {
+ uint32_t h[8];
+ uint32_t t[2];
+ uint32_t f[2];
+ uint8_t buf[BLAKE2S_BLOCKBYTES];
+ size_t buflen;
+};
+
+struct blake2b_param_st {
+ uint8_t digest_length; /* 1 */
+ uint8_t key_length; /* 2 */
+ uint8_t fanout; /* 3 */
+ uint8_t depth; /* 4 */
+ uint32_t leaf_length; /* 8 */
+ uint64_t node_offset; /* 16 */
+ uint8_t node_depth; /* 17 */
+ uint8_t inner_length; /* 18 */
+ uint8_t reserved[14]; /* 32 */
+ uint8_t salt[BLAKE2B_SALTBYTES]; /* 48 */
+ uint8_t personal[BLAKE2B_PERSONALBYTES]; /* 64 */
+};
+
+typedef struct blake2b_param_st BLAKE2B_PARAM;
+
+struct blake2b_ctx_st {
+ uint64_t h[8];
+ uint64_t t[2];
+ uint64_t f[2];
+ uint8_t buf[BLAKE2B_BLOCKBYTES];
+ size_t buflen;
+};
+
+#define BLAKE2B_DIGEST_LENGTH 64
+#define BLAKE2S_DIGEST_LENGTH 32
+
+typedef struct blake2s_ctx_st BLAKE2S_CTX;
+typedef struct blake2b_ctx_st BLAKE2B_CTX;
+
+int BLAKE2b_Init(BLAKE2B_CTX *c);
+int BLAKE2b_Update(BLAKE2B_CTX *c, const void *data, size_t datalen);
+int BLAKE2b_Final(unsigned char *md, BLAKE2B_CTX *c);
+
+int BLAKE2s_Init(BLAKE2S_CTX *c);
+int BLAKE2s_Update(BLAKE2S_CTX *c, const void *data, size_t datalen);
+int BLAKE2s_Final(unsigned char *md, BLAKE2S_CTX *c);
diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
index 8cd3b2071e..c9314208a7 100644
--- a/crypto/objects/obj_dat.h
+++ b/crypto/objects/obj_dat.h
@@ -60,12 +60,12 @@
* [including the GNU Public Licence.]
*/
-#define NUM_NID 1054
-#define NUM_SN 1047
-#define NUM_LN 1047
-#define NUM_OBJ 951
+#define NUM_NID 1058
+#define NUM_SN 1049
+#define NUM_LN 1049
+#define NUM_OBJ 953
-static const unsigned char lvalues[6722]={
+static const unsigned char lvalues[6744]={
0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 0] OBJ_rsadsi */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 6] OBJ_pkcs */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02, /* [ 13] OBJ_md2 */
@@ -1011,6 +1011,8 @@ static const unsigned char lvalues[6722]={
0x2B,0x06,0x01,0x05,0x02,0x03,0x05, /* [6696] OBJ_pkInitKDC */
0x2B,0x06,0x01,0x04,0x01,0xDA,0x47,0x0F,0x01,/* [6703] OBJ_X25519 */
0x2B,0x06,0x01,0x04,0x01,0xDA,0x47,0x0F,0x02,/* [6712] OBJ_X448 */
+0x2B,0x06,0x01,0x04,0x01,0x8D,0x3A,0x0C,0x02,0x01,0x10,/* [6721] OBJ_blake2b */
+0x2B,0x06,0x01,0x04,0x01,0x8D,0x3A,0x0C,0x02,0x02,0x08,/* [6732] OBJ_blake2s */
};
static const ASN1_OBJECT nid_objs[NUM_NID]={
@@ -2722,6 +2724,10 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
{"AuthGOST12","auth-gost12",NID_auth_gost12,0,NULL,0},
{"AuthSRP","auth-srp",NID_auth_srp,0,NULL,0},
{"AuthNULL","auth-null",NID_auth_null,0,NULL,0},
+{NULL,NULL,NID_undef,0,NULL,0},
+{NULL,NULL,NID_undef,0,NULL,0},
+{"BLAKE2b","blake2b",NID_blake2b,11,&(lvalues[6721]),0},
+{"BLAKE2s","blake2s",NID_blake2s,11,&(lvalues[6732]),0},
};
static const unsigned int sn_objs[NUM_SN]={
@@ -2770,6 +2776,8 @@ static const unsigned int sn_objs[NUM_SN]={
93, /* "BF-CFB" */
92, /* "BF-ECB" */
94, /* "BF-OFB" */
+1056, /* "BLAKE2b" */
+1057, /* "BLAKE2s" */
14, /* "C" */
751, /* "CAMELLIA-128-CBC" */
962, /* "CAMELLIA-128-CCM" */
@@ -4008,6 +4016,8 @@ static const unsigned int ln_objs[NUM_LN]={
93, /* "bf-cfb" */
92, /* "bf-ecb" */
94, /* "bf-ofb" */
+1056, /* "blake2b" */
+1057, /* "blake2s" */
921, /* "brainpoolP160r1" */
922, /* "brainpoolP160t1" */
923, /* "brainpoolP192r1" */
@@ -5776,5 +5786,7 @@ static const unsigned int obj_objs[NUM_OBJ]={
955, /* OBJ_jurisdictionLocalityName 1 3 6 1 4 1 311 60 2 1 1 */
956, /* OBJ_jurisdictionStateOrProvinceName 1 3 6 1 4 1 311 60 2 1 2 */
957, /* OBJ_jurisdictionCountryName 1 3 6 1 4 1 311 60 2 1 3 */
+1056, /* OBJ_blake2b 1 3 6 1 4 1 1722 12 2 1 16 */
+1057, /* OBJ_blake2s 1 3 6 1 4 1 1722 12 2 2 8 */
};
diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
index 2a80d9d0c9..dfdb61aa5d 100644
--- a/crypto/objects/obj_mac.num
+++ b/crypto/objects/obj_mac.num
@@ -1053,3 +1053,5 @@ auth_srp 1052
auth_null 1053
fips_none 1054
fips_140_2 1055
+blake2b 1056
+blake2s 1057
diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
index a79968b85a..24b0f42e52 100644
--- a/crypto/objects/objects.txt
+++ b/crypto/objects/objects.txt
@@ -671,6 +671,9 @@ algorithm 29 : RSA-SHA1-2 : sha1WithRSA
1 3 36 3 2 1 : RIPEMD160 : ripemd160
1 3 36 3 3 1 2 : RSA-RIPEMD160 : ripemd160WithRSA
+1 3 6 1 4 1 1722 12 2 1 16 : BLAKE2b : blake2b
+1 3 6 1 4 1 1722 12 2 2 8 : BLAKE2s : blake2s
+
!Cname sxnet
1 3 101 1 4 1 : SXNetID : Strong Extranet ID
diff --git a/doc/apps/dgst.pod b/doc/apps/dgst.pod
index 1c595dcf74..7b3001e932 100644
--- a/doc/apps/dgst.pod
+++ b/doc/apps/dgst.pod
@@ -2,7 +2,7 @@
=head1 NAME
-dgst, sha, sha1, mdc2, ripemd160, sha224, sha256, sha384, sha512, md4, md5 - message digests
+dgst, sha, sha1, mdc2, ripemd160, sha224, sha256, sha384, sha512, md4, md5, blake2b, blake2s - message digests
=head1 SYNOPSIS
diff --git a/doc/crypto/EVP_DigestInit.pod b/doc/crypto/EVP_DigestInit.pod
index db9c04004e..fdc407fa32 100644
--- a/doc/crypto/EVP_DigestInit.pod
+++ b/doc/crypto/EVP_DigestInit.pod
@@ -8,8 +8,8 @@ EVP_DigestInit, EVP_DigestFinal, EVP_MD_CTX_copy, EVP_MD_type,
EVP_MD_pkey_type, EVP_MD_size, EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size,
EVP_MD_CTX_block_size, EVP_MD_CTX_type, EVP_md_null, EVP_md2, EVP_md5, EVP_sha1,
EVP_sha224, EVP_sha256, EVP_sha384, EVP_sha512, EVP_mdc2,
-EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj -
-EVP digest routines
+EVP_ripemd160, EVP_blake2b, EVP_blake2s, EVP_get_digestbyname,
+EVP_get_digestbynid, EVP_get_digestbyobj - EVP digest routines
=head1 SYNOPSIS
@@ -57,6 +57,8 @@ EVP digest routines
const EVP_MD *EVP_sha1(void);
const EVP_MD *EVP_mdc2(void);
const EVP_MD *EVP_ripemd160(void);
+ const EVP_MD *EVP_blake2b(void);
+ const EVP_MD *EVP_blake2s(void);
const EVP_MD *EVP_sha224(void);
const EVP_MD *EVP_sha256(void);
@@ -134,9 +136,10 @@ are no longer linked this function is only retained for compatibility
reasons.
EVP_md2(), EVP_md5(), EVP_sha1(), EVP_sha224(), EVP_sha256(),
-EVP_sha384(), EVP_sha512(), EVP_mdc2() and EVP_ripemd160() return B<EVP_MD>
-structures for the MD2, MD5, SHA1, SHA224, SHA256, SHA384, SHA512, MDC2
-and RIPEMD160 digest algorithms respectively.
+EVP_sha384(), EVP_sha512(), EVP_mdc2(), EVP_ripemd160(), EVP_blake2b, and
+EVP_blake2s return B<EVP_MD> structures for the MD2, MD5, SHA1, SHA224, SHA256,
+SHA384, SHA512, MDC2, RIPEMD160, BLAKE2b, and BLAKE2s digest algorithms
+respectively.
EVP_md_null() is a "null" message digest that does nothing: i.e. the hash it
returns is of zero length.
@@ -159,8 +162,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size() and
EVP_MD_CTX_block_size() return the digest or block size in bytes.
EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha1(),
-EVP_mdc2() and EVP_ripemd160() return pointers to the
-corresponding EVP_MD structures.
+EVP_mdc2(), EVP_ripemd160(), EVP_blake2b(), and EVP_blake2s() return pointers
+to the corresponding EVP_MD structures.
EVP_get_digestbyname(), EVP_get_digestbynid() and EVP_get_digestbyobj()
return either an B<EVP_MD> structure or NULL if an error occurs.
diff --git a/doc/standards.txt b/doc/standards.txt
index d28b167d4a..747286433f 100644
--- a/doc/standards.txt
+++ b/doc/standards.txt
@@ -163,3 +163,5 @@ STARTTLS documents.
3657 Use of the Camellia Encryption Algorithm in Cryptographic
Message Syntax (CMS)
+
+7693 The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC)
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 4516db130e..c5598133e3 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -700,6 +700,10 @@ const EVP_MD *EVP_md4(void);
const EVP_MD *EVP_md5(void);
const EVP_MD *EVP_md5_sha1(void);
# endif
+# ifndef OPENSSL_NO_BLAKE2
+const EVP_MD *EVP_blake2b(void);
+const EVP_MD *EVP_blake2s(void);
+# endif
const EVP_MD *EVP_sha1(void);
const EVP_MD *EVP_sha224(void);
const EVP_MD *EVP_sha256(void);
diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h
index 4725a6c574..28d9637735 100644
--- a/include/openssl/obj_mac.h
+++ b/include/openssl/obj_mac.h
@@ -2078,6 +2078,16 @@
#define NID_ripemd160WithRSA 119
#define OBJ_ripemd160WithRSA 1L,3L,36L,3L,3L,1L,2L
+#define SN_blake2b "BLAKE2b"
+#define LN_blake2b "blake2b"
+#define NID_blake2b 1056
+#define OBJ_blake2b 1L,3L,6L,1L,4L,1L,1722L,12L,2L,1L,16L
+
+#define SN_blake2s "BLAKE2s"
+#define LN_blake2s "blake2s"
+#define NID_blake2s 1057
+#define OBJ_blake2s 1L,3L,6L,1L,4L,1L,1722L,12L,2L,2L,8L
+
#define SN_sxnet "SXNetID"
#define LN_sxnet "Strong Extranet ID"
#define NID_sxnet 143
diff --git a/include/openssl/objects.h b/include/openssl/objects.h
index 05bc9b0248..7766f3a32f 100644
--- a/include/openssl/objects.h
+++ b/include/openssl/objects.h
@@ -642,6 +642,16 @@
# define NID_ripemd160WithRSA 119
# define OBJ_ripemd160WithRSA 1L,3L,36L,3L,3L,1L,2L
+# define SN_blake2b "BLAKE2b"
+# define LN_blake2b "blake2b"
+# define NID_blake2b 1022
+# define OBJ_blake2b 1,3,6,1,4,1,1722,12,2,1,16
+
+# define SN_blake2s "BLAKE2s"
+# define LN_blake2s "blake2"
+# define NID_blake2s 1023
+# define OBJ_blake2s 1,3,6,1,4,1,1722,12,2,2,8
+
/*-
* Taken from rfc2040
* RC5_CBC_Parameters ::= SEQUENCE {
diff --git a/test/evptests.txt b/test/evptests.txt
index 0a45e2f71a..a9a711b6c4 100644
--- a/test/evptests.txt
+++ b/test/evptests.txt
@@ -2,6 +2,63 @@
#aadcipher:key:iv:plaintext:ciphertext:aad:tag:0/1(decrypt/encrypt)
#digest:::input:output
+# BLAKE2 tests, using same inputs as MD5
+Digest = BLAKE2s
+Input =
+Output = 69217a3079908094e11121d042354a7c1f55b6482ca1a51e1b250dfd1ed0eef9
+
+Digest = BLAKE2s
+Input = 61
+Output = 4a0d129873403037c2cd9b9048203687f6233fb6738956e0349bd4320fec3e90
+
+Digest = BLAKE2s
+Input = 616263
+Output = 508c5e8c327c14e2e1a72ba34eeb452f37458b209ed63a294d999b4c86675982
+
+Digest = BLAKE2s
+Input = 6d65737361676520646967657374
+Output = fa10ab775acf89b7d3c8a6e823d586f6b67bdbac4ce207fe145b7d3ac25cd28c
+
+Digest = BLAKE2s
+Input = 6162636465666768696a6b6c6d6e6f707172737475767778797a
+Output = bdf88eb1f86a0cdf0e840ba88fa118508369df186c7355b4b16cf79fa2710a12
+
+Digest = BLAKE2s
+Input = 4142434445464748494a4b4c4d4e4f505152535455565758595a6162636465666768696a6b6c6d6e6f707172737475767778797a30313233343536373839
+Output = c75439ea17e1de6fa4510c335dc3d3f343e6f9e1ce2773e25b4174f1df8b119b
+
+Digest = BLAKE2s
+Input = 3132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930
+Output = fdaedb290a0d5af9870864fec2e090200989dc9cd53a3c092129e8535e8b4f66
+
+Digest = BLAKE2b
+Input =
+Output = 786a02f742015903c6c6fd852552d272912f4740e15847618a86e217f71f5419d25e1031afee585313896444934eb04b903a685b1448b755d56f701afe9be2ce
+
+Digest = BLAKE2b
+Input = 61
+Output = 333fcb4ee1aa7c115355ec66ceac917c8bfd815bf7587d325aec1864edd24e34d5abe2c6b1b5ee3face62fed78dbef802f2a85cb91d455a8f5249d330853cb3c
+
+Digest = BLAKE2b
+Input = 616263
+Output = ba80a53f981c4d0d6a2797b69f12f6e94c212f14685ac4b74b12bb6fdbffa2d17d87c5392aab792dc252d5de4533cc9518d38aa8dbf1925ab92386edd4009923
+
+Digest = BLAKE2b
+Input = 6d65737361676520646967657374
+Output = 3c26ce487b1c0f062363afa3c675ebdbf5f4ef9bdc022cfbef91e3111cdc283840d8331fc30a8a0906cff4bcdbcd230c61aaec60fdfad457ed96b709a382359a
+
+Digest = BLAKE2b
+Input = 6162636465666768696a6b6c6d6e6f707172737475767778797a
+Output = c68ede143e416eb7b4aaae0d8e48e55dd529eafed10b1df1a61416953a2b0a5666c761e7d412e6709e31ffe221b7a7a73908cb95a4d120b8b090a87d1fbedb4c
+
+Digest = BLAKE2b
+Input = 4142434445464748494a4b4c4d4e4f505152535455565758595a6162636465666768696a6b6c6d6e6f707172737475767778797a30313233343536373839
+Output = 99964802e5c25e703722905d3fb80046b6bca698ca9e2cc7e49b4fe1fa087c2edf0312dfbb275cf250a1e542fd5dc2edd313f9c491127c2e8c0c9b24168e2d50
+
+Digest = BLAKE2b
+Input = 3132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930
+Output = 686f41ec5afff6e87e1f076f542aa466466ff5fbde162c48481ba48a748d842799f5b30f5b67fc684771b33b994206d05cc310f31914edd7b97e41860d77d282
+
# SHA(1) tests (from shatest.c)
Digest = SHA1
Input = 616263
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 7d893a1134..d23dbc44e9 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4057,3 +4057,5 @@ ECPKPARAMETERS_it 3923 1_1_0 EXIST:EXPORT_VAR_AS_FUNCTION:
EC_GROUP_get_ecparameters 3924 1_1_0 EXIST::FUNCTION:EC
DHparams_it 3925 1_1_0 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:DH
DHparams_it 3925 1_1_0 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:DH
+EVP_blake2b 3926 1_1_0 EXIST::FUNCTION:BLAKE2
+EVP_blake2s 3927 1_1_0 EXIST::FUNCTION:BLAKE2
diff --git a/util/mkdef.pl b/util/mkdef.pl
index a847b0b077..4578c9afc2 100755
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -75,7 +75,7 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
"SHA256", "SHA512", "RMD160",
"MDC2", "WHIRLPOOL", "RSA", "DSA", "DH", "EC", "EC2M",
"HMAC", "AES", "CAMELLIA", "SEED", "GOST",
- "SCRYPT", "CHACHA", "POLY1305",
+ "SCRYPT", "CHACHA", "POLY1305", "BLAKE2",
# EC_NISTP_64_GCC_128
"EC_NISTP_64_GCC_128",
# Envelope "algorithms"
diff --git a/util/mkfiles.pl b/util/mkfiles.pl
index 1e5f84e049..0e4f71e04d 100755
--- a/util/mkfiles.pl
+++ b/util/mkfiles.pl
@@ -63,6 +63,7 @@ my @dirs = (
"crypto/async",
"crypto/chacha",
"crypto/poly1305",
+"crypto/blake2",
"crypto/kdf",
"ssl",
"apps",