Files @ 20fa1614ab45
Branch filter:

Location: CryptoJS/src/blake.js - annotation

Laman
FIX: unstretched password leaking through signature
// https://tools.ietf.org/html/rfc7693
import {MASK,int32s2bytes,bytes2int32s,zeroPad} from "./util.js";

const BLOCK_LEN=64;

const IV=[0x6A09E667,0xBB67AE85,0x3C6EF372,0xA54FF53A,0x510E527F,0x9B05688C,0x1F83D9AB,0x5BE0CD19];

function rrot(x,shift){
	return ((x>>>shift)|(x<<(32-shift)))&MASK;
}

/**
 * @param {number} outputLen output length in bytes, 1<=x<=32
 * @param {Array} key byte array, 0<=key.length<=32
 * @returns {BLAKE2S}
 */
export function BLAKE2S(outputLen=32,key=[]){
	this._buffer=[];
	this._dataLen=[0,0]; // low, high
	this._outputLen=outputLen;
	
	this._state=IV.slice();
	this._state[0]^=0x01010000^(key.length<<8)^this._outputLen;
	
	if(key.length>0){this.update(zeroPad(key,BLOCK_LEN));}
}

BLAKE2S.prototype.update=function(data){
	for(let i=0;i<data.length;i++){
		if(this._buffer.length==BLOCK_LEN){
			this._compress(false);
			this._buffer=[];
		}
		this._buffer.push(data[i]);
		this._dataLen[0]=(this._dataLen[0]+1)&MASK;
		if(this._dataLen[0]<this._buffer.length){this._dataLen[1]++;}
	}
};

BLAKE2S.prototype.digest=function(){
	this._buffer=zeroPad(this._buffer,BLOCK_LEN);
	this._compress(true);
	return int32s2bytes(this._state).slice(0,this._outputLen);
};

BLAKE2S.prototype._compress=function(last){
	const SIGMA=[
		[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15],
		[14,10,4,8,9,15,13,6,1,12,0,2,11,7,5,3],
		[11,8,12,0,5,2,15,13,10,14,3,6,7,1,9,4],
		[7,9,3,1,13,12,11,14,2,6,5,10,4,0,15,8],
		[9,0,5,7,2,4,10,15,14,1,11,12,6,8,3,13],
		[2,12,6,10,0,11,8,3,4,13,7,5,15,14,1,9],
		[12,5,1,15,14,13,4,10,0,7,6,3,9,2,8,11],
		[13,11,7,14,12,1,3,9,5,0,15,4,8,6,2,10],
		[6,15,14,9,11,3,0,8,12,2,13,7,1,4,10,5],
		[10,2,8,4,7,6,1,5,15,11,9,14,3,12,13,0]
	];
	let v=this._state.concat(IV);
	v[12]^=this._dataLen[0];
	v[13]^=this._dataLen[1];
	if(last){v[14]^=MASK;}
	let data=bytes2int32s(this._buffer);

	for(let i=0;i<10;i++){
		let perm=SIGMA[i%10];
		this._mix(v,0,4,8,12,data[perm[0]],data[perm[1]]);
		this._mix(v,1,5,9,13,data[perm[2]],data[perm[3]]);
		this._mix(v,2,6,10,14,data[perm[4]],data[perm[5]]);
		this._mix(v,3,7,11,15,data[perm[6]],data[perm[7]]);

		this._mix(v,0,5,10,15,data[perm[8]],data[perm[9]]);
		this._mix(v,1,6,11,12,data[perm[10]],data[perm[11]]);
		this._mix(v,2,7,8,13,data[perm[12]],data[perm[13]]);
		this._mix(v,3,4,9,14,data[perm[14]],data[perm[15]]);
	}

	this._state=this._state.map((x,i)=>x^v[i]^v[i+8]);
};

BLAKE2S.prototype._mix=function(arr,ia,ib,ic,id,x,y){
	let a=arr[ia], b=arr[ib], c=arr[ic], d=arr[id];
	a=(a+b+x)&MASK; d=rrot(d^a,16);
	c=(c+d)&MASK; b=rrot(b^c,12);
	a=(a+b+y)&MASK; d=rrot(d^a,8);
	c=(c+d)&MASK; b=rrot(b^c,7);
	arr[ia]=a; arr[ib]=b; arr[ic]=c; arr[id]=d;
};

export function blake2s(data,outputLen=32,key=[]){
	let h=new BLAKE2S(outputLen,key);
	for(let i=0;i<data.length;i+=BLOCK_LEN){h.update(data.slice(i,i+BLOCK_LEN));}
	return h.digest();
}