blake2b.c
Go to the documentation of this file.
1 /**
2  * @file blake2b.c
3  * @brief BLAKE2 cryptographic hash and MAC (BLAKE2b variant)
4  *
5  * @section License
6  *
7  * Copyright (C) 2010-2018 Oryx Embedded SARL. All rights reserved.
8  *
9  * This file is part of CycloneCrypto Open.
10  *
11  * This program is free software; you can redistribute it and/or
12  * modify it under the terms of the GNU General Public License
13  * as published by the Free Software Foundation; either version 2
14  * of the License, or (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License
22  * along with this program; if not, write to the Free Software Foundation,
23  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
24  *
25  * @section Description
26  *
27  * BLAKE2b is cryptographic hash function optimized for 64-bit platforms that
28  * produces digests of any size between 1 and 64 bytes. Refer to RFC 7693 for
29  * more details
30  *
31  * @author Oryx Embedded SARL (www.oryx-embedded.com)
32  * @version 1.9.0
33  **/
34 
35 //Switch to the appropriate trace level
36 #define TRACE_LEVEL CRYPTO_TRACE_LEVEL
37 
38 //Dependencies
39 #include "core/crypto.h"
40 #include "hash/blake2b.h"
41 
42 //Check crypto library configuration
43 #if (BLAKE2B_SUPPORT == ENABLED)
44 
45 //Mixing function G (borrowed from ChaCha quarter-round function)
46 #define G(a, b, c, d, x, y) \
47 { \
48  a += b + x; \
49  d ^= a; \
50  d = ROR64(d, 32); \
51  c += d; \
52  b ^= c; \
53  b = ROR64(b, 24); \
54  a += b + y; \
55  d ^= a; \
56  d = ROR64(d, 16); \
57  c += d; \
58  b ^= c; \
59  b = ROR64(b, 63); \
60 }
61 
62 //Message schedule SIGMA
63 static const uint8_t sigma[12][16] =
64 {
65  {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
66  {14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3},
67  {11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4},
68  {7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8},
69  {9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13},
70  {2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9},
71  {12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11},
72  {13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10},
73  {6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5},
74  {10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0},
75  {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
76  {14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3}
77 };
78 
79 //Initialization vector
80 static const uint64_t iv[8] =
81 {
82  0x6A09E667F3BCC908, 0xBB67AE8584CAA73B, 0x3C6EF372FE94F82B, 0xA54FF53A5F1D36F1,
83  0x510E527FADE682D1, 0x9B05688C2B3E6C1F, 0x1F83D9ABFB41BD6B, 0x5BE0CD19137E2179
84 };
85 
86 
87 /**
88  * @brief Digest a message using BLAKE2b
89  * @param[in] key Pointer to the key
90  * @param[in] keyLen Length of the key
91  * @param[in] data Pointer to the message being hashed
92  * @param[in] dataLen Length of the message
93  * @param[out] digest Pointer to the calculated digest
94  * @param[in] digestLen Expected length of the digest
95  * @return Error code
96  **/
97 
98 error_t blake2bCompute(const void *key, size_t keyLen, const void *data,
99  size_t dataLen, uint8_t *digest, size_t digestLen)
100 {
101  error_t error;
102  Blake2bContext *context;
103 
104  //Allocate a memory buffer to hold the BLAKE2b context
105  context = cryptoAllocMem(sizeof(Blake2bContext));
106 
107  //Successful memory allocation?
108  if(context != NULL)
109  {
110  //Initialize the hashing context
111  error = blake2bInit(context, key, keyLen, digestLen);
112 
113  //Check status code
114  if(!error)
115  {
116  //Digest the message
117  blake2bUpdate(context, data, dataLen);
118  //Finalize the BLAKE2b message digest
119  blake2bFinal(context, digest);
120  }
121 
122  //Free previously allocated memory
123  cryptoFreeMem(context);
124  }
125  else
126  {
127  //Failed to allocate memory
128  error = ERROR_OUT_OF_MEMORY;
129  }
130 
131  //Return status code
132  return error;
133 }
134 
135 
136 /**
137  * @brief Initialize BLAKE2b message digest context
138  * @param[in] context Pointer to the BLAKE2b context to initialize
139  * @param[in] key Pointer to the key
140  * @param[in] keyLen Length of the key
141  * @param[in] digestLen Expected length of the digest
142  * @return Error code
143  **/
144 
145 error_t blake2bInit(Blake2bContext *context, const void *key,
146  size_t keyLen, size_t digestLen)
147 {
148  size_t i;
149 
150  //Check the length of the key
151  if(keyLen > 64)
153 
154  //Check the length of the hash
155  if(digestLen < 1 || digestLen > 64)
157 
158  //Initialize state vector
159  for(i = 0; i < 8; i++)
160  {
161  context->h[i] = iv[i];
162  }
163 
164  //The first byte of the parameter block is the hash size in bytes
165  context->h[0] ^= digestLen;
166  //The second byte of the parameter block is the key size in bytes
167  context->h[0] ^= keyLen << 8;
168  //Bytes 2 and 3 are set as 01
169  context->h[0] ^= 0x01010000;
170 
171  //Number of bytes in the buffer
172  context->size = 0;
173 
174  //Total number of bytes
175  context->totalSize[0] = 0;
176  context->totalSize[1] = 0;
177 
178  //Size of the digest
179  context->digestSize = digestLen;
180 
181  //Clear input buffer
182  cryptoMemset(context->buffer, 0, 128);
183 
184  //Any secret key?
185  if(keyLen > 0)
186  {
187  //Copy the secret key
188  cryptoMemcpy(context->buffer, key, keyLen);
189  //The secret key is padded with zero bytes
190  context->size = 128;
191  }
192 
193  //Successful initialization
194  return NO_ERROR;
195 }
196 
197 
198 /**
199  * @brief Update the BLAKE2b context with a portion of the message being hashed
200  * @param[in] context Pointer to the BLAKE2b context
201  * @param[in] data Pointer to the buffer being hashed
202  * @param[in] length Length of the buffer
203  **/
204 
205 void blake2bUpdate(Blake2bContext *context, const void *data, size_t length)
206 {
207  size_t n;
208 
209  //Process the incoming data
210  while(length > 0)
211  {
212  //Each message block consists of 16 words
213  if(context->size == 128)
214  {
215  //Compress the 16-word block
216  blake2bProcessBlock(context, FALSE);
217  //Empty the buffer
218  context->size = 0;
219  }
220 
221  //The buffer can hold at most 128 bytes
222  n = MIN(length, 128 - context->size);
223 
224  //Copy the data to the buffer
225  cryptoMemcpy(context->buffer + context->size, data, n);
226  //Update the length of the buffer
227  context->size += n;
228 
229  //Advance the data pointer
230  data = (uint8_t *) data + n;
231  //Remaining bytes to process
232  length -= n;
233  }
234 }
235 
236 
237 /**
238  * @brief Finish the BLAKE2b message digest
239  * @param[in] context Pointer to the BLAKE2b context
240  * @param[out] digest Calculated digest (optional parameter)
241  **/
242 
243 void blake2bFinal(Blake2bContext *context, uint8_t *digest)
244 {
245  size_t i;
246 
247  //The last block is padded with zeros to full block size, if required
248  for(i = context->size; i < 128; i++)
249  {
250  context->buffer[i] = 0;
251  }
252 
253  //Compress the last block
254  blake2bProcessBlock(context, TRUE);
255 
256  //Convert from host byte order to big-endian byte order
257  for(i = 0; i < 8; i++)
258  {
259  context->h[i] = htole64(context->h[i]);
260  }
261 
262  //Copy the resulting digest
263  if(digest != NULL)
264  {
265  cryptoMemcpy(digest, context->digest, context->digestSize);
266  }
267 }
268 
269 
270 /**
271  * @brief Compression function F
272  * @param[in] context Pointer to the BLAKE2b context
273  * @param[in] last Flag indicating the last block
274  **/
275 
277 {
278  uint_t i;
279  uint64_t *m;
280  uint64_t v[16];
281 
282  //Initialize the working vector
283  for(i = 0; i < 8; i++)
284  {
285  //First half from state
286  v[i] = context->h[i];
287  //Second half from IV
288  v[i + 8] = iv[i];
289  }
290 
291  //Increment offset counter
292  context->totalSize[0] += context->size;
293 
294  //Propagate the carry if necessary
295  if(context->totalSize[0] < context->size)
296  {
297  context->totalSize[1]++;
298  }
299 
300  //Low word of the offset
301  v[12] ^= context->totalSize[0];
302  //High word of the offset
303  v[13] ^= context->totalSize[1];
304 
305  //Last block flag?
306  if(last)
307  {
308  //Invert all bits
309  v[14] = ~v[14];
310  }
311 
312  //Point to the message block vector
313  m = context->m;
314 
315  //Convert from little-endian byte order to host byte order
316  for(i = 0; i < 16; i++)
317  {
318  m[i] = letoh64(m[i]);
319  }
320 
321  //Cryptographic mixing
322  for(i = 0; i < 12; i++)
323  {
324  //The column rounds apply the quarter-round function to the four
325  //columns, from left to right
326  G(v[0], v[4], v[8], v[12], m[sigma[i][0]], m[sigma[i][1]]);
327  G(v[1], v[5], v[9], v[13], m[sigma[i][2]], m[sigma[i][3]]);
328  G(v[2], v[6], v[10], v[14], m[sigma[i][4]], m[sigma[i][5]]);
329  G(v[3], v[7], v[11], v[15], m[sigma[i][6]], m[sigma[i][7]]);
330 
331  //The diagonal rounds apply the quarter-round function to the top-left,
332  //bottom-right diagonal, followed by the pattern shifted one place to
333  //the right, for three more quarter-rounds
334  G(v[0], v[5], v[10], v[15], m[sigma[i][8]], m[sigma[i][9]]);
335  G(v[1], v[6], v[11], v[12], m[sigma[i][10]], m[sigma[i][11]]);
336  G(v[2], v[7], v[8], v[13], m[sigma[i][12]], m[sigma[i][13]]);
337  G(v[3], v[4], v[9], v[14], m[sigma[i][14]], m[sigma[i][15]]);
338  }
339 
340  //XOR the two halves
341  for(i = 0; i < 8; i++)
342  {
343  context->h[i] ^= v[i] ^ v[i + 8];
344  }
345 }
346 
347 #endif
#define cryptoMemcpy(dest, src, length)
Definition: crypto.h:590
#define cryptoFreeMem(p)
Definition: crypto.h:578
#define cryptoAllocMem(size)
Definition: crypto.h:573
error_t blake2bInit(Blake2bContext *context, const void *key, size_t keyLen, size_t digestLen)
Initialize BLAKE2b message digest context.
Definition: blake2b.c:145
General definitions for cryptographic algorithms.
Invalid parameter.
Definition: error.h:45
BLAKE2 cryptographic hash and MAC (BLAKE2b variant)
size_t size
Definition: blake2b.h:60
uint64_t h[8]
Definition: blake2b.h:52
uint64_t totalSize[2]
Definition: blake2b.h:61
uint8_t m
Definition: ndp.h:299
#define TRUE
Definition: os_port.h:48
#define G(a, b, c, d, x, y)
Definition: blake2b.c:46
uint16_t last
Definition: ipv4_frag.h:94
size_t digestSize
Definition: blake2b.h:62
void blake2bFinal(Blake2bContext *context, uint8_t *digest)
Finish the BLAKE2b message digest.
Definition: blake2b.c:243
#define MIN(a, b)
Definition: os_port.h:60
#define letoh64(value)
Definition: cpu_endian.h:413
Success.
Definition: error.h:42
void blake2bProcessBlock(Blake2bContext *context, bool_t last)
Compression function F.
Definition: blake2b.c:276
void blake2bUpdate(Blake2bContext *context, const void *data, size_t length)
Update the BLAKE2b context with a portion of the message being hashed.
Definition: blake2b.c:205
error_t
Error codes.
Definition: error.h:40
unsigned int uint_t
Definition: compiler_port.h:43
uint64_t m[16]
Definition: blake2b.h:57
uint8_t data[]
Definition: dtls_misc.h:167
BLAKE2b algorithm context.
Definition: blake2b.h:48
uint8_t digest[64]
Definition: blake2b.h:53
#define htole64(value)
Definition: cpu_endian.h:405
#define cryptoMemset(p, value, length)
Definition: crypto.h:584
uint8_t length
Definition: dtls_misc.h:140
uint8_t n
#define FALSE
Definition: os_port.h:44
int bool_t
Definition: compiler_port.h:47
uint8_t buffer[128]
Definition: blake2b.h:58
error_t blake2bCompute(const void *key, size_t keyLen, const void *data, size_t dataLen, uint8_t *digest, size_t digestLen)
Digest a message using BLAKE2b.
Definition: blake2b.c:98