blake2b.c
Go to the documentation of this file.
1 /**
2  * @file blake2b.c
3  * @brief BLAKE2 cryptographic hash and MAC (BLAKE2b variant)
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2019 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneCrypto Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @section Description
28  *
29  * BLAKE2b is cryptographic hash function optimized for 64-bit platforms that
30  * produces digests of any size between 1 and 64 bytes. Refer to RFC 7693 for
31  * more details
32  *
33  * @author Oryx Embedded SARL (www.oryx-embedded.com)
34  * @version 1.9.6
35  **/
36 
37 //Switch to the appropriate trace level
38 #define TRACE_LEVEL CRYPTO_TRACE_LEVEL
39 
40 //Dependencies
41 #include "core/crypto.h"
42 #include "hash/blake2b.h"
43 
44 //Check crypto library configuration
45 #if (BLAKE2B_SUPPORT == ENABLED)
46 
47 //Mixing function G (borrowed from ChaCha quarter-round function)
48 #define G(a, b, c, d, x, y) \
49 { \
50  a += b + x; \
51  d ^= a; \
52  d = ROR64(d, 32); \
53  c += d; \
54  b ^= c; \
55  b = ROR64(b, 24); \
56  a += b + y; \
57  d ^= a; \
58  d = ROR64(d, 16); \
59  c += d; \
60  b ^= c; \
61  b = ROR64(b, 63); \
62 }
63 
64 //Message schedule SIGMA
65 static const uint8_t sigma[12][16] =
66 {
67  {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
68  {14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3},
69  {11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4},
70  {7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8},
71  {9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13},
72  {2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9},
73  {12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11},
74  {13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10},
75  {6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5},
76  {10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0},
77  {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
78  {14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3}
79 };
80 
81 //Initialization vector
82 static const uint64_t iv[8] =
83 {
84  0x6A09E667F3BCC908, 0xBB67AE8584CAA73B, 0x3C6EF372FE94F82B, 0xA54FF53A5F1D36F1,
85  0x510E527FADE682D1, 0x9B05688C2B3E6C1F, 0x1F83D9ABFB41BD6B, 0x5BE0CD19137E2179
86 };
87 
88 
89 /**
90  * @brief Digest a message using BLAKE2b
91  * @param[in] key Pointer to the key
92  * @param[in] keyLen Length of the key
93  * @param[in] data Pointer to the message being hashed
94  * @param[in] dataLen Length of the message
95  * @param[out] digest Pointer to the calculated digest
96  * @param[in] digestLen Expected length of the digest
97  * @return Error code
98  **/
99 
100 error_t blake2bCompute(const void *key, size_t keyLen, const void *data,
101  size_t dataLen, uint8_t *digest, size_t digestLen)
102 {
103  error_t error;
104  Blake2bContext *context;
105 
106  //Allocate a memory buffer to hold the BLAKE2b context
107  context = cryptoAllocMem(sizeof(Blake2bContext));
108 
109  //Successful memory allocation?
110  if(context != NULL)
111  {
112  //Initialize the hashing context
113  error = blake2bInit(context, key, keyLen, digestLen);
114 
115  //Check status code
116  if(!error)
117  {
118  //Digest the message
119  blake2bUpdate(context, data, dataLen);
120  //Finalize the BLAKE2b message digest
121  blake2bFinal(context, digest);
122  }
123 
124  //Free previously allocated memory
125  cryptoFreeMem(context);
126  }
127  else
128  {
129  //Failed to allocate memory
130  error = ERROR_OUT_OF_MEMORY;
131  }
132 
133  //Return status code
134  return error;
135 }
136 
137 
138 /**
139  * @brief Initialize BLAKE2b message digest context
140  * @param[in] context Pointer to the BLAKE2b context to initialize
141  * @param[in] key Pointer to the key
142  * @param[in] keyLen Length of the key
143  * @param[in] digestLen Expected length of the digest
144  * @return Error code
145  **/
146 
147 error_t blake2bInit(Blake2bContext *context, const void *key,
148  size_t keyLen, size_t digestLen)
149 {
150  size_t i;
151 
152  //Check the length of the key
153  if(keyLen > 64)
155 
156  //Check the length of the hash
157  if(digestLen < 1 || digestLen > 64)
159 
160  //Initialize state vector
161  for(i = 0; i < 8; i++)
162  {
163  context->h[i] = iv[i];
164  }
165 
166  //The first byte of the parameter block is the hash size in bytes
167  context->h[0] ^= digestLen;
168  //The second byte of the parameter block is the key size in bytes
169  context->h[0] ^= keyLen << 8;
170  //Bytes 2 and 3 are set as 01
171  context->h[0] ^= 0x01010000;
172 
173  //Number of bytes in the buffer
174  context->size = 0;
175 
176  //Total number of bytes
177  context->totalSize[0] = 0;
178  context->totalSize[1] = 0;
179 
180  //Size of the digest
181  context->digestSize = digestLen;
182 
183  //Clear input buffer
184  cryptoMemset(context->buffer, 0, 128);
185 
186  //Any secret key?
187  if(keyLen > 0)
188  {
189  //Copy the secret key
190  cryptoMemcpy(context->buffer, key, keyLen);
191  //The secret key is padded with zero bytes
192  context->size = 128;
193  }
194 
195  //Successful initialization
196  return NO_ERROR;
197 }
198 
199 
200 /**
201  * @brief Update the BLAKE2b context with a portion of the message being hashed
202  * @param[in] context Pointer to the BLAKE2b context
203  * @param[in] data Pointer to the buffer being hashed
204  * @param[in] length Length of the buffer
205  **/
206 
207 void blake2bUpdate(Blake2bContext *context, const void *data, size_t length)
208 {
209  size_t n;
210 
211  //Process the incoming data
212  while(length > 0)
213  {
214  //Each message block consists of 16 words
215  if(context->size == 128)
216  {
217  //Compress the 16-word block
218  blake2bProcessBlock(context, FALSE);
219  //Empty the buffer
220  context->size = 0;
221  }
222 
223  //The buffer can hold at most 128 bytes
224  n = MIN(length, 128 - context->size);
225 
226  //Copy the data to the buffer
227  cryptoMemcpy(context->buffer + context->size, data, n);
228  //Update the length of the buffer
229  context->size += n;
230 
231  //Advance the data pointer
232  data = (uint8_t *) data + n;
233  //Remaining bytes to process
234  length -= n;
235  }
236 }
237 
238 
239 /**
240  * @brief Finish the BLAKE2b message digest
241  * @param[in] context Pointer to the BLAKE2b context
242  * @param[out] digest Calculated digest (optional parameter)
243  **/
244 
245 void blake2bFinal(Blake2bContext *context, uint8_t *digest)
246 {
247  size_t i;
248 
249  //The last block is padded with zeros to full block size, if required
250  for(i = context->size; i < 128; i++)
251  {
252  context->buffer[i] = 0;
253  }
254 
255  //Compress the last block
256  blake2bProcessBlock(context, TRUE);
257 
258  //Convert from host byte order to big-endian byte order
259  for(i = 0; i < 8; i++)
260  {
261  context->h[i] = htole64(context->h[i]);
262  }
263 
264  //Copy the resulting digest
265  if(digest != NULL)
266  {
267  cryptoMemcpy(digest, context->digest, context->digestSize);
268  }
269 }
270 
271 
272 /**
273  * @brief Compression function F
274  * @param[in] context Pointer to the BLAKE2b context
275  * @param[in] last Flag indicating the last block
276  **/
277 
279 {
280  uint_t i;
281  uint64_t *m;
282  uint64_t v[16];
283 
284  //Initialize the working vector
285  for(i = 0; i < 8; i++)
286  {
287  //First half from state
288  v[i] = context->h[i];
289  //Second half from IV
290  v[i + 8] = iv[i];
291  }
292 
293  //Increment offset counter
294  context->totalSize[0] += context->size;
295 
296  //Propagate the carry if necessary
297  if(context->totalSize[0] < context->size)
298  {
299  context->totalSize[1]++;
300  }
301 
302  //Low word of the offset
303  v[12] ^= context->totalSize[0];
304  //High word of the offset
305  v[13] ^= context->totalSize[1];
306 
307  //Last block flag?
308  if(last)
309  {
310  //Invert all bits
311  v[14] = ~v[14];
312  }
313 
314  //Point to the message block vector
315  m = context->m;
316 
317  //Convert from little-endian byte order to host byte order
318  for(i = 0; i < 16; i++)
319  {
320  m[i] = letoh64(m[i]);
321  }
322 
323  //Cryptographic mixing
324  for(i = 0; i < 12; i++)
325  {
326  //The column rounds apply the quarter-round function to the four
327  //columns, from left to right
328  G(v[0], v[4], v[8], v[12], m[sigma[i][0]], m[sigma[i][1]]);
329  G(v[1], v[5], v[9], v[13], m[sigma[i][2]], m[sigma[i][3]]);
330  G(v[2], v[6], v[10], v[14], m[sigma[i][4]], m[sigma[i][5]]);
331  G(v[3], v[7], v[11], v[15], m[sigma[i][6]], m[sigma[i][7]]);
332 
333  //The diagonal rounds apply the quarter-round function to the top-left,
334  //bottom-right diagonal, followed by the pattern shifted one place to
335  //the right, for three more quarter-rounds
336  G(v[0], v[5], v[10], v[15], m[sigma[i][8]], m[sigma[i][9]]);
337  G(v[1], v[6], v[11], v[12], m[sigma[i][10]], m[sigma[i][11]]);
338  G(v[2], v[7], v[8], v[13], m[sigma[i][12]], m[sigma[i][13]]);
339  G(v[3], v[4], v[9], v[14], m[sigma[i][14]], m[sigma[i][15]]);
340  }
341 
342  //XOR the two halves
343  for(i = 0; i < 8; i++)
344  {
345  context->h[i] ^= v[i] ^ v[i + 8];
346  }
347 }
348 
349 #endif
uint8_t length
Definition: dtls_misc.h:149
#define htole64(value)
Definition: cpu_endian.h:407
#define letoh64(value)
Definition: cpu_endian.h:415
int bool_t
Definition: compiler_port.h:49
size_t size
Definition: blake2b.h:62
error_t blake2bInit(Blake2bContext *context, const void *key, size_t keyLen, size_t digestLen)
Initialize BLAKE2b message digest context.
Definition: blake2b.c:147
#define TRUE
Definition: os_port.h:50
error_t blake2bCompute(const void *key, size_t keyLen, const void *data, size_t dataLen, uint8_t *digest, size_t digestLen)
Digest a message using BLAKE2b.
Definition: blake2b.c:100
uint16_t last
Definition: ipv4_frag.h:96
@ ERROR_OUT_OF_MEMORY
Definition: error.h:63
uint64_t h[8]
Definition: blake2b.h:54
uint64_t totalSize[2]
Definition: blake2b.h:63
#define FALSE
Definition: os_port.h:46
@ ERROR_INVALID_PARAMETER
Invalid parameter.
Definition: error.h:47
size_t digestSize
Definition: blake2b.h:64
error_t
Error codes.
Definition: error.h:42
#define G(a, b, c, d, x, y)
Definition: blake2b.c:48
General definitions for cryptographic algorithms.
BLAKE2b algorithm context.
Definition: blake2b.h:50
#define MIN(a, b)
Definition: os_port.h:62
void blake2bFinal(Blake2bContext *context, uint8_t *digest)
Finish the BLAKE2b message digest.
Definition: blake2b.c:245
#define cryptoMemset(p, value, length)
Definition: crypto.h:636
BLAKE2 cryptographic hash and MAC (BLAKE2b variant)
uint8_t m
Definition: ndp.h:302
uint8_t n
uint8_t digest[64]
Definition: blake2b.h:55
#define cryptoMemcpy(dest, src, length)
Definition: crypto.h:642
#define cryptoFreeMem(p)
Definition: crypto.h:630
uint64_t m[16]
Definition: blake2b.h:59
#define cryptoAllocMem(size)
Definition: crypto.h:625
void blake2bProcessBlock(Blake2bContext *context, bool_t last)
Compression function F.
Definition: blake2b.c:278
void blake2bUpdate(Blake2bContext *context, const void *data, size_t length)
Update the BLAKE2b context with a portion of the message being hashed.
Definition: blake2b.c:207
unsigned int uint_t
Definition: compiler_port.h:45
uint8_t data[]
Definition: dtls_misc.h:176
uint8_t buffer[128]
Definition: blake2b.h:60
@ NO_ERROR
Success.
Definition: error.h:44