blake2s.c
Go to the documentation of this file.
1 /**
2  * @file blake2s.c
3  * @brief BLAKE2 cryptographic hash and MAC (BLAKE2s variant)
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2019 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneCrypto Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @section Description
28  *
29  * BLAKE2s is cryptographic hash function optimized for 8- to 32-bit platforms
30  * that produces digests of any size between 1 and 32 bytes. Refer to RFC 7693
31  * for more details
32  *
33  * @author Oryx Embedded SARL (www.oryx-embedded.com)
34  * @version 1.9.6
35  **/
36 
37 //Switch to the appropriate trace level
38 #define TRACE_LEVEL CRYPTO_TRACE_LEVEL
39 
40 //Dependencies
41 #include "core/crypto.h"
42 #include "hash/blake2s.h"
43 
44 //Check crypto library configuration
45 #if (BLAKE2S_SUPPORT == ENABLED)
46 
47 //Mixing function G (borrowed from ChaCha quarter-round function)
48 #define G(a, b, c, d, x, y) \
49 { \
50  a += b + x; \
51  d ^= a; \
52  d = ROR32(d, 16); \
53  c += d; \
54  b ^= c; \
55  b = ROR32(b, 12); \
56  a += b + y; \
57  d ^= a; \
58  d = ROR32(d, 8); \
59  c += d; \
60  b ^= c; \
61  b = ROR32(b, 7); \
62 }
63 
64 //Message schedule SIGMA
65 static const uint8_t sigma[10][16] =
66 {
67  {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
68  {14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3},
69  {11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4},
70  {7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8},
71  {9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13},
72  {2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9},
73  {12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11},
74  {13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10},
75  {6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5},
76  {10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0}
77 };
78 
79 //Initialization vector
80 static const uint32_t iv[8] =
81 {
82  0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
83  0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19
84 };
85 
86 
87 /**
88  * @brief Digest a message using BLAKE2s
89  * @param[in] key Pointer to the key
90  * @param[in] keyLen Length of the key
91  * @param[in] data Pointer to the message being hashed
92  * @param[in] dataLen Length of the message
93  * @param[out] digest Pointer to the calculated digest
94  * @param[in] digestLen Expected length of the digest
95  * @return Error code
96  **/
97 
98 error_t blake2sCompute(const void *key, size_t keyLen, const void *data,
99  size_t dataLen, uint8_t *digest, size_t digestLen)
100 {
101  error_t error;
102  Blake2sContext *context;
103 
104  //Allocate a memory buffer to hold the BLAKE2s context
105  context = cryptoAllocMem(sizeof(Blake2sContext));
106 
107  //Successful memory allocation?
108  if(context != NULL)
109  {
110  //Initialize the hashing context
111  error = blake2sInit(context, key, keyLen, digestLen);
112 
113  //Check status code
114  if(!error)
115  {
116  //Digest the message
117  blake2sUpdate(context, data, dataLen);
118  //Finalize the BLAKE2s message digest
119  blake2sFinal(context, digest);
120  }
121 
122  //Free previously allocated memory
123  cryptoFreeMem(context);
124  }
125  else
126  {
127  //Failed to allocate memory
128  error = ERROR_OUT_OF_MEMORY;
129  }
130 
131  //Return status code
132  return error;
133 }
134 
135 
136 /**
137  * @brief Initialize BLAKE2s message digest context
138  * @param[in] context Pointer to the BLAKE2s context to initialize
139  * @param[in] key Pointer to the key
140  * @param[in] keyLen Length of the key
141  * @param[in] digestLen Expected length of the digest
142  * @return Error code
143  **/
144 
145 error_t blake2sInit(Blake2sContext *context, const void *key,
146  size_t keyLen, size_t digestLen)
147 {
148  size_t i;
149 
150  //Check the length of the key
151  if(keyLen > 32)
153 
154  //Check the length of the hash
155  if(digestLen < 1 || digestLen > 32)
157 
158  //Initialize state vector
159  for(i = 0; i < 8; i++)
160  {
161  context->h[i] = iv[i];
162  }
163 
164  //The first byte of the parameter block is the hash size in bytes
165  context->h[0] ^= digestLen;
166  //The second byte of the parameter block is the key size in bytes
167  context->h[0] ^= keyLen << 8;
168  //Bytes 2 and 3 are set as 01
169  context->h[0] ^= 0x01010000;
170 
171  //Number of bytes in the buffer
172  context->size = 0;
173 
174  //Total number of bytes
175  context->totalSize[0] = 0;
176  context->totalSize[1] = 0;
177 
178  //Size of the digest
179  context->digestSize = digestLen;
180 
181  //Clear input buffer
182  cryptoMemset(context->buffer, 0, 64);
183 
184  //Any secret key?
185  if(keyLen > 0)
186  {
187  //Copy the secret key
188  cryptoMemcpy(context->buffer, key, keyLen);
189  //The secret key is padded with zero bytes
190  context->size = 64;
191  }
192 
193  //Successful initialization
194  return NO_ERROR;
195 }
196 
197 
198 /**
199  * @brief Update the BLAKE2s context with a portion of the message being hashed
200  * @param[in] context Pointer to the BLAKE2s context
201  * @param[in] data Pointer to the buffer being hashed
202  * @param[in] length Length of the buffer
203  **/
204 
205 void blake2sUpdate(Blake2sContext *context, const void *data, size_t length)
206 {
207  size_t n;
208 
209  //Process the incoming data
210  while(length > 0)
211  {
212  //Each message block consists of 16 words
213  if(context->size == 64)
214  {
215  //Compress the 16-word block
216  blake2sProcessBlock(context, FALSE);
217  //Empty the buffer
218  context->size = 0;
219  }
220 
221  //The buffer can hold at most 64 bytes
222  n = MIN(length, 64 - context->size);
223 
224  //Copy the data to the buffer
225  cryptoMemcpy(context->buffer + context->size, data, n);
226  //Update the length of the buffer
227  context->size += n;
228 
229  //Advance the data pointer
230  data = (uint8_t *) data + n;
231  //Remaining bytes to process
232  length -= n;
233  }
234 }
235 
236 
237 /**
238  * @brief Finish the BLAKE2s message digest
239  * @param[in] context Pointer to the BLAKE2s context
240  * @param[out] digest Calculated digest (optional parameter)
241  **/
242 
243 void blake2sFinal(Blake2sContext *context, uint8_t *digest)
244 {
245  size_t i;
246 
247  //The last block is padded with zeros to full block size, if required
248  for(i = context->size; i < 64; i++)
249  {
250  context->buffer[i] = 0;
251  }
252 
253  //Compress the last block
254  blake2sProcessBlock(context, TRUE);
255 
256  //Convert from host byte order to big-endian byte order
257  for(i = 0; i < 8; i++)
258  {
259  context->h[i] = htole32(context->h[i]);
260  }
261 
262  //Copy the resulting digest
263  if(digest != NULL)
264  {
265  cryptoMemcpy(digest, context->digest, context->digestSize);
266  }
267 }
268 
269 
270 /**
271  * @brief Compression function F
272  * @param[in] context Pointer to the BLAKE2s context
273  * @param[in] last Flag indicating the last block
274  **/
275 
277 {
278  uint_t i;
279  uint32_t *m;
280  uint32_t v[16];
281 
282  //Initialize the working vector
283  for(i = 0; i < 8; i++)
284  {
285  //First half from state
286  v[i] = context->h[i];
287  //Second half from IV
288  v[i + 8] = iv[i];
289  }
290 
291  //Increment offset counter
292  context->totalSize[0] += context->size;
293 
294  //Propagate the carry if necessary
295  if(context->totalSize[0] < context->size)
296  {
297  context->totalSize[1]++;
298  }
299 
300  //Low word of the offset
301  v[12] ^= context->totalSize[0];
302  //High word of the offset
303  v[13] ^= context->totalSize[1];
304 
305  //Last block flag?
306  if(last)
307  {
308  //Invert all bits
309  v[14] = ~v[14];
310  }
311 
312  //Point to the message block vector
313  m = context->m;
314 
315  //Convert from little-endian byte order to host byte order
316  for(i = 0; i < 16; i++)
317  {
318  m[i] = letoh32(m[i]);
319  }
320 
321  //Cryptographic mixing
322  for(i = 0; i < 10; i++)
323  {
324  //The column rounds apply the quarter-round function to the four
325  //columns, from left to right
326  G(v[0], v[4], v[8], v[12], m[sigma[i][0]], m[sigma[i][1]]);
327  G(v[1], v[5], v[9], v[13], m[sigma[i][2]], m[sigma[i][3]]);
328  G(v[2], v[6], v[10], v[14], m[sigma[i][4]], m[sigma[i][5]]);
329  G(v[3], v[7], v[11], v[15], m[sigma[i][6]], m[sigma[i][7]]);
330 
331  //The diagonal rounds apply the quarter-round function to the top-left,
332  //bottom-right diagonal, followed by the pattern shifted one place to
333  //the right, for three more quarter-rounds
334  G(v[0], v[5], v[10], v[15], m[sigma[i][8]], m[sigma[i][9]]);
335  G(v[1], v[6], v[11], v[12], m[sigma[i][10]], m[sigma[i][11]]);
336  G(v[2], v[7], v[8], v[13], m[sigma[i][12]], m[sigma[i][13]]);
337  G(v[3], v[4], v[9], v[14], m[sigma[i][14]], m[sigma[i][15]]);
338  }
339 
340  //XOR the two halves
341  for(i = 0; i < 8; i++)
342  {
343  context->h[i] ^= v[i] ^ v[i + 8];
344  }
345 }
346 
347 #endif
uint8_t length
Definition: dtls_misc.h:149
int bool_t
Definition: compiler_port.h:49
uint8_t buffer[64]
Definition: blake2s.h:60
void blake2sFinal(Blake2sContext *context, uint8_t *digest)
Finish the BLAKE2s message digest.
Definition: blake2s.c:243
void blake2sProcessBlock(Blake2sContext *context, bool_t last)
Compression function F.
Definition: blake2s.c:276
uint32_t totalSize[2]
Definition: blake2s.h:63
#define TRUE
Definition: os_port.h:50
BLAKE2 cryptographic hash and MAC (BLAKE2s variant)
uint16_t last
Definition: ipv4_frag.h:96
size_t digestSize
Definition: blake2s.h:64
@ ERROR_OUT_OF_MEMORY
Definition: error.h:63
#define letoh32(value)
Definition: cpu_endian.h:414
#define G(a, b, c, d, x, y)
Definition: blake2s.c:48
uint32_t h[8]
Definition: blake2s.h:54
#define FALSE
Definition: os_port.h:46
@ ERROR_INVALID_PARAMETER
Invalid parameter.
Definition: error.h:47
size_t size
Definition: blake2s.h:62
error_t
Error codes.
Definition: error.h:42
#define htole32(value)
Definition: cpu_endian.h:406
void blake2sUpdate(Blake2sContext *context, const void *data, size_t length)
Update the BLAKE2s context with a portion of the message being hashed.
Definition: blake2s.c:205
General definitions for cryptographic algorithms.
BLAKE2s algorithm context.
Definition: blake2s.h:50
#define MIN(a, b)
Definition: os_port.h:62
#define cryptoMemset(p, value, length)
Definition: crypto.h:636
error_t blake2sCompute(const void *key, size_t keyLen, const void *data, size_t dataLen, uint8_t *digest, size_t digestLen)
Digest a message using BLAKE2s.
Definition: blake2s.c:98
error_t blake2sInit(Blake2sContext *context, const void *key, size_t keyLen, size_t digestLen)
Initialize BLAKE2s message digest context.
Definition: blake2s.c:145
uint32_t m[16]
Definition: blake2s.h:59
uint8_t m
Definition: ndp.h:302
uint8_t n
uint8_t digest[32]
Definition: blake2s.h:55
#define cryptoMemcpy(dest, src, length)
Definition: crypto.h:642
#define cryptoFreeMem(p)
Definition: crypto.h:630
#define cryptoAllocMem(size)
Definition: crypto.h:625
unsigned int uint_t
Definition: compiler_port.h:45
uint8_t data[]
Definition: dtls_misc.h:176
@ NO_ERROR
Success.
Definition: error.h:44