Arduino Cryptography Library
BLAKE2b.cpp
1 /*
2  * Copyright (C) 2015 Southern Storm Software, Pty Ltd.
3  *
4  * Permission is hereby granted, free of charge, to any person obtaining a
5  * copy of this software and associated documentation files (the "Software"),
6  * to deal in the Software without restriction, including without limitation
7  * the rights to use, copy, modify, merge, publish, distribute, sublicense,
8  * and/or sell copies of the Software, and to permit persons to whom the
9  * Software is furnished to do so, subject to the following conditions:
10  *
11  * The above copyright notice and this permission notice shall be included
12  * in all copies or substantial portions of the Software.
13  *
14  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15  * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
17  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
18  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
19  * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
20  * DEALINGS IN THE SOFTWARE.
21  */
22 
23 #include "BLAKE2b.h"
24 #include "Crypto.h"
25 #include "utility/EndianUtil.h"
26 #include "utility/RotateUtil.h"
27 #include "utility/ProgMemUtil.h"
28 #include <string.h>
29 
85 BLAKE2b::BLAKE2b()
86 {
87  reset();
88 }
89 
94 BLAKE2b::~BLAKE2b()
95 {
96  clean(state);
97 }
98 
99 size_t BLAKE2b::hashSize() const
100 {
101  return 64;
102 }
103 
104 size_t BLAKE2b::blockSize() const
105 {
106  return 128;
107 }
108 
109 // Initialization vectors for BLAKE2b.
110 #define BLAKE2b_IV0 0x6a09e667f3bcc908ULL
111 #define BLAKE2b_IV1 0xbb67ae8584caa73bULL
112 #define BLAKE2b_IV2 0x3c6ef372fe94f82bULL
113 #define BLAKE2b_IV3 0xa54ff53a5f1d36f1ULL
114 #define BLAKE2b_IV4 0x510e527fade682d1ULL
115 #define BLAKE2b_IV5 0x9b05688c2b3e6c1fULL
116 #define BLAKE2b_IV6 0x1f83d9abfb41bd6bULL
117 #define BLAKE2b_IV7 0x5be0cd19137e2179ULL
118 
119 void BLAKE2b::reset()
120 {
121  state.h[0] = BLAKE2b_IV0 ^ 0x01010040; // Default output length of 64.
122  state.h[1] = BLAKE2b_IV1;
123  state.h[2] = BLAKE2b_IV2;
124  state.h[3] = BLAKE2b_IV3;
125  state.h[4] = BLAKE2b_IV4;
126  state.h[5] = BLAKE2b_IV5;
127  state.h[6] = BLAKE2b_IV6;
128  state.h[7] = BLAKE2b_IV7;
129  state.chunkSize = 0;
130  state.lengthLow = 0;
131  state.lengthHigh = 0;
132 }
133 
141 void BLAKE2b::reset(uint8_t outputLength)
142 {
143  if (outputLength < 1)
144  outputLength = 1;
145  else if (outputLength > 64)
146  outputLength = 64;
147  state.h[0] = BLAKE2b_IV0 ^ 0x01010000 ^ outputLength;
148  state.h[1] = BLAKE2b_IV1;
149  state.h[2] = BLAKE2b_IV2;
150  state.h[3] = BLAKE2b_IV3;
151  state.h[4] = BLAKE2b_IV4;
152  state.h[5] = BLAKE2b_IV5;
153  state.h[6] = BLAKE2b_IV6;
154  state.h[7] = BLAKE2b_IV7;
155  state.chunkSize = 0;
156  state.lengthLow = 0;
157  state.lengthHigh = 0;
158 }
159 
172 void BLAKE2b::reset(const void *key, size_t keyLen, uint8_t outputLength)
173 {
174  if (keyLen > 64)
175  keyLen = 64;
176  if (outputLength < 1)
177  outputLength = 1;
178  else if (outputLength > 64)
179  outputLength = 64;
180  state.h[0] = BLAKE2b_IV0 ^ 0x01010000 ^ (keyLen << 8) ^ outputLength;
181  state.h[1] = BLAKE2b_IV1;
182  state.h[2] = BLAKE2b_IV2;
183  state.h[3] = BLAKE2b_IV3;
184  state.h[4] = BLAKE2b_IV4;
185  state.h[5] = BLAKE2b_IV5;
186  state.h[6] = BLAKE2b_IV6;
187  state.h[7] = BLAKE2b_IV7;
188  if (keyLen > 0) {
189  // Set the first block to the key and pad with zeroes.
190  memcpy(state.m, key, keyLen);
191  memset(((uint8_t *)state.m) + keyLen, 0, 128 - keyLen);
192  state.chunkSize = 128;
193  state.lengthLow = 128;
194  } else {
195  // No key. The first data block is the first hashed block.
196  state.chunkSize = 0;
197  state.lengthLow = 0;
198  }
199  state.lengthHigh = 0;
200 }
201 
202 void BLAKE2b::update(const void *data, size_t len)
203 {
204  // Break the input up into 1024-bit chunks and process each in turn.
205  const uint8_t *d = (const uint8_t *)data;
206  while (len > 0) {
207  if (state.chunkSize == 128) {
208  // Previous chunk was full and we know that it wasn't the
209  // last chunk, so we can process it now with f0 set to zero.
210  processChunk(0);
211  state.chunkSize = 0;
212  }
213  uint8_t size = 128 - state.chunkSize;
214  if (size > len)
215  size = len;
216  memcpy(((uint8_t *)state.m) + state.chunkSize, d, size);
217  state.chunkSize += size;
218  uint64_t temp = state.lengthLow;
219  state.lengthLow += size;
220  if (state.lengthLow < temp)
221  ++state.lengthHigh;
222  len -= size;
223  d += size;
224  }
225 }
226 
227 void BLAKE2b::finalize(void *hash, size_t len)
228 {
229  // Pad the last chunk and hash it with f0 set to all-ones.
230  memset(((uint8_t *)state.m) + state.chunkSize, 0, 128 - state.chunkSize);
231  processChunk(0xFFFFFFFFFFFFFFFFULL);
232 
233  // Convert the hash into little-endian in the message buffer.
234  for (uint8_t posn = 0; posn < 8; ++posn)
235  state.m[posn] = htole64(state.h[posn]);
236 
237  // Copy the hash to the caller's return buffer.
238  if (len > 64)
239  len = 64;
240  memcpy(hash, state.m, len);
241 }
242 
243 void BLAKE2b::clear()
244 {
245  clean(state);
246  reset();
247 }
248 
249 void BLAKE2b::resetHMAC(const void *key, size_t keyLen)
250 {
251  formatHMACKey(state.m, key, keyLen, 0x36);
252  state.lengthLow += 128;
253  state.chunkSize = 128;
254 }
255 
256 void BLAKE2b::finalizeHMAC(const void *key, size_t keyLen, void *hash, size_t hashLen)
257 {
258  uint8_t temp[64];
259  finalize(temp, sizeof(temp));
260  formatHMACKey(state.m, key, keyLen, 0x5C);
261  state.lengthLow += 128;
262  state.chunkSize = 128;
263  update(temp, sizeof(temp));
264  finalize(hash, hashLen);
265  clean(temp);
266 }
267 
268 // Permutation on the message input state for BLAKE2b.
269 static const uint8_t sigma[12][16] PROGMEM = {
270  { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
271  {14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3},
272  {11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4},
273  { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8},
274  { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13},
275  { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9},
276  {12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11},
277  {13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10},
278  { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5},
279  {10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0},
280  { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
281  {14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3},
282 };
283 
284 // Perform a BLAKE2b quarter round operation.
285 #define quarterRound(a, b, c, d, i) \
286  do { \
287  uint64_t _b = (b); \
288  uint64_t _a = (a) + _b + state.m[pgm_read_byte(&(sigma[index][2 * (i)]))]; \
289  uint64_t _d = rightRotate32_64((d) ^ _a); \
290  uint64_t _c = (c) + _d; \
291  _b = rightRotate24_64(_b ^ _c); \
292  _a += _b + state.m[pgm_read_byte(&(sigma[index][2 * (i) + 1]))]; \
293  (d) = _d = rightRotate16_64(_d ^ _a); \
294  _c += _d; \
295  (a) = _a; \
296  (b) = rightRotate63_64(_b ^ _c); \
297  (c) = _c; \
298  } while (0)
299 
300 void BLAKE2b::processChunk(uint64_t f0)
301 {
302  uint8_t index;
303  uint64_t v[16];
304 
305  // Byte-swap the message buffer into little-endian if necessary.
306 #if !defined(CRYPTO_LITTLE_ENDIAN)
307  for (index = 0; index < 16; ++index)
308  state.m[index] = le64toh(state.m[index]);
309 #endif
310 
311  // Format the block to be hashed.
312  memcpy(v, state.h, sizeof(state.h));
313  v[8] = BLAKE2b_IV0;
314  v[9] = BLAKE2b_IV1;
315  v[10] = BLAKE2b_IV2;
316  v[11] = BLAKE2b_IV3;
317  v[12] = BLAKE2b_IV4 ^ state.lengthLow;
318  v[13] = BLAKE2b_IV5 ^ state.lengthHigh;
319  v[14] = BLAKE2b_IV6 ^ f0;
320  v[15] = BLAKE2b_IV7;
321 
322  // Perform the 12 BLAKE2b rounds.
323  for (index = 0; index < 12; ++index) {
324  // Column round.
325  quarterRound(v[0], v[4], v[8], v[12], 0);
326  quarterRound(v[1], v[5], v[9], v[13], 1);
327  quarterRound(v[2], v[6], v[10], v[14], 2);
328  quarterRound(v[3], v[7], v[11], v[15], 3);
329 
330  // Diagonal round.
331  quarterRound(v[0], v[5], v[10], v[15], 4);
332  quarterRound(v[1], v[6], v[11], v[12], 5);
333  quarterRound(v[2], v[7], v[8], v[13], 6);
334  quarterRound(v[3], v[4], v[9], v[14], 7);
335  }
336 
337  // Combine the new and old hash values.
338  for (index = 0; index < 8; ++index)
339  state.h[index] ^= (v[index] ^ v[index + 8]);
340 }
BLAKE2b::finalize
void finalize(void *hash, size_t len)
Finalizes the hashing process and returns the hash.
Definition: BLAKE2b.cpp:227
BLAKE2b::BLAKE2b
BLAKE2b()
Constructs a BLAKE2b hash object.
Definition: BLAKE2b.cpp:85
BLAKE2b::clear
void clear()
Clears the hash state, removing all sensitive data, and then resets the hash ready for a new hashing ...
Definition: BLAKE2b.cpp:243
BLAKE2b::finalizeHMAC
void finalizeHMAC(const void *key, size_t keyLen, void *hash, size_t hashLen)
Finalizes the HMAC hashing process and returns the hash.
Definition: BLAKE2b.cpp:256
BLAKE2b::hashSize
size_t hashSize() const
Size of the hash result from finalize().
Definition: BLAKE2b.cpp:99
BLAKE2b::update
void update(const void *data, size_t len)
Updates the hash with more data.
Definition: BLAKE2b.cpp:202
BLAKE2b::blockSize
size_t blockSize() const
Size of the internal block used by the hash algorithm.
Definition: BLAKE2b.cpp:104
BLAKE2b::reset
void reset()
Resets the hash ready for a new hashing process.
Definition: BLAKE2b.cpp:119
BLAKE2b::resetHMAC
void resetHMAC(const void *key, size_t keyLen)
Resets the hash ready for a new HMAC hashing process.
Definition: BLAKE2b.cpp:249
BLAKE2b::~BLAKE2b
virtual ~BLAKE2b()
Destroys this BLAKE2b hash object after clearing sensitive information.
Definition: BLAKE2b.cpp:94
Hash::formatHMACKey
void formatHMACKey(void *block, const void *key, size_t len, uint8_t pad)
Formats a HMAC key into a block.
Definition: Hash.cpp:162
Generated on Sat Apr 1 2023 09:42:58 for Arduino Cryptography Library by doxygen 1.9.1