taigrr/arduinolibs
1
0
Fork 0
mirror of https://github.com/taigrr/arduinolibs synced 2025-01-18 04:33:12 -08:00
Code Issues Projects Releases Wiki Activity

Keyed hashing for BLAKE2 according to RFC7693

Browse Source
This commit is contained in:
Rhys Weatherley
2016-03-23 19:08:16 +10:00
parent 72715b172b
commit c8d7c3153d
7 changed files with 421 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

76
libraries/Crypto/BLAKE2b.cpp
View File

@@ -36,7 +36,35 @@
* replacement for SHA512 for when speed is critical but exact SHA512
* compatibility is not.
*
* Reference: https://blake2.net/
* This class supports two types of keyed hash. The BLAKE2 keyed hash and
* traditional HMAC. The BLAKE2 keyed hash is recommended unless there is
* some higher-level application need to be compatible with the HMAC
* construction. The keyed hash is computed as follows:
*
* \code
* BLAKE2b blake;
* blake.reset(key, sizeof(key), outputLength);
* blake.update(data1, sizeof(data1));
* blake.update(data2, sizeof(data2));
* ...
* blake.update(dataN, sizeof(dataN));
* blake.finalize(hash, outputLength);
* \endcode
*
* The HMAC is computed as follows (the output length is always 64):
*
* \code
* BLAKE2b blake;
* blake.resetHMAC(key, sizeof(key));
* blake.update(data1, sizeof(data1));
* blake.update(data2, sizeof(data2));
* ...
* blake.update(dataN, sizeof(dataN));
* blake.finalizeHMAC(key, sizeof(key), hash, 32);
* \endcode
*
* References: https://blake2.net/,
* <a href="http://tools.ietf.org/html/rfc7693">RFC 7693</a>
*
* \sa BLAKE2s, SHA512, SHA3_512
*/
@@ -102,6 +130,10 @@ void BLAKE2b::reset()
*/
void BLAKE2b::reset(uint8_t outputLength)
{
if (outputLength < 1)
outputLength = 1;
else if (outputLength > 64)
outputLength = 64;
state.h[0] = BLAKE2b_IV0 ^ 0x01010000 ^ outputLength;
state.h[1] = BLAKE2b_IV1;
state.h[2] = BLAKE2b_IV2;
@@ -115,6 +147,48 @@ void BLAKE2b::reset(uint8_t outputLength)
state.lengthHigh = 0;
}
/**
* \brief Resets the hash ready for a new hashing process with a specified
* key and output length.
*
* \param key Points to the key.
* \param keyLen The length of the key in bytes, between 0 and 64.
* \param outputLength The output length to use for the final hash in bytes,
* between 1 and 64.
*
* If \a keyLen is greater than 64, then the \a key will be truncated to
* the first 64 bytes.
*/
void BLAKE2b::reset(const void *key, size_t keyLen, uint8_t outputLength)
{
if (keyLen > 64)
keyLen = 64;
if (outputLength < 1)
outputLength = 1;
else if (outputLength > 64)
outputLength = 64;
state.h[0] = BLAKE2b_IV0 ^ 0x01010000 ^ (keyLen << 8) ^ outputLength;
state.h[1] = BLAKE2b_IV1;
state.h[2] = BLAKE2b_IV2;
state.h[3] = BLAKE2b_IV3;
state.h[4] = BLAKE2b_IV4;
state.h[5] = BLAKE2b_IV5;
state.h[6] = BLAKE2b_IV6;
state.h[7] = BLAKE2b_IV7;
if (keyLen > 0) {
// Set the first block to the key and pad with zeroes.
memcpy(state.m, key, keyLen);
memset(((uint8_t *)state.m) + keyLen, 0, 128 - keyLen);
state.chunkSize = 128;
state.lengthLow = 128;
} else {
// No key. The first data block is the first hashed block.
state.chunkSize = 0;
state.lengthLow = 0;
}
state.lengthHigh = 0;
}
void BLAKE2b::update(const void *data, size_t len)
{
// Break the input up into 1024-bit chunks and process each in turn.

2
libraries/Crypto/BLAKE2b.h
View File

@@ -36,6 +36,8 @@ public:
void reset();
void reset(uint8_t outputLength);
void reset(const void *key, size_t keyLen, uint8_t outputLength = 64);
void update(const void *data, size_t len);
void finalize(void *hash, size_t len);

75
libraries/Crypto/BLAKE2s.cpp
View File

@@ -36,7 +36,35 @@
* replacement for SHA256 for when speed is critical but exact SHA256
* compatibility is not.
*
* Reference: https://blake2.net/
* This class supports two types of keyed hash. The BLAKE2 keyed hash and
* traditional HMAC. The BLAKE2 keyed hash is recommended unless there is
* some higher-level application need to be compatible with the HMAC
* construction. The keyed hash is computed as follows:
*
* \code
* BLAKE2s blake;
* blake.reset(key, sizeof(key), outputLength);
* blake.update(data1, sizeof(data1));
* blake.update(data2, sizeof(data2));
* ...
* blake.update(dataN, sizeof(dataN));
* blake.finalize(hash, outputLength);
* \endcode
*
* The HMAC is computed as follows (the output length is always 32):
*
* \code
* BLAKE2s blake;
* blake.resetHMAC(key, sizeof(key));
* blake.update(data1, sizeof(data1));
* blake.update(data2, sizeof(data2));
* ...
* blake.update(dataN, sizeof(dataN));
* blake.finalizeHMAC(key, sizeof(key), hash, 32);
* \endcode
*
* References: https://blake2.net/,
* <a href="http://tools.ietf.org/html/rfc7693">RFC 7693</a>
*
* \sa BLAKE2b, SHA256, SHA3_256
*/
@@ -101,6 +129,10 @@ void BLAKE2s::reset()
*/
void BLAKE2s::reset(uint8_t outputLength)
{
if (outputLength < 1)
outputLength = 1;
else if (outputLength > 32)
outputLength = 32;
state.h[0] = BLAKE2s_IV0 ^ 0x01010000 ^ outputLength;
state.h[1] = BLAKE2s_IV1;
state.h[2] = BLAKE2s_IV2;
@@ -113,6 +145,47 @@ void BLAKE2s::reset(uint8_t outputLength)
state.length = 0;
}
/**
* \brief Resets the hash ready for a new hashing process with a specified
* key and output length.
*
* \param key Points to the key.
* \param keyLen The length of the key in bytes, between 0 and 32.
* \param outputLength The output length to use for the final hash in bytes,
* between 1 and 32.
*
* If \a keyLen is greater than 32, then the \a key will be truncated to
* the first 32 bytes.
*/
void BLAKE2s::reset(const void *key, size_t keyLen, uint8_t outputLength)
{
if (keyLen > 32)
keyLen = 32;
if (outputLength < 1)
outputLength = 1;
else if (outputLength > 32)
outputLength = 32;
state.h[0] = BLAKE2s_IV0 ^ 0x01010000 ^ (keyLen << 8) ^ outputLength;
state.h[1] = BLAKE2s_IV1;
state.h[2] = BLAKE2s_IV2;
state.h[3] = BLAKE2s_IV3;
state.h[4] = BLAKE2s_IV4;
state.h[5] = BLAKE2s_IV5;
state.h[6] = BLAKE2s_IV6;
state.h[7] = BLAKE2s_IV7;
if (keyLen > 0) {
// Set the first block to the key and pad with zeroes.
memcpy(state.m, key, keyLen);
memset(((uint8_t *)state.m) + keyLen, 0, 64 - keyLen);
state.chunkSize = 64;
state.length = 64;
} else {
// No key. The first data block is the first hashed block.
state.chunkSize = 0;
state.length = 0;
}
}
void BLAKE2s::update(const void *data, size_t len)
{
// Break the input up into 512-bit chunks and process each in turn.

2
libraries/Crypto/BLAKE2s.h
View File

@@ -36,6 +36,8 @@ public:
void reset();
void reset(uint8_t outputLength);
void reset(const void *key, size_t keyLen, uint8_t outputLength = 32);
void update(const void *data, size_t len);
void finalize(void *hash, size_t len);

134
libraries/Crypto/examples/TestBLAKE2b/TestBLAKE2b.ino
View File

@@ -27,6 +27,7 @@ This example runs tests on the BLAKE2b implementation to verify correct behaviou
#include <Crypto.h>
#include <BLAKE2b.h>
#include <string.h>
#include <avr/pgmspace.h>
#define HASH_SIZE 64
#define BLOCK_SIZE 128
@@ -39,7 +40,7 @@ struct TestHashVector
};
// Test vectors generated with the reference implementation of BLAKE2b.
static TestHashVector const testVectorBLAKE2b_1 = {
static TestHashVector const testVectorBLAKE2b_1 PROGMEM = {
"BLAKE2b #1",
"",
{0x78, 0x6a, 0x02, 0xf7, 0x42, 0x01, 0x59, 0x03,
@@ -51,7 +52,7 @@ static TestHashVector const testVectorBLAKE2b_1 = {
0x90, 0x3a, 0x68, 0x5b, 0x14, 0x48, 0xb7, 0x55,
0xd5, 0x6f, 0x70, 0x1a, 0xfe, 0x9b, 0xe2, 0xce}
};
static TestHashVector const testVectorBLAKE2b_2 = {
static TestHashVector const testVectorBLAKE2b_2 PROGMEM = {
"BLAKE2b #2",
"abc",
{0xba, 0x80, 0xa5, 0x3f, 0x98, 0x1c, 0x4d, 0x0d,
@@ -63,7 +64,7 @@ static TestHashVector const testVectorBLAKE2b_2 = {
0x18, 0xd3, 0x8a, 0xa8, 0xdb, 0xf1, 0x92, 0x5a,
0xb9, 0x23, 0x86, 0xed, 0xd4, 0x00, 0x99, 0x23}
};
static TestHashVector const testVectorBLAKE2b_3 = {
static TestHashVector const testVectorBLAKE2b_3 PROGMEM = {
"BLAKE2b #3",
"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
{0x72, 0x85, 0xff, 0x3e, 0x8b, 0xd7, 0x68, 0xd6,
@@ -75,7 +76,7 @@ static TestHashVector const testVectorBLAKE2b_3 = {
0x47, 0x13, 0x0b, 0x44, 0xf3, 0x3a, 0x02, 0xe8,
0x73, 0x0e, 0x5a, 0xd8, 0xe1, 0x66, 0xe8, 0x88}
};
static TestHashVector const testVectorBLAKE2b_4 = {
static TestHashVector const testVectorBLAKE2b_4 PROGMEM = {
"BLAKE2b #4",
"abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
"hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
@@ -116,6 +117,10 @@ bool testHash_N(Hash *hash, const struct TestHashVector *test, size_t inc)
void testHash(Hash *hash, const struct TestHashVector *test)
{
bool ok;
TestHashVector vec;
memcpy_P(&vec, test, sizeof(vec));
test = &vec;
Serial.print(test->name);
Serial.print(" ... ");
@@ -224,6 +229,125 @@ void testHMAC(Hash *hash, size_t keyLen)
Serial.println("Failed");
}
// Deterministic sequences (Fibonacci generator). From RFC 7693.
static void selftest_seq(uint8_t *out, size_t len, uint32_t seed)
{
size_t i;
uint32_t t, a , b;
a = 0xDEAD4BAD * seed; // prime
b = 1;
for (i = 0; i < len; i++) { // fill the buf
t = a + b;
a = b;
b = t;
out[i] = (t >> 24) & 0xFF;
}
}
// Incremental version of above to save memory.
static void selftest_seq_incremental(BLAKE2b *blake, size_t len, uint32_t seed)
{
size_t i;
uint32_t t, a , b;
a = 0xDEAD4BAD * seed; // prime
b = 1;
for (i = 0; i < len; i++) { // fill the buf
t = a + b;
a = b;
b = t;
buffer[i % 128] = (t >> 24) & 0xFF;
if ((i % 128) == 127)
blake->update(buffer, 128);
}
blake->update(buffer, len % 128);
}
// Run the self-test from Appendix E of RFC 7693. Most of this code
// is from RFC 7693, with modifications to use the Crypto library.
void testRFC7693()
{
// Grand hash of hash results.
static const uint8_t blake2b_res[32] PROGMEM = {
0xC2, 0x3A, 0x78, 0x00, 0xD9, 0x81, 0x23, 0xBD,
0x10, 0xF5, 0x06, 0xC6, 0x1E, 0x29, 0xDA, 0x56,
0x03, 0xD7, 0x63, 0xB8, 0xBB, 0xAD, 0x2E, 0x73,
0x7F, 0x5E, 0x76, 0x5A, 0x7B, 0xCC, 0xD4, 0x75
};
// Parameter sets.
static const uint8_t b2b_md_len[4] PROGMEM = { 20, 32, 48, 64 };
static const uint16_t b2b_in_len[6] PROGMEM = { 0, 3, 128, 129, 255, 1024 };
size_t i, j, outlen, inlen;
uint8_t md[64], key[64];
BLAKE2b inner;
Serial.print("BLAKE2b RFC 7693 ... ");
// 256-bit hash for testing.
blake2b.reset(32);
for (i = 0; i < 4; i++) {
outlen = pgm_read_byte(&(b2b_md_len[i]));
for (j = 0; j < 6; j++) {
inlen = pgm_read_word(&(b2b_in_len[j]));
inner.reset(outlen); // unkeyed hash
selftest_seq_incremental(&inner, inlen, inlen);
inner.finalize(md, outlen);
blake2b.update(md, outlen); // hash the hash
selftest_seq(key, outlen, outlen); // keyed hash
inner.reset(key, outlen, outlen);
selftest_seq_incremental(&inner, inlen, inlen);
inner.finalize(md, outlen);
blake2b.update(md, outlen); // hash the hash
}
}
// Compute and compare the hash of hashes.
bool ok = true;
blake2b.finalize(md, 32);
for (i = 0; i < 32; i++) {
if (md[i] != pgm_read_byte(&(blake2b_res[i])))
ok = false;
}
// Report the results.
if (ok)
Serial.println("Passed");
else
Serial.println("Failed");
}
void perfKeyed(BLAKE2b *hash)
{
unsigned long start;
unsigned long elapsed;
int count;
Serial.print("Keyed Reset ... ");
for (size_t posn = 0; posn < sizeof(buffer); ++posn)
buffer[posn] = (uint8_t)posn;
start = micros();
for (count = 0; count < 1000; ++count) {
hash->reset(buffer, hash->hashSize());
hash->update(buffer, 1); // To flush the key chunk.
}
elapsed = micros() - start;
Serial.print(elapsed / 1000.0);
Serial.print("us per op, ");
Serial.print((1000.0 * 1000000.0) / elapsed);
Serial.println(" ops per second");
}
void perfFinalize(Hash *hash)
{
unsigned long start;
@@ -267,11 +391,13 @@ void setup()
testHMAC(&blake2b, BLOCK_SIZE);
testHMAC(&blake2b, BLOCK_SIZE + 1);
testHMAC(&blake2b, BLOCK_SIZE + 2);
testRFC7693();
Serial.println();
Serial.println("Performance Tests:");
perfHash(&blake2b);
perfKeyed(&blake2b);
perfFinalize(&blake2b);
}

122
libraries/Crypto/examples/TestBLAKE2s/TestBLAKE2s.ino
View File

@@ -27,6 +27,7 @@ This example runs tests on the BLAKE2s implementation to verify correct behaviou
#include <Crypto.h>
#include <BLAKE2s.h>
#include <string.h>
#include <avr/pgmspace.h>
#define HASH_SIZE 32
#define BLOCK_SIZE 64
@@ -208,6 +209,101 @@ void testHMAC(Hash *hash, size_t keyLen)
Serial.println("Failed");
}
// Deterministic sequences (Fibonacci generator). From RFC 7693.
static void selftest_seq(uint8_t *out, size_t len, uint32_t seed)
{
size_t i;
uint32_t t, a , b;
a = 0xDEAD4BAD * seed; // prime
b = 1;
for (i = 0; i < len; i++) { // fill the buf
t = a + b;
a = b;
b = t;
out[i] = (t >> 24) & 0xFF;
}
}
// Incremental version of above to save memory.
static void selftest_seq_incremental(BLAKE2s *blake, size_t len, uint32_t seed)
{
size_t i;
uint32_t t, a , b;
a = 0xDEAD4BAD * seed; // prime
b = 1;
for (i = 0; i < len; i++) { // fill the buf
t = a + b;
a = b;
b = t;
buffer[i % 128] = (t >> 24) & 0xFF;
if ((i % 128) == 127)
blake->update(buffer, sizeof(buffer));
}
blake->update(buffer, len % 128);
}
// Run the self-test from Appendix E of RFC 7693. Most of this code
// is from RFC 7693, with modifications to use the Crypto library.
void testRFC7693()
{
// Grand hash of hash results.
static const uint8_t blake2s_res[32] PROGMEM = {
0x6A, 0x41, 0x1F, 0x08, 0xCE, 0x25, 0xAD, 0xCD,
0xFB, 0x02, 0xAB, 0xA6, 0x41, 0x45, 0x1C, 0xEC,
0x53, 0xC5, 0x98, 0xB2, 0x4F, 0x4F, 0xC7, 0x87,
0xFB, 0xDC, 0x88, 0x79, 0x7F, 0x4C, 0x1D, 0xFE
};
// Parameter sets.
static const uint8_t b2s_md_len[4] PROGMEM = { 16, 20, 28, 32 };
static const uint16_t b2s_in_len[6] PROGMEM = { 0, 3, 64, 65, 255, 1024 };
size_t i, j, outlen, inlen;
uint8_t md[32], key[32];
BLAKE2s inner;
Serial.print("BLAKE2s RFC 7693 ... ");
// 256-bit hash for testing.
blake2s.reset(32);
for (i = 0; i < 4; i++) {
outlen = pgm_read_byte(&(b2s_md_len[i]));
for (j = 0; j < 6; j++) {
inlen = pgm_read_word(&(b2s_in_len[j]));
inner.reset(outlen); // unkeyed hash
selftest_seq_incremental(&inner, inlen, inlen);
inner.finalize(md, outlen);
blake2s.update(md, outlen); // hash the hash
selftest_seq(key, outlen, outlen); // keyed hash
inner.reset(key, outlen, outlen);
selftest_seq_incremental(&inner, inlen, inlen);
inner.finalize(md, outlen);
blake2s.update(md, outlen); // hash the hash
}
}
// Compute and compare the hash of hashes.
bool ok = true;
blake2s.finalize(md, 32);
for (i = 0; i < 32; i++) {
if (md[i] != pgm_read_byte(&(blake2s_res[i])))
ok = false;
}
// Report the results.
if (ok)
Serial.println("Passed");
else
Serial.println("Failed");
}
void perfFinalize(Hash *hash)
{
unsigned long start;
@@ -230,6 +326,30 @@ void perfFinalize(Hash *hash)
Serial.println(" ops per second");
}
void perfKeyed(BLAKE2s *hash)
{
unsigned long start;
unsigned long elapsed;
int count;
Serial.print("Keyed Reset ... ");
for (size_t posn = 0; posn < sizeof(buffer); ++posn)
buffer[posn] = (uint8_t)posn;
start = micros();
for (count = 0; count < 1000; ++count) {
hash->reset(buffer, hash->hashSize());
hash->update(buffer, 1); // To flush the key chunk.
}
elapsed = micros() - start;
Serial.print(elapsed / 1000.0);
Serial.print("us per op, ");
Serial.print((1000.0 * 1000000.0) / elapsed);
Serial.println(" ops per second");
}
void perfHMAC(Hash *hash)
{
unsigned long start;
@@ -289,12 +409,14 @@ void setup()
testHMAC(&blake2s, BLOCK_SIZE);
testHMAC(&blake2s, BLOCK_SIZE + 1);
testHMAC(&blake2s, sizeof(buffer));
testRFC7693();
Serial.println();
Serial.println("Performance Tests:");
perfHash(&blake2s);
perfFinalize(&blake2s);
perfKeyed(&blake2s);
perfHMAC(&blake2s);
}