Add BLAKE2[sb] hash

[ksherlock]

Hi,

This adds the blake2s hash (https://blake2.net, https://www.ietf.org/rfc/rfc7693.txt) based on the reference implementation (https://github.com/BLAKE2/BLAKE2/blob/master/ref/blake2s-ref.c)

[karel-m]

Looks good, do you plan to add blake2b as well?

[ksherlock]

I have added blake2b as well.

[karel-m]

Ad Travis-CI failures e.g. https://travis-ci.org/libtom/libtomcrypt/jobs/220116643

you have to move all declaration at the block beginning like this:

 static inline int blake2s_init0(hash_state *md)
 {
+   int i;
    XMEMSET(&md->blake2s, 0, sizeof(struct blake2s_state));
 
-   for (int i = 0; i < 8; ++i)
+   for (i = 0; i < 8; ++i)

[ksherlock]

It has been updated.
Thanks,
Kelvin

[karel-m]

One more place that needs a fix

src/hashes/blake2s.c: In function ‘blake2s_init0’:
src/hashes/blake2s.c:153:4: error: ‘for’ loop initial declarations are only allowed in C99 mode
src/hashes/blake2s.c:153:4: note: use option -std=c99 or -std=gnu99 to compile your code

[karel-m]

move declaration int i at the block beginning

[karel-m]

declaration ulong32 *p should go at the block beginning before any code

[karel-m]

move declaration size_t i at the block beginning

[karel-m]

remove the declaration size_t i

[karel-m]

move declaration size_t i at the block beginning

[karel-m]

remove the declaration size_t i

[karel-m]

I propose a change like this:

 static int blake2s_init_param(hash_state *md, const struct blake2s_param *P)
 {
    unsigned long i;
-   ulong32 *p = (ulong32 *)(P);
+   unsigned char *p = (unsigned char *)(P);

    blake2s_init0(md);

    /* IV XOR ParamBlock */
    for (i = 0; i < 8; ++i) {
       ulong32 tmp;
-      LOAD32L(tmp, &p[i]);
+      LOAD32L(tmp, p + i*4);
       md->blake2s.h[i] ^= tmp;
    }

[sjaeckel]

c.f. my comments to blake2b_init_param()

[karel-m]

md is not on stack

[sjaeckel]

& you forgot to clean buffer

[karel-m]

md is not on stack

[karel-m]

IMO zeromem(md, sizeof(hash_state)) should be out of #ifdef LTC_CLEAN_STACK ... #endif

[sjaeckel]

IMO zeromem(md, sizeof(hash_state)) should be out of #ifdef LTC_CLEAN_STACK ... #endif

true

[sjaeckel]

Regarding my comments to the struct blake2[bs]_param I also don't have a good solution yet...

[sjaeckel]

why 2*64 here and 128 for blake2b?

[sjaeckel]

also these types (curlen, outlen, last_node) could be the same type as in blake2b or not? (or in blake2b the same as here, whichever makes most sense, at least it should be consistent)

[sjaeckel]

ugh @ the typecast before and then p + sizeof(md->blake2b.h[i]) * i

especially since the blake2b_param struct isn't packed... and I'm not really a fan of packed structs regarding portability...

[sjaeckel]

this can be static

[sjaeckel]

c.f. my comments to blake2b_init_param()

[sjaeckel]

& you forgot to clean buffer

[sjaeckel]

you forgot i :)

[sjaeckel]

👍

[sjaeckel]

format

[sjaeckel]

format

[sjaeckel]

shouldn't we better remove the zero'ing of md for both _done functions? or is the hash descriptor unusable anyways after having called done on it? I just realized that's in line with all the other hash implementations...

[sjaeckel]

I was thinking about changing blake2[sb]_init as we use it as far as I see only in blake2[sb].c files. We will obviously need to change related parts like:

- int blake2b_160_init(hash_state *md) { return blake2b_init(md, 20); }
+ int blake2b_160_init(hash_state *md) { return blake2b_init(md, 20, NULL, 0); }

But I am not strongly against separate blake2[sb]_init_key functions. Before you start perhaps wait for @sjaeckel's point of view.

sounds fine by me, it doesn't look like a blake2[sb]_init_key is needed as blake2[sb]_init would be yet another wrapper.

The next step would be creating something like src/mac/blake2[sb]mac/blake2[sb]mac.c with:

int blake2smac_init(blake2smac_state *st, unsigned long outlen, const unsigned char *key, unsigned long keylen);
int blake2smac_process(blake2smac_state *st, const unsigned char *in, unsigned long inlen);
int blake2smac_done(blake2smac_state *st, unsigned char *mac, unsigned long *maclen);

And to make it complete we need:

src/mac/blake2[sb]mac/blake2[sb]mac_file.c 
src/mac/blake2[sb]mac/blake2[sb]mac_memory.c 
src/mac/blake2[sb]mac/blake2[sb]mac_memory_multi.c 
src/mac/blake2[sb]mac/blake2[sb]mac_test.c 

also sounds fine by me, I'd just put them in src/mac/blake2/blake2[sb]mac_[file,memory,...].c

please have a look at #184 regarding the structure & API signatures used.

[karel-m]

Yes, having both BLAKE2 based MACs in src/mac/blake2/*.c looks better.

[sjaeckel]

can you please rename the identifiers for all blake2[bs] hash descriptors to blake2[bs]-XXX etc.

[sjaeckel]

please also add this patch and then we're ready to merge

diff --git a/demos/hashsum.c b/demos/hashsum.c
index 8f94af5..9951a85 100644
--- a/demos/hashsum.c
+++ b/demos/hashsum.c
@@ -105,6 +105,18 @@ void register_algs(void)
 #ifdef LTC_WHIRLPOOL
   register_hash (&whirlpool_desc);
 #endif
+#ifdef LTC_BLAKE2S
+  register_hash (&blake2s_128_desc);
+  register_hash (&blake2s_160_desc);
+  register_hash (&blake2s_224_desc);
+  register_hash (&blake2s_256_desc);
+#endif
+#ifdef LTC_BLAKE2B
+  register_hash (&blake2b_160_desc);
+  register_hash (&blake2b_256_desc);
+  register_hash (&blake2b_384_desc);
+  register_hash (&blake2b_512_desc);
+#endif
 #ifdef LTC_CHC_HASH
   register_hash(&chc_desc);
   if ((err = chc_register(register_cipher(&aes_enc_desc))) != CRYPT_OK) {
diff --git a/src/hashes/blake2b.c b/src/hashes/blake2b.c
index 3e7dd10..55409cc 100644
--- a/src/hashes/blake2b.c
+++ b/src/hashes/blake2b.c
@@ -489,6 +489,16 @@ int blake2b_256_test(void)
         0x31, 0x71, 0xef, 0x3f, 0xee, 0x98, 0x57, 0x9b,
         0x94, 0x96, 0x4e, 0x3b, 0xb1, 0xcb, 0x3e, 0x42,
         0x72, 0x62, 0xc8, 0xc0, 0x68, 0xd5, 0x23, 0x19 } },
+    { "12345678901234567890123456789012345678901234567890"
+      "12345678901234567890123456789012345678901234567890"
+      "12345678901234567890123456789012345678901234567890"
+      "12345678901234567890123456789012345678901234567890"
+      "12345678901234567890123456789012345678901234567890"
+      "12345678901234567890123456789012345678901234567890",
+      { 0x0f, 0x6e, 0x01, 0x8d, 0x38, 0xd6, 0x3f, 0x08,
+        0x4d, 0x58, 0xe3, 0x0c, 0x90, 0xfb, 0xa2, 0x41,
+        0x5f, 0xca, 0x17, 0xfa, 0x66, 0x26, 0x49, 0xf3,
+        0x8a, 0x30, 0x41, 0x7c, 0x57, 0xcd, 0xa8, 0x14 } },
 
     { NULL, { 0 } }
   };
diff --git a/src/hashes/blake2s.c b/src/hashes/blake2s.c
index 1c4164e..dbb1414 100644
--- a/src/hashes/blake2s.c
+++ b/src/hashes/blake2s.c
@@ -382,6 +382,16 @@ int blake2s_256_test(void)
         0xe1, 0xa7, 0x2b, 0xa3, 0x4e, 0xeb, 0x45, 0x2f,
         0x37, 0x45, 0x8b, 0x20, 0x9e, 0xd6, 0x3a, 0x29,
         0x4d, 0x99, 0x9b, 0x4c, 0x86, 0x67, 0x59, 0x82 } },
+    { "12345678901234567890123456789012345678901234567890"
+      "12345678901234567890123456789012345678901234567890"
+      "12345678901234567890123456789012345678901234567890"
+      "12345678901234567890123456789012345678901234567890"
+      "12345678901234567890123456789012345678901234567890"
+      "12345678901234567890123456789012345678901234567890",
+      { 0xa3, 0x78, 0x8b, 0x5b, 0x59, 0xee, 0xe4, 0x41,
+        0x95, 0x23, 0x58, 0x00, 0xa4, 0xf9, 0xfa, 0x41,
+        0x86, 0x0c, 0x7b, 0x1c, 0x35, 0xa2, 0x42, 0x70,
+        0x50, 0x80, 0x79, 0x56, 0xe3, 0xbe, 0x31, 0x74 } },
 
     { NULL, { 0 } }
   };

[karel-m]

Ad blake2b_160 vs. blake2b-160 I prefer the underscore variant as can be seen in my recent sha3_nnn addition. But the fact is that sha512 family uses a dash. We should be definitely consistent. Before merge test vectors should be regenerated via tv_gen.

[sjaeckel]

I don't think it should be a personal preference, so I just use the notation that is used in the standards... therefore - and not _
:-)

[karel-m]

And what about zeroing md always (not only #ifdef LTC_CLEAN_STACK) as mentioned in my comment? Especially if we'll use the same routines for BLAKE2 based MACs, the MD will contain key related material.

[sjaeckel]

And what about zeroing md always (not only #ifdef LTC_CLEAN_STACK) as
mentioned in my comment?

true, I missed that

[sjaeckel]

IMO zeromem(md, sizeof(hash_state)) should be out of #ifdef LTC_CLEAN_STACK ... #endif

true

[sjaeckel]

same

[sjaeckel]

you need something like this

make tv_gen
./tv_gen
mv *_tv.txt notes/
git add notes/
git commit -m "update testvectors"

@karel-m should we add something like the following to helper.pl?

for f in demos/tv_gen.c demos/hashsum.c testprof/x86_prof.c ; do for h in $(rgrep ltc_hash_desc ./src/hashes/ | awk '{print $4}'); do rgrep -q $h $f || echo $h not in $f ; done ; done

...which immediately shows

rmd320_desc not in demos/tv_gen.c
sha512_224_desc not in demos/tv_gen.c
sha512_256_desc not in demos/tv_gen.c
rmd256_desc not in demos/tv_gen.c
sha3_224_desc not in demos/hashsum.c
sha3_256_desc not in demos/hashsum.c
sha3_384_desc not in demos/hashsum.c
sha3_512_desc not in demos/hashsum.c
rmd320_desc not in demos/hashsum.c
sha512_224_desc not in demos/hashsum.c
sha512_256_desc not in demos/hashsum.c
rmd256_desc not in demos/hashsum.c

[sjaeckel]

I don't know how you created these testvectors, but the ones you pushed fail on my machine as well 😮
What's the architecture&OS you're working on?

[ksherlock]

The hash_sizes in blakes2-160 and blake2s-224 were a little off. hmac_tv.txt should be a little more consistent now.

[karel-m]

👍 I am for merging

[sjaeckel]

thx @ksherlock & @karel-m for the good review process