HMAC-BLAKE2s, HKDF, TAI64N 実装追加

暗号プリミティブ実装: - HMAC-BLAKE2s (RFC 2104): BLAKE2s ベースの HMAC - HKDF-BLAKE2s (RFC 586): 鍵導出関数 - HKDF-Extract: 入力鍵から PRK を導出 - HKDF-Expand: PRK から必要な長さの鍵を導出 - TAI64N: WireGuard プロトコル層のタイムスタンプ（12 バイト） WireGuard での使用: - ハンドシェイク中の鍵導出チェーン - チェーン鍵 (Ck)・セッション鍵 (tk) の導出 - リプレイ防止用タイムスタンプテスト: - test_hmac_blake2s: HMAC-BLAKE2s 検証 ✅ - test_hkdf_blake2s: HKDF 検証 ✅ - test_tai64n: TAI64N エンコード/デコード ✅
2026-03-26 21:03:27 +09:00
parent b83394f37b
commit c892e6ca01
11 changed files with 695 additions and 3 deletions
@@ -0,0 +1,98 @@
+/**
+ * @file se050_hkdf_blake2s.c
+ * @brief HKDF Implementation using HMAC-BLAKE2s (RFC 586)
+ */
+
+#include "se050_hkdf_blake2s.h"
+#include "se050_hmac_blake2s.h"
+#include <string.h>
+
+#define HKDF_MAX_BYTES (255 * HMAC_BLAKE2S_DIGEST_SIZE)
+
+int se050_hkdf_extract(uint8_t prk[32],
+                       const uint8_t *salt, size_t saltlen,
+                       const uint8_t *ikm, size_t ikmlen)
+{
+    uint8_t zero_salt[HMAC_BLAKE2S_BLOCK_SIZE] = {0};
+
+    if (!prk || !ikm || ikmlen == 0) {
+        return -1;
+    }
+
+    if (!salt || saltlen == 0) {
+        salt = zero_salt;
+        saltlen = HMAC_BLAKE2S_BLOCK_SIZE;
+    }
+
+    return se050_hmac_blake2s(prk, salt, saltlen, ikm, ikmlen);
+}
+
+int se050_hkdf_expand(uint8_t *okm, size_t okmlen,
+                      const uint8_t prk[32],
+                      const uint8_t *info, size_t infolen)
+{
+    uint8_t t[HMAC_BLAKE2S_DIGEST_SIZE];
+    uint8_t t_prev[HMAC_BLAKE2S_DIGEST_SIZE];
+    uint8_t info_with_counter[65];
+    size_t n, i, written;
+
+    if (!okm || !prk || okmlen == 0 || okmlen > HKDF_MAX_BYTES) {
+        return -1;
+    }
+
+    n = (okmlen + HMAC_BLAKE2S_DIGEST_SIZE - 1) / HMAC_BLAKE2S_DIGEST_SIZE;
+    if (n > 255) {
+        return -1;
+    }
+
+    memset(t, 0, sizeof(t));
+    memset(t_prev, 0, sizeof(t_prev));
+    memset(okm, 0, okmlen);
+
+    for (i = 1; i <= n; i++) {
+        info_with_counter[0] = (uint8_t)i;
+        if (info && infolen > 0) {
+            memcpy(info_with_counter + 1, info, infolen);
+        }
+
+        int ret = se050_hmac_blake2s(t, prk, 32,
+                                     info_with_counter, infolen + 1);
+        if (ret != 0) {
+            memset(t, 0, sizeof(t));
+            memset(t_prev, 0, sizeof(t_prev));
+            return ret;
+        }
+
+        written = (i == n) ? (okmlen % HMAC_BLAKE2S_DIGEST_SIZE) : HMAC_BLAKE2S_DIGEST_SIZE;
+        if (written == 0) written = HMAC_BLAKE2S_DIGEST_SIZE;
+        memcpy(okm + (i - 1) * HMAC_BLAKE2S_DIGEST_SIZE, t, written);
+
+        memcpy(t_prev, t, sizeof(t_prev));
+        memset(t, 0, sizeof(t));
+    }
+
+    memset(t_prev, 0, sizeof(t_prev));
+    return 0;
+}
+
+int se050_hkdf(uint8_t *okm, size_t okmlen,
+               const uint8_t *salt, size_t saltlen,
+               const uint8_t *ikm, size_t ikmlen,
+               const uint8_t *info, size_t infolen)
+{
+    uint8_t prk[32];
+    int ret;
+
+    if (!okm || okmlen == 0 || !ikm || ikmlen == 0) {
+        return -1;
+    }
+
+    ret = se050_hkdf_extract(prk, salt, saltlen, ikm, ikmlen);
+    if (ret != 0) {
+        return ret;
+    }
+
+    ret = se050_hkdf_expand(okm, okmlen, prk, info, infolen);
+    memset(prk, 0, sizeof(prk));
+    return ret;
+}
@@ -0,0 +1,78 @@
+/**
+ * @file se050_hmac_blake2s.c
+ * @brief HMAC-BLAKE2s Implementation (RFC 2104)
+ * Based on BLAKE2s hash function
+ */
+
+#include "se050_hmac_blake2s.h"
+#include "se050_blake2s.h"
+#include <string.h>
+
+int se050_hmac_blake2s(uint8_t out[32],
+                       const uint8_t *key, size_t keylen,
+                       const uint8_t *data, size_t datalen)
+{
+    uint8_t k_block[HMAC_BLAKE2S_BLOCK_SIZE];
+    uint8_t ipad[HMAC_BLAKE2S_BLOCK_SIZE];
+    uint8_t opad[HMAC_BLAKE2S_BLOCK_SIZE];
+    uint8_t inner_hash[HMAC_BLAKE2S_DIGEST_SIZE];
+    uint8_t inner_with_key[128];
+    int i;
+
+    if (!out || !key || keylen == 0 || !data || datalen > 64) {
+        return -1;
+    }
+
+    memset(k_block, 0, sizeof(k_block));
+
+    if (keylen > HMAC_BLAKE2S_BLOCK_SIZE) {
+        se050_blake2s(k_block, HMAC_BLAKE2S_DIGEST_SIZE, key, keylen);
+    } else {
+        memcpy(k_block, key, keylen);
+    }
+
+    for (i = 0; i < HMAC_BLAKE2S_BLOCK_SIZE; i++) {
+        ipad[i] = k_block[i] ^ 0x36;
+        opad[i] = k_block[i] ^ 0x5c;
+    }
+
+    memcpy(inner_with_key, ipad, HMAC_BLAKE2S_BLOCK_SIZE);
+    memcpy(inner_with_key + HMAC_BLAKE2S_BLOCK_SIZE, data, datalen);
+    se050_blake2s(inner_hash, HMAC_BLAKE2S_DIGEST_SIZE,
+                  inner_with_key, HMAC_BLAKE2S_BLOCK_SIZE + datalen);
+
+    memcpy(inner_with_key, opad, HMAC_BLAKE2S_BLOCK_SIZE);
+    memcpy(inner_with_key + HMAC_BLAKE2S_BLOCK_SIZE, inner_hash, HMAC_BLAKE2S_DIGEST_SIZE);
+    se050_blake2s(out, HMAC_BLAKE2S_DIGEST_SIZE,
+                  inner_with_key, HMAC_BLAKE2S_BLOCK_SIZE + HMAC_BLAKE2S_DIGEST_SIZE);
+
+    memset(k_block, 0, sizeof(k_block));
+    memset(ipad, 0, sizeof(ipad));
+    memset(opad, 0, sizeof(opad));
+    memset(inner_hash, 0, sizeof(inner_hash));
+    memset(inner_with_key, 0, sizeof(inner_with_key));
+
+    return 0;
+}
+
+int se050_hmac_blake2s_variable(uint8_t *out, size_t outlen,
+                                const uint8_t *key, size_t keylen,
+                                const uint8_t *data, size_t datalen)
+{
+    uint8_t full_digest[HMAC_BLAKE2S_DIGEST_SIZE];
+    int ret;
+
+    if (!out || outlen == 0 || outlen > HMAC_BLAKE2S_DIGEST_SIZE) {
+        return -1;
+    }
+
+    ret = se050_hmac_blake2s(full_digest, key, keylen, data, datalen);
+    if (ret != 0) {
+        return ret;
+    }
+
+    memcpy(out, full_digest, outlen);
+    memset(full_digest, 0, sizeof(full_digest));
+
+    return 0;
+}
@@ -0,0 +1,138 @@
+/**
+ * @file se050_tai64n.c
+ * @brief TAI64N Timestamp Encoding (WireGuard Protocol Layer)
+ */
+
+#define _POSIX_C_SOURCE 199309L
+
+#include "se050_tai64n.h"
+#include <time.h>
+#include <string.h>
+
+static void store64_le(uint8_t *out, uint64_t val)
+{
+    out[0] = (uint8_t)(val);
+    out[1] = (uint8_t)(val >> 8);
+    out[2] = (uint8_t)(val >> 16);
+    out[3] = (uint8_t)(val >> 24);
+    out[4] = (uint8_t)(val >> 32);
+    out[5] = (uint8_t)(val >> 40);
+    out[6] = (uint8_t)(val >> 48);
+    out[7] = (uint8_t)(val >> 56);
+}
+
+static void store32_le(uint8_t *out, uint32_t val)
+{
+    out[0] = (uint8_t)(val);
+    out[1] = (uint8_t)(val >> 8);
+    out[2] = (uint8_t)(val >> 16);
+    out[3] = (uint8_t)(val >> 24);
+}
+
+static uint64_t load64_le(const uint8_t *in)
+{
+    return (uint64_t)in[0] |
+           ((uint64_t)in[1] << 8) |
+           ((uint64_t)in[2] << 16) |
+           ((uint64_t)in[3] << 24) |
+           ((uint64_t)in[4] << 32) |
+           ((uint64_t)in[5] << 40) |
+           ((uint64_t)in[6] << 48) |
+           ((uint64_t)in[7] << 56);
+}
+
+static uint32_t load32_le(const uint8_t *in)
+{
+    return (uint32_t)in[0] |
+           ((uint32_t)in[1] << 8) |
+           ((uint32_t)in[2] << 16) |
+           ((uint32_t)in[3] << 24);
+}
+
+int se050_tai64n_now(uint8_t out[TAI64N_SIZE])
+{
+    struct timespec ts;
+    uint64_t tai64;
+
+    if (!out) {
+        return -1;
+    }
+
+    if (clock_gettime(CLOCK_REALTIME, &ts) != 0) {
+        return -1;
+    }
+
+    tai64 = TAI64_BASE + (uint64_t)ts.tv_sec;
+    store64_le(out, tai64);
+    store32_le(out + 8, ts.tv_nsec);
+
+    return 0;
+}
+
+int se050_tai64n_encode(uint8_t out[TAI64N_SIZE],
+                        uint64_t seconds, uint32_t nanoseconds)
+{
+    uint64_t tai64;
+
+    if (!out || nanoseconds >= 1000000000) {
+        return -1;
+    }
+
+    tai64 = TAI64_BASE + seconds;
+    store64_le(out, tai64);
+    store32_le(out + 8, nanoseconds);
+
+    return 0;
+}
+
+int se050_tai64n_decode(uint64_t *seconds, uint32_t *nanoseconds,
+                        const uint8_t in[TAI64N_SIZE])
+{
+    uint64_t tai64;
+
+    if (!seconds || !nanoseconds || !in) {
+        return -1;
+    }
+
+    tai64 = load64_le(in);
+    *seconds = tai64 - TAI64_BASE;
+    *nanoseconds = load32_le(in + 8);
+
+    return 0;
+}
+
+int se050_tai64n_check_window(const uint8_t timestamp[TAI64N_SIZE],
+                              uint32_t window_sec)
+{
+    uint64_t ts_seconds, now_seconds;
+    uint32_t ts_nanos, now_nanos;
+    int64_t diff;
+
+    if (!timestamp) {
+        return -1;
+    }
+
+    if (se050_tai64n_decode(&ts_seconds, &ts_nanos, timestamp) != 0) {
+        return -1;
+    }
+
+    struct timespec ts;
+    if (clock_gettime(CLOCK_REALTIME, &ts) != 0) {
+        return -1;
+    }
+
+    now_seconds = TAI64_BASE + (uint64_t)ts.tv_sec;
+    now_nanos = (uint32_t)ts.tv_nsec;
+
+    diff = (int64_t)now_seconds - (int64_t)ts_seconds;
+
+    if (diff > (int64_t)window_sec) {
+        return -1;
+    }
+
+    if (diff < -(int64_t)window_sec) {
+        return -2;
+    }
+
+    return 0;
+}