Merge branch 'use-blake2s' into 'master'

Use BLAKE2s for hashing, key derivation and signatures

SHA-256 is still used for password-based key derivation (will be replaced with Argon2) and Fortuna.

See merge request !47

briar-core/src/org/briarproject/crypto/CryptoComponentImpl.java

@@ -20,14 +20,11 @@ import org.spongycastle.crypto.AsymmetricCipherKeyPair;
 import org.spongycastle.crypto.BlockCipher;
 import org.spongycastle.crypto.CipherParameters;
 import org.spongycastle.crypto.Digest;
-import org.spongycastle.crypto.Mac;
 import org.spongycastle.crypto.agreement.ECDHCBasicAgreement;
-import org.spongycastle.crypto.digests.Blake2bDigest;
 import org.spongycastle.crypto.digests.SHA256Digest;
 import org.spongycastle.crypto.engines.AESLightEngine;
 import org.spongycastle.crypto.generators.ECKeyPairGenerator;
 import org.spongycastle.crypto.generators.PKCS5S2ParametersGenerator;
-import org.spongycastle.crypto.macs.HMac;
 import org.spongycastle.crypto.params.ECKeyGenerationParameters;
 import org.spongycastle.crypto.params.ECPrivateKeyParameters;
 import org.spongycastle.crypto.params.ECPublicKeyParameters;
@@ -123,7 +120,7 @@ class CryptoComponentImpl implements CryptoComponent {
 	}
 
 	public MessageDigest getMessageDigest() {
-		return new DoubleDigest(new SHA256Digest());
+		return new DigestWrapper(new Blake2sDigest());
 	}
 
 	public PseudoRandom getPseudoRandom(int seed1, int seed2) {
@@ -390,7 +387,7 @@ class CryptoComponentImpl implements CryptoComponent {
 	// Key derivation function based on a hash function - see NIST SP 800-56A,
 	// section 5.8
 	private byte[] hashKdf(byte[]... inputs) {
-		Digest digest = new Blake2bDigest();
+		Digest digest = new Blake2sDigest();
 		// The output of the hash function must be long enough to use as a key
 		int hashLength = digest.getDigestSize();
 		if (hashLength < SecretKey.LENGTH) throw new IllegalStateException();
@@ -414,10 +411,9 @@ class CryptoComponentImpl implements CryptoComponent {
 	// NIST SP 800-108, section 5.1
 	private byte[] macKdf(SecretKey key, byte[]... inputs) {
 		// Initialise the PRF
-		Mac prf = new HMac(new Blake2bDigest());
+		Digest prf = new Blake2sDigest(key.getBytes());
-		prf.init(new KeyParameter(key.getBytes()));
 		// The output of the PRF must be long enough to use as a key
-		int macLength = prf.getMacSize();
+		int macLength = prf.getDigestSize();
 		if (macLength < SecretKey.LENGTH) throw new IllegalStateException();
 		// Calculate the PRF over the concatenated length-prefixed inputs
 		byte[] length = new byte[4];

briar-core/src/org/briarproject/crypto/DigestWrapper.java

@@ -0,0 +1,59 @@
+package org.briarproject.crypto;
+
+import org.briarproject.api.crypto.MessageDigest;
+import org.spongycastle.crypto.Digest;
+
+class DigestWrapper implements MessageDigest {
+
+	private final Digest digest;
+
+	DigestWrapper(Digest digest) {
+		this.digest = digest;
+	}
+
+	@Override
+	public byte[] digest() {
+		byte[] hash = new byte[digest.getDigestSize()];
+		digest.doFinal(hash, 0);
+		return hash;
+	}
+
+	@Override
+	public byte[] digest(byte[] input) {
+		update(input);
+		return digest();
+	}
+
+	@Override
+	public int digest(byte[] buf, int offset, int len) {
+		byte[] hash = digest();
+		len = Math.min(len, hash.length);
+		System.arraycopy(hash, 0, buf, offset, len);
+		return len;
+	}
+
+	@Override
+	public int getDigestLength() {
+		return digest.getDigestSize();
+	}
+
+	@Override
+	public void reset() {
+		digest.reset();
+	}
+
+	@Override
+	public void update(byte input) {
+		digest.update(input);
+	}
+
+	@Override
+	public void update(byte[] input) {
+		digest.update(input, 0, input.length);
+	}
+
+	@Override
+	public void update(byte[] input, int offset, int len) {
+		digest.update(input, offset, len);
+	}
+}

briar-core/src/org/briarproject/crypto/SignatureImpl.java

@@ -1,16 +1,9 @@
 package org.briarproject.crypto;
 
-import static java.util.logging.Level.INFO;
-
-import java.security.GeneralSecurityException;
-import java.security.SecureRandom;
-import java.util.logging.Logger;
-
 import org.briarproject.api.crypto.PrivateKey;
 import org.briarproject.api.crypto.PublicKey;
 import org.briarproject.api.crypto.Signature;
 import org.spongycastle.crypto.Digest;
-import org.spongycastle.crypto.digests.SHA256Digest;
 import org.spongycastle.crypto.params.ECPrivateKeyParameters;
 import org.spongycastle.crypto.params.ECPublicKeyParameters;
 import org.spongycastle.crypto.params.ParametersWithRandom;
@@ -19,6 +12,12 @@ import org.spongycastle.crypto.signers.DSAKCalculator;
 import org.spongycastle.crypto.signers.ECDSASigner;
 import org.spongycastle.crypto.signers.HMacDSAKCalculator;
 
+import java.security.GeneralSecurityException;
+import java.security.SecureRandom;
+import java.util.logging.Logger;
+
+import static java.util.logging.Level.INFO;
+
 class SignatureImpl implements Signature {
 
 	private static final Logger LOG =
@@ -29,7 +28,7 @@ class SignatureImpl implements Signature {
 
 	SignatureImpl(SecureRandom secureRandom) {
 		this.secureRandom = secureRandom;
-		Digest digest = new SHA256Digest();
+		Digest digest = new Blake2sDigest();
 		DSAKCalculator calculator = new HMacDSAKCalculator(digest);
 		signer = new DSADigestSigner(new ECDSASigner(calculator), digest);
 	}

briar-tests/src/org/briarproject/crypto/EllipticCurvePerformanceTest.java

@@ -6,7 +6,6 @@ import org.spongycastle.asn1.x9.X9ECParameters;
 import org.spongycastle.crypto.AsymmetricCipherKeyPair;
 import org.spongycastle.crypto.Digest;
 import org.spongycastle.crypto.agreement.ECDHCBasicAgreement;
-import org.spongycastle.crypto.digests.SHA256Digest;
 import org.spongycastle.crypto.generators.ECKeyPairGenerator;
 import org.spongycastle.crypto.params.ECDomainParameters;
 import org.spongycastle.crypto.params.ECKeyGenerationParameters;
@@ -83,7 +82,7 @@ public class EllipticCurvePerformanceTest {
 		List<byte[]> signatures = new ArrayList<byte[]>();
 		samples.clear();
 		for (int i = 0; i < SAMPLES; i++) {
-			Digest digest = new SHA256Digest();
+			Digest digest = new Blake2sDigest();
 			DSAKCalculator calculator = new HMacDSAKCalculator(digest);
 			DSADigestSigner signer = new DSADigestSigner(new ECDSASigner(
 					calculator), digest);
@@ -97,7 +96,7 @@ public class EllipticCurvePerformanceTest {
 		// Time some signature verifications
 		samples.clear();
 		for (int i = 0; i < SAMPLES; i++) {
-			Digest digest = new SHA256Digest();
+			Digest digest = new Blake2sDigest();
 			DSAKCalculator calculator = new HMacDSAKCalculator(digest);
 			DSADigestSigner signer = new DSADigestSigner(new ECDSASigner(
 					calculator), digest);