iqyx
diff --git a/‎services/Kconfig
+4 b/‎services/Kconfig
+4
diff --git a/‎services/nbus2/SConscript
+6 b/‎services/nbus2/SConscript
+6
diff --git a/‎services/nbus2/blake2s-siv.c
+124 b/‎services/nbus2/blake2s-siv.c
+124
diff --git a/‎services/nbus2/blake2s-siv.h
+36 b/‎services/nbus2/blake2s-siv.h
+36
diff --git a/‎services/nbus2/halfsiphash.c
+166 b/‎services/nbus2/halfsiphash.c
+166
diff --git a/‎services/nbus2/halfsiphash.h
+22 b/‎services/nbus2/halfsiphash.h
+22
@@ -59,6 +59,10 @@ menu "Low-level platform drivers"
 			bool "NBUS peripheral bus driver for STM32 FDCAN"
 			default n
 
+		config SERVICE_NBUS2
+			bool "NBUS2 protocol MAC"
+			default n
+
 		config SERVICE_NBUS_SWITCH
 			bool "NBUS CAN-FD switch"
 			default n
 
@@ -0,0 +1,6 @@
+Import("env")
+Import("objs")
+Import("conf")
+
+if conf["SERVICE_NBUS2"] == "y":
+	objs.append(env.Object(File(Glob("*.c"))))
@@ -0,0 +1,124 @@
+/* SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Blake2s-SIV implementation
+ *
+ * Copyright (c) 2018-2023, Marek Koza (qyx@krtko.org)
+ * All rights reserved.
+ */
+
+#include <stdint.h>
+#include <stddef.h>
+#include <string.h>
+
+#include <main.h>
+#include <blake2.h>
+
+#include "blake2s-siv.h"
+
+/**
+ * @brief A SIV-mode authenticated encryption based on the Blake2s PRF
+ *
+ * The idea comes from https://web.cs.ucdavis.edu/~rogaway/papers/siv.pdf:
+ * - the input is a key, header and a plaintext
+ * - output of the first phase is a MAC, serving as a SIV (synthetic IV)
+ * - output of the second phase is a ciphertext using a key and the SIV as an IV
+ *
+ * Using the SIV mode in this use case have the advantage of not requiring
+ * keeping a message counter value between reboots. In an embedded device this
+ * could be a significant challenge. We also save some bytes by not requiring
+ * and explicit IV.
+ *
+ * Although the original paper doesn't use Blake2s, we made this change
+ * considering the following:
+ *
+ * - only a single PRF is used to do a key derivation (to get an encryption key Ke
+ *   and a MAC key Km from a single shared key), a MAC (a keyed Blake2s can be
+ *   used as a MAC, even without the HMAC construct) and encryption (Blake2s
+ *   is used in a stream cipher mode where B2S(Ke | counter) is used to generate
+ *   a cipherstream). This reduces code and memory footprint.
+ * - it serves as an "obstruction layer" on layer 2/3. A proper encryption with
+ *   a key exchange is done on higher layers. We may tolerate some fuckups here.
+ * - don't roll your own crypto, huh!
+ *
+ * encryption:
+ *
+ * input key is K, input message is M, ciphertext is C
+ * derive Ke, Km as (Ke | Km) = H(K)
+ * compute a MAC serving as a IV: SIV = H(Km, M)
+ * construct cipherstream as i:0->n, Cs = H(Ke, SIV | (i as a big endian uint32)) | H(..) | H(..)
+ * encrypt C = M^Cs | SIV
+ *
+ * decryption:
+ *
+ * input key is K, ciphertext is C, output message is M
+ * derive Ke, Km as (Ke | Km) = H(K)
+ * construct cipherstream as i:0->n, Cs = H(Ke, SIV | (i as a big endian uint32)) | H(..) | H(..)
+ * split the input Me | SIV = C
+ * decrypt the message M = Me^Cs
+ * validate MAC H(Km, M) == SIV?, return M if matches
+ */
+
+
+void b2s_derive_keys(const uint8_t *key, size_t len, uint8_t ke[B2S_KE_LEN], uint8_t km[B2S_KM_LEN]) {
+	/* No length constraints for the key except it must be non-empty. */
+	u_assert(key != NULL);
+	u_assert(len > 0);
+
+	uint8_t res[B2S_KE_LEN + B2S_KM_LEN] = {0};
+	blake2s(res, B2S_KE_LEN + B2S_KM_LEN, key, len, NULL, 0);
+
+	/* Now split the key. */
+	memcpy(ke, res, B2S_KE_LEN);
+	memcpy(km, res + B2S_KE_LEN, B2S_KM_LEN);
+}
+
+
+void b2s_crypt(uint8_t *buf, size_t len, const uint8_t *siv, size_t siv_len, const uint8_t ke[B2S_KE_LEN]) {
+	u_assert(buf != NULL);
+	u_assert(len > 0);
+	u_assert(siv != NULL);
+	u_assert(siv_len >= 4);
+	u_assert(ke != NULL);
+
+	/* Block counter */
+	uint8_t i = 0;
+	while (len > 0) {
+		/* Generate a BLAKE2S_OUTBYTES of keystream. */
+		uint8_t keystream[BLAKE2S_OUTBYTES] = {0};
+		blake2s_state s;
+		blake2s_init_key(&s, BLAKE2S_OUTBYTES, ke, B2S_KE_LEN);
+		blake2s_update(&s, siv, siv_len);
+		uint8_t b[4] = {0, 0, 0, i};
+		blake2s_update(&s, b, sizeof(b));
+		blake2s_final(&s, keystream, BLAKE2S_OUTBYTES);
+
+		/* Crunch BLAKE2S_OUTBYTES or less in one step. */
+		size_t block_len = len;
+		if (block_len > BLAKE2S_OUTBYTES) {
+			block_len = BLAKE2S_OUTBYTES;
+		}
+		for (size_t j = 0; j < block_len; j++) {
+			buf[j] = buf[j] ^ keystream[j];
+		}
+
+		/* Advance to the next block. */
+		buf += block_len;
+		len -= block_len;
+		i++;
+	}
+	/* Now len = 0 and buf is at the end. */
+}
+
+
+void b2s_siv(const uint8_t *buf, size_t len, uint8_t *siv, size_t siv_len, const uint8_t km[B2S_KM_LEN]) {
+	u_assert(buf != NULL);
+	u_assert(len > 0);
+	u_assert(siv != NULL);
+	u_assert(siv_len >= 4);
+	u_assert(km != NULL);
+
+	blake2s_state s;
+	blake2s_init_key(&s, BLAKE2S_OUTBYTES, km, B2S_KM_LEN);
+	blake2s_update(&s, buf, len);
+	blake2s_final(&s, siv, siv_len);
+}
@@ -0,0 +1,36 @@
+/* SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Blake2s-SIV implementation
+ *
+ * Copyright (c) 2018-2023, Marek Koza (qyx@krtko.org)
+ * All rights reserved.
+ */
+
+#pragma once
+
+#include <stdint.h>
+#include <stddef.h>
+
+#define B2S_KE_LEN 16
+#define B2S_KM_LEN 16
+
+/**
+ * @brief Defive Ke and Km keys from an arbitrary-legnth key
+ */
+void b2s_derive_keys(const uint8_t *key, size_t len, uint8_t ke[B2S_KE_LEN], uint8_t km[B2S_KM_LEN]);
+
+
+/**
+ * @brief Encrypt a message
+ *
+ * The encryption is reversible. This single function can be used bot for
+ * encryption and decryption.
+ */
+void b2s_crypt(uint8_t *buf, size_t len, const uint8_t *siv, size_t siv_len, const uint8_t ke[B2S_KE_LEN]);
+
+
+/**
+ * @brief Produce a message SIV
+ */
+void b2s_siv(const uint8_t *buf, size_t len, uint8_t *siv, size_t siv_len, const uint8_t km[B2S_KM_LEN]);
+
@@ -0,0 +1,166 @@
+
+/*
+   SipHash reference C implementation
+
+   Copyright (c) 2016 Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
+
+   To the extent possible under law, the author(s) have dedicated all copyright
+   and related and neighboring rights to this software to the public domain
+   worldwide. This software is distributed without any warranty.
+
+   You should have received a copy of the CC0 Public Domain Dedication along
+   with
+   this software. If not, see
+   <http://creativecommons.org/publicdomain/zero/1.0/>.
+ */
+#include "halfsiphash.h"
+#include <assert.h>
+#include <stddef.h>
+#include <stdint.h>
+
+/* default: SipHash-2-4 */
+#ifndef cROUNDS
+#define cROUNDS 2
+#endif
+#ifndef dROUNDS
+#define dROUNDS 4
+#endif
+
+#define ROTL(x, b) (uint32_t)(((x) << (b)) | ((x) >> (32 - (b))))
+
+#define U32TO8_LE(p, v)                                                        \
+    (p)[0] = (uint8_t)((v));                                                   \
+    (p)[1] = (uint8_t)((v) >> 8);                                              \
+    (p)[2] = (uint8_t)((v) >> 16);                                             \
+    (p)[3] = (uint8_t)((v) >> 24);
+
+#define U8TO32_LE(p)                                                           \
+    (((uint32_t)((p)[0])) | ((uint32_t)((p)[1]) << 8) |                        \
+     ((uint32_t)((p)[2]) << 16) | ((uint32_t)((p)[3]) << 24))
+
+#define SIPROUND                                                               \
+    do {                                                                       \
+        v0 += v1;                                                              \
+        v1 = ROTL(v1, 5);                                                      \
+        v1 ^= v0;                                                              \
+        v0 = ROTL(v0, 16);                                                     \
+        v2 += v3;                                                              \
+        v3 = ROTL(v3, 8);                                                      \
+        v3 ^= v2;                                                              \
+        v0 += v3;                                                              \
+        v3 = ROTL(v3, 7);                                                      \
+        v3 ^= v0;                                                              \
+        v2 += v1;                                                              \
+        v1 = ROTL(v1, 13);                                                     \
+        v1 ^= v2;                                                              \
+        v2 = ROTL(v2, 16);                                                     \
+    } while (0)
+
+
+#ifdef DEBUG_SIPHASH
+#include <stdio.h>
+
+#define TRACE                                                                  \
+    do {                                                                       \
+        printf("(%3zu) v0 %08" PRIx32 "\n", inlen, v0);                        \
+        printf("(%3zu) v1 %08" PRIx32 "\n", inlen, v1);                        \
+        printf("(%3zu) v2 %08" PRIx32 "\n", inlen, v2);                        \
+        printf("(%3zu) v3 %08" PRIx32 "\n", inlen, v3);                        \
+    } while (0)
+#else
+#define TRACE
+#endif
+
+/*
+    Computes a SipHash value
+    *in: pointer to input data (read-only)
+    inlen: input data length in bytes (any size_t value)
+    *k: pointer to the key data (read-only), must be 8 bytes 
+    *out: pointer to output data (write-only), outlen bytes must be allocated
+    outlen: length of the output in bytes, must be 4 or 8
+*/
+int halfsiphash(const void *in, const size_t inlen, const void *k, uint8_t *out,
+                const size_t outlen) {
+
+    const unsigned char *ni = (const unsigned char *)in;
+    const unsigned char *kk = (const unsigned char *)k;
+
+    assert((outlen == 4) || (outlen == 8));
+    uint32_t v0 = 0;
+    uint32_t v1 = 0;
+    uint32_t v2 = UINT32_C(0x6c796765);
+    uint32_t v3 = UINT32_C(0x74656462);
+    uint32_t k0 = U8TO32_LE(kk);
+    uint32_t k1 = U8TO32_LE(kk + 4);
+    uint32_t m;
+    int i;
+    const unsigned char *end = ni + inlen - (inlen % sizeof(uint32_t));
+    const int left = inlen & 3;
+    uint32_t b = ((uint32_t)inlen) << 24;
+    v3 ^= k1;
+    v2 ^= k0;
+    v1 ^= k1;
+    v0 ^= k0;
+
+    if (outlen == 8)
+        v1 ^= 0xee;
+
+    for (; ni != end; ni += 4) {
+        m = U8TO32_LE(ni);
+        v3 ^= m;
+
+        TRACE;
+        for (i = 0; i < cROUNDS; ++i)
+            SIPROUND;
+
+        v0 ^= m;
+    }
+
+    switch (left) {
+    case 3:
+        b |= ((uint32_t)ni[2]) << 16;
+        /* FALLTHRU */
+    case 2:
+        b |= ((uint32_t)ni[1]) << 8;
+        /* FALLTHRU */
+    case 1:
+        b |= ((uint32_t)ni[0]);
+        break;
+    case 0:
+        break;
+    }
+
+    v3 ^= b;
+
+    TRACE;
+    for (i = 0; i < cROUNDS; ++i)
+        SIPROUND;
+
+    v0 ^= b;
+
+    if (outlen == 8)
+        v2 ^= 0xee;
+    else
+        v2 ^= 0xff;
+
+    TRACE;
+    for (i = 0; i < dROUNDS; ++i)
+        SIPROUND;
+
+    b = v1 ^ v3;
+    U32TO8_LE(out, b);
+
+    if (outlen == 4)
+        return 0;
+
+    v1 ^= 0xdd;
+
+    TRACE;
+    for (i = 0; i < dROUNDS; ++i)
+        SIPROUND;
+
+    b = v1 ^ v3;
+    U32TO8_LE(out + 4, b);
+
+    return 0;
+}
@@ -0,0 +1,22 @@
+/*
+   SipHash reference C implementation
+
+   Copyright (c) 2012-2021 Jean-Philippe Aumasson
+   <jeanphilippe.aumasson@gmail.com>
+   Copyright (c) 2012-2014 Daniel J. Bernstein <djb@cr.yp.to>
+
+   To the extent possible under law, the author(s) have dedicated all copyright
+   and related and neighboring rights to this software to the public domain
+   worldwide. This software is distributed without any warranty.
+
+   You should have received a copy of the CC0 Public Domain Dedication along
+   with
+   this software. If not, see
+   <http://creativecommons.org/publicdomain/zero/1.0/>.
+ */
+
+#include <inttypes.h>
+#include <string.h>
+
+int halfsiphash(const void *in, const size_t inlen, const void *k, uint8_t *out,
+                const size_t outlen);