// Copyright 2016 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. // Package blake2s implements the BLAKE2s hash algorithm defined by RFC 7693 // and the extendable output function (XOF) BLAKE2Xs. // // BLAKE2s is optimized for 8- to 32-bit platforms and produces digests of any // size between 1 and 32 bytes. // For a detailed specification of BLAKE2s see https://blake2.net/blake2.pdf // and for BLAKE2Xs see https://blake2.net/blake2x.pdf // // If you aren't sure which function you need, use BLAKE2s (Sum256 or New256). // If you need a secret-key MAC (message authentication code), use the New256 // function with a non-nil key. // // BLAKE2X is a construction to compute hash values larger than 32 bytes. It // can produce hash values between 0 and 65535 bytes. package blake2s import ( "crypto" "encoding/binary" "errors" "hash" ) const ( // The blocksize of BLAKE2s in bytes. BlockSize = 64 // The hash size of BLAKE2s-256 in bytes. Size = 32 // The hash size of BLAKE2s-128 in bytes. Size128 = 16 ) var errKeySize = errors.New("blake2s: invalid key size") var iv = [8]uint32{ 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19, } // Sum256 returns the BLAKE2s-256 checksum of the data. func Sum256(data []byte) [Size]byte { var sum [Size]byte checkSum(&sum, Size, data) return sum } // New256 returns a new hash.Hash computing the BLAKE2s-256 checksum. A non-nil // key turns the hash into a MAC. The key must between zero and 32 bytes long. // When the key is nil, the returned hash.Hash implements BinaryMarshaler // and BinaryUnmarshaler for state (de)serialization as documented by hash.Hash. func New256(key []byte) (hash.Hash, error) { return newDigest(Size, key) } func init() { crypto.RegisterHash(crypto.BLAKE2s_256, func() hash.Hash { h, _ := New256(nil) return h }) } // New128 returns a new hash.Hash computing the BLAKE2s-128 checksum given a // non-empty key. Note that a 128-bit digest is too small to be secure as a // cryptographic hash and should only be used as a MAC, thus the key argument // is not optional. func New128(key []byte) (hash.Hash, error) { if len(key) == 0 { return nil, errors.New("blake2s: a key is required for a 128-bit hash") } return newDigest(Size128, key) } func newDigest(hashSize int, key []byte) (*digest, error) { if len(key) > Size { return nil, errKeySize } d := &digest{ size: hashSize, keyLen: len(key), } copy(d.key[:], key) d.Reset() return d, nil } func checkSum(sum *[Size]byte, hashSize int, data []byte) { var ( h [8]uint32 c [2]uint32 ) h = iv h[0] ^= uint32(hashSize) | (1 << 16) | (1 << 24) if length := len(data); length > BlockSize { n := length &^ (BlockSize - 1) if length == n { n -= BlockSize } hashBlocks(&h, &c, 0, data[:n]) data = data[n:] } var block [BlockSize]byte offset := copy(block[:], data) remaining := uint32(BlockSize - offset) if c[0] < remaining { c[1]-- } c[0] -= remaining hashBlocks(&h, &c, 0xFFFFFFFF, block[:]) for i, v := range h { binary.LittleEndian.PutUint32(sum[4*i:], v) } } type digest struct { h [8]uint32 c [2]uint32 size int block [BlockSize]byte offset int key [BlockSize]byte keyLen int } const ( magic = "b2s" marshaledSize = len(magic) + 8*4 + 2*4 + 1 + BlockSize + 1 ) func (d *digest) MarshalBinary() ([]byte, error) { if d.keyLen != 0 { return nil, errors.New("crypto/blake2s: cannot marshal MACs") } b := make([]byte, 0, marshaledSize) b = append(b, magic...) for i := 0; i < 8; i++ { b = appendUint32(b, d.h[i]) } b = appendUint32(b, d.c[0]) b = appendUint32(b, d.c[1]) // Maximum value for size is 32 b = append(b, byte(d.size)) b = append(b, d.block[:]...) b = append(b, byte(d.offset)) return b, nil } func (d *digest) UnmarshalBinary(b []byte) error { if len(b) < len(magic) || string(b[:len(magic)]) != magic { return errors.New("crypto/blake2s: invalid hash state identifier") } if len(b) != marshaledSize { return errors.New("crypto/blake2s: invalid hash state size") } b = b[len(magic):] for i := 0; i < 8; i++ { b, d.h[i] = consumeUint32(b) } b, d.c[0] = consumeUint32(b) b, d.c[1] = consumeUint32(b) d.size = int(b[0]) b = b[1:] copy(d.block[:], b[:BlockSize]) b = b[BlockSize:] d.offset = int(b[0]) return nil } func (d *digest) BlockSize() int { return BlockSize } func (d *digest) Size() int { return d.size } func (d *digest) Reset() { d.h = iv d.h[0] ^= uint32(d.size) | (uint32(d.keyLen) << 8) | (1 << 16) | (1 << 24) d.offset, d.c[0], d.c[1] = 0, 0, 0 if d.keyLen > 0 { d.block = d.key d.offset = BlockSize } } func (d *digest) Write(p []byte) (n int, err error) { n = len(p) if d.offset > 0 { remaining := BlockSize - d.offset if n <= remaining { d.offset += copy(d.block[d.offset:], p) return } copy(d.block[d.offset:], p[:remaining]) hashBlocks(&d.h, &d.c, 0, d.block[:]) d.offset = 0 p = p[remaining:] } if length := len(p); length > BlockSize { nn := length &^ (BlockSize - 1) if length == nn { nn -= BlockSize } hashBlocks(&d.h, &d.c, 0, p[:nn]) p = p[nn:] } d.offset += copy(d.block[:], p) return } func (d *digest) Sum(sum []byte) []byte { var hash [Size]byte d.finalize(&hash) return append(sum, hash[:d.size]...) } func (d *digest) finalize(hash *[Size]byte) { var block [BlockSize]byte h := d.h c := d.c copy(block[:], d.block[:d.offset]) remaining := uint32(BlockSize - d.offset) if c[0] < remaining { c[1]-- } c[0] -= remaining hashBlocks(&h, &c, 0xFFFFFFFF, block[:]) for i, v := range h { binary.LittleEndian.PutUint32(hash[4*i:], v) } } func appendUint32(b []byte, x uint32) []byte { var a [4]byte binary.BigEndian.PutUint32(a[:], x) return append(b, a[:]...) } func consumeUint32(b []byte) ([]byte, uint32) { x := binary.BigEndian.Uint32(b) return b[4:], x }