320 lines
8.0 KiB
Go
320 lines
8.0 KiB
Go
// Copyright 2016 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
// Package blake2b implements the BLAKE2b hash algorithm defined by RFC 7693
|
|
// and the extendable output function (XOF) BLAKE2Xb.
|
|
//
|
|
// For a detailed specification of BLAKE2b see https://blake2.net/blake2.pdf
|
|
// and for BLAKE2Xb see https://blake2.net/blake2x.pdf
|
|
//
|
|
// If you aren't sure which function you need, use BLAKE2b (Sum512 or New512).
|
|
// If you need a secret-key MAC (message authentication code), use the New512
|
|
// function with a non-nil key.
|
|
//
|
|
// BLAKE2X is a construction to compute hash values larger than 64 bytes. It
|
|
// can produce hash values between 0 and 4 GiB.
|
|
package blake2b
|
|
|
|
import (
|
|
"encoding/binary"
|
|
"errors"
|
|
"hash"
|
|
)
|
|
|
|
const (
|
|
// The blocksize of BLAKE2b in bytes.
|
|
BlockSize = 128
|
|
// The hash size of BLAKE2b-512 in bytes.
|
|
Size = 64
|
|
// The hash size of BLAKE2b-384 in bytes.
|
|
Size384 = 48
|
|
// The hash size of BLAKE2b-256 in bytes.
|
|
Size256 = 32
|
|
)
|
|
|
|
var (
|
|
useAVX2 bool
|
|
useAVX bool
|
|
useSSE4 bool
|
|
)
|
|
|
|
var (
|
|
errKeySize = errors.New("blake2b: invalid key size")
|
|
errHashSize = errors.New("blake2b: invalid hash size")
|
|
)
|
|
|
|
var iv = [8]uint64{
|
|
0x6a09e667f3bcc908, 0xbb67ae8584caa73b, 0x3c6ef372fe94f82b, 0xa54ff53a5f1d36f1,
|
|
0x510e527fade682d1, 0x9b05688c2b3e6c1f, 0x1f83d9abfb41bd6b, 0x5be0cd19137e2179,
|
|
}
|
|
|
|
// Sum512 returns the BLAKE2b-512 checksum of the data.
|
|
func Sum512(data []byte) [Size]byte {
|
|
var sum [Size]byte
|
|
checkSum(&sum, Size, data)
|
|
return sum
|
|
}
|
|
|
|
// Sum384 returns the BLAKE2b-384 checksum of the data.
|
|
func Sum384(data []byte) [Size384]byte {
|
|
var sum [Size]byte
|
|
var sum384 [Size384]byte
|
|
checkSum(&sum, Size384, data)
|
|
copy(sum384[:], sum[:Size384])
|
|
return sum384
|
|
}
|
|
|
|
// Sum256 returns the BLAKE2b-256 checksum of the data.
|
|
func Sum256(data []byte) [Size256]byte {
|
|
var sum [Size]byte
|
|
var sum256 [Size256]byte
|
|
checkSum(&sum, Size256, data)
|
|
copy(sum256[:], sum[:Size256])
|
|
return sum256
|
|
}
|
|
|
|
// New512 returns a new hash.Hash computing the BLAKE2b-512 checksum. A non-nil
|
|
// key turns the hash into a MAC. The key must be between zero and 64 bytes long.
|
|
func New512(key []byte) (hash.Hash, error) { return newDigest(Size, key) }
|
|
|
|
// New384 returns a new hash.Hash computing the BLAKE2b-384 checksum. A non-nil
|
|
// key turns the hash into a MAC. The key must be between zero and 64 bytes long.
|
|
func New384(key []byte) (hash.Hash, error) { return newDigest(Size384, key) }
|
|
|
|
// New256 returns a new hash.Hash computing the BLAKE2b-256 checksum. A non-nil
|
|
// key turns the hash into a MAC. The key must be between zero and 64 bytes long.
|
|
func New256(key []byte) (hash.Hash, error) { return newDigest(Size256, key) }
|
|
|
|
// New returns a new hash.Hash computing the BLAKE2b checksum with a custom length.
|
|
// A non-nil key turns the hash into a MAC. The key must be between zero and 64 bytes long.
|
|
// The hash size can be a value between 1 and 64 but it is highly recommended to use
|
|
// values equal or greater than:
|
|
// - 32 if BLAKE2b is used as a hash function (The key is zero bytes long).
|
|
// - 16 if BLAKE2b is used as a MAC function (The key is at least 16 bytes long).
|
|
// When the key is nil, the returned hash.Hash implements BinaryMarshaler
|
|
// and BinaryUnmarshaler for state (de)serialization as documented by hash.Hash.
|
|
func New(size int, key []byte) (hash.Hash, error) { return newDigest(size, key) }
|
|
|
|
// F is a compression function for BLAKE2b. It takes as an argument the state
|
|
// vector `h`, message block vector `m`, offset counter `t`, final block indicator
|
|
// flag `f`, and number of rounds `rounds`. The state vector provided as the first
|
|
// parameter is modified by the function.
|
|
func F(h *[8]uint64, m [16]uint64, c [2]uint64, final bool, rounds uint32) {
|
|
var flag uint64
|
|
if final {
|
|
flag = 0xFFFFFFFFFFFFFFFF
|
|
}
|
|
f(h, &m, c[0], c[1], flag, uint64(rounds))
|
|
}
|
|
|
|
func newDigest(hashSize int, key []byte) (*digest, error) {
|
|
if hashSize < 1 || hashSize > Size {
|
|
return nil, errHashSize
|
|
}
|
|
if len(key) > Size {
|
|
return nil, errKeySize
|
|
}
|
|
d := &digest{
|
|
size: hashSize,
|
|
keyLen: len(key),
|
|
}
|
|
copy(d.key[:], key)
|
|
d.Reset()
|
|
return d, nil
|
|
}
|
|
|
|
func checkSum(sum *[Size]byte, hashSize int, data []byte) {
|
|
h := iv
|
|
h[0] ^= uint64(hashSize) | (1 << 16) | (1 << 24)
|
|
var c [2]uint64
|
|
|
|
if length := len(data); length > BlockSize {
|
|
n := length &^ (BlockSize - 1)
|
|
if length == n {
|
|
n -= BlockSize
|
|
}
|
|
hashBlocks(&h, &c, 0, data[:n])
|
|
data = data[n:]
|
|
}
|
|
|
|
var block [BlockSize]byte
|
|
offset := copy(block[:], data)
|
|
remaining := uint64(BlockSize - offset)
|
|
if c[0] < remaining {
|
|
c[1]--
|
|
}
|
|
c[0] -= remaining
|
|
|
|
hashBlocks(&h, &c, 0xFFFFFFFFFFFFFFFF, block[:])
|
|
|
|
for i, v := range h[:(hashSize+7)/8] {
|
|
binary.LittleEndian.PutUint64(sum[8*i:], v)
|
|
}
|
|
}
|
|
|
|
func hashBlocks(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte) {
|
|
var m [16]uint64
|
|
c0, c1 := c[0], c[1]
|
|
|
|
for i := 0; i < len(blocks); {
|
|
c0 += BlockSize
|
|
if c0 < BlockSize {
|
|
c1++
|
|
}
|
|
for j := range m {
|
|
m[j] = binary.LittleEndian.Uint64(blocks[i:])
|
|
i += 8
|
|
}
|
|
f(h, &m, c0, c1, flag, 12)
|
|
}
|
|
c[0], c[1] = c0, c1
|
|
}
|
|
|
|
type digest struct {
|
|
h [8]uint64
|
|
c [2]uint64
|
|
size int
|
|
block [BlockSize]byte
|
|
offset int
|
|
|
|
key [BlockSize]byte
|
|
keyLen int
|
|
}
|
|
|
|
const (
|
|
magic = "b2b"
|
|
marshaledSize = len(magic) + 8*8 + 2*8 + 1 + BlockSize + 1
|
|
)
|
|
|
|
func (d *digest) MarshalBinary() ([]byte, error) {
|
|
if d.keyLen != 0 {
|
|
return nil, errors.New("crypto/blake2b: cannot marshal MACs")
|
|
}
|
|
b := make([]byte, 0, marshaledSize)
|
|
b = append(b, magic...)
|
|
for i := 0; i < 8; i++ {
|
|
b = appendUint64(b, d.h[i])
|
|
}
|
|
b = appendUint64(b, d.c[0])
|
|
b = appendUint64(b, d.c[1])
|
|
// Maximum value for size is 64
|
|
b = append(b, byte(d.size))
|
|
b = append(b, d.block[:]...)
|
|
b = append(b, byte(d.offset))
|
|
return b, nil
|
|
}
|
|
|
|
func (d *digest) UnmarshalBinary(b []byte) error {
|
|
if len(b) < len(magic) || string(b[:len(magic)]) != magic {
|
|
return errors.New("crypto/blake2b: invalid hash state identifier")
|
|
}
|
|
if len(b) != marshaledSize {
|
|
return errors.New("crypto/blake2b: invalid hash state size")
|
|
}
|
|
b = b[len(magic):]
|
|
for i := 0; i < 8; i++ {
|
|
b, d.h[i] = consumeUint64(b)
|
|
}
|
|
b, d.c[0] = consumeUint64(b)
|
|
b, d.c[1] = consumeUint64(b)
|
|
d.size = int(b[0])
|
|
b = b[1:]
|
|
copy(d.block[:], b[:BlockSize])
|
|
b = b[BlockSize:]
|
|
d.offset = int(b[0])
|
|
return nil
|
|
}
|
|
|
|
func (d *digest) BlockSize() int { return BlockSize }
|
|
|
|
func (d *digest) Size() int { return d.size }
|
|
|
|
func (d *digest) Reset() {
|
|
d.h = iv
|
|
d.h[0] ^= uint64(d.size) | (uint64(d.keyLen) << 8) | (1 << 16) | (1 << 24)
|
|
d.offset, d.c[0], d.c[1] = 0, 0, 0
|
|
if d.keyLen > 0 {
|
|
d.block = d.key
|
|
d.offset = BlockSize
|
|
}
|
|
}
|
|
|
|
func (d *digest) Write(p []byte) (n int, err error) {
|
|
n = len(p)
|
|
|
|
if d.offset > 0 {
|
|
remaining := BlockSize - d.offset
|
|
if n <= remaining {
|
|
d.offset += copy(d.block[d.offset:], p)
|
|
return
|
|
}
|
|
copy(d.block[d.offset:], p[:remaining])
|
|
hashBlocks(&d.h, &d.c, 0, d.block[:])
|
|
d.offset = 0
|
|
p = p[remaining:]
|
|
}
|
|
|
|
if length := len(p); length > BlockSize {
|
|
nn := length &^ (BlockSize - 1)
|
|
if length == nn {
|
|
nn -= BlockSize
|
|
}
|
|
hashBlocks(&d.h, &d.c, 0, p[:nn])
|
|
p = p[nn:]
|
|
}
|
|
|
|
if len(p) > 0 {
|
|
d.offset += copy(d.block[:], p)
|
|
}
|
|
|
|
return
|
|
}
|
|
|
|
func (d *digest) Sum(sum []byte) []byte {
|
|
var hash [Size]byte
|
|
d.finalize(&hash)
|
|
return append(sum, hash[:d.size]...)
|
|
}
|
|
|
|
func (d *digest) finalize(hash *[Size]byte) {
|
|
var block [BlockSize]byte
|
|
copy(block[:], d.block[:d.offset])
|
|
remaining := uint64(BlockSize - d.offset)
|
|
|
|
c := d.c
|
|
if c[0] < remaining {
|
|
c[1]--
|
|
}
|
|
c[0] -= remaining
|
|
|
|
h := d.h
|
|
hashBlocks(&h, &c, 0xFFFFFFFFFFFFFFFF, block[:])
|
|
|
|
for i, v := range h {
|
|
binary.LittleEndian.PutUint64(hash[8*i:], v)
|
|
}
|
|
}
|
|
|
|
func appendUint64(b []byte, x uint64) []byte {
|
|
var a [8]byte
|
|
binary.BigEndian.PutUint64(a[:], x)
|
|
return append(b, a[:]...)
|
|
}
|
|
|
|
func appendUint32(b []byte, x uint32) []byte {
|
|
var a [4]byte
|
|
binary.BigEndian.PutUint32(a[:], x)
|
|
return append(b, a[:]...)
|
|
}
|
|
|
|
func consumeUint64(b []byte) ([]byte, uint64) {
|
|
x := binary.BigEndian.Uint64(b)
|
|
return b[8:], x
|
|
}
|
|
|
|
func consumeUint32(b []byte) ([]byte, uint32) {
|
|
x := binary.BigEndian.Uint32(b)
|
|
return b[4:], x
|
|
}
|