1 // Copyright 2016 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
5 // Package blake2s implements the BLAKE2s hash algorithm defined by RFC 7693
6 // and the extendable output function (XOF) BLAKE2Xs.
8 // For a detailed specification of BLAKE2s see https://blake2.net/blake2.pdf
9 // and for BLAKE2Xs see https://blake2.net/blake2x.pdf
11 // If you aren't sure which function you need, use BLAKE2s (Sum256 or New256).
12 // If you need a secret-key MAC (message authentication code), use the New256
13 // function with a non-nil key.
15 // BLAKE2X is a construction to compute hash values larger than 32 bytes. It
16 // can produce hash values between 0 and 65535 bytes.
17 package blake2s // import "golang.org/x/crypto/blake2s"
26 // The blocksize of BLAKE2s in bytes.
29 // The hash size of BLAKE2s-256 in bytes.
32 // The hash size of BLAKE2s-128 in bytes.
36 var errKeySize = errors.New("blake2s: invalid key size")
39 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
40 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19,
43 // Sum256 returns the BLAKE2s-256 checksum of the data.
44 func Sum256(data []byte) [Size]byte {
46 checkSum(&sum, Size, data)
50 // New256 returns a new hash.Hash computing the BLAKE2s-256 checksum. A non-nil
51 // key turns the hash into a MAC. The key must between zero and 32 bytes long.
52 // When the key is nil, the returned hash.Hash implements BinaryMarshaler
53 // and BinaryUnmarshaler for state (de)serialization as documented by hash.Hash.
54 func New256(key []byte) (hash.Hash, error) { return newDigest(Size, key) }
56 // New128 returns a new hash.Hash computing the BLAKE2s-128 checksum given a
57 // non-empty key. Note that a 128-bit digest is too small to be secure as a
58 // cryptographic hash and should only be used as a MAC, thus the key argument
60 func New128(key []byte) (hash.Hash, error) {
62 return nil, errors.New("blake2s: a key is required for a 128-bit hash")
64 return newDigest(Size128, key)
67 func newDigest(hashSize int, key []byte) (*digest, error) {
69 return nil, errKeySize
80 func checkSum(sum *[Size]byte, hashSize int, data []byte) {
87 h[0] ^= uint32(hashSize) | (1 << 16) | (1 << 24)
89 if length := len(data); length > BlockSize {
90 n := length &^ (BlockSize - 1)
94 hashBlocks(&h, &c, 0, data[:n])
98 var block [BlockSize]byte
99 offset := copy(block[:], data)
100 remaining := uint32(BlockSize - offset)
102 if c[0] < remaining {
107 hashBlocks(&h, &c, 0xFFFFFFFF, block[:])
109 for i, v := range h {
110 binary.LittleEndian.PutUint32(sum[4*i:], v)
118 block [BlockSize]byte
127 marshaledSize = len(magic) + 8*4 + 2*4 + 1 + BlockSize + 1
130 func (d *digest) MarshalBinary() ([]byte, error) {
132 return nil, errors.New("crypto/blake2s: cannot marshal MACs")
134 b := make([]byte, 0, marshaledSize)
135 b = append(b, magic...)
136 for i := 0; i < 8; i++ {
137 b = appendUint32(b, d.h[i])
139 b = appendUint32(b, d.c[0])
140 b = appendUint32(b, d.c[1])
141 // Maximum value for size is 32
142 b = append(b, byte(d.size))
143 b = append(b, d.block[:]...)
144 b = append(b, byte(d.offset))
148 func (d *digest) UnmarshalBinary(b []byte) error {
149 if len(b) < len(magic) || string(b[:len(magic)]) != magic {
150 return errors.New("crypto/blake2s: invalid hash state identifier")
152 if len(b) != marshaledSize {
153 return errors.New("crypto/blake2s: invalid hash state size")
156 for i := 0; i < 8; i++ {
157 b, d.h[i] = consumeUint32(b)
159 b, d.c[0] = consumeUint32(b)
160 b, d.c[1] = consumeUint32(b)
163 copy(d.block[:], b[:BlockSize])
169 func (d *digest) BlockSize() int { return BlockSize }
171 func (d *digest) Size() int { return d.size }
173 func (d *digest) Reset() {
175 d.h[0] ^= uint32(d.size) | (uint32(d.keyLen) << 8) | (1 << 16) | (1 << 24)
176 d.offset, d.c[0], d.c[1] = 0, 0, 0
183 func (d *digest) Write(p []byte) (n int, err error) {
187 remaining := BlockSize - d.offset
189 d.offset += copy(d.block[d.offset:], p)
192 copy(d.block[d.offset:], p[:remaining])
193 hashBlocks(&d.h, &d.c, 0, d.block[:])
198 if length := len(p); length > BlockSize {
199 nn := length &^ (BlockSize - 1)
203 hashBlocks(&d.h, &d.c, 0, p[:nn])
207 d.offset += copy(d.block[:], p)
211 func (d *digest) Sum(sum []byte) []byte {
214 return append(sum, hash[:d.size]...)
217 func (d *digest) finalize(hash *[Size]byte) {
218 var block [BlockSize]byte
222 copy(block[:], d.block[:d.offset])
223 remaining := uint32(BlockSize - d.offset)
224 if c[0] < remaining {
229 hashBlocks(&h, &c, 0xFFFFFFFF, block[:])
230 for i, v := range h {
231 binary.LittleEndian.PutUint32(hash[4*i:], v)
235 func appendUint32(b []byte, x uint32) []byte {
237 binary.BigEndian.PutUint32(a[:], x)
238 return append(b, a[:]...)
241 func consumeUint32(b []byte) ([]byte, uint32) {
242 x := binary.BigEndian.Uint32(b)