Emil Bay
7 years ago
3 changed files with 358 additions and 1 deletions
@ -0,0 +1,269 @@ |
|||
var assert = require('assert') |
|||
|
|||
// 64-bit unsigned addition
|
|||
// Sets v[a,a+1] += v[b,b+1]
|
|||
// v should be a Uint32Array
|
|||
function ADD64AA (v, a, b) { |
|||
var o0 = v[a] + v[b] |
|||
var o1 = v[a + 1] + v[b + 1] |
|||
if (o0 >= 0x100000000) { |
|||
o1++ |
|||
} |
|||
v[a] = o0 |
|||
v[a + 1] = o1 |
|||
} |
|||
|
|||
// 64-bit unsigned addition
|
|||
// Sets v[a,a+1] += b
|
|||
// b0 is the low 32 bits of b, b1 represents the high 32 bits
|
|||
function ADD64AC (v, a, b0, b1) { |
|||
var o0 = v[a] + b0 |
|||
if (b0 < 0) { |
|||
o0 += 0x100000000 |
|||
} |
|||
var o1 = v[a + 1] + b1 |
|||
if (o0 >= 0x100000000) { |
|||
o1++ |
|||
} |
|||
v[a] = o0 |
|||
v[a + 1] = o1 |
|||
} |
|||
|
|||
// Little-endian byte access
|
|||
function B2B_GET32 (arr, i) { |
|||
return (arr[i] ^ |
|||
(arr[i + 1] << 8) ^ |
|||
(arr[i + 2] << 16) ^ |
|||
(arr[i + 3] << 24)) |
|||
} |
|||
|
|||
// G Mixing function
|
|||
// The ROTRs are inlined for speed
|
|||
function B2B_G (a, b, c, d, ix, iy) { |
|||
var x0 = m[ix] |
|||
var x1 = m[ix + 1] |
|||
var y0 = m[iy] |
|||
var y1 = m[iy + 1] |
|||
|
|||
ADD64AA(v, a, b) // v[a,a+1] += v[b,b+1] ... in JS we must store a uint64 as two uint32s
|
|||
ADD64AC(v, a, x0, x1) // v[a, a+1] += x ... x0 is the low 32 bits of x, x1 is the high 32 bits
|
|||
|
|||
// v[d,d+1] = (v[d,d+1] xor v[a,a+1]) rotated to the right by 32 bits
|
|||
var xor0 = v[d] ^ v[a] |
|||
var xor1 = v[d + 1] ^ v[a + 1] |
|||
v[d] = xor1 |
|||
v[d + 1] = xor0 |
|||
|
|||
ADD64AA(v, c, d) |
|||
|
|||
// v[b,b+1] = (v[b,b+1] xor v[c,c+1]) rotated right by 24 bits
|
|||
xor0 = v[b] ^ v[c] |
|||
xor1 = v[b + 1] ^ v[c + 1] |
|||
v[b] = (xor0 >>> 24) ^ (xor1 << 8) |
|||
v[b + 1] = (xor1 >>> 24) ^ (xor0 << 8) |
|||
|
|||
ADD64AA(v, a, b) |
|||
ADD64AC(v, a, y0, y1) |
|||
|
|||
// v[d,d+1] = (v[d,d+1] xor v[a,a+1]) rotated right by 16 bits
|
|||
xor0 = v[d] ^ v[a] |
|||
xor1 = v[d + 1] ^ v[a + 1] |
|||
v[d] = (xor0 >>> 16) ^ (xor1 << 16) |
|||
v[d + 1] = (xor1 >>> 16) ^ (xor0 << 16) |
|||
|
|||
ADD64AA(v, c, d) |
|||
|
|||
// v[b,b+1] = (v[b,b+1] xor v[c,c+1]) rotated right by 63 bits
|
|||
xor0 = v[b] ^ v[c] |
|||
xor1 = v[b + 1] ^ v[c + 1] |
|||
v[b] = (xor1 >>> 31) ^ (xor0 << 1) |
|||
v[b + 1] = (xor0 >>> 31) ^ (xor1 << 1) |
|||
} |
|||
|
|||
// Initialization Vector
|
|||
var BLAKE2B_IV32 = new Uint32Array([ |
|||
0xF3BCC908, 0x6A09E667, 0x84CAA73B, 0xBB67AE85, |
|||
0xFE94F82B, 0x3C6EF372, 0x5F1D36F1, 0xA54FF53A, |
|||
0xADE682D1, 0x510E527F, 0x2B3E6C1F, 0x9B05688C, |
|||
0xFB41BD6B, 0x1F83D9AB, 0x137E2179, 0x5BE0CD19 |
|||
]) |
|||
|
|||
var SIGMA8 = [ |
|||
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, |
|||
14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3, |
|||
11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4, |
|||
7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8, |
|||
9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13, |
|||
2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9, |
|||
12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11, |
|||
13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10, |
|||
6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5, |
|||
10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0, |
|||
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, |
|||
14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 |
|||
] |
|||
|
|||
// These are offsets into a uint64 buffer.
|
|||
// Multiply them all by 2 to make them offsets into a uint32 buffer,
|
|||
// because this is Javascript and we don't have uint64s
|
|||
var SIGMA82 = new Uint8Array(SIGMA8.map(function (x) { return x * 2 })) |
|||
|
|||
// Compression function. 'last' flag indicates last block.
|
|||
// Note we're representing 16 uint64s as 32 uint32s
|
|||
var v = new Uint32Array(32) |
|||
var m = new Uint32Array(32) |
|||
function blake2bCompress (ctx, last) { |
|||
var i = 0 |
|||
|
|||
// init work variables
|
|||
for (i = 0; i < 16; i++) { |
|||
v[i] = ctx.h[i] |
|||
v[i + 16] = BLAKE2B_IV32[i] |
|||
} |
|||
|
|||
// low 64 bits of offset
|
|||
v[24] = v[24] ^ ctx.t |
|||
v[25] = v[25] ^ (ctx.t / 0x100000000) |
|||
// high 64 bits not supported, offset may not be higher than 2**53-1
|
|||
|
|||
// last block flag set ?
|
|||
if (last) { |
|||
v[28] = ~v[28] |
|||
v[29] = ~v[29] |
|||
} |
|||
|
|||
// get little-endian words
|
|||
for (i = 0; i < 32; i++) { |
|||
m[i] = B2B_GET32(ctx.b, 4 * i) |
|||
} |
|||
|
|||
// twelve rounds of mixing
|
|||
for (i = 0; i < 12; i++) { |
|||
B2B_G(0, 8, 16, 24, SIGMA82[i * 16 + 0], SIGMA82[i * 16 + 1]) |
|||
B2B_G(2, 10, 18, 26, SIGMA82[i * 16 + 2], SIGMA82[i * 16 + 3]) |
|||
B2B_G(4, 12, 20, 28, SIGMA82[i * 16 + 4], SIGMA82[i * 16 + 5]) |
|||
B2B_G(6, 14, 22, 30, SIGMA82[i * 16 + 6], SIGMA82[i * 16 + 7]) |
|||
B2B_G(0, 10, 20, 30, SIGMA82[i * 16 + 8], SIGMA82[i * 16 + 9]) |
|||
B2B_G(2, 12, 22, 24, SIGMA82[i * 16 + 10], SIGMA82[i * 16 + 11]) |
|||
B2B_G(4, 14, 16, 26, SIGMA82[i * 16 + 12], SIGMA82[i * 16 + 13]) |
|||
B2B_G(6, 8, 18, 28, SIGMA82[i * 16 + 14], SIGMA82[i * 16 + 15]) |
|||
} |
|||
|
|||
for (i = 0; i < 16; i++) { |
|||
ctx.h[i] = ctx.h[i] ^ v[i] ^ v[i + 16] |
|||
} |
|||
} |
|||
|
|||
// reusable parameter_block
|
|||
var parameter_block = new Uint8Array([ |
|||
0, 0, 0, 0, // 0: outlen, keylen, fanout, depth
|
|||
0, 0, 0, 0, // 4: leaf length, sequential mode
|
|||
0, 0, 0, 0, // 8: node offset
|
|||
0, 0, 0, 0, // 12: node offset
|
|||
0, 0, 0, 0, // 16: node depth, inner length, rfu
|
|||
0, 0, 0, 0, // 20: rfu
|
|||
0, 0, 0, 0, // 24: rfu
|
|||
0, 0, 0, 0, // 28: rfu
|
|||
0, 0, 0, 0, // 32: salt
|
|||
0, 0, 0, 0, // 36: salt
|
|||
0, 0, 0, 0, // 40: salt
|
|||
0, 0, 0, 0, // 44: salt
|
|||
0, 0, 0, 0, // 48: personal
|
|||
0, 0, 0, 0, // 52: personal
|
|||
0, 0, 0, 0, // 56: personal
|
|||
0, 0, 0, 0 // 60: personal
|
|||
]) |
|||
|
|||
// Creates a BLAKE2b hashing context
|
|||
// Requires an output length between 1 and 64 bytes
|
|||
// Takes an optional Uint8Array key
|
|||
function blake2bInit (outlen, key, salt, personal) { |
|||
// zero out parameter_block before usage
|
|||
parameter_block.fill(0) |
|||
// state, 'param block'
|
|||
var ctx = { |
|||
b: new Uint8Array(128), |
|||
h: new Uint32Array(16), |
|||
t: 0, // input count
|
|||
c: 0, // pointer within buffer
|
|||
outlen: outlen // output length in bytes
|
|||
} |
|||
|
|||
parameter_block[0] = outlen |
|||
if (key) parameter_block[1] = key.length |
|||
parameter_block[2] = 1 // fanout
|
|||
parameter_block[3] = 1 // depth
|
|||
|
|||
if (salt) parameter_block.set(salt, 32) |
|||
if (personal) parameter_block.set(personal, 48) |
|||
|
|||
// initialize hash state
|
|||
for (var i = 0; i < 16; i++) { |
|||
ctx.h[i] = BLAKE2B_IV32[i] ^ B2B_GET32(parameter_block, i * 4) |
|||
} |
|||
|
|||
// key the hash, if applicable
|
|||
if (key) { |
|||
blake2bUpdate(ctx, key) |
|||
// at the end
|
|||
ctx.c = 128 |
|||
} |
|||
|
|||
return ctx |
|||
} |
|||
|
|||
// Updates a BLAKE2b streaming hash
|
|||
// Requires hash context and Uint8Array (byte array)
|
|||
function blake2bUpdate (ctx, input) { |
|||
for (var i = 0; i < input.length; i++) { |
|||
if (ctx.c === 128) { // buffer full ?
|
|||
ctx.t += ctx.c // add counters
|
|||
blake2bCompress(ctx, false) // compress (not last)
|
|||
ctx.c = 0 // counter to zero
|
|||
} |
|||
ctx.b[ctx.c++] = input[i] |
|||
} |
|||
} |
|||
|
|||
// Completes a BLAKE2b streaming hash
|
|||
// Returns a Uint8Array containing the message digest
|
|||
function blake2bFinal (out, ctx) { |
|||
ctx.t += ctx.c // mark last block offset
|
|||
|
|||
while (ctx.c < 128) { // fill up with zeros
|
|||
ctx.b[ctx.c++] = 0 |
|||
} |
|||
blake2bCompress(ctx, true) // final block flag = 1
|
|||
|
|||
for (var i = 0; i < ctx.outlen; i++) { |
|||
out[i] = ctx.h[i >> 2] >> (8 * (i & 3)) |
|||
} |
|||
return out |
|||
} |
|||
|
|||
module.exports = function blake2b (out, input, key, salt, personal, noAssert) { |
|||
if (noAssert !== true) { |
|||
assert(out != null) |
|||
assert(out.length >= BYTES_MIN) |
|||
assert(out.length <= BYTES_MAX) |
|||
assert(input != null) |
|||
assert(key == null ? true : key.length >= KEYBYTES_MIN) |
|||
assert(key == null ? true : key.length <= KEYBYTES_MAX) |
|||
assert(salt == null ? true : salt.length === SALTBYTES) |
|||
assert(personal == null ? true : personal.length === PERSONALBYTES) |
|||
} |
|||
|
|||
// do the math
|
|||
var ctx = blake2bInit(out.length, key, salt, personal) |
|||
blake2bUpdate(ctx, input) |
|||
return blake2bFinal(out, ctx) |
|||
} |
|||
|
|||
var BYTES_MIN = module.exports.BYTES_MIN = 16 |
|||
var BYTES_MAX = module.exports.BYTES_MAX = 64 |
|||
var BYTES = module.exports.BYTES = 32 |
|||
var KEYBYTES_MIN = module.exports.KEYBYTES_MIN = 16 |
|||
var KEYBYTES_MAX = module.exports.KEYBYTES_MAX = 64 |
|||
var KEYBYTES = module.exports.KEYBYTES = 32 |
|||
var SALTBYTES = module.exports.SALTBYTES = 16 |
|||
var PERSONALBYTES = module.exports.PERSONALBYTES = 16 |
@ -0,0 +1,48 @@ |
|||
var test = require('tape') |
|||
var blake2b = require('.') |
|||
var vectors = require('./test-vectors.json') |
|||
|
|||
test('vectors', function (assert) { |
|||
vectors.forEach(function (v) { |
|||
var out = new Uint8Array(v.outlen) |
|||
var input = hexWrite(new Uint8Array(v.input.length / 2), v.input) |
|||
var key = v.key.length === 0 ? null : hexWrite(new Uint8Array(v.key.length / 2), v.key) |
|||
var salt = v.salt.length === 0 ? null : hexWrite(new Uint8Array(v.salt.length / 2), v.salt) |
|||
var personal = v.personal.length === 0 ? null : hexWrite(new Uint8Array(v.personal.length / 2), v.personal) |
|||
|
|||
var expected = Buffer.from(hexWrite(new Uint8Array(v.out.length / 2), v.out)) |
|||
var actual = Buffer.from(blake2b(out, input, key, salt, personal, true)) |
|||
|
|||
assert.deepEquals(actual, expected) |
|||
}) |
|||
assert.end() |
|||
}) |
|||
|
|||
test('works with buffers', function (assert) { |
|||
var vector = vectors.slice(-1)[0] |
|||
|
|||
var out = Buffer.allocUnsafe(vector.outlen) |
|||
var input = Buffer.from(vector.input, 'hex') |
|||
var key = Buffer.from(vector.key, 'hex') |
|||
var salt = Buffer.from(vector.salt, 'hex') |
|||
var personal = Buffer.from(vector.personal, 'hex') |
|||
|
|||
var expected = Buffer.from(vector.out, 'hex') |
|||
var actual = blake2b(out, input, key, salt, personal) |
|||
|
|||
assert.deepEquals(actual, expected) |
|||
assert.end() |
|||
}) |
|||
|
|||
function hexWrite (buf, string) { |
|||
// must be an even number of digits
|
|||
var strLen = string.length |
|||
if (strLen % 2 !== 0) throw new TypeError('Invalid hex string') |
|||
|
|||
for (var i = 0; i < strLen / 2; ++i) { |
|||
var parsed = parseInt(string.substr(i * 2, 2), 16) |
|||
if (Number.isNaN(parsed)) throw new Error('Invalid byte') |
|||
buf[i] = parsed |
|||
} |
|||
return buf |
|||
} |
Loading…
Reference in new issue