v
Зеркало из https://github.com/vlang/v
1// Copyright (c) 2023 Kim Shrier. All rights reserved.2// Use of this source code is governed by an MIT license3// that can be found in the LICENSE file.4// Package sha3 implements the 512, 384, 256, and 2245// bit hash algorithms and the 128 and 256 bit6// extended output functions as defined in7// https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf.8// Last updated: August 20159module sha310import math12// size_224 is the size, in bytes, of a sha3 sum224 checksum.14pub const size_224 = 2815// size_256 is the size, in bytes, of a sha3 sum256 checksum.16pub const size_256 = 3217// size_384 is the size, in bytes, of a sha3 sum384 checksum.18pub const size_384 = 4819// size_512 is the size, in bytes, of a sha3 sum512 checksum.20pub const size_512 = 6421// rate_224 is the rate, in bytes, absorbed into the sponge on every permutation23pub const rate_224 = 14424// rate_256 is the rate, in bytes, absorbed into the sponge on every permutation25pub const rate_256 = 13626// rate_384 is the rate, in bytes, absorbed into the sponge on every permutation27pub const rate_384 = 10428// rate_512 is the rate, in bytes, absorbed into the sponge on every permutation29pub const rate_512 = 7230// xof_rate_128 is the capacity, in bytes, of a 128 bit extended output function sponge32pub const xof_rate_128 = 16833// xof_rate_256 is the capacity, in bytes, of a 256 bit extended output function sponge34pub const xof_rate_256 = 13635// the low order pad bits for a hash function37const hash_pad = u8(0x06)38// the low order pad bits for an extended output function40const xof_pad = u8(0x1f)41// new512 initializes the digest structure for a sha3 512 bit hash43pub fn new512() !&Digest {44return new_digest(rate_512, size_512)!45}46// new384 initializes the digest structure for a sha3 384 bit hash48pub fn new384() !&Digest {49return new_digest(rate_384, size_384)!50}51// new256 initializes the digest structure for a sha3 256 bit hash53pub fn new256() !&Digest {54return new_digest(rate_256, size_256)!55}56// new224 initializes the digest structure for a sha3 224 bit hash58pub fn new224() !&Digest {59return new_digest(rate_224, size_224)!60}61// new256_xof initializes the digest structure for a sha3 256 bit extended output function63pub fn new256xof(output_len int) !&Digest {64return new_xof_digest(xof_rate_256, output_len)!65}66// new128_xof initializes the digest structure for a sha3 128 bit extended output function68pub fn new128xof(output_len int) !&Digest {69return new_xof_digest(xof_rate_128, output_len)!70}71struct HashSizeError {73Error74size int75}76fn (err HashSizeError) msg() string {78return 'Hash size ${err.size} must be ${size_224}, ${size_256}, ${size_384}, or ${size_512}'79}80struct AbsorptionRateError {82Error83size int84rate int85}86fn (err AbsorptionRateError) msg() string {88return 'Absorption rate ${err.rate} is not compatible with a hash size of ${err.size}'89}90struct XOFRateError {92Error93rate int94}95fn (err XOFRateError) msg() string {97return 'Extended output rate ${err.rate} must be ${xof_rate_128} or ${xof_rate_256}'98}99struct XOFSizeError {101Error102size int103}104fn (err XOFSizeError) msg() string {106return 'Extended output size ${err.size} must be > 0'107}108struct Digest {110rate int // the number of bytes absorbed per permutation111suffix u8 // the domain suffix, 0x06 for hash, 0x1f for extended output112output_len int // the number of bytes to output113mut:114input_buffer []u8 // temporary holding buffer for input bytes115s State // the state of a kaccak-p[1600, 24] sponge116}117// new_digest creates an initialized digest structure based on119// the hash size and whether or not you specify a MAC key.120//121// absorption_rate is the number of bytes to be absorbed into the122// sponge per permutation.123//124// hash_size - the number if bytes in the generated hash.125// Legal values are 224, 256, 384, and 512.126pub fn new_digest(absorption_rate int, hash_size int) !&Digest {127match hash_size {128size_224 {129if absorption_rate != rate_224 {130return AbsorptionRateError{131rate: absorption_rate132size: hash_size133}134}135}136size_256 {137if absorption_rate != rate_256 {138return AbsorptionRateError{139rate: absorption_rate140size: hash_size141}142}143}144size_384 {145if absorption_rate != rate_384 {146return AbsorptionRateError{147rate: absorption_rate148size: hash_size149}150}151}152size_512 {153if absorption_rate != rate_512 {154return AbsorptionRateError{155rate: absorption_rate156size: hash_size157}158}159}160else {161return HashSizeError{162size: hash_size163}164}165}166d := Digest{168rate: absorption_rate169suffix: hash_pad170output_len: hash_size171s: State{}172}173return &d175}176// new_xof_digest creates an initialized digest structure based on178// the absorption rate and how many bytes of output you need179//180// absorption_rate is the number of bytes to be absorbed into the181// sponge per permutation. Legal values are xof_rate_128 and182// xof_rate_256.183//184// hash_size - the number if bytes in the generated hash.185// Legal values are positive integers.186pub fn new_xof_digest(absorption_rate int, hash_size int) !&Digest {187match absorption_rate {188xof_rate_128, xof_rate_256 {189if hash_size < 1 {190return XOFSizeError{191size: hash_size192}193}194}195else {196return XOFRateError{197rate: absorption_rate198}199}200}201d := Digest{203rate: absorption_rate204suffix: xof_pad205output_len: hash_size206s: State{}207}208return &d210}211// write adds bytes to the sponge.213//214// This is the absorption phase of the computation.215pub fn (mut d Digest) write(data []u8) ! {216// if no data is being added to the hash,217// just return218if data.len == 0 {219return220}221// absorb the input into the sponge223mut bytes_remaining := unsafe { data[..] }224if d.input_buffer.len != 0 {226// see if we can accumulate rate bytes to be absorbed227empty_space := d.rate - d.input_buffer.len228if bytes_remaining.len < empty_space {230d.input_buffer << bytes_remaining231// we have not accumulated rate bytes yet.233// just return.234return235} else {236// we have enough bytes to add rate bytes to the237// sponge.238d.input_buffer << bytes_remaining[..empty_space]239bytes_remaining = unsafe { bytes_remaining[empty_space..] }240// absorb them242d.s.xor_bytes(d.input_buffer[..d.rate], d.rate)243d.s.kaccak_p_1600_24()244d.input_buffer = ''.bytes()246}247}248// absorb the remaining bytes250for bytes_remaining.len >= d.rate {251d.s.xor_bytes(bytes_remaining[..d.rate], d.rate)252d.s.kaccak_p_1600_24()253bytes_remaining = unsafe { bytes_remaining[d.rate..] }254}255if bytes_remaining.len > 0 {257d.input_buffer = bytes_remaining258}259}260// checksum finalizes the hash and returns the generated bytes.262pub fn (mut d Digest) checksum() []u8 {263return d.checksum_internal() or { panic(err) }264}265fn (mut d Digest) checksum_internal() ![]u8 {267// pad the last input bytes to have rate bytes268if d.input_buffer.len == d.rate - 1 {269// a single byte pad needs to be handled specially270d.input_buffer << u8(0x80 | d.suffix)271} else {272zero_pads := (d.rate - d.input_buffer.len) - 2273// add the first byte of padding275d.input_buffer << d.suffix276// add intermediate zero pad bytes278for _ in 0 .. zero_pads {279d.input_buffer << u8(0x00)280}281// add the last pad byte283d.input_buffer << u8(0x80)284}285d.s.xor_bytes(d.input_buffer[..d.rate], d.rate)287d.s.kaccak_p_1600_24()288// absorption is done. on to squeezing.290// We know that we can extract rate bytes from the current292// state. If the output_len is <= rate, we don't need to293// iterate and can just return the bytes from the current294// state.295if d.output_len <= d.rate {297return d.s.to_bytes()[..d.output_len]298}299// we need to squeeze the sponge a little harder to get301// longer strings of bytes.302mut output_bytes := []u8{cap: d.output_len}304mut remaining_ouput_len := d.output_len305for remaining_ouput_len > 0 {307mut byte_len_this_round := math.min[int](remaining_ouput_len, d.rate)308output_bytes << d.s.to_bytes()[..byte_len_this_round]309remaining_ouput_len -= byte_len_this_round311if remaining_ouput_len > 0 {313d.s.kaccak_p_1600_24()314}315}316return output_bytes318}319// sum512 returns the sha3 512 bit checksum of the data.321pub fn sum512(data []u8) []u8 {322mut d := new512() or { panic(err) }323d.write(data) or { panic(err) }324return d.checksum_internal() or { panic(err) }325}326// sum384 returns the sha3 384 bit checksum of the data.328pub fn sum384(data []u8) []u8 {329mut d := new384() or { panic(err) }330d.write(data) or { panic(err) }331return d.checksum_internal() or { panic(err) }332}333// sum256 returns the sha3 256 bit checksum of the data.335pub fn sum256(data []u8) []u8 {336mut d := new256() or { panic(err) }337d.write(data) or { panic(err) }338return d.checksum_internal() or { panic(err) }339}340// sum224 returns the sha3 224 bit checksum of the data.342pub fn sum224(data []u8) []u8 {343mut d := new224() or { panic(err) }344d.write(data) or { panic(err) }345return d.checksum_internal() or { panic(err) }346}347// shake256 returns the sha3 shake256 bit extended output349pub fn shake256(data []u8, output_len int) []u8 {350mut d := new256xof(output_len) or { panic(err) }351d.write(data) or { panic(err) }352return d.checksum_internal() or { panic(err) }353}354// shake128 returns the sha3 shake128 bit extended output356pub fn shake128(data []u8, output_len int) []u8 {357mut d := new128xof(output_len) or { panic(err) }358d.write(data) or { panic(err) }359return d.checksum_internal() or { panic(err) }360}361