//! The official Rust implementation of the [BLAKE3] cryptographic hash

//! function.

//!

//! # Examples

//!

//! ```

//! # fn main() -> Result<(), Box<dyn std::error::Error>> {

//! // Hash an input all at once.

//! let hash1 = blake3::hash(b"foobarbaz");

//!

//! // Hash an input incrementally.

//! let mut hasher = blake3::Hasher::new();

//! hasher.update(b"foo");

//! hasher.update(b"bar");

//! hasher.update(b"baz");

//! let hash2 = hasher.finalize();

//! assert_eq!(hash1, hash2);

//!

//! // Extended output. OutputReader also implements Read and Seek.

//! # #[cfg(feature = "std")] {

//! let mut output = [0; 1000];

//! let mut output_reader = hasher.finalize_xof();

//! output_reader.fill(&mut output);

//! assert_eq!(hash1, output[..32]);

//! # }

//!

//! // Print a hash as hex.

//! println!("{}", hash1);

//! # Ok(())

//! # }

//! ```

//!

//! # Cargo Features

//!

//! The `std` feature (the only feature enabled by default) is required for

//! implementations of the [`Write`] and [`Seek`] traits, the

//! [`update_reader`](Hasher::update_reader) helper method, and runtime CPU

//! feature detection on x86. If this feature is disabled, the only way to use

//! the x86 SIMD implementations is to enable the corresponding instruction sets

//! globally, with e.g. `RUSTFLAGS="-C target-cpu=native"`. The resulting binary

//! will not be portable to other machines.

//!

//! The `rayon` feature (disabled by default, but enabled for [docs.rs]) adds

//! the [`update_rayon`](Hasher::update_rayon) and (in combination with `mmap`

//! below) [`update_mmap_rayon`](Hasher::update_mmap_rayon) methods, for

//! multithreaded hashing. However, even if this feature is enabled, all other

//! APIs remain single-threaded.

//!

//! The `mmap` feature (disabled by default, but enabled for [docs.rs]) adds the

//! [`update_mmap`](Hasher::update_mmap) and (in combination with `rayon` above)

//! [`update_mmap_rayon`](Hasher::update_mmap_rayon) helper methods for

//! memory-mapped IO.

//!

//! The `zeroize` feature (disabled by default, but enabled for [docs.rs])

//! implements

//! [`Zeroize`](https://docs.rs/zeroize/latest/zeroize/trait.Zeroize.html) for

//! this crate's types.

//!

//! The `serde` feature (disabled by default, but enabled for [docs.rs]) implements

//! [`serde::Serialize`](https://docs.rs/serde/latest/serde/trait.Serialize.html) and

//! [`serde::Deserialize`](https://docs.rs/serde/latest/serde/trait.Deserialize.html)

//! for [`Hash`](struct@Hash).

//!

//! The NEON implementation is enabled by default for AArch64 but requires the

//! `neon` feature for other ARM targets. Not all ARMv7 CPUs support NEON, and

//! enabling this feature will produce a binary that's not portable to CPUs

//! without NEON support.

//!

//! The `traits-preview` feature enables implementations of traits from the

//! RustCrypto [`digest`] crate, and re-exports that crate as `traits::digest`.

//! However, the traits aren't stable, and they're expected to change in

//! incompatible ways before that crate reaches 1.0. For that reason, this crate

//! makes no SemVer guarantees for this feature, and callers who use it should

//! expect breaking changes between patch versions. (The "-preview" feature name

//! follows the conventions of the RustCrypto [`signature`] crate.)

//!

//! [`Hasher::update_rayon`]: struct.Hasher.html#method.update_rayon

//! [BLAKE3]: https://blake3.io

//! [Rayon]: https://github.com/rayon-rs/rayon

//! [docs.rs]: https://docs.rs/

//! [`Write`]: https://doc.rust-lang.org/std/io/trait.Write.html

//! [`Seek`]: https://doc.rust-lang.org/std/io/trait.Seek.html

//! [`digest`]: https://crates.io/crates/digest

//! [`signature`]: https://crates.io/crates/signature

#![cfg_attr(not(feature = "std"), no_std)]

#[cfg(test)]

mod test;

// The guts module is for incremental use cases like the `bao` crate that need

// to explicitly compute chunk and parent chaining values. It is semi-stable

// and likely to keep working, but largely undocumented and not intended for

// widespread use.

#[doc(hidden)]

pub mod guts;

/// Undocumented and unstable, for benchmarks only.

#[doc(hidden)]

pub mod platform;

// Platform-specific implementations of the compression function. These

// BLAKE3-specific cfg flags are set in build.rs.

#[cfg(blake3_avx2_rust)]

#[path = "rust_avx2.rs"]

mod avx2;

#[cfg(blake3_avx2_ffi)]

#[path = "ffi_avx2.rs"]

mod avx2;

#[cfg(blake3_avx512_ffi)]

#[path = "ffi_avx512.rs"]

mod avx512;

#[cfg(blake3_neon)]

#[path = "ffi_neon.rs"]

mod neon;

mod portable;

#[cfg(blake3_sse2_rust)]

#[path = "rust_sse2.rs"]

mod sse2;

#[cfg(blake3_sse2_ffi)]

#[path = "ffi_sse2.rs"]

mod sse2;

#[cfg(blake3_sse41_rust)]

#[path = "rust_sse41.rs"]

mod sse41;

#[cfg(blake3_sse41_ffi)]

#[path = "ffi_sse41.rs"]

mod sse41;

#[cfg(blake3_wasm32_simd)]

#[path = "wasm32_simd.rs"]

mod wasm32_simd;

#[cfg(feature = "traits-preview")]

pub mod traits;

mod io;

mod join;

use arrayref::{array_mut_ref, array_ref};

use arrayvec::{ArrayString, ArrayVec};

use core::cmp;

use core::fmt;

use platform::{Platform, MAX_SIMD_DEGREE, MAX_SIMD_DEGREE_OR_2};

#[cfg(feature = "zeroize")]

use zeroize::Zeroize;

/// The number of bytes in a [`Hash`](struct.Hash.html), 32.

pub const OUT_LEN: usize = 32;

/// The number of bytes in a key, 32.

pub const KEY_LEN: usize = 32;

const MAX_DEPTH: usize = 54; // 2^54 * CHUNK_LEN = 2^64

use guts::{BLOCK_LEN, CHUNK_LEN};

// While iterating the compression function within a chunk, the CV is

// represented as words, to avoid doing two extra endianness conversions for

// each compression in the portable implementation. But the hash_many interface

// needs to hash both input bytes and parent nodes, so its better for its

// output CVs to be represented as bytes.

type CVWords = [u32; 8];

type CVBytes = [u8; 32]; // little-endian

const IV: &CVWords = &[

    0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19,

];

const MSG_SCHEDULE: [[usize; 16]; 7] = [

    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15],

    [2, 6, 3, 10, 7, 0, 4, 13, 1, 11, 12, 5, 9, 14, 15, 8],

    [3, 4, 10, 12, 13, 2, 7, 14, 6, 5, 9, 0, 11, 15, 8, 1],

    [10, 7, 12, 9, 14, 3, 13, 15, 4, 0, 11, 2, 5, 8, 1, 6],

    [12, 13, 9, 11, 15, 10, 14, 8, 7, 2, 5, 3, 0, 1, 6, 4],

    [9, 14, 11, 5, 8, 12, 15, 1, 13, 3, 0, 10, 2, 6, 4, 7],

    [11, 15, 5, 0, 1, 9, 8, 6, 14, 10, 2, 12, 3, 4, 7, 13],

];

// These are the internal flags that we use to domain separate root/non-root,

// chunk/parent, and chunk beginning/middle/end. These get set at the high end

// of the block flags word in the compression function, so their values start

// high and go down.

const CHUNK_START: u8 = 1 << 0;

const CHUNK_END: u8 = 1 << 1;

const PARENT: u8 = 1 << 2;

const ROOT: u8 = 1 << 3;

const KEYED_HASH: u8 = 1 << 4;

const DERIVE_KEY_CONTEXT: u8 = 1 << 5;

const DERIVE_KEY_MATERIAL: u8 = 1 << 6;

#[inline]

fn counter_low(counter: u64) -> u32 {

    counter as u32

}

#[inline]

fn counter_high(counter: u64) -> u32 {

    (counter >> 32) as u32

}

/// An output of the default size, 32 bytes, which provides constant-time

/// equality checking.

///

/// `Hash` implements [`From`] and [`Into`] for `[u8; 32]`, and it provides

/// [`from_bytes`] and [`as_bytes`] for explicit conversions between itself and

/// `[u8; 32]`. However, byte arrays and slices don't provide constant-time

/// equality checking, which is often a security requirement in software that

/// handles private data. `Hash` doesn't implement [`Deref`] or [`AsRef`], to

/// avoid situations where a type conversion happens implicitly and the

/// constant-time property is accidentally lost.

///

/// `Hash` provides the [`to_hex`] and [`from_hex`] methods for converting to

/// and from hexadecimal. It also implements [`Display`] and [`FromStr`].

///

/// [`From`]: https://doc.rust-lang.org/std/convert/trait.From.html

/// [`Into`]: https://doc.rust-lang.org/std/convert/trait.Into.html

/// [`as_bytes`]: #method.as_bytes

/// [`from_bytes`]: #method.from_bytes

/// [`Deref`]: https://doc.rust-lang.org/stable/std/ops/trait.Deref.html

/// [`AsRef`]: https://doc.rust-lang.org/std/convert/trait.AsRef.html

/// [`to_hex`]: #method.to_hex

/// [`from_hex`]: #method.from_hex

/// [`Display`]: https://doc.rust-lang.org/std/fmt/trait.Display.html

/// [`FromStr`]: https://doc.rust-lang.org/std/str/trait.FromStr.html

#[cfg_attr(feature = "serde", derive(serde::Deserialize, serde::Serialize))]

#[derive(Clone, Copy, Hash)]

pub struct Hash([u8; OUT_LEN]);

impl Hash {

    /// The raw bytes of the `Hash`. Note that byte arrays don't provide

    /// constant-time equality checking, so if  you need to compare hashes,

    /// prefer the `Hash` type.

    #[inline]

    pub const fn as_bytes(&self) -> &[u8; OUT_LEN] {

        &self.0

    }

    /// Create a `Hash` from its raw bytes representation.

    pub const fn from_bytes(bytes: [u8; OUT_LEN]) -> Self {

        Self(bytes)

    }

    /// Create a `Hash` from its raw bytes representation as a slice.

    ///

    /// Returns an error if the slice is not exactly 32 bytes long.

    pub fn from_slice(bytes: &[u8]) -> Result<Self, core::array::TryFromSliceError> {

        Ok(Self::from_bytes(bytes.try_into()?))

    }

    /// Encode a `Hash` in lowercase hexadecimal.

    ///

    /// The returned [`ArrayString`] is a fixed size and doesn't allocate memory

    /// on the heap. Note that [`ArrayString`] doesn't provide constant-time

    /// equality checking, so if you need to compare hashes, prefer the `Hash`

    /// type.

    ///

    /// [`ArrayString`]: https://docs.rs/arrayvec/0.5.1/arrayvec/struct.ArrayString.html

    pub fn to_hex(&self) -> ArrayString<{ 2 * OUT_LEN }> {

        let mut s = ArrayString::new();

        let table = b"0123456789abcdef";

        for &b in self.0.iter() {

            s.push(table[(b >> 4) as usize] as char);

            s.push(table[(b & 0xf) as usize] as char);

        }

        s

    }

    /// Decode a `Hash` from hexadecimal. Both uppercase and lowercase ASCII

    /// bytes are supported.

    ///

    /// Any byte outside the ranges `'0'...'9'`, `'a'...'f'`, and `'A'...'F'`

    /// results in an error. An input length other than 64 also results in an

    /// error.

    ///

    /// Note that `Hash` also implements `FromStr`, so `Hash::from_hex("...")`

    /// is equivalent to `"...".parse()`.

    pub fn from_hex(hex: impl AsRef<[u8]>) -> Result<Self, HexError> {

        fn hex_val(byte: u8) -> Result<u8, HexError> {

            match byte {

                b'A'..=b'F' => Ok(byte - b'A' + 10),

                b'a'..=b'f' => Ok(byte - b'a' + 10),

                b'0'..=b'9' => Ok(byte - b'0'),

                _ => Err(HexError(HexErrorInner::InvalidByte(byte))),

            }

        }

        let hex_bytes: &[u8] = hex.as_ref();

        if hex_bytes.len() != OUT_LEN * 2 {

            return Err(HexError(HexErrorInner::InvalidLen(hex_bytes.len())));

        }

        let mut hash_bytes: [u8; OUT_LEN] = [0; OUT_LEN];

        for i in 0..OUT_LEN {

            hash_bytes[i] = 16 * hex_val(hex_bytes[2 * i])? + hex_val(hex_bytes[2 * i + 1])?;

        }

        Ok(Hash::from(hash_bytes))

    }

}

impl From<[u8; OUT_LEN]> for Hash {

    #[inline]

    fn from(bytes: [u8; OUT_LEN]) -> Self {

        Self::from_bytes(bytes)

    }

}

impl From<Hash> for [u8; OUT_LEN] {

    #[inline]

    fn from(hash: Hash) -> Self {

        hash.0

    }

}

impl core::str::FromStr for Hash {

    type Err = HexError;

    fn from_str(s: &str) -> Result<Self, Self::Err> {

        Hash::from_hex(s)

    }

}

#[cfg(feature = "zeroize")]

impl Zeroize for Hash {

    fn zeroize(&mut self) {

        // Destructuring to trigger compile error as a reminder to update this impl.

        let Self(bytes) = self;

        bytes.zeroize();

    }

}

/// This implementation is constant-time.

impl PartialEq for Hash {

    #[inline]

    fn eq(&self, other: &Hash) -> bool {

        constant_time_eq::constant_time_eq_32(&self.0, &other.0)

    }

}

/// This implementation is constant-time.

impl PartialEq<[u8; OUT_LEN]> for Hash {

    #[inline]

    fn eq(&self, other: &[u8; OUT_LEN]) -> bool {

        constant_time_eq::constant_time_eq_32(&self.0, other)

    }

}

/// This implementation is constant-time if the target is 32 bytes long.

impl PartialEq<[u8]> for Hash {

    #[inline]

    fn eq(&self, other: &[u8]) -> bool {

        constant_time_eq::constant_time_eq(&self.0, other)

    }

}

impl Eq for Hash {}

impl fmt::Display for Hash {

    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {

        // Formatting field as `&str` to reduce code size since the `Debug`

        // dynamic dispatch table for `&str` is likely needed elsewhere already,

        // but that for `ArrayString<[u8; 64]>` is not.

        let hex = self.to_hex();

        let hex: &str = hex.as_str();

        f.write_str(hex)

    }

}

impl fmt::Debug for Hash {

    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {

        // Formatting field as `&str` to reduce code size since the `Debug`

        // dynamic dispatch table for `&str` is likely needed elsewhere already,

        // but that for `ArrayString<[u8; 64]>` is not.

        let hex = self.to_hex();

        let hex: &str = hex.as_str();

        f.debug_tuple("Hash").field(&hex).finish()

    }

}

/// The error type for [`Hash::from_hex`].

///

/// The `.to_string()` representation of this error currently distinguishes between bad length

/// errors and bad character errors. This is to help with logging and debugging, but it isn't a

/// stable API detail, and it may change at any time.

#[derive(Clone, Debug)]

pub struct HexError(HexErrorInner);

#[derive(Clone, Debug)]

enum HexErrorInner {

    InvalidByte(u8),

    InvalidLen(usize),

}

impl fmt::Display for HexError {

    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {

        match self.0 {

            HexErrorInner::InvalidByte(byte) => {

                if byte < 128 {

                    write!(f, "invalid hex character: {:?}", byte as char)

                } else {

                    write!(f, "invalid hex character: 0x{:x}", byte)

                }

            }

            HexErrorInner::InvalidLen(len) => {

                write!(f, "expected 64 hex bytes, received {}", len)

            }

        }

    }

}

#[cfg(feature = "std")]

impl std::error::Error for HexError {}

// Each chunk or parent node can produce either a 32-byte chaining value or, by

// setting the ROOT flag, any number of final output bytes. The Output struct

// captures the state just prior to choosing between those two possibilities.

#[derive(Clone)]

struct Output {

    input_chaining_value: CVWords,

    block: [u8; 64],

    block_len: u8,

    counter: u64,

    flags: u8,

    platform: Platform,

}

impl Output {

    fn chaining_value(&self) -> CVBytes {

        let mut cv = self.input_chaining_value;

        self.platform.compress_in_place(

            &mut cv,

            &self.block,

            self.block_len,

            self.counter,

            self.flags,

        );

        platform::le_bytes_from_words_32(&cv)

    }

    fn root_hash(&self) -> Hash {

        debug_assert_eq!(self.counter, 0);

        let mut cv = self.input_chaining_value;

        self.platform

            .compress_in_place(&mut cv, &self.block, self.block_len, 0, self.flags | ROOT);

        Hash(platform::le_bytes_from_words_32(&cv))

    }

    fn root_output_block(&self) -> [u8; 2 * OUT_LEN] {

        self.platform.compress_xof(

            &self.input_chaining_value,

            &self.block,

            self.block_len,

            self.counter,

            self.flags | ROOT,

        )

    }

}

#[cfg(feature = "zeroize")]

impl Zeroize for Output {

    fn zeroize(&mut self) {

        // Destructuring to trigger compile error as a reminder to update this impl.

        let Self {

            input_chaining_value,

            block,

            block_len,

            counter,

            flags,

            platform: _,

        } = self;

        input_chaining_value.zeroize();

        block.zeroize();

        block_len.zeroize();

        counter.zeroize();

        flags.zeroize();

    }

}

#[derive(Clone)]

struct ChunkState {

    cv: CVWords,

    chunk_counter: u64,

    buf: [u8; BLOCK_LEN],

    buf_len: u8,

    blocks_compressed: u8,

    flags: u8,

    platform: Platform,

}

impl ChunkState {

    fn new(key: &CVWords, chunk_counter: u64, flags: u8, platform: Platform) -> Self {

        Self {

            cv: *key,

            chunk_counter,

            buf: [0; BLOCK_LEN],

            buf_len: 0,

            blocks_compressed: 0,

            flags,

            platform,

        }

    }

    fn len(&self) -> usize {

        BLOCK_LEN * self.blocks_compressed as usize + self.buf_len as usize

    }

    fn fill_buf(&mut self, input: &mut &[u8]) {

        let want = BLOCK_LEN - self.buf_len as usize;

        let take = cmp::min(want, input.len());

        self.buf[self.buf_len as usize..][..take].copy_from_slice(&input[..take]);

        self.buf_len += take as u8;

        *input = &input[take..];

    }

    fn start_flag(&self) -> u8 {

        if self.blocks_compressed == 0 {

            CHUNK_START

        } else {

            0

        }

    }

    // Try to avoid buffering as much as possible, by compressing directly from

    // the input slice when full blocks are available.

    fn update(&mut self, mut input: &[u8]) -> &mut Self {

        if self.buf_len > 0 {

            self.fill_buf(&mut input);

            if !input.is_empty() {

                debug_assert_eq!(self.buf_len as usize, BLOCK_LEN);

                let block_flags = self.flags | self.start_flag(); // borrowck

                self.platform.compress_in_place(

                    &mut self.cv,

                    &self.buf,

                    BLOCK_LEN as u8,

                    self.chunk_counter,

                    block_flags,

                );

                self.buf_len = 0;

                self.buf = [0; BLOCK_LEN];

                self.blocks_compressed += 1;

            }

        }

        while input.len() > BLOCK_LEN {

            debug_assert_eq!(self.buf_len, 0);

            let block_flags = self.flags | self.start_flag(); // borrowck

            self.platform.compress_in_place(

                &mut self.cv,

                array_ref!(input, 0, BLOCK_LEN),

                BLOCK_LEN as u8,

                self.chunk_counter,

                block_flags,

            );

            self.blocks_compressed += 1;

            input = &input[BLOCK_LEN..];

        }

        self.fill_buf(&mut input);

        debug_assert!(input.is_empty());

        debug_assert!(self.len() <= CHUNK_LEN);

        self

    }

    fn output(&self) -> Output {

        let block_flags = self.flags | self.start_flag() | CHUNK_END;

        Output {

            input_chaining_value: self.cv,

            block: self.buf,

            block_len: self.buf_len,

            counter: self.chunk_counter,

            flags: block_flags,

            platform: self.platform,

        }

    }

}

// Don't derive(Debug), because the state may be secret.

impl fmt::Debug for ChunkState {

    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {

        f.debug_struct("ChunkState")

            .field("len", &self.len())

            .field("chunk_counter", &self.chunk_counter)

            .field("flags", &self.flags)

            .field("platform", &self.platform)

            .finish()

    }

}

#[cfg(feature = "zeroize")]

impl Zeroize for ChunkState {

    fn zeroize(&mut self) {

        // Destructuring to trigger compile error as a reminder to update this impl.

        let Self {

            cv,

            chunk_counter,

            buf,

            buf_len,

            blocks_compressed,

            flags,

            platform: _,

        } = self;

        cv.zeroize();

        chunk_counter.zeroize();

        buf.zeroize();

        buf_len.zeroize();

        blocks_compressed.zeroize();

        flags.zeroize();

    }

}

// IMPLEMENTATION NOTE

// ===================

// The recursive function compress_subtree_wide(), implemented below, is the

// basis of high-performance BLAKE3. We use it both for all-at-once hashing,

// and for the incremental input with Hasher (though we have to be careful with

// subtree boundaries in the incremental case). compress_subtree_wide() applies

// several optimizations at the same time:

// - Multithreading with Rayon.

// - Parallel chunk hashing with SIMD.

// - Parallel parent hashing with SIMD. Note that while SIMD chunk hashing

//   maxes out at MAX_SIMD_DEGREE*CHUNK_LEN, parallel parent hashing continues

//   to benefit from larger inputs, because more levels of the tree benefit can

//   use full-width SIMD vectors for parent hashing. Without parallel parent

//   hashing, we lose about 10% of overall throughput on AVX2 and AVX-512.

/// Undocumented and unstable, for benchmarks only.

#[doc(hidden)]

#[derive(Clone, Copy)]

pub enum IncrementCounter {

    Yes,

    No,

}

impl IncrementCounter {

    #[inline]

    fn yes(&self) -> bool {

        match self {

            IncrementCounter::Yes => true,

            IncrementCounter::No => false,

        }

    }

}

// The largest power of two less than or equal to `n`, used for left_len()

// immediately below, and also directly in Hasher::update().

fn largest_power_of_two_leq(n: usize) -> usize {

    ((n / 2) + 1).next_power_of_two()

}

// Given some input larger than one chunk, return the number of bytes that

// should go in the left subtree. This is the largest power-of-2 number of

// chunks that leaves at least 1 byte for the right subtree.

fn left_len(content_len: usize) -> usize {

    debug_assert!(content_len > CHUNK_LEN);

    // Subtract 1 to reserve at least one byte for the right side.

    let full_chunks = (content_len - 1) / CHUNK_LEN;

    largest_power_of_two_leq(full_chunks) * CHUNK_LEN

}

// Use SIMD parallelism to hash up to MAX_SIMD_DEGREE chunks at the same time

// on a single thread. Write out the chunk chaining values and return the

// number of chunks hashed. These chunks are never the root and never empty;

// those cases use a different codepath.

fn compress_chunks_parallel(

    input: &[u8],

    key: &CVWords,

    chunk_counter: u64,

    flags: u8,

    platform: Platform,

    out: &mut [u8],

) -> usize {

    debug_assert!(!input.is_empty(), "empty chunks below the root");

    debug_assert!(input.len() <= MAX_SIMD_DEGREE * CHUNK_LEN);

    let mut chunks_exact = input.chunks_exact(CHUNK_LEN);

    let mut chunks_array = ArrayVec::<&[u8; CHUNK_LEN], MAX_SIMD_DEGREE>::new();

    for chunk in &mut chunks_exact {

        chunks_array.push(array_ref!(chunk, 0, CHUNK_LEN));

    }

    platform.hash_many(

        &chunks_array,

        key,

        chunk_counter,

        IncrementCounter::Yes,

        flags,

        CHUNK_START,

        CHUNK_END,

        out,

    );

    // Hash the remaining partial chunk, if there is one. Note that the empty

    // chunk (meaning the empty message) is a different codepath.

    let chunks_so_far = chunks_array.len();

    if !chunks_exact.remainder().is_empty() {

        let counter = chunk_counter + chunks_so_far as u64;

        let mut chunk_state = ChunkState::new(key, counter, flags, platform);

        chunk_state.update(chunks_exact.remainder());

        *array_mut_ref!(out, chunks_so_far * OUT_LEN, OUT_LEN) =

            chunk_state.output().chaining_value();

        chunks_so_far + 1

    } else {

        chunks_so_far

    }

}

// Use SIMD parallelism to hash up to MAX_SIMD_DEGREE parents at the same time

// on a single thread. Write out the parent chaining values and return the

// number of parents hashed. (If there's an odd input chaining value left over,

// return it as an additional output.) These parents are never the root and

// never empty; those cases use a different codepath.

fn compress_parents_parallel(

    child_chaining_values: &[u8],

    key: &CVWords,

    flags: u8,

    platform: Platform,

    out: &mut [u8],

) -> usize {

    debug_assert_eq!(child_chaining_values.len() % OUT_LEN, 0, "wacky hash bytes");

    let num_children = child_chaining_values.len() / OUT_LEN;

    debug_assert!(num_children >= 2, "not enough children");

    debug_assert!(num_children <= 2 * MAX_SIMD_DEGREE_OR_2, "too many");

    let mut parents_exact = child_chaining_values.chunks_exact(BLOCK_LEN);

    // Use MAX_SIMD_DEGREE_OR_2 rather than MAX_SIMD_DEGREE here, because of

    // the requirements of compress_subtree_wide().

    let mut parents_array = ArrayVec::<&[u8; BLOCK_LEN], MAX_SIMD_DEGREE_OR_2>::new();

    for parent in &mut parents_exact {

        parents_array.push(array_ref!(parent, 0, BLOCK_LEN));

    }

    platform.hash_many(

        &parents_array,

        key,

        0, // Parents always use counter 0.

        IncrementCounter::No,

        flags | PARENT,

        0, // Parents have no start flags.

        0, // Parents have no end flags.

        out,

    );

    // If there's an odd child left over, it becomes an output.

    let parents_so_far = parents_array.len();

    if !parents_exact.remainder().is_empty() {

        out[parents_so_far * OUT_LEN..][..OUT_LEN].copy_from_slice(parents_exact.remainder());

        parents_so_far + 1

    } else {

        parents_so_far

    }

}

// The wide helper function returns (writes out) an array of chaining values

// and returns the length of that array. The number of chaining values returned

// is the dynamically detected SIMD degree, at most MAX_SIMD_DEGREE. Or fewer,

// if the input is shorter than that many chunks. The reason for maintaining a

// wide array of chaining values going back up the tree, is to allow the

// implementation to hash as many parents in parallel as possible.

//

// As a special case when the SIMD degree is 1, this function will still return

// at least 2 outputs. This guarantees that this function doesn't perform the

// root compression. (If it did, it would use the wrong flags, and also we

// wouldn't be able to implement extendable output.) Note that this function is

// not used when the whole input is only 1 chunk long; that's a different

// codepath.

//

// Why not just have the caller split the input on the first update(), instead

// of implementing this special rule? Because we don't want to limit SIMD or

// multithreading parallelism for that update().

fn compress_subtree_wide<J: join::Join>(

    input: &[u8],

    key: &CVWords,

    chunk_counter: u64,

    flags: u8,

    platform: Platform,

    out: &mut [u8],

) -> usize {

    // Note that the single chunk case does *not* bump the SIMD degree up to 2

    // when it is 1. This allows Rayon the option of multithreading even the

    // 2-chunk case, which can help performance on smaller platforms.

    if input.len() <= platform.simd_degree() * CHUNK_LEN {

        return compress_chunks_parallel(input, key, chunk_counter, flags, platform, out);

    }

    // With more than simd_degree chunks, we need to recurse. Start by dividing

    // the input into left and right subtrees. (Note that this is only optimal

    // as long as the SIMD degree is a power of 2. If we ever get a SIMD degree

    // of 3 or something, we'll need a more complicated strategy.)

    debug_assert_eq!(platform.simd_degree().count_ones(), 1, "power of 2");

    let (left, right) = input.split_at(left_len(input.len()));

    let right_chunk_counter = chunk_counter + (left.len() / CHUNK_LEN) as u64;

    // Make space for the child outputs. Here we use MAX_SIMD_DEGREE_OR_2 to

    // account for the special case of returning 2 outputs when the SIMD degree

    // is 1.

    let mut cv_array = [0; 2 * MAX_SIMD_DEGREE_OR_2 * OUT_LEN];

    let degree = if left.len() == CHUNK_LEN {

        // The "simd_degree=1 and we're at the leaf nodes" case.

        debug_assert_eq!(platform.simd_degree(), 1);

        1

    } else {

        cmp::max(platform.simd_degree(), 2)

    };

    let (left_out, right_out) = cv_array.split_at_mut(degree * OUT_LEN);

    // Recurse! For update_rayon(), this is where we take advantage of RayonJoin and use multiple

    // threads.

    let (left_n, right_n) = J::join(

        || compress_subtree_wide::<J>(left, key, chunk_counter, flags, platform, left_out),

        || compress_subtree_wide::<J>(right, key, right_chunk_counter, flags, platform, right_out),

    );

    // The special case again. If simd_degree=1, then we'll have left_n=1 and

    // right_n=1. Rather than compressing them into a single output, return

    // them directly, to make sure we always have at least two outputs.

    debug_assert_eq!(left_n, degree);

    debug_assert!(right_n >= 1 && right_n <= left_n);

    if left_n == 1 {

        out[..2 * OUT_LEN].copy_from_slice(&cv_array[..2 * OUT_LEN]);

        return 2;

    }

    // Otherwise, do one layer of parent node compression.

    let num_children = left_n + right_n;

    compress_parents_parallel(

        &cv_array[..num_children * OUT_LEN],

        key,

        flags,

        platform,

        out,

    )

}

// Hash a subtree with compress_subtree_wide(), and then condense the resulting

// list of chaining values down to a single parent node. Don't compress that

// last parent node, however. Instead, return its message bytes (the

// concatenated chaining values of its children). This is necessary when the

// first call to update() supplies a complete subtree, because the topmost

// parent node of that subtree could end up being the root. It's also necessary

// for extended output in the general case.

//

// As with compress_subtree_wide(), this function is not used on inputs of 1

// chunk or less. That's a different codepath.

fn compress_subtree_to_parent_node<J: join::Join>(

    input: &[u8],

    key: &CVWords,

    chunk_counter: u64,

    flags: u8,

    platform: Platform,

) -> [u8; BLOCK_LEN] {

    debug_assert!(input.len() > CHUNK_LEN);

    let mut cv_array = [0; MAX_SIMD_DEGREE_OR_2 * OUT_LEN];

    let mut num_cvs =

        compress_subtree_wide::<J>(input, &key, chunk_counter, flags, platform, &mut cv_array);

    debug_assert!(num_cvs >= 2);

    // If MAX_SIMD_DEGREE is greater than 2 and there's enough input,

    // compress_subtree_wide() returns more than 2 chaining values. Condense

    // them into 2 by forming parent nodes repeatedly.

    let mut out_array = [0; MAX_SIMD_DEGREE_OR_2 * OUT_LEN / 2];

    while num_cvs > 2 {

        let cv_slice = &cv_array[..num_cvs * OUT_LEN];

        num_cvs = compress_parents_parallel(cv_slice, key, flags, platform, &mut out_array);

        cv_array[..num_cvs * OUT_LEN].copy_from_slice(&out_array[..num_cvs * OUT_LEN]);

    }

    *array_ref!(cv_array, 0, 2 * OUT_LEN)

}

// Hash a complete input all at once. Unlike compress_subtree_wide() and

// compress_subtree_to_parent_node(), this function handles the 1 chunk case.

fn hash_all_at_once<J: join::Join>(input: &[u8], key: &CVWords, flags: u8) -> Output {

    let platform = Platform::detect();

    // If the whole subtree is one chunk, hash it directly with a ChunkState.

    if input.len() <= CHUNK_LEN {

        return ChunkState::new(key, 0, flags, platform)

            .update(input)

            .output();

    }

    // Otherwise construct an Output object from the parent node returned by

    // compress_subtree_to_parent_node().

    Output {

        input_chaining_value: *key,

        block: compress_subtree_to_parent_node::<J>(input, key, 0, flags, platform),

        block_len: BLOCK_LEN as u8,

        counter: 0,

        flags: flags | PARENT,

        platform,

    }

}

/// The default hash function.

///

/// For an incremental version that accepts multiple writes, see [`Hasher::new`],

/// [`Hasher::update`], and [`Hasher::finalize`]. These two lines are equivalent:

///

/// ```

/// let hash = blake3::hash(b"foo");

/// # let hash1 = hash;

///

/// let hash = blake3::Hasher::new().update(b"foo").finalize();

/// # let hash2 = hash;

/// # assert_eq!(hash1, hash2);

/// ```

///

/// For output sizes other than 32 bytes, see [`Hasher::finalize_xof`] and

/// [`OutputReader`].

///

/// This function is always single-threaded. For multithreading support, see

/// [`Hasher::update_rayon`](struct.Hasher.html#method.update_rayon).

pub fn hash(input: &[u8]) -> Hash {

    hash_all_at_once::<join::SerialJoin>(input, IV, 0).root_hash()

}

/// The keyed hash function.

///

/// This is suitable for use as a message authentication code, for example to

/// replace an HMAC instance. In that use case, the constant-time equality

/// checking provided by [`Hash`](struct.Hash.html) is almost always a security

/// requirement, and callers need to be careful not to compare MACs as raw

/// bytes.

///

/// For an incremental version that accepts multiple writes, see [`Hasher::new_keyed`],

/// [`Hasher::update`], and [`Hasher::finalize`]. These two lines are equivalent:

///

/// ```

/// # const KEY: &[u8; 32] = &[0; 32];

/// let mac = blake3::keyed_hash(KEY, b"foo");

/// # let mac1 = mac;

///

/// let mac = blake3::Hasher::new_keyed(KEY).update(b"foo").finalize();

/// # let mac2 = mac;

/// # assert_eq!(mac1, mac2);

/// ```

///

/// For output sizes other than 32 bytes, see [`Hasher::finalize_xof`], and [`OutputReader`].

///

/// This function is always single-threaded. For multithreading support, see

/// [`Hasher::update_rayon`](struct.Hasher.html#method.update_rayon).

pub fn keyed_hash(key: &[u8; KEY_LEN], input: &[u8]) -> Hash {

    let key_words = platform::words_from_le_bytes_32(key);

    hash_all_at_once::<join::SerialJoin>(input, &key_words, KEYED_HASH).root_hash()

}

/// The key derivation function.

///

/// Given cryptographic key material of any length and a context string of any

/// length, this function outputs a 32-byte derived subkey. **The context string

/// should be hardcoded, globally unique, and application-specific.** A good

/// default format for such strings is `"[application] [commit timestamp]

/// [purpose]"`, e.g., `"example.com 2019-12-25 16:18:03 session tokens v1"`.

///

/// Key derivation is important when you want to use the same key in multiple

/// algorithms or use cases. Using the same key with different cryptographic

/// algorithms is generally forbidden, and deriving a separate subkey for each

/// use case protects you from bad interactions. Derived keys also mitigate the

/// damage from one part of your application accidentally leaking its key.

///

/// As a rare exception to that general rule, however, it is possible to use

/// `derive_key` itself with key material that you are already using with

/// another algorithm. You might need to do this if you're adding features to

/// an existing application, which does not yet use key derivation internally.

/// However, you still must not share key material with algorithms that forbid

/// key reuse entirely, like a one-time pad. For more on this, see sections 6.2

/// and 7.8 of the [BLAKE3 paper](https://github.com/BLAKE3-team/BLAKE3-specs/blob/master/blake3.pdf).

///

/// Note that BLAKE3 is not a password hash, and **`derive_key` should never be

/// used with passwords.** Instead, use a dedicated password hash like

/// [Argon2]. Password hashes are entirely different from generic hash

/// functions, with opposite design requirements.

///

/// For an incremental version that accepts multiple writes, see [`Hasher::new_derive_key`],

/// [`Hasher::update`], and [`Hasher::finalize`]. These two statements are equivalent:

///

/// ```

/// # const CONTEXT: &str = "example.com 2019-12-25 16:18:03 session tokens v1";

/// let key = blake3::derive_key(CONTEXT, b"key material, not a password");

/// # let key1 = key;

///

/// let key: [u8; 32] = blake3::Hasher::new_derive_key(CONTEXT)

///     .update(b"key material, not a password")

///     .finalize()

///     .into();

/// # let key2 = key;

/// # assert_eq!(key1, key2);

/// ```

///

/// For output sizes other than 32 bytes, see [`Hasher::finalize_xof`], and [`OutputReader`].

///

/// This function is always single-threaded. For multithreading support, see

/// [`Hasher::update_rayon`](struct.Hasher.html#method.update_rayon).

///

/// [Argon2]: https://en.wikipedia.org/wiki/Argon2

pub fn derive_key(context: &str, key_material: &[u8]) -> [u8; OUT_LEN] {

    let context_key =

        hash_all_at_once::<join::SerialJoin>(context.as_bytes(), IV, DERIVE_KEY_CONTEXT)

            .root_hash();

    let context_key_words = platform::words_from_le_bytes_32(context_key.as_bytes());

    hash_all_at_once::<join::SerialJoin>(key_material, &context_key_words, DERIVE_KEY_MATERIAL)

        .root_hash()

        .0