proposal: x/crypto/blake2b: Make blake2b compatible with crypto/hmac #21644
Comments
hmac.New takes a /cc @aead |
HMAC-BLAKE2 does not make a lot of sense since BLAKE2 can be used itself as a keyed MAC, but I agree that I wish we called the keyed options
👍 ? |
I would agree with @FiloSottile, BLAKE2 combined with HMAC doesn't make much sense - as far as I can see... However, if someone wants to use BLAKE2 as a hash function for the HMAC construction I would prefer something like this (works only with 1.9):
over adding new functions to the blake2(b/s) packages. They already contain a lot of exported functions and with |
Forcing the indirection through package crypto is a bit odd. Do any real-world protocols use HMAC-BLAKE2? Maybe we don't need to do this? |
I'm not aware of any protocols using HMAC-BLAKE2. I agree that the indirection is a bit odd compared to code using HMAC-SHA2. On the other hand BLAKE2 can be used as a MAC directly. However, the usage of BLAKE2 as a hash function is a bit different because of the error handling:
Of course |
It sounds like there are thorny API issues here and on top of that "BLAKE2 combined with HMAC doesn't make much sense". And we know of no protocols that actually need HMAC-BLAKE2. So the fact that it's hard to do (well, a few lines of code) seems OK. |
hmac.New() requires a function[1] that returns hash.Hash, which is what sha1, sha256, sha512 do, but this thing changes with blake2b as it returns an error along with hash.Hash[2], which makes it incompatible with hmac.New().
Creating a hmac now with blake2b requires manual intervention, it would be nice to support hmac out of the box. I don't know how this could be done without breaking the existing API, as I think just not returning an error on blake2b functions would do the job. I don't know why blake2b alone returns an error while SHAs don't.
Please advise.
Thanks.
// func New(h func() hash.Hash, key []byte) hash.Hash
[1] https://golang.org/pkg/crypto/hmac/#New
// func New512(key []byte) (hash.Hash, error)
[2] https://godoc.org/golang.org/x/crypto/blake2b#New512
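The "few lines of code" the thread refers to, as an added example that is not from the issue or the Go project: an adapter from the `(hash.Hash, error)` constructor shape to the `func() hash.Hash` that `hmac.New` takes. `keyedCtor`, `standIn512`, `unkeyed` and `macTag` are hypothetical names, and `standIn512` is a constructed stand-in with the signature of `blake2b.New512` so the block runs on the standard library alone; with golang.org/x/crypto available, pass `blake2b.New512` instead.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha512"
	"fmt"
	"hash"
)

// keyedCtor has the shape of blake2b.New512 as quoted in the issue.
type keyedCtor func(key []byte) (hash.Hash, error)

// standIn512 is a constructed stand-in for blake2b.New512 (SHA-512 inside, keyed mode not modelled).
func standIn512(key []byte) (hash.Hash, error) {
	if len(key) != 0 {
		return nil, fmt.Errorf("stand-in: keyed mode not modelled")
	}
	return sha512.New(), nil
}

// unkeyed adapts ctor to the func() hash.Hash that hmac.New takes. It probes
// ctor(nil) once so a failure is returned here, not raised inside hmac.New.
func unkeyed(ctor keyedCtor) (func() hash.Hash, error) {
	if _, err := ctor(nil); err != nil {
		return nil, fmt.Errorf("unkeyed constructor: %w", err)
	}
	return func() hash.Hash {
		h, err := ctor(nil) // fresh state on every call; hmac.New asks for two
		if err != nil {
			panic(err) // only reachable if ctor stops accepting a nil key
		}
		return h
	}, nil
}

// macTag returns the HMAC of msg under key, using the adapted hash.
func macTag(ctor keyedCtor, key, msg []byte) ([]byte, error) {
	newHash, err := unkeyed(ctor)
	if err != nil {
		return nil, err
	}
	m := hmac.New(newHash, key)
	m.Write(msg)
	return m.Sum(nil), nil
}

func main() {
	tag, err := macTag(standIn512, []byte("constructed key"), []byte("constructed message"))
	fmt.Printf("%x %v\n", tag, err)
}
```

When checking a received tag against the result of `macTag`, compare with `hmac.Equal`, which runs in constant time, rather than `bytes.Equal`.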