kmaragon / Konscious.Security.Cryptography

MIT License

Blake2 hashes are incorrect when message size is an even multiple of block size #23

Closed saucecontrol closed 6 years ago

saucecontrol commented 6 years ago

Howdy,

I was just doing some evaluation/benchmarking of the Blake2 implementations available on Nuget, and I noticed yours has a fairly serious bug in it. It appears your implementation eagerly processes every full block, whereas the Blake2 spec delays the processing of each block until it is known whether that block is the last. This is most easily seen with an empty message and a key. The key is padded out to fill the first block, and since the message is empty, the key block becomes the final block. In your implementation, the key block is processed, and then a second 0-filled block is processed to finalize the hash.

For example, the hash for key="abc" msg=null should be 91CC35FC51CE734EAE9E57A20725D68062B0BD6DE1965A4B5DC5EB4D60402D02D00B5079B0907775E317FD84A149634253C9D1FD01819E202729AFFBF47B00E5.

Your implementation returns 03F6D1846F629A5C3CAB19CA9672EA9E5F0742C73867564EAD0F61AF9CA0195342FD1E325046D79AD0DB2557035E9FF03EF8C2FC116F0FAF100DAD4C0A5847A0

The same bug manifests in any message with a length that is an even multiple of the block size.
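The block handling described in this report, as an added example that is not code from Konscious.Security.Cryptography or from the reporter: a compact BLAKE2b (RFC 7693, 64-byte digest) with an `eager` switch that models the reported behaviour, compared against Python's `hashlib.blake2b`. The function names and the counter value used on the `eager` path are assumptions made for this illustration.

```python
import hashlib, struct

M64 = (1 << 64) - 1
IV = [0x6a09e667f3bcc908, 0xbb67ae8584caa73b, 0x3c6ef372fe94f82b, 0xa54ff53a5f1d36f1,
      0x510e527fade682d1, 0x9b05688c2b3e6c1f, 0x1f83d9abfb41bd6b, 0x5be0cd19137e2179]
# Message-word schedule from RFC 7693, one hex digit per index.
SIGMA = [[int(c, 16) for c in row] for row in (
    "0123456789abcdef ea489fd61c02b753 b8c052fdae367194 7931dcbe265a40f8 "
    "905724afe1bc683d 2c6a0b834d75fe19 c51fed4a0763928b db7ec13950f4862a "
    "6fe9b308c2d714a5 a2847615fb9e3cd0").split()]
LANES = [(0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
         (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)]

def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & M64

def compress(h, block, t, final):
    """BLAKE2b compression F: t = bytes hashed so far, final = last-block flag."""
    m = struct.unpack("<16Q", block)
    v = h + IV
    v[12] ^= t & M64
    v[13] ^= t >> 64
    if final:
        v[14] ^= M64
    for r in range(12):
        s = SIGMA[r % 10]
        for i, (a, b, c, d) in enumerate(LANES):
            for word, r1, r2 in ((m[s[2 * i]], 32, 24), (m[s[2 * i + 1]], 16, 63)):
                v[a] = (v[a] + v[b] + word) & M64
                v[d] = rotr(v[d] ^ v[a], r1)
                v[c] = (v[c] + v[d]) & M64
                v[b] = rotr(v[b] ^ v[c], r2)
    return [h[i] ^ v[i] ^ v[i + 8] for i in range(8)]

def blake2b(msg, key=b"", eager=False):
    h = [IV[0] ^ 0x01010000 ^ (len(key) << 8) ^ 64] + IV[1:]
    data = (key.ljust(128, b"\0") if key else b"") + msg
    # Correct: hold back the last block, even a full one. Eager: flush every full block.
    split = len(data) // 128 * 128 if eager else max(0, (len(data) - 1) // 128 * 128)
    for off in range(0, split, 128):
        h = compress(h, data[off:off + 128], off + 128, False)
    # Eager leaves an empty tail after a full block, so a zero-filled block gets finalized.
    h = compress(h, data[split:].ljust(128, b"\0"), len(data), True)
    return struct.pack("<8Q", *h)

def agrees_with_hashlib(msg, key=b"", eager=False):
    return blake2b(msg, key, eager) == hashlib.blake2b(msg, key=key).digest()
```

A regression test for this class of bug needs inputs whose padded length is an exact multiple of 128 bytes, including the empty message with a key; other lengths pass under both strategies.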

kmaragon commented 6 years ago

Wow. This is a great find. I'll try to spin up my environment this weekend and take care of that!

kmaragon commented 6 years ago

As this issue reflects, I finally had the time (or more realistically decided it's been long enough that I was willing to give up a night of sleep to fix it). I'll be pushing v 1.0.7 of the package with the fix. Once that's pushed to nuget, I'll close this issue. Feel free to re-open if the issue isn't fixed by that package.

kmaragon commented 6 years ago

https://www.nuget.org/packages/Konscious.Security.Cryptography.Blake2/1.0.7 should have this fix. Thanks for reporting it with the specific example that I could build a test against.