| blob | 8e90f386afeaa34c7f2c01ad075314bbda67fc55 |
1 /*-
2 * Copyright 2005,2007,2009 Colin Percival
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 */
26 #include <sys/types.h>
28 #include <stdint.h>
29 #include <string.h>
31 #include <sys/endian.h>
37 {
44 }
48 {
55 }
57 /*
58 * Encode a length len/4 vector of (uint32_t) into a length len vector of
59 * (unsigned char) in big-endian form. Assumes len is a multiple of 4.
60 */
61 static void
63 {
68 }
70 /*
71 * Decode a big-endian length len vector of (unsigned char) into a length
72 * len/4 vector of (uint32_t). Assumes len is a multiple of 4.
73 */
74 static void
76 {
81 }
83 /* Elementary functions used by SHA256 */
84 #define Ch(x, y, z) ((x & (y ^ z)) ^ z)
85 #define Maj(x, y, z) ((x & (y | z)) | (y & z))
86 #define SHR(x, n) (x >> n)
87 #define ROTR(x, n) ((x >> n) | (x << (32 - n)))
88 #define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
89 #define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
90 #define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
91 #define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
93 /* SHA256 round function */
94 #define RND(a, b, c, d, e, f, g, h, k) \
95 t0 = h + S1(e) + Ch(e, f, g) + k; \
96 t1 = S0(a) + Maj(a, b, c); \
97 d += t0; \
98 h = t0 + t1;
100 /* Adjusted round function for rotating state */
101 #define RNDr(S, W, i, k) \
102 RND(S[(64 - i) % 8], S[(65 - i) % 8], \
103 S[(66 - i) % 8], S[(67 - i) % 8], \
104 S[(68 - i) % 8], S[(69 - i) % 8], \
105 S[(70 - i) % 8], S[(71 - i) % 8], \
106 W[i] + k)
108 /*
109 * SHA256 block compression function. The 256-bit state is transformed via
110 * the 512-bit input block to produce a new state.
111 */
112 static void
114 {
120 /* 1. Prepare message schedule W. */
125 /* 2. Initialize working variables. */
128 /* 3. Mix. */
194 /* 4. Mix local working variables into global state. */
198 /* Clean the stack. */
202 }
209 };
211 /* Add padding and terminating bit-count. */
212 static void
214 {
218 /*
219 * Convert length to a vector of bytes -- we do this now rather
220 * than later because the length will change after we pad.
221 */
224 /* Add 1--64 bytes so that the resulting length is 56 mod 64. */
229 /* Add the terminating bit-count. */
231 }
233 /* SHA-256 initialization. Begins a SHA-256 operation. */
234 void
236 {
238 /* Zero bits processed so far. */
241 /* Magic initialization constants. */
250 }
252 /* Add bytes into the hash. */
253 void
255 {
260 /* Number of bytes left in the buffer from previous updates. */
263 /* Convert the length into a number of bits. */
267 /* Update number of bits. */
272 /* Handle the case where we don't need to perform any transforms. */
276 }
278 /* Finish the current block. */
284 /* Perform complete blocks. */
289 }
291 /* Copy left over data into buffer. */
293 }
295 /*
296 * SHA-256 finalization. Pads the input data, exports the hash value,
297 * and clears the context state.
298 */
299 void
301 {
303 /* Add padding. */
306 /* Write the hash. */
309 /* Clear the context state. */
311 }
313 /* Initialize an HMAC-SHA256 operation with the given key. */
314 void
316 {
322 /* If Klen > 64, the key is really SHA256(K). */
329 }
331 /* Inner SHA256 operation is SHA256(K xor [block of 0x36] || data). */
338 /* Outer SHA256 operation is SHA256(K xor [block of 0x5c] || hash). */
345 /* Clean the stack. */
347 }
349 /* Add bytes to the HMAC-SHA256 operation. */
350 void
352 {
354 /* Feed data to the inner SHA256 operation. */
356 }
358 /* Finish an HMAC-SHA256 operation. */
359 void
361 {
364 /* Finish the inner SHA256 operation. */
367 /* Feed the inner hash to the outer SHA256 operation. */
370 /* Finish the outer SHA256 operation. */
373 /* Clean the stack. */
375 }
377 /**
378 * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
379 * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
380 * write the output to buf. The value dkLen must be at most 32 * (2^32 - 1).
381 */
382 void
385 {
395 /* Compute HMAC state after processing P and S. */
399 /* Iterate through the blocks. */
401 /* Generate INT(i + 1). */
404 /* Compute U_1 = PRF(P, S || INT(i)). */
409 /* T_i = U_1 ... */
413 /* Compute U_j. */
418 /* ... xor U_j ... */
421 }
423 /* Copy as many bytes as necessary into buf. */
428 }
430 /* Clean PShctx, since we never called _Final on it. */
432 }