[mirror_frr.git] / lib / sha256.c

/*-
 * Copyright 2005,2007,2009 Colin Percival
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <zebra.h>
#include "sha256.h"

#ifdef GNU_LINUX
static inline uint32_t
be32dec(const void *pp)
{
        const uint8_t *p = (uint8_t const *)pp;

        return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8) +
            ((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24));
}

static inline void
be32enc(void *pp, uint32_t x)
{
        uint8_t * p = (uint8_t *)pp;

        p[3] = x & 0xff;
        p[2] = (x >> 8) & 0xff;
        p[1] = (x >> 16) & 0xff;
        p[0] = (x >> 24) & 0xff;
}
#endif

/*
 * Encode a length len/4 vector of (uint32_t) into a length len vector of
 * (unsigned char) in big-endian form.  Assumes len is a multiple of 4.
 */
static void
be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len)
{
        size_t i;

        for (i = 0; i < len / 4; i++)
                be32enc(dst + i * 4, src[i]);
}

/*
 * Decode a big-endian length len vector of (unsigned char) into a length
 * len/4 vector of (uint32_t).  Assumes len is a multiple of 4.
 */
static void
be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len)
{
        size_t i;

        for (i = 0; i < len / 4; i++)
                dst[i] = be32dec(src + i * 4);
}

/* Elementary functions used by SHA256 */
#define Ch(x, y, z)     ((x & (y ^ z)) ^ z)
#define Maj(x, y, z)    ((x & (y | z)) | (y & z))
#define SHR(x, n)       (x >> n)
#define ROTR(x, n)      ((x >> n) | (x << (32 - n)))
#define S0(x)           (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
#define S1(x)           (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
#define s0(x)           (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
#define s1(x)           (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))

/* SHA256 round function */
#define RND(a, b, c, d, e, f, g, h, k)                  \
        t0 = h + S1(e) + Ch(e, f, g) + k;               \
        t1 = S0(a) + Maj(a, b, c);                      \
        d += t0;                                        \
        h  = t0 + t1;

/* Adjusted round function for rotating state */
#define RNDr(S, W, i, k)                        \
        RND(S[(64 - i) % 8], S[(65 - i) % 8],   \
            S[(66 - i) % 8], S[(67 - i) % 8],   \
            S[(68 - i) % 8], S[(69 - i) % 8],   \
            S[(70 - i) % 8], S[(71 - i) % 8],   \
            W[i] + k)

/*
 * SHA256 block compression function.  The 256-bit state is transformed via
 * the 512-bit input block to produce a new state.
 */
static void
SHA256_Transform(uint32_t * state, const unsigned char block[64])
{
        uint32_t W[64];
        uint32_t S[8];
        uint32_t t0, t1;
        int i;

        /* 1. Prepare message schedule W. */
        be32dec_vect(W, block, 64);
        for (i = 16; i < 64; i++)
                W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16];

        /* 2. Initialize working variables. */
        memcpy(S, state, 32);

        /* 3. Mix. */
        RNDr(S, W, 0, 0x428a2f98);
        RNDr(S, W, 1, 0x71374491);
        RNDr(S, W, 2, 0xb5c0fbcf);
        RNDr(S, W, 3, 0xe9b5dba5);
        RNDr(S, W, 4, 0x3956c25b);
        RNDr(S, W, 5, 0x59f111f1);
        RNDr(S, W, 6, 0x923f82a4);
        RNDr(S, W, 7, 0xab1c5ed5);
        RNDr(S, W, 8, 0xd807aa98);
        RNDr(S, W, 9, 0x12835b01);
        RNDr(S, W, 10, 0x243185be);
        RNDr(S, W, 11, 0x550c7dc3);
        RNDr(S, W, 12, 0x72be5d74);
        RNDr(S, W, 13, 0x80deb1fe);
        RNDr(S, W, 14, 0x9bdc06a7);
        RNDr(S, W, 15, 0xc19bf174);
        RNDr(S, W, 16, 0xe49b69c1);
        RNDr(S, W, 17, 0xefbe4786);
        RNDr(S, W, 18, 0x0fc19dc6);
        RNDr(S, W, 19, 0x240ca1cc);
        RNDr(S, W, 20, 0x2de92c6f);
        RNDr(S, W, 21, 0x4a7484aa);
        RNDr(S, W, 22, 0x5cb0a9dc);
        RNDr(S, W, 23, 0x76f988da);
        RNDr(S, W, 24, 0x983e5152);
        RNDr(S, W, 25, 0xa831c66d);
        RNDr(S, W, 26, 0xb00327c8);
        RNDr(S, W, 27, 0xbf597fc7);
        RNDr(S, W, 28, 0xc6e00bf3);
        RNDr(S, W, 29, 0xd5a79147);
        RNDr(S, W, 30, 0x06ca6351);
        RNDr(S, W, 31, 0x14292967);
        RNDr(S, W, 32, 0x27b70a85);
        RNDr(S, W, 33, 0x2e1b2138);
        RNDr(S, W, 34, 0x4d2c6dfc);
        RNDr(S, W, 35, 0x53380d13);
        RNDr(S, W, 36, 0x650a7354);
        RNDr(S, W, 37, 0x766a0abb);
        RNDr(S, W, 38, 0x81c2c92e);
        RNDr(S, W, 39, 0x92722c85);
        RNDr(S, W, 40, 0xa2bfe8a1);
        RNDr(S, W, 41, 0xa81a664b);
        RNDr(S, W, 42, 0xc24b8b70);
        RNDr(S, W, 43, 0xc76c51a3);
        RNDr(S, W, 44, 0xd192e819);
        RNDr(S, W, 45, 0xd6990624);
        RNDr(S, W, 46, 0xf40e3585);
        RNDr(S, W, 47, 0x106aa070);
        RNDr(S, W, 48, 0x19a4c116);
        RNDr(S, W, 49, 0x1e376c08);
        RNDr(S, W, 50, 0x2748774c);
        RNDr(S, W, 51, 0x34b0bcb5);
        RNDr(S, W, 52, 0x391c0cb3);
        RNDr(S, W, 53, 0x4ed8aa4a);
        RNDr(S, W, 54, 0x5b9cca4f);
        RNDr(S, W, 55, 0x682e6ff3);
        RNDr(S, W, 56, 0x748f82ee);
        RNDr(S, W, 57, 0x78a5636f);
        RNDr(S, W, 58, 0x84c87814);
        RNDr(S, W, 59, 0x8cc70208);
        RNDr(S, W, 60, 0x90befffa);
        RNDr(S, W, 61, 0xa4506ceb);
        RNDr(S, W, 62, 0xbef9a3f7);
        RNDr(S, W, 63, 0xc67178f2);

        /* 4. Mix local working variables into global state */
        for (i = 0; i < 8; i++)
                state[i] += S[i];

        /* Clean the stack. */
        memset(W, 0, 256);
        memset(S, 0, 32);
        t0 = t1 = 0;
}

static unsigned char PAD[64] = {
        0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Add padding and terminating bit-count. */
static void
SHA256_Pad(SHA256_CTX * ctx)
{
        unsigned char len[8];
        uint32_t r, plen;

        /*
         * Convert length to a vector of bytes -- we do this now rather
         * than later because the length will change after we pad.
         */
        be32enc_vect(len, ctx->count, 8);

        /* Add 1--64 bytes so that the resulting length is 56 mod 64 */
        r = (ctx->count[1] >> 3) & 0x3f;
        plen = (r < 56) ? (56 - r) : (120 - r);
        SHA256_Update(ctx, PAD, (size_t)plen);

        /* Add the terminating bit-count */
        SHA256_Update(ctx, len, 8);
}

/* SHA-256 initialization.  Begins a SHA-256 operation. */
void
SHA256_Init(SHA256_CTX * ctx)
{

        /* Zero bits processed so far */
        ctx->count[0] = ctx->count[1] = 0;

        /* Magic initialization constants */
        ctx->state[0] = 0x6A09E667;
        ctx->state[1] = 0xBB67AE85;
        ctx->state[2] = 0x3C6EF372;
        ctx->state[3] = 0xA54FF53A;
        ctx->state[4] = 0x510E527F;
        ctx->state[5] = 0x9B05688C;
        ctx->state[6] = 0x1F83D9AB;
        ctx->state[7] = 0x5BE0CD19;
}

/* Add bytes into the hash */
void
SHA256_Update(SHA256_CTX * ctx, const void *in, size_t len)
{
        uint32_t bitlen[2];
        uint32_t r;
        const unsigned char *src = in;

        /* Number of bytes left in the buffer from previous updates */
        r = (ctx->count[1] >> 3) & 0x3f;

        /* Convert the length into a number of bits */
        bitlen[1] = ((uint32_t)len) << 3;
        bitlen[0] = (uint32_t)(len >> 29);

        /* Update number of bits */
        if ((ctx->count[1] += bitlen[1]) < bitlen[1])
                ctx->count[0]++;
        ctx->count[0] += bitlen[0];

        /* Handle the case where we don't need to perform any transforms */
        if (len < 64 - r) {
                memcpy(&ctx->buf[r], src, len);
                return;
        }

        /* Finish the current block */
        memcpy(&ctx->buf[r], src, 64 - r);
        SHA256_Transform(ctx->state, ctx->buf);
        src += 64 - r;
        len -= 64 - r;

        /* Perform complete blocks */
        while (len >= 64) {
                SHA256_Transform(ctx->state, src);
                src += 64;
                len -= 64;
        }

        /* Copy left over data into buffer */
        memcpy(ctx->buf, src, len);
}

/*
 * SHA-256 finalization.  Pads the input data, exports the hash value,
 * and clears the context state.
 */
void
SHA256_Final(unsigned char digest[32], SHA256_CTX * ctx)
{

        /* Add padding */
        SHA256_Pad(ctx);

        /* Write the hash */
        be32enc_vect(digest, ctx->state, 32);

        /* Clear the context state */
        memset((void *)ctx, 0, sizeof(*ctx));
}

/* Initialize an HMAC-SHA256 operation with the given key. */
void
HMAC__SHA256_Init(HMAC_SHA256_CTX * ctx, const void * _K, size_t Klen)
{
        unsigned char pad[64];
        unsigned char khash[32];
        const unsigned char * K = _K;
        size_t i;

        /* If Klen > 64, the key is really SHA256(K). */
        if (Klen > 64) {
                SHA256_Init(&ctx->ictx);
                SHA256_Update(&ctx->ictx, K, Klen);
                SHA256_Final(khash, &ctx->ictx);
                K = khash;
                Klen = 32;
        }

        /* Inner SHA256 operation is SHA256(K xor [block of 0x36] || data). */
        SHA256_Init(&ctx->ictx);
        memset(pad, 0x36, 64);
        for (i = 0; i < Klen; i++)
                pad[i] ^= K[i];
        SHA256_Update(&ctx->ictx, pad, 64);

        /* Outer SHA256 operation is SHA256(K xor [block of 0x5c] || hash). */
        SHA256_Init(&ctx->octx);
        memset(pad, 0x5c, 64);
        for (i = 0; i < Klen; i++)
                pad[i] ^= K[i];
        SHA256_Update(&ctx->octx, pad, 64);

        /* Clean the stack. */
        memset(khash, 0, 32);
}

/* Add bytes to the HMAC-SHA256 operation. */
void
HMAC__SHA256_Update(HMAC_SHA256_CTX * ctx, const void *in, size_t len)
{

        /* Feed data to the inner SHA256 operation. */
        SHA256_Update(&ctx->ictx, in, len);
}

/* Finish an HMAC-SHA256 operation. */
void
HMAC__SHA256_Final(unsigned char digest[32], HMAC_SHA256_CTX * ctx)
{
        unsigned char ihash[32];

        /* Finish the inner SHA256 operation. */
        SHA256_Final(ihash, &ctx->ictx);

        /* Feed the inner hash to the outer SHA256 operation. */
        SHA256_Update(&ctx->octx, ihash, 32);

        /* Finish the outer SHA256 operation. */
        SHA256_Final(digest, &ctx->octx);

        /* Clean the stack. */
        memset(ihash, 0, 32);
}

/**
 * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
 * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
 * write the output to buf.  The value dkLen must be at most 32 * (2^32 - 1).
 */
void
PBKDF2_SHA256(const uint8_t * passwd, size_t passwdlen, const uint8_t * salt,
    size_t saltlen, uint64_t c, uint8_t * buf, size_t dkLen)
{
        HMAC_SHA256_CTX PShctx, hctx;
        size_t i;
        uint8_t ivec[4];
        uint8_t U[32];
        uint8_t T[32];
        uint64_t j;
        int k;
        size_t clen;

        /* Compute HMAC state after processing P and S. */
        HMAC__SHA256_Init(&PShctx, passwd, passwdlen);
        HMAC__SHA256_Update(&PShctx, salt, saltlen);

        /* Iterate through the blocks. */
        for (i = 0; i * 32 < dkLen; i++) {
                /* Generate INT(i + 1). */
                be32enc(ivec, (uint32_t)(i + 1));

                /* Compute U_1 = PRF(P, S || INT(i)). */
                memcpy(&hctx, &PShctx, sizeof(HMAC_SHA256_CTX));
                HMAC__SHA256_Update(&hctx, ivec, 4);
                HMAC__SHA256_Final(U, &hctx);

                /* T_i = U_1 ... */
                memcpy(T, U, 32);

                for (j = 2; j <= c; j++) {
                        /* Compute U_j. */
                        HMAC__SHA256_Init(&hctx, passwd, passwdlen);
                        HMAC__SHA256_Update(&hctx, U, 32);
                        HMAC__SHA256_Final(U, &hctx);

                        /* ... xor U_j ... */
                        for (k = 0; k < 32; k++)
                                T[k] ^= U[k];
                }

                /* Copy as many bytes as necessary into buf. */
                clen = dkLen - i * 32;
                if (clen > 32)
                        clen = 32;
                memcpy(&buf[i * 32], T, clen);
        }

        /* Clean PShctx, since we never called _Final on it. */
        memset(&PShctx, 0, sizeof(HMAC_SHA256_CTX));
}
Commit	Line	Data
7f57883e DS	1	/*-
	2	* Copyright 2005,2007,2009 Colin Percival
	3	* All rights reserved.
	4	*
	5	* Redistribution and use in source and binary forms, with or without
	6	* modification, are permitted provided that the following conditions
	7	* are met:
	8	* 1. Redistributions of source code must retain the above copyright
	9	* notice, this list of conditions and the following disclaimer.
	10	* 2. Redistributions in binary form must reproduce the above copyright
	11	* notice, this list of conditions and the following disclaimer in the
	12	* documentation and/or other materials provided with the distribution.
	13	*
	14	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
	15	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	16	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	17	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
	18	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	19	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	20	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	21	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	22	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	23	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	24	* SUCH DAMAGE.
	25	*/
	26
	27	#include <zebra.h>
	28	#include "sha256.h"
	29
4f13df62	30	#ifdef GNU_LINUX
7f57883e DS	31	static inline uint32_t
	32	be32dec(const void *pp)
	33	{
	34	const uint8_t p = (uint8_t const )pp;
	35
	36	return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8) +
	37	((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24));
	38	}
	39
	40	static inline void
	41	be32enc(void *pp, uint32_t x)
	42	{
	43	uint8_t * p = (uint8_t *)pp;
	44
	45	p[3] = x & 0xff;
	46	p[2] = (x >> 8) & 0xff;
	47	p[1] = (x >> 16) & 0xff;
	48	p[0] = (x >> 24) & 0xff;
	49	}
4f13df62	50	#endif
7f57883e DS	51
	52	/*
	53	* Encode a length len/4 vector of (uint32_t) into a length len vector of
	54	* (unsigned char) in big-endian form. Assumes len is a multiple of 4.
	55	*/
	56	static void
	57	be32enc_vect(unsigned char dst, const uint32_t src, size_t len)
	58	{
	59	size_t i;
	60
	61	for (i = 0; i < len / 4; i++)
	62	be32enc(dst + i * 4, src[i]);
	63	}
	64
	65	/*
	66	* Decode a big-endian length len vector of (unsigned char) into a length
	67	* len/4 vector of (uint32_t). Assumes len is a multiple of 4.
	68	*/
	69	static void
	70	be32dec_vect(uint32_t dst, const unsigned char src, size_t len)
	71	{
	72	size_t i;
	73
	74	for (i = 0; i < len / 4; i++)
	75	dst[i] = be32dec(src + i * 4);
	76	}
	77
	78	/* Elementary functions used by SHA256 */
	79	#define Ch(x, y, z) ((x & (y ^ z)) ^ z)
	80	#define Maj(x, y, z) ((x & (y \| z)) \| (y & z))
	81	#define SHR(x, n) (x >> n)
	82	#define ROTR(x, n) ((x >> n) \| (x << (32 - n)))
	83	#define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
	84	#define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
	85	#define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
	86	#define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
	87
	88	/* SHA256 round function */
	89	#define RND(a, b, c, d, e, f, g, h, k) \
	90	t0 = h + S1(e) + Ch(e, f, g) + k; \
	91	t1 = S0(a) + Maj(a, b, c); \
	92	d += t0; \
	93	h = t0 + t1;
	94
	95	/* Adjusted round function for rotating state */
	96	#define RNDr(S, W, i, k) \
	97	RND(S[(64 - i) % 8], S[(65 - i) % 8], \
	98	S[(66 - i) % 8], S[(67 - i) % 8], \
	99	S[(68 - i) % 8], S[(69 - i) % 8], \
	100	S[(70 - i) % 8], S[(71 - i) % 8], \
	101	W[i] + k)
	102
	103	/*
	104	* SHA256 block compression function. The 256-bit state is transformed via
	105	* the 512-bit input block to produce a new state.
	106	*/
	107	static void
	108	SHA256_Transform(uint32_t * state, const unsigned char block[64])
	109	{
	110	uint32_t W[64];
	111	uint32_t S[8];
	112	uint32_t t0, t1;
	113	int i;
	114
115	/* 1. Prepare message schedule W. */
116	be32dec_vect(W, block, 64);
117	for (i = 16; i < 64; i++)
118	W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16];
119
120	/* 2. Initialize working variables. */
121	memcpy(S, state, 32);
122
123	/* 3. Mix. */
124	RNDr(S, W, 0, 0x428a2f98);
125	RNDr(S, W, 1, 0x71374491);
126	RNDr(S, W, 2, 0xb5c0fbcf);
127	RNDr(S, W, 3, 0xe9b5dba5);
128	RNDr(S, W, 4, 0x3956c25b);
129	RNDr(S, W, 5, 0x59f111f1);
130	RNDr(S, W, 6, 0x923f82a4);
131	RNDr(S, W, 7, 0xab1c5ed5);
132	RNDr(S, W, 8, 0xd807aa98);
133	RNDr(S, W, 9, 0x12835b01);
134	RNDr(S, W, 10, 0x243185be);
135	RNDr(S, W, 11, 0x550c7dc3);
136	RNDr(S, W, 12, 0x72be5d74);
137	RNDr(S, W, 13, 0x80deb1fe);
138	RNDr(S, W, 14, 0x9bdc06a7);
139	RNDr(S, W, 15, 0xc19bf174);
140	RNDr(S, W, 16, 0xe49b69c1);
141	RNDr(S, W, 17, 0xefbe4786);
142	RNDr(S, W, 18, 0x0fc19dc6);
143	RNDr(S, W, 19, 0x240ca1cc);
144	RNDr(S, W, 20, 0x2de92c6f);
145	RNDr(S, W, 21, 0x4a7484aa);
146	RNDr(S, W, 22, 0x5cb0a9dc);
147	RNDr(S, W, 23, 0x76f988da);
148	RNDr(S, W, 24, 0x983e5152);
149	RNDr(S, W, 25, 0xa831c66d);
150	RNDr(S, W, 26, 0xb00327c8);
151	RNDr(S, W, 27, 0xbf597fc7);
152	RNDr(S, W, 28, 0xc6e00bf3);
153	RNDr(S, W, 29, 0xd5a79147);
154	RNDr(S, W, 30, 0x06ca6351);
155	RNDr(S, W, 31, 0x14292967);
156	RNDr(S, W, 32, 0x27b70a85);
157	RNDr(S, W, 33, 0x2e1b2138);
158	RNDr(S, W, 34, 0x4d2c6dfc);
159	RNDr(S, W, 35, 0x53380d13);
160	RNDr(S, W, 36, 0x650a7354);
161	RNDr(S, W, 37, 0x766a0abb);
162	RNDr(S, W, 38, 0x81c2c92e);
163	RNDr(S, W, 39, 0x92722c85);
164	RNDr(S, W, 40, 0xa2bfe8a1);
165	RNDr(S, W, 41, 0xa81a664b);
166	RNDr(S, W, 42, 0xc24b8b70);
167	RNDr(S, W, 43, 0xc76c51a3);
168	RNDr(S, W, 44, 0xd192e819);
169	RNDr(S, W, 45, 0xd6990624);
170	RNDr(S, W, 46, 0xf40e3585);
171	RNDr(S, W, 47, 0x106aa070);
172	RNDr(S, W, 48, 0x19a4c116);
173	RNDr(S, W, 49, 0x1e376c08);
174	RNDr(S, W, 50, 0x2748774c);
175	RNDr(S, W, 51, 0x34b0bcb5);
176	RNDr(S, W, 52, 0x391c0cb3);
177	RNDr(S, W, 53, 0x4ed8aa4a);
178	RNDr(S, W, 54, 0x5b9cca4f);
179	RNDr(S, W, 55, 0x682e6ff3);
180	RNDr(S, W, 56, 0x748f82ee);
181	RNDr(S, W, 57, 0x78a5636f);
182	RNDr(S, W, 58, 0x84c87814);
183	RNDr(S, W, 59, 0x8cc70208);
184	RNDr(S, W, 60, 0x90befffa);
185	RNDr(S, W, 61, 0xa4506ceb);
186	RNDr(S, W, 62, 0xbef9a3f7);
187	RNDr(S, W, 63, 0xc67178f2);
188
189	/* 4. Mix local working variables into global state */
190	for (i = 0; i < 8; i++)
191	state[i] += S[i];
192
193	/* Clean the stack. */
194	memset(W, 0, 256);
195	memset(S, 0, 32);
196	t0 = t1 = 0;
197	}
198
199	static unsigned char PAD[64] = {
200	0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
201	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
202	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
203	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
204	};
205
206	/* Add padding and terminating bit-count. */
207	static void
208	SHA256_Pad(SHA256_CTX * ctx)
209	{
210	unsigned char len[8];
211	uint32_t r, plen;
212
213	/*
214	* Convert length to a vector of bytes -- we do this now rather
215	* than later because the length will change after we pad.
216	*/
217	be32enc_vect(len, ctx->count, 8);
218
219	/* Add 1--64 bytes so that the resulting length is 56 mod 64 */
220	r = (ctx->count[1] >> 3) & 0x3f;
221	plen = (r < 56) ? (56 - r) : (120 - r);
222	SHA256_Update(ctx, PAD, (size_t)plen);
223
224	/* Add the terminating bit-count */
225	SHA256_Update(ctx, len, 8);
226	}
227
228	/* SHA-256 initialization. Begins a SHA-256 operation. */
229	void
230	SHA256_Init(SHA256_CTX * ctx)
231	{
232
233	/* Zero bits processed so far */
234	ctx->count[0] = ctx->count[1] = 0;
235
236	/* Magic initialization constants */
237	ctx->state[0] = 0x6A09E667;
238	ctx->state[1] = 0xBB67AE85;
239	ctx->state[2] = 0x3C6EF372;
240	ctx->state[3] = 0xA54FF53A;
241	ctx->state[4] = 0x510E527F;
242	ctx->state[5] = 0x9B05688C;
243	ctx->state[6] = 0x1F83D9AB;
244	ctx->state[7] = 0x5BE0CD19;
245	}
246
247	/* Add bytes into the hash */
248	void
249	SHA256_Update(SHA256_CTX * ctx, const void *in, size_t len)
250	{
251	uint32_t bitlen[2];
252	uint32_t r;
253	const unsigned char *src = in;
254
255	/* Number of bytes left in the buffer from previous updates */
256	r = (ctx->count[1] >> 3) & 0x3f;
257
258	/* Convert the length into a number of bits */
259	bitlen[1] = ((uint32_t)len) << 3;
260	bitlen[0] = (uint32_t)(len >> 29);
261
262	/* Update number of bits */
263	if ((ctx->count[1] += bitlen[1]) < bitlen[1])
264	ctx->count[0]++;
265	ctx->count[0] += bitlen[0];
266
267	/* Handle the case where we don't need to perform any transforms */
268	if (len < 64 - r) {
269	memcpy(&ctx->buf[r], src, len);
270	return;
271	}
272
273	/* Finish the current block */
274	memcpy(&ctx->buf[r], src, 64 - r);
275	SHA256_Transform(ctx->state, ctx->buf);
276	src += 64 - r;
277	len -= 64 - r;
278
279	/* Perform complete blocks */
280	while (len >= 64) {
281	SHA256_Transform(ctx->state, src);
282	src += 64;
283	len -= 64;
284	}
285
286	/* Copy left over data into buffer */
287	memcpy(ctx->buf, src, len);
288	}
289
290	/*
291	* SHA-256 finalization. Pads the input data, exports the hash value,
292	* and clears the context state.
293	*/
294	void
295	SHA256_Final(unsigned char digest[32], SHA256_CTX * ctx)
296	{
297
298	/* Add padding */
299	SHA256_Pad(ctx);
300
301	/* Write the hash */
302	be32enc_vect(digest, ctx->state, 32);
303
304	/* Clear the context state */
305	memset((void )ctx, 0, sizeof(ctx));
306	}
307
308	/* Initialize an HMAC-SHA256 operation with the given key. */
309	void
310	HMAC__SHA256_Init(HMAC_SHA256_CTX * ctx, const void * _K, size_t Klen)
311	{
312	unsigned char pad[64];
313	unsigned char khash[32];
314	const unsigned char * K = _K;
315	size_t i;
316
317	/* If Klen > 64, the key is really SHA256(K). */
318	if (Klen > 64) {
319	SHA256_Init(&ctx->ictx);
320	SHA256_Update(&ctx->ictx, K, Klen);
321	SHA256_Final(khash, &ctx->ictx);
322	K = khash;
323	Klen = 32;
324	}
325
326	/* Inner SHA256 operation is SHA256(K xor [block of 0x36] \|\| data). */
327	SHA256_Init(&ctx->ictx);
328	memset(pad, 0x36, 64);
329	for (i = 0; i < Klen; i++)
330	pad[i] ^= K[i];
331	SHA256_Update(&ctx->ictx, pad, 64);
332
333	/* Outer SHA256 operation is SHA256(K xor [block of 0x5c] \|\| hash). */
334	SHA256_Init(&ctx->octx);
335	memset(pad, 0x5c, 64);
336	for (i = 0; i < Klen; i++)
337	pad[i] ^= K[i];
338	SHA256_Update(&ctx->octx, pad, 64);
339
340	/* Clean the stack. */
341	memset(khash, 0, 32);
342	}
343
344	/* Add bytes to the HMAC-SHA256 operation. */
345	void
346	HMAC__SHA256_Update(HMAC_SHA256_CTX * ctx, const void *in, size_t len)
347	{
348
349	/* Feed data to the inner SHA256 operation. */
350	SHA256_Update(&ctx->ictx, in, len);
351	}
352
353	/* Finish an HMAC-SHA256 operation. */
354	void
355	HMAC__SHA256_Final(unsigned char digest[32], HMAC_SHA256_CTX * ctx)
356	{
357	unsigned char ihash[32];
358
359	/* Finish the inner SHA256 operation. */
360	SHA256_Final(ihash, &ctx->ictx);
361
362	/* Feed the inner hash to the outer SHA256 operation. */
363	SHA256_Update(&ctx->octx, ihash, 32);
364
365	/* Finish the outer SHA256 operation. */
366	SHA256_Final(digest, &ctx->octx);
367
368	/* Clean the stack. */
369	memset(ihash, 0, 32);
370	}
371
372	/**
373	* PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
374	* Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
375	* write the output to buf. The value dkLen must be at most 32 * (2^32 - 1).
376	*/
377	void
378	PBKDF2_SHA256(const uint8_t * passwd, size_t passwdlen, const uint8_t * salt,
379	size_t saltlen, uint64_t c, uint8_t * buf, size_t dkLen)
380	{
381	HMAC_SHA256_CTX PShctx, hctx;
382	size_t i;
383	uint8_t ivec[4];
384	uint8_t U[32];
385	uint8_t T[32];
386	uint64_t j;
387	int k;
388	size_t clen;
389
390	/* Compute HMAC state after processing P and S. */
391	HMAC__SHA256_Init(&PShctx, passwd, passwdlen);
392	HMAC__SHA256_Update(&PShctx, salt, saltlen);
393
394	/* Iterate through the blocks. */
395	for (i = 0; i * 32 < dkLen; i++) {
396	/* Generate INT(i + 1). */
397	be32enc(ivec, (uint32_t)(i + 1));
398
399	/* Compute U_1 = PRF(P, S \|\| INT(i)). */
400	memcpy(&hctx, &PShctx, sizeof(HMAC_SHA256_CTX));
401	HMAC__SHA256_Update(&hctx, ivec, 4);
402	HMAC__SHA256_Final(U, &hctx);
403
404	/* T_i = U_1 ... */
405	memcpy(T, U, 32);
406
407	for (j = 2; j <= c; j++) {
408	/* Compute U_j. */
409	HMAC__SHA256_Init(&hctx, passwd, passwdlen);
410	HMAC__SHA256_Update(&hctx, U, 32);
411	HMAC__SHA256_Final(U, &hctx);
412
413	/* ... xor U_j ... */
414	for (k = 0; k < 32; k++)
415	T[k] ^= U[k];
416	}
417
418	/* Copy as many bytes as necessary into buf. */
419	clen = dkLen - i * 32;
420	if (clen > 32)
421	clen = 32;
422	memcpy(&buf[i * 32], T, clen);
423	}
424
425	/* Clean PShctx, since we never called _Final on it. */
426	memset(&PShctx, 0, sizeof(HMAC_SHA256_CTX));
427	}