[mirror_frr.git] / lib / sha256.c

// SPDX-License-Identifier: BSD-2-Clause
/*-
 * Copyright 2005,2007,2009 Colin Percival
 * All rights reserved.
 */

#include <zebra.h>
#include "sha256.h"

#if !HAVE_DECL_BE32DEC
static inline uint32_t be32dec(const void *pp)
{
	const uint8_t *p = (uint8_t const *)pp;

	return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8)
		+ ((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24));
}
#endif

#if !HAVE_DECL_BE32ENC
static inline void be32enc(void *pp, uint32_t x)
{
	uint8_t *p = (uint8_t *)pp;

	p[3] = x & 0xff;
	p[2] = (x >> 8) & 0xff;
	p[1] = (x >> 16) & 0xff;
	p[0] = (x >> 24) & 0xff;
}
#endif

/*
 * Encode a length len/4 vector of (uint32_t) into a length len vector of
 * (unsigned char) in big-endian form.  Assumes len is a multiple of 4.
 */
static void be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len)
{
	size_t i;

	for (i = 0; i < len / 4; i++)
		be32enc(dst + i * 4, src[i]);
}

/*
 * Decode a big-endian length len vector of (unsigned char) into a length
 * len/4 vector of (uint32_t).  Assumes len is a multiple of 4.
 */
static void be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len)
{
	size_t i;

	for (i = 0; i < len / 4; i++)
		dst[i] = be32dec(src + i * 4);
}

/* Elementary functions used by SHA256 */
#define Ch(x, y, z)     ((x & (y ^ z)) ^ z)
#define Maj(x, y, z)    ((x & (y | z)) | (y & z))
#define SHR(x, n)       (x >> n)
#define ROTR(x, n)      ((x >> n) | (x << (32 - n)))
#define S0(x)           (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
#define S1(x)           (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
#define s0(x)           (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
#define s1(x)           (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))

/* SHA256 round function */
#define RND(a, b, c, d, e, f, g, h, k)                                         \
	t0 = h + S1(e) + Ch(e, f, g) + k;                                      \
	t1 = S0(a) + Maj(a, b, c);                                             \
	d += t0;                                                               \
	h = t0 + t1;

/* Adjusted round function for rotating state */
#define RNDr(S, W, i, k)                                                       \
	RND(S[(64 - i) % 8], S[(65 - i) % 8], S[(66 - i) % 8],                 \
	    S[(67 - i) % 8], S[(68 - i) % 8], S[(69 - i) % 8],                 \
	    S[(70 - i) % 8], S[(71 - i) % 8], W[i] + k)

/*
 * SHA256 block compression function.  The 256-bit state is transformed via
 * the 512-bit input block to produce a new state.
 */
static void SHA256_Transform(uint32_t *state, const unsigned char block[64])
{
	uint32_t W[64];
	uint32_t S[8];
	uint32_t t0, t1;
	int i;

	/* 1. Prepare message schedule W. */
	be32dec_vect(W, block, 64);
	for (i = 16; i < 64; i++)
		W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16];

	/* 2. Initialize working variables. */
	memcpy(S, state, 32);

	/* 3. Mix. */
	RNDr(S, W, 0, 0x428a2f98);
	RNDr(S, W, 1, 0x71374491);
	RNDr(S, W, 2, 0xb5c0fbcf);
	RNDr(S, W, 3, 0xe9b5dba5);
	RNDr(S, W, 4, 0x3956c25b);
	RNDr(S, W, 5, 0x59f111f1);
	RNDr(S, W, 6, 0x923f82a4);
	RNDr(S, W, 7, 0xab1c5ed5);
	RNDr(S, W, 8, 0xd807aa98);
	RNDr(S, W, 9, 0x12835b01);
	RNDr(S, W, 10, 0x243185be);
	RNDr(S, W, 11, 0x550c7dc3);
	RNDr(S, W, 12, 0x72be5d74);
	RNDr(S, W, 13, 0x80deb1fe);
	RNDr(S, W, 14, 0x9bdc06a7);
	RNDr(S, W, 15, 0xc19bf174);
	RNDr(S, W, 16, 0xe49b69c1);
	RNDr(S, W, 17, 0xefbe4786);
	RNDr(S, W, 18, 0x0fc19dc6);
	RNDr(S, W, 19, 0x240ca1cc);
	RNDr(S, W, 20, 0x2de92c6f);
	RNDr(S, W, 21, 0x4a7484aa);
	RNDr(S, W, 22, 0x5cb0a9dc);
	RNDr(S, W, 23, 0x76f988da);
	RNDr(S, W, 24, 0x983e5152);
	RNDr(S, W, 25, 0xa831c66d);
	RNDr(S, W, 26, 0xb00327c8);
	RNDr(S, W, 27, 0xbf597fc7);
	RNDr(S, W, 28, 0xc6e00bf3);
	RNDr(S, W, 29, 0xd5a79147);
	RNDr(S, W, 30, 0x06ca6351);
	RNDr(S, W, 31, 0x14292967);
	RNDr(S, W, 32, 0x27b70a85);
	RNDr(S, W, 33, 0x2e1b2138);
	RNDr(S, W, 34, 0x4d2c6dfc);
	RNDr(S, W, 35, 0x53380d13);
	RNDr(S, W, 36, 0x650a7354);
	RNDr(S, W, 37, 0x766a0abb);
	RNDr(S, W, 38, 0x81c2c92e);
	RNDr(S, W, 39, 0x92722c85);
	RNDr(S, W, 40, 0xa2bfe8a1);
	RNDr(S, W, 41, 0xa81a664b);
	RNDr(S, W, 42, 0xc24b8b70);
	RNDr(S, W, 43, 0xc76c51a3);
	RNDr(S, W, 44, 0xd192e819);
	RNDr(S, W, 45, 0xd6990624);
	RNDr(S, W, 46, 0xf40e3585);
	RNDr(S, W, 47, 0x106aa070);
	RNDr(S, W, 48, 0x19a4c116);
	RNDr(S, W, 49, 0x1e376c08);
	RNDr(S, W, 50, 0x2748774c);
	RNDr(S, W, 51, 0x34b0bcb5);
	RNDr(S, W, 52, 0x391c0cb3);
	RNDr(S, W, 53, 0x4ed8aa4a);
	RNDr(S, W, 54, 0x5b9cca4f);
	RNDr(S, W, 55, 0x682e6ff3);
	RNDr(S, W, 56, 0x748f82ee);
	RNDr(S, W, 57, 0x78a5636f);
	RNDr(S, W, 58, 0x84c87814);
	RNDr(S, W, 59, 0x8cc70208);
	RNDr(S, W, 60, 0x90befffa);
	RNDr(S, W, 61, 0xa4506ceb);
	RNDr(S, W, 62, 0xbef9a3f7);
	RNDr(S, W, 63, 0xc67178f2);

	/* 4. Mix local working variables into global state */
	for (i = 0; i < 8; i++)
		state[i] += S[i];

	/* Clean the stack. */
	explicit_bzero(W, 256);
	explicit_bzero(S, 32);
	explicit_bzero(&t0, sizeof(t0));
	explicit_bzero(&t1, sizeof(t0));
}

static unsigned char PAD[64] = {
	0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	0,    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	0,    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};

/* Add padding and terminating bit-count. */
static void SHA256_Pad(SHA256_CTX *ctx)
{
	unsigned char len[8];
	uint32_t r, plen;

	/*
	 * Convert length to a vector of bytes -- we do this now rather
	 * than later because the length will change after we pad.
	 */
	be32enc_vect(len, ctx->count, 8);

	/* Add 1--64 bytes so that the resulting length is 56 mod 64 */
	r = (ctx->count[1] >> 3) & 0x3f;
	plen = (r < 56) ? (56 - r) : (120 - r);
	SHA256_Update(ctx, PAD, (size_t)plen);

	/* Add the terminating bit-count */
	SHA256_Update(ctx, len, 8);
}

/* SHA-256 initialization.  Begins a SHA-256 operation. */
void SHA256_Init(SHA256_CTX *ctx)
{

	/* Zero bits processed so far */
	ctx->count[0] = ctx->count[1] = 0;

	/* Magic initialization constants */
	ctx->state[0] = 0x6A09E667;
	ctx->state[1] = 0xBB67AE85;
	ctx->state[2] = 0x3C6EF372;
	ctx->state[3] = 0xA54FF53A;
	ctx->state[4] = 0x510E527F;
	ctx->state[5] = 0x9B05688C;
	ctx->state[6] = 0x1F83D9AB;
	ctx->state[7] = 0x5BE0CD19;
}

/* Add bytes into the hash */
void SHA256_Update(SHA256_CTX *ctx, const void *in, size_t len)
{
	uint32_t bitlen[2];
	uint32_t r;
	const unsigned char *src = in;

	/* Number of bytes left in the buffer from previous updates */
	r = (ctx->count[1] >> 3) & 0x3f;

	/* Convert the length into a number of bits */
	bitlen[1] = ((uint32_t)len) << 3;
	bitlen[0] = (uint32_t)(len >> 29);

	/* Update number of bits */
	if ((ctx->count[1] += bitlen[1]) < bitlen[1])
		ctx->count[0]++;
	ctx->count[0] += bitlen[0];

	/* Handle the case where we don't need to perform any transforms */
	if (len < 64 - r) {
		memcpy(&ctx->buf[r], src, len);
		return;
	}

	/* Finish the current block */
	memcpy(&ctx->buf[r], src, 64 - r);
	SHA256_Transform(ctx->state, ctx->buf);
	src += 64 - r;
	len -= 64 - r;

	/* Perform complete blocks */
	while (len >= 64) {
		SHA256_Transform(ctx->state, src);
		src += 64;
		len -= 64;
	}

	/* Copy left over data into buffer */
	memcpy(ctx->buf, src, len);
}

/*
 * SHA-256 finalization.  Pads the input data, exports the hash value,
 * and clears the context state.
 */
void SHA256_Final(unsigned char digest[32], SHA256_CTX *ctx)
{

	/* Add padding */
	SHA256_Pad(ctx);

	/* Write the hash */
	be32enc_vect(digest, ctx->state, 32);

	/* Clear the context state */
	explicit_bzero((void *)ctx, sizeof(*ctx));
}

/* Initialize an HMAC-SHA256 operation with the given key. */
void HMAC__SHA256_Init(HMAC_SHA256_CTX *ctx, const void *_K, size_t Klen)
{
	unsigned char pad[64];
	unsigned char khash[32];
	const unsigned char *K = _K;
	size_t i;

	/* If Klen > 64, the key is really SHA256(K). */
	if (Klen > 64) {
		SHA256_Init(&ctx->ictx);
		SHA256_Update(&ctx->ictx, K, Klen);
		SHA256_Final(khash, &ctx->ictx);
		K = khash;
		Klen = 32;
	}

	/* Inner SHA256 operation is SHA256(K xor [block of 0x36] || data). */
	SHA256_Init(&ctx->ictx);
	memset(pad, 0x36, 64);
	for (i = 0; i < Klen; i++)
		pad[i] ^= K[i];
	SHA256_Update(&ctx->ictx, pad, 64);

	/* Outer SHA256 operation is SHA256(K xor [block of 0x5c] || hash). */
	SHA256_Init(&ctx->octx);
	memset(pad, 0x5c, 64);
	for (i = 0; i < Klen; i++)
		pad[i] ^= K[i];
	SHA256_Update(&ctx->octx, pad, 64);

	/* Clean the stack. */
	explicit_bzero(khash, 32);
}

/* Add bytes to the HMAC-SHA256 operation. */
void HMAC__SHA256_Update(HMAC_SHA256_CTX *ctx, const void *in, size_t len)
{

	/* Feed data to the inner SHA256 operation. */
	SHA256_Update(&ctx->ictx, in, len);
}

/* Finish an HMAC-SHA256 operation. */
void HMAC__SHA256_Final(unsigned char digest[32], HMAC_SHA256_CTX *ctx)
{
	unsigned char ihash[32];

	/* Finish the inner SHA256 operation. */
	SHA256_Final(ihash, &ctx->ictx);

	/* Feed the inner hash to the outer SHA256 operation. */
	SHA256_Update(&ctx->octx, ihash, 32);

	/* Finish the outer SHA256 operation. */
	SHA256_Final(digest, &ctx->octx);

	/* Clean the stack. */
	explicit_bzero(ihash, 32);
}

/**
 * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
 * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
 * write the output to buf.  The value dkLen must be at most 32 * (2^32 - 1).
 */
void PBKDF2_SHA256(const uint8_t *passwd, size_t passwdlen, const uint8_t *salt,
		   size_t saltlen, uint64_t c, uint8_t *buf, size_t dkLen)
{
	HMAC_SHA256_CTX PShctx, hctx;
	size_t i;
	uint8_t ivec[4];
	uint8_t U[32];
	uint8_t T[32];
	uint64_t j;
	int k;
	size_t clen;

	/* Compute HMAC state after processing P and S. */
	HMAC__SHA256_Init(&PShctx, passwd, passwdlen);
	HMAC__SHA256_Update(&PShctx, salt, saltlen);

	/* Iterate through the blocks. */
	for (i = 0; i * 32 < dkLen; i++) {
		/* Generate INT(i + 1). */
		be32enc(ivec, (uint32_t)(i + 1));

		/* Compute U_1 = PRF(P, S || INT(i)). */
		memcpy(&hctx, &PShctx, sizeof(HMAC_SHA256_CTX));
		HMAC__SHA256_Update(&hctx, ivec, 4);
		HMAC__SHA256_Final(U, &hctx);

		/* T_i = U_1 ... */
		memcpy(T, U, 32);

		for (j = 2; j <= c; j++) {
			/* Compute U_j. */
			HMAC__SHA256_Init(&hctx, passwd, passwdlen);
			HMAC__SHA256_Update(&hctx, U, 32);
			HMAC__SHA256_Final(U, &hctx);

			/* ... xor U_j ... */
			for (k = 0; k < 32; k++)
				T[k] ^= U[k];
		}

		/* Copy as many bytes as necessary into buf. */
		clen = dkLen - i * 32;
		if (clen > 32)
			clen = 32;
		memcpy(&buf[i * 32], T, clen);
	}

	/* Clean PShctx, since we never called _Final on it. */
	explicit_bzero(&PShctx, sizeof(HMAC_SHA256_CTX));
}
Commit	Line	Data
acddc0ed	1	// SPDX-License-Identifier: BSD-2-Clause
7f57883e DS	2	/*-
	3	* Copyright 2005,2007,2009 Colin Percival
	4	* All rights reserved.
7f57883e DS	5	*/
	6
	7	#include <zebra.h>
	8	#include "sha256.h"
	9
ba0cb3fe	10	#if !HAVE_DECL_BE32DEC
d62a17ae	11	static inline uint32_t be32dec(const void *pp)
7f57883e	12	{
d62a17ae	13	const uint8_t p = (uint8_t const )pp;
7f57883e	14
d62a17ae	15	return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8)
d62a17ae	16	+ ((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24));
7f57883e	17	}
ba0cb3fe	18	#endif
7f57883e	19
ba0cb3fe	20	#if !HAVE_DECL_BE32ENC
d62a17ae	21	static inline void be32enc(void *pp, uint32_t x)
7f57883e	22	{
d62a17ae	23	uint8_t p = (uint8_t )pp;
7f57883e	24
d62a17ae	25	p[3] = x & 0xff;
	26	p[2] = (x >> 8) & 0xff;
	27	p[1] = (x >> 16) & 0xff;
	28	p[0] = (x >> 24) & 0xff;
7f57883e	29	}
4f13df62	30	#endif
7f57883e DS	31
	32	/*
	33	* Encode a length len/4 vector of (uint32_t) into a length len vector of
	34	* (unsigned char) in big-endian form. Assumes len is a multiple of 4.
	35	*/
d62a17ae	36	static void be32enc_vect(unsigned char dst, const uint32_t src, size_t len)
7f57883e	37	{
d62a17ae	38	size_t i;
7f57883e	39
d62a17ae	40	for (i = 0; i < len / 4; i++)
d62a17ae	41	be32enc(dst + i * 4, src[i]);
7f57883e DS	42	}
	43
	44	/*
	45	* Decode a big-endian length len vector of (unsigned char) into a length
	46	* len/4 vector of (uint32_t). Assumes len is a multiple of 4.
	47	*/
d62a17ae	48	static void be32dec_vect(uint32_t dst, const unsigned char src, size_t len)
7f57883e	49	{
d62a17ae	50	size_t i;
7f57883e	51
d62a17ae	52	for (i = 0; i < len / 4; i++)
d62a17ae	53	dst[i] = be32dec(src + i * 4);
7f57883e DS	54	}
	55
	56	/* Elementary functions used by SHA256 */
	57	#define Ch(x, y, z) ((x & (y ^ z)) ^ z)
	58	#define Maj(x, y, z) ((x & (y \| z)) \| (y & z))
	59	#define SHR(x, n) (x >> n)
	60	#define ROTR(x, n) ((x >> n) \| (x << (32 - n)))
	61	#define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
	62	#define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
	63	#define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
	64	#define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
	65
	66	/* SHA256 round function */
d62a17ae	67	#define RND(a, b, c, d, e, f, g, h, k) \
	68	t0 = h + S1(e) + Ch(e, f, g) + k; \
	69	t1 = S0(a) + Maj(a, b, c); \
	70	d += t0; \
	71	h = t0 + t1;
7f57883e DS	72
7f57883e DS	73	/* Adjusted round function for rotating state */
d62a17ae	74	#define RNDr(S, W, i, k) \
	75	RND(S[(64 - i) % 8], S[(65 - i) % 8], S[(66 - i) % 8], \
	76	S[(67 - i) % 8], S[(68 - i) % 8], S[(69 - i) % 8], \
	77	S[(70 - i) % 8], S[(71 - i) % 8], W[i] + k)
7f57883e DS	78
	79	/*
	80	* SHA256 block compression function. The 256-bit state is transformed via
	81	* the 512-bit input block to produce a new state.
	82	*/
d62a17ae	83	static void SHA256_Transform(uint32_t *state, const unsigned char block[64])
7f57883e	84	{
d62a17ae	85	uint32_t W[64];
	86	uint32_t S[8];
	87	uint32_t t0, t1;
	88	int i;
	89
	90	/* 1. Prepare message schedule W. */
	91	be32dec_vect(W, block, 64);
	92	for (i = 16; i < 64; i++)
	93	W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16];
	94
	95	/* 2. Initialize working variables. */
	96	memcpy(S, state, 32);
	97
	98	/* 3. Mix. */
	99	RNDr(S, W, 0, 0x428a2f98);
	100	RNDr(S, W, 1, 0x71374491);
	101	RNDr(S, W, 2, 0xb5c0fbcf);
	102	RNDr(S, W, 3, 0xe9b5dba5);
	103	RNDr(S, W, 4, 0x3956c25b);
	104	RNDr(S, W, 5, 0x59f111f1);
	105	RNDr(S, W, 6, 0x923f82a4);
	106	RNDr(S, W, 7, 0xab1c5ed5);
	107	RNDr(S, W, 8, 0xd807aa98);
	108	RNDr(S, W, 9, 0x12835b01);
	109	RNDr(S, W, 10, 0x243185be);
	110	RNDr(S, W, 11, 0x550c7dc3);
	111	RNDr(S, W, 12, 0x72be5d74);
	112	RNDr(S, W, 13, 0x80deb1fe);
	113	RNDr(S, W, 14, 0x9bdc06a7);
	114	RNDr(S, W, 15, 0xc19bf174);
	115	RNDr(S, W, 16, 0xe49b69c1);
	116	RNDr(S, W, 17, 0xefbe4786);
	117	RNDr(S, W, 18, 0x0fc19dc6);
	118	RNDr(S, W, 19, 0x240ca1cc);
	119	RNDr(S, W, 20, 0x2de92c6f);
	120	RNDr(S, W, 21, 0x4a7484aa);
	121	RNDr(S, W, 22, 0x5cb0a9dc);
	122	RNDr(S, W, 23, 0x76f988da);
	123	RNDr(S, W, 24, 0x983e5152);
	124	RNDr(S, W, 25, 0xa831c66d);
	125	RNDr(S, W, 26, 0xb00327c8);
	126	RNDr(S, W, 27, 0xbf597fc7);
	127	RNDr(S, W, 28, 0xc6e00bf3);
	128	RNDr(S, W, 29, 0xd5a79147);
	129	RNDr(S, W, 30, 0x06ca6351);
	130	RNDr(S, W, 31, 0x14292967);
	131	RNDr(S, W, 32, 0x27b70a85);
	132	RNDr(S, W, 33, 0x2e1b2138);
	133	RNDr(S, W, 34, 0x4d2c6dfc);
	134	RNDr(S, W, 35, 0x53380d13);
	135	RNDr(S, W, 36, 0x650a7354);
	136	RNDr(S, W, 37, 0x766a0abb);
	137	RNDr(S, W, 38, 0x81c2c92e);
	138	RNDr(S, W, 39, 0x92722c85);
	139	RNDr(S, W, 40, 0xa2bfe8a1);
	140	RNDr(S, W, 41, 0xa81a664b);
	141	RNDr(S, W, 42, 0xc24b8b70);
	142	RNDr(S, W, 43, 0xc76c51a3);
	143	RNDr(S, W, 44, 0xd192e819);
	144	RNDr(S, W, 45, 0xd6990624);
	145	RNDr(S, W, 46, 0xf40e3585);
	146	RNDr(S, W, 47, 0x106aa070);
	147	RNDr(S, W, 48, 0x19a4c116);
	148	RNDr(S, W, 49, 0x1e376c08);
149	RNDr(S, W, 50, 0x2748774c);
150	RNDr(S, W, 51, 0x34b0bcb5);
151	RNDr(S, W, 52, 0x391c0cb3);
152	RNDr(S, W, 53, 0x4ed8aa4a);
153	RNDr(S, W, 54, 0x5b9cca4f);
154	RNDr(S, W, 55, 0x682e6ff3);
155	RNDr(S, W, 56, 0x748f82ee);
156	RNDr(S, W, 57, 0x78a5636f);
157	RNDr(S, W, 58, 0x84c87814);
158	RNDr(S, W, 59, 0x8cc70208);
159	RNDr(S, W, 60, 0x90befffa);
160	RNDr(S, W, 61, 0xa4506ceb);
161	RNDr(S, W, 62, 0xbef9a3f7);
162	RNDr(S, W, 63, 0xc67178f2);
163
164	/* 4. Mix local working variables into global state */
165	for (i = 0; i < 8; i++)
166	state[i] += S[i];
167
168	/* Clean the stack. */
04b4b595 LV	169	explicit_bzero(W, 256);
	170	explicit_bzero(S, 32);
	171	explicit_bzero(&t0, sizeof(t0));
	172	explicit_bzero(&t1, sizeof(t0));
7f57883e DS	173	}
	174
	175	static unsigned char PAD[64] = {
d62a17ae	176	0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	177	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	178	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
7f57883e DS	179
7f57883e DS	180	/* Add padding and terminating bit-count. */
d62a17ae	181	static void SHA256_Pad(SHA256_CTX *ctx)
7f57883e	182	{
d62a17ae	183	unsigned char len[8];
	184	uint32_t r, plen;
	185
	186	/*
	187	* Convert length to a vector of bytes -- we do this now rather
	188	* than later because the length will change after we pad.
	189	*/
	190	be32enc_vect(len, ctx->count, 8);
	191
	192	/* Add 1--64 bytes so that the resulting length is 56 mod 64 */
	193	r = (ctx->count[1] >> 3) & 0x3f;
	194	plen = (r < 56) ? (56 - r) : (120 - r);
	195	SHA256_Update(ctx, PAD, (size_t)plen);
	196
	197	/* Add the terminating bit-count */
	198	SHA256_Update(ctx, len, 8);
7f57883e DS	199	}
	200
	201	/* SHA-256 initialization. Begins a SHA-256 operation. */
d62a17ae	202	void SHA256_Init(SHA256_CTX *ctx)
7f57883e DS	203	{
7f57883e DS	204
d62a17ae	205	/* Zero bits processed so far */
	206	ctx->count[0] = ctx->count[1] = 0;
	207
	208	/* Magic initialization constants */
	209	ctx->state[0] = 0x6A09E667;
	210	ctx->state[1] = 0xBB67AE85;
	211	ctx->state[2] = 0x3C6EF372;
	212	ctx->state[3] = 0xA54FF53A;
	213	ctx->state[4] = 0x510E527F;
	214	ctx->state[5] = 0x9B05688C;
	215	ctx->state[6] = 0x1F83D9AB;
	216	ctx->state[7] = 0x5BE0CD19;
7f57883e DS	217	}
	218
	219	/* Add bytes into the hash */
d62a17ae	220	void SHA256_Update(SHA256_CTX ctx, const void in, size_t len)
7f57883e	221	{
d62a17ae	222	uint32_t bitlen[2];
	223	uint32_t r;
	224	const unsigned char *src = in;
	225
	226	/* Number of bytes left in the buffer from previous updates */
	227	r = (ctx->count[1] >> 3) & 0x3f;
	228
	229	/* Convert the length into a number of bits */
	230	bitlen[1] = ((uint32_t)len) << 3;
	231	bitlen[0] = (uint32_t)(len >> 29);
	232
	233	/* Update number of bits */
	234	if ((ctx->count[1] += bitlen[1]) < bitlen[1])
	235	ctx->count[0]++;
	236	ctx->count[0] += bitlen[0];
	237
	238	/* Handle the case where we don't need to perform any transforms */
	239	if (len < 64 - r) {
	240	memcpy(&ctx->buf[r], src, len);
	241	return;
	242	}
	243
	244	/* Finish the current block */
	245	memcpy(&ctx->buf[r], src, 64 - r);
	246	SHA256_Transform(ctx->state, ctx->buf);
	247	src += 64 - r;
	248	len -= 64 - r;
	249
	250	/* Perform complete blocks */
	251	while (len >= 64) {
	252	SHA256_Transform(ctx->state, src);
	253	src += 64;
	254	len -= 64;
	255	}
	256
	257	/* Copy left over data into buffer */
	258	memcpy(ctx->buf, src, len);
7f57883e DS	259	}
	260
	261	/*
	262	* SHA-256 finalization. Pads the input data, exports the hash value,
	263	* and clears the context state.
	264	*/
d62a17ae	265	void SHA256_Final(unsigned char digest[32], SHA256_CTX *ctx)
7f57883e DS	266	{
7f57883e DS	267
d62a17ae	268	/* Add padding */
d62a17ae	269	SHA256_Pad(ctx);
7f57883e	270
d62a17ae	271	/* Write the hash */
d62a17ae	272	be32enc_vect(digest, ctx->state, 32);
7f57883e	273
d62a17ae	274	/* Clear the context state */
04b4b595	275	explicit_bzero((void )ctx, sizeof(ctx));
7f57883e DS	276	}
	277
	278	/* Initialize an HMAC-SHA256 operation with the given key. */
d62a17ae	279	void HMAC__SHA256_Init(HMAC_SHA256_CTX ctx, const void _K, size_t Klen)
7f57883e	280	{
d62a17ae	281	unsigned char pad[64];
	282	unsigned char khash[32];
	283	const unsigned char *K = _K;
	284	size_t i;
	285
	286	/* If Klen > 64, the key is really SHA256(K). */
	287	if (Klen > 64) {
	288	SHA256_Init(&ctx->ictx);
	289	SHA256_Update(&ctx->ictx, K, Klen);
	290	SHA256_Final(khash, &ctx->ictx);
	291	K = khash;
	292	Klen = 32;
	293	}
	294
	295	/* Inner SHA256 operation is SHA256(K xor [block of 0x36] \|\| data). */
	296	SHA256_Init(&ctx->ictx);
	297	memset(pad, 0x36, 64);
	298	for (i = 0; i < Klen; i++)
	299	pad[i] ^= K[i];
	300	SHA256_Update(&ctx->ictx, pad, 64);
	301
	302	/* Outer SHA256 operation is SHA256(K xor [block of 0x5c] \|\| hash). */
	303	SHA256_Init(&ctx->octx);
	304	memset(pad, 0x5c, 64);
	305	for (i = 0; i < Klen; i++)
	306	pad[i] ^= K[i];
	307	SHA256_Update(&ctx->octx, pad, 64);
	308
	309	/* Clean the stack. */
04b4b595	310	explicit_bzero(khash, 32);
7f57883e DS	311	}
	312
	313	/* Add bytes to the HMAC-SHA256 operation. */
d62a17ae	314	void HMAC__SHA256_Update(HMAC_SHA256_CTX ctx, const void in, size_t len)
7f57883e DS	315	{
7f57883e DS	316
d62a17ae	317	/* Feed data to the inner SHA256 operation. */
d62a17ae	318	SHA256_Update(&ctx->ictx, in, len);
7f57883e DS	319	}
	320
	321	/* Finish an HMAC-SHA256 operation. */
d62a17ae	322	void HMAC__SHA256_Final(unsigned char digest[32], HMAC_SHA256_CTX *ctx)
7f57883e	323	{
d62a17ae	324	unsigned char ihash[32];
7f57883e	325
d62a17ae	326	/* Finish the inner SHA256 operation. */
d62a17ae	327	SHA256_Final(ihash, &ctx->ictx);
7f57883e	328
d62a17ae	329	/* Feed the inner hash to the outer SHA256 operation. */
d62a17ae	330	SHA256_Update(&ctx->octx, ihash, 32);
7f57883e	331
d62a17ae	332	/* Finish the outer SHA256 operation. */
d62a17ae	333	SHA256_Final(digest, &ctx->octx);
7f57883e	334
d62a17ae	335	/* Clean the stack. */
04b4b595	336	explicit_bzero(ihash, 32);
7f57883e DS	337	}
	338
	339	/**
	340	* PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
	341	* Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
	342	* write the output to buf. The value dkLen must be at most 32 * (2^32 - 1).
	343	*/
d62a17ae	344	void PBKDF2_SHA256(const uint8_t passwd, size_t passwdlen, const uint8_t salt,
d62a17ae	345	size_t saltlen, uint64_t c, uint8_t *buf, size_t dkLen)
7f57883e	346	{
d62a17ae	347	HMAC_SHA256_CTX PShctx, hctx;
	348	size_t i;
	349	uint8_t ivec[4];
	350	uint8_t U[32];
	351	uint8_t T[32];
	352	uint64_t j;
	353	int k;
	354	size_t clen;
	355
	356	/* Compute HMAC state after processing P and S. */
	357	HMAC__SHA256_Init(&PShctx, passwd, passwdlen);
	358	HMAC__SHA256_Update(&PShctx, salt, saltlen);
	359
	360	/* Iterate through the blocks. */
	361	for (i = 0; i * 32 < dkLen; i++) {
	362	/* Generate INT(i + 1). */
	363	be32enc(ivec, (uint32_t)(i + 1));
	364
	365	/* Compute U_1 = PRF(P, S \|\| INT(i)). */
	366	memcpy(&hctx, &PShctx, sizeof(HMAC_SHA256_CTX));
	367	HMAC__SHA256_Update(&hctx, ivec, 4);
	368	HMAC__SHA256_Final(U, &hctx);
	369
	370	/* T_i = U_1 ... */
	371	memcpy(T, U, 32);
	372
	373	for (j = 2; j <= c; j++) {
	374	/* Compute U_j. */
	375	HMAC__SHA256_Init(&hctx, passwd, passwdlen);
	376	HMAC__SHA256_Update(&hctx, U, 32);
	377	HMAC__SHA256_Final(U, &hctx);
	378
	379	/* ... xor U_j ... */
	380	for (k = 0; k < 32; k++)
	381	T[k] ^= U[k];
	382	}
	383
	384	/* Copy as many bytes as necessary into buf. */
	385	clen = dkLen - i * 32;
	386	if (clen > 32)
	387	clen = 32;
	388	memcpy(&buf[i * 32], T, clen);
	389	}
	390
	391	/* Clean PShctx, since we never called _Final on it. */
04b4b595	392	explicit_bzero(&PShctx, sizeof(HMAC_SHA256_CTX));
7f57883e	393	}