2 * Copyright 2005,2007,2009 Colin Percival
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 #include "scrypt_platform.h"
28 #include <sys/types.h>
33 #include "sysendian.h"
38 * Encode a length len/4 vector of (uint32_t) into a length len vector of
39 * (unsigned char) in big-endian form. Assumes len is a multiple of 4.
42 be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len)
46 for (i = 0; i < len / 4; i++)
47 be32enc(dst + i * 4, src[i]);
51 * Decode a big-endian length len vector of (unsigned char) into a length
52 * len/4 vector of (uint32_t). Assumes len is a multiple of 4.
55 be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len)
59 for (i = 0; i < len / 4; i++)
60 dst[i] = be32dec(src + i * 4);
63 /* Elementary functions used by SHA256 */
64 #define Ch(x, y, z) ((x & (y ^ z)) ^ z)
65 #define Maj(x, y, z) ((x & (y | z)) | (y & z))
66 #define SHR(x, n) (x >> n)
67 #define ROTR(x, n) ((x >> n) | (x << (32 - n)))
68 #define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
69 #define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
70 #define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
71 #define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
73 /* SHA256 round function */
74 #define RND(a, b, c, d, e, f, g, h, k) \
75 t0 = h + S1(e) + Ch(e, f, g) + k; \
76 t1 = S0(a) + Maj(a, b, c); \
80 /* Adjusted round function for rotating state */
81 #define RNDr(S, W, i, k) \
82 RND(S[(64 - i) % 8], S[(65 - i) % 8], \
83 S[(66 - i) % 8], S[(67 - i) % 8], \
84 S[(68 - i) % 8], S[(69 - i) % 8], \
85 S[(70 - i) % 8], S[(71 - i) % 8], \
89 * SHA256 block compression function. The 256-bit state is transformed via
90 * the 512-bit input block to produce a new state.
93 SHA256_Transform(uint32_t * state, const unsigned char block[64])
100 /* 1. Prepare message schedule W. */
101 be32dec_vect(W, block, 64);
102 for (i = 16; i < 64; i++)
103 W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16];
105 /* 2. Initialize working variables. */
106 memcpy(S, state, 32);
109 RNDr(S, W, 0, 0x428a2f98);
110 RNDr(S, W, 1, 0x71374491);
111 RNDr(S, W, 2, 0xb5c0fbcf);
112 RNDr(S, W, 3, 0xe9b5dba5);
113 RNDr(S, W, 4, 0x3956c25b);
114 RNDr(S, W, 5, 0x59f111f1);
115 RNDr(S, W, 6, 0x923f82a4);
116 RNDr(S, W, 7, 0xab1c5ed5);
117 RNDr(S, W, 8, 0xd807aa98);
118 RNDr(S, W, 9, 0x12835b01);
119 RNDr(S, W, 10, 0x243185be);
120 RNDr(S, W, 11, 0x550c7dc3);
121 RNDr(S, W, 12, 0x72be5d74);
122 RNDr(S, W, 13, 0x80deb1fe);
123 RNDr(S, W, 14, 0x9bdc06a7);
124 RNDr(S, W, 15, 0xc19bf174);
125 RNDr(S, W, 16, 0xe49b69c1);
126 RNDr(S, W, 17, 0xefbe4786);
127 RNDr(S, W, 18, 0x0fc19dc6);
128 RNDr(S, W, 19, 0x240ca1cc);
129 RNDr(S, W, 20, 0x2de92c6f);
130 RNDr(S, W, 21, 0x4a7484aa);
131 RNDr(S, W, 22, 0x5cb0a9dc);
132 RNDr(S, W, 23, 0x76f988da);
133 RNDr(S, W, 24, 0x983e5152);
134 RNDr(S, W, 25, 0xa831c66d);
135 RNDr(S, W, 26, 0xb00327c8);
136 RNDr(S, W, 27, 0xbf597fc7);
137 RNDr(S, W, 28, 0xc6e00bf3);
138 RNDr(S, W, 29, 0xd5a79147);
139 RNDr(S, W, 30, 0x06ca6351);
140 RNDr(S, W, 31, 0x14292967);
141 RNDr(S, W, 32, 0x27b70a85);
142 RNDr(S, W, 33, 0x2e1b2138);
143 RNDr(S, W, 34, 0x4d2c6dfc);
144 RNDr(S, W, 35, 0x53380d13);
145 RNDr(S, W, 36, 0x650a7354);
146 RNDr(S, W, 37, 0x766a0abb);
147 RNDr(S, W, 38, 0x81c2c92e);
148 RNDr(S, W, 39, 0x92722c85);
149 RNDr(S, W, 40, 0xa2bfe8a1);
150 RNDr(S, W, 41, 0xa81a664b);
151 RNDr(S, W, 42, 0xc24b8b70);
152 RNDr(S, W, 43, 0xc76c51a3);
153 RNDr(S, W, 44, 0xd192e819);
154 RNDr(S, W, 45, 0xd6990624);
155 RNDr(S, W, 46, 0xf40e3585);
156 RNDr(S, W, 47, 0x106aa070);
157 RNDr(S, W, 48, 0x19a4c116);
158 RNDr(S, W, 49, 0x1e376c08);
159 RNDr(S, W, 50, 0x2748774c);
160 RNDr(S, W, 51, 0x34b0bcb5);
161 RNDr(S, W, 52, 0x391c0cb3);
162 RNDr(S, W, 53, 0x4ed8aa4a);
163 RNDr(S, W, 54, 0x5b9cca4f);
164 RNDr(S, W, 55, 0x682e6ff3);
165 RNDr(S, W, 56, 0x748f82ee);
166 RNDr(S, W, 57, 0x78a5636f);
167 RNDr(S, W, 58, 0x84c87814);
168 RNDr(S, W, 59, 0x8cc70208);
169 RNDr(S, W, 60, 0x90befffa);
170 RNDr(S, W, 61, 0xa4506ceb);
171 RNDr(S, W, 62, 0xbef9a3f7);
172 RNDr(S, W, 63, 0xc67178f2);
174 /* 4. Mix local working variables into global state */
175 for (i = 0; i < 8; i++)
178 /* Clean the stack. */
184 static unsigned char PAD[64] = {
185 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
186 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
187 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
188 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
191 /* Add padding and terminating bit-count. */
193 SHA256_Pad(SHA256_CTX * ctx)
195 unsigned char len[8];
199 * Convert length to a vector of bytes -- we do this now rather
200 * than later because the length will change after we pad.
202 be32enc_vect(len, ctx->count, 8);
204 /* Add 1--64 bytes so that the resulting length is 56 mod 64 */
205 r = (ctx->count[1] >> 3) & 0x3f;
206 plen = (r < 56) ? (56 - r) : (120 - r);
207 SHA256_Update(ctx, PAD, (size_t)plen);
209 /* Add the terminating bit-count */
210 SHA256_Update(ctx, len, 8);
213 /* SHA-256 initialization. Begins a SHA-256 operation. */
215 SHA256_Init(SHA256_CTX * ctx)
218 /* Zero bits processed so far */
219 ctx->count[0] = ctx->count[1] = 0;
221 /* Magic initialization constants */
222 ctx->state[0] = 0x6A09E667;
223 ctx->state[1] = 0xBB67AE85;
224 ctx->state[2] = 0x3C6EF372;
225 ctx->state[3] = 0xA54FF53A;
226 ctx->state[4] = 0x510E527F;
227 ctx->state[5] = 0x9B05688C;
228 ctx->state[6] = 0x1F83D9AB;
229 ctx->state[7] = 0x5BE0CD19;
232 /* Add bytes into the hash */
234 SHA256_Update(SHA256_CTX * ctx, const void *in, size_t len)
238 const unsigned char *src = in;
240 /* Number of bytes left in the buffer from previous updates */
241 r = (ctx->count[1] >> 3) & 0x3f;
243 /* Convert the length into a number of bits */
244 bitlen[1] = ((uint32_t)len) << 3;
245 bitlen[0] = (uint32_t)(len >> 29);
247 /* Update number of bits */
248 if ((ctx->count[1] += bitlen[1]) < bitlen[1])
250 ctx->count[0] += bitlen[0];
252 /* Handle the case where we don't need to perform any transforms */
254 memcpy(&ctx->buf[r], src, len);
258 /* Finish the current block */
259 memcpy(&ctx->buf[r], src, 64 - r);
260 SHA256_Transform(ctx->state, ctx->buf);
264 /* Perform complete blocks */
266 SHA256_Transform(ctx->state, src);
271 /* Copy left over data into buffer */
272 memcpy(ctx->buf, src, len);
276 * SHA-256 finalization. Pads the input data, exports the hash value,
277 * and clears the context state.
280 SHA256_Final(unsigned char digest[32], SHA256_CTX * ctx)
287 be32enc_vect(digest, ctx->state, 32);
289 /* Clear the context state */
290 memset((void *)ctx, 0, sizeof(*ctx));
293 /* Initialize an HMAC-SHA256 operation with the given key. */
295 HMAC_SHA256_Init(HMAC_SHA256_CTX * ctx, const void * _K, size_t Klen)
297 unsigned char pad[64];
298 unsigned char khash[32];
299 const unsigned char * K = _K;
302 /* If Klen > 64, the key is really SHA256(K). */
304 SHA256_Init(&ctx->ictx);
305 SHA256_Update(&ctx->ictx, K, Klen);
306 SHA256_Final(khash, &ctx->ictx);
311 /* Inner SHA256 operation is SHA256(K xor [block of 0x36] || data). */
312 SHA256_Init(&ctx->ictx);
313 memset(pad, 0x36, 64);
314 for (i = 0; i < Klen; i++)
316 SHA256_Update(&ctx->ictx, pad, 64);
318 /* Outer SHA256 operation is SHA256(K xor [block of 0x5c] || hash). */
319 SHA256_Init(&ctx->octx);
320 memset(pad, 0x5c, 64);
321 for (i = 0; i < Klen; i++)
323 SHA256_Update(&ctx->octx, pad, 64);
325 /* Clean the stack. */
326 memset(khash, 0, 32);
329 /* Add bytes to the HMAC-SHA256 operation. */
331 HMAC_SHA256_Update(HMAC_SHA256_CTX * ctx, const void *in, size_t len)
334 /* Feed data to the inner SHA256 operation. */
335 SHA256_Update(&ctx->ictx, in, len);
338 /* Finish an HMAC-SHA256 operation. */
340 HMAC_SHA256_Final(unsigned char digest[32], HMAC_SHA256_CTX * ctx)
342 unsigned char ihash[32];
344 /* Finish the inner SHA256 operation. */
345 SHA256_Final(ihash, &ctx->ictx);
347 /* Feed the inner hash to the outer SHA256 operation. */
348 SHA256_Update(&ctx->octx, ihash, 32);
350 /* Finish the outer SHA256 operation. */
351 SHA256_Final(digest, &ctx->octx);
353 /* Clean the stack. */
354 memset(ihash, 0, 32);
358 * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
359 * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
360 * write the output to buf. The value dkLen must be at most 32 * (2^32 - 1).
363 PBKDF2_SHA256(const uint8_t * passwd, size_t passwdlen, const uint8_t * salt,
364 size_t saltlen, uint64_t c, uint8_t * buf, size_t dkLen)
366 HMAC_SHA256_CTX PShctx, hctx;
375 /* Compute HMAC state after processing P and S. */
376 HMAC_SHA256_Init(&PShctx, passwd, passwdlen);
377 HMAC_SHA256_Update(&PShctx, salt, saltlen);
379 /* Iterate through the blocks. */
380 for (i = 0; i * 32 < dkLen; i++) {
381 /* Generate INT(i + 1). */
382 be32enc(ivec, (uint32_t)(i + 1));
384 /* Compute U_1 = PRF(P, S || INT(i)). */
385 memcpy(&hctx, &PShctx, sizeof(HMAC_SHA256_CTX));
386 HMAC_SHA256_Update(&hctx, ivec, 4);
387 HMAC_SHA256_Final(U, &hctx);
392 for (j = 2; j <= c; j++) {
394 HMAC_SHA256_Init(&hctx, passwd, passwdlen);
395 HMAC_SHA256_Update(&hctx, U, 32);
396 HMAC_SHA256_Final(U, &hctx);
398 /* ... xor U_j ... */
399 for (k = 0; k < 32; k++)
403 /* Copy as many bytes as necessary into buf. */
404 clen = dkLen - i * 32;
407 memcpy(&buf[i * 32], T, clen);
410 /* Clean PShctx, since we never called _Final on it. */
411 memset(&PShctx, 0, sizeof(HMAC_SHA256_CTX));