1 /*-
2 * Copyright 2005,2007,2009 Colin Percival
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 */
26
27 #include "php.h"
28
29 #include <sys/types.h>
30 #ifdef PHP_WIN32
31 # include "win32/php_stdint.h"
32 #else
33 # include <stdint.h>
34 #endif
35 #include <string.h>
36
37 #include "sysendian.h"
38
39 #include "sha256.h"
40
41 /*
42 * Encode a length len/4 vector of (uint32_t) into a length len vector of
43 * (unsigned char) in big-endian form. Assumes len is a multiple of 4.
44 */
45 static void
46 be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len)
47 {
48 size_t i;
49
50 for (i = 0; i < len / 4; i++)
51 be32enc(dst + i * 4, src[i]);
52 }
53
54 /*
55 * Decode a big-endian length len vector of (unsigned char) into a length
56 * len/4 vector of (uint32_t). Assumes len is a multiple of 4.
57 */
58 static void
59 be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len)
60 {
imx7_gpr_read(void * opaque,hwaddr offset,unsigned size)61 size_t i;
62
63 for (i = 0; i < len / 4; i++)
64 dst[i] = be32dec(src + i * 4);
65 }
66
67 /* Elementary functions used by SHA256 */
68 #define Ch(x, y, z) ((x & (y ^ z)) ^ z)
69 #define Maj(x, y, z) ((x & (y | z)) | (y & z))
70 #define SHR(x, n) (x >> n)
71 #define ROTR(x, n) ((x >> n) | (x << (32 - n)))
imx7_gpr_write(void * opaque,hwaddr offset,uint64_t v,unsigned size)72 #define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
73 #define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
74 #define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
75 #define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
76
77 /* SHA256 round function */
78 #define RND(a, b, c, d, e, f, g, h, k) \
79 t0 = h + S1(e) + Ch(e, f, g) + k; \
80 t1 = S0(a) + Maj(a, b, c); \
81 d += t0; \
82 h = t0 + t1;
83
84 /* Adjusted round function for rotating state */
85 #define RNDr(S, W, i, k) \
86 RND(S[(64 - i) % 8], S[(65 - i) % 8], \
87 S[(66 - i) % 8], S[(67 - i) % 8], \
88 S[(68 - i) % 8], S[(69 - i) % 8], \
89 S[(70 - i) % 8], S[(71 - i) % 8], \
90 W[i] + k)
91
92 /*
93 * SHA256 block compression function. The 256-bit state is transformed via
94 * the 512-bit input block to produce a new state.
imx7_gpr_init(Object * obj)95 */
96 static void
97 SHA256_Transform(uint32_t * state, const unsigned char block[64])
98 {
99 uint32_t W[64];
100 uint32_t S[8];
101 uint32_t t0, t1;
102 int i;
103
104 /* 1. Prepare message schedule W. */
105 be32dec_vect(W, block, 64);
106 for (i = 16; i < 64; i++)
107 W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16];
108
109 /* 2. Initialize working variables. */
110 memcpy(S, state, 32);
111
112 /* 3. Mix. */
113 RNDr(S, W, 0, 0x428a2f98);
114 RNDr(S, W, 1, 0x71374491);
115 RNDr(S, W, 2, 0xb5c0fbcf);
116 RNDr(S, W, 3, 0xe9b5dba5);
117 RNDr(S, W, 4, 0x3956c25b);
118 RNDr(S, W, 5, 0x59f111f1);
119 RNDr(S, W, 6, 0x923f82a4);
120 RNDr(S, W, 7, 0xab1c5ed5);
121 RNDr(S, W, 8, 0xd807aa98);
122 RNDr(S, W, 9, 0x12835b01);
123 RNDr(S, W, 10, 0x243185be);
124 RNDr(S, W, 11, 0x550c7dc3);
125 RNDr(S, W, 12, 0x72be5d74);
126 RNDr(S, W, 13, 0x80deb1fe);
127 RNDr(S, W, 14, 0x9bdc06a7);
128 RNDr(S, W, 15, 0xc19bf174);
129 RNDr(S, W, 16, 0xe49b69c1);
130 RNDr(S, W, 17, 0xefbe4786);
131 RNDr(S, W, 18, 0x0fc19dc6);
132 RNDr(S, W, 19, 0x240ca1cc);
133 RNDr(S, W, 20, 0x2de92c6f);
134 RNDr(S, W, 21, 0x4a7484aa);
135 RNDr(S, W, 22, 0x5cb0a9dc);
136 RNDr(S, W, 23, 0x76f988da);
137 RNDr(S, W, 24, 0x983e5152);
138 RNDr(S, W, 25, 0xa831c66d);
139 RNDr(S, W, 26, 0xb00327c8);
140 RNDr(S, W, 27, 0xbf597fc7);
141 RNDr(S, W, 28, 0xc6e00bf3);
142 RNDr(S, W, 29, 0xd5a79147);
143 RNDr(S, W, 30, 0x06ca6351);
144 RNDr(S, W, 31, 0x14292967);
145 RNDr(S, W, 32, 0x27b70a85);
146 RNDr(S, W, 33, 0x2e1b2138);
147 RNDr(S, W, 34, 0x4d2c6dfc);
148 RNDr(S, W, 35, 0x53380d13);
149 RNDr(S, W, 36, 0x650a7354);
150 RNDr(S, W, 37, 0x766a0abb);
151 RNDr(S, W, 38, 0x81c2c92e);
152 RNDr(S, W, 39, 0x92722c85);
153 RNDr(S, W, 40, 0xa2bfe8a1);
154 RNDr(S, W, 41, 0xa81a664b);
155 RNDr(S, W, 42, 0xc24b8b70);
156 RNDr(S, W, 43, 0xc76c51a3);
157 RNDr(S, W, 44, 0xd192e819);
158 RNDr(S, W, 45, 0xd6990624);
159 RNDr(S, W, 46, 0xf40e3585);
160 RNDr(S, W, 47, 0x106aa070);
161 RNDr(S, W, 48, 0x19a4c116);
162 RNDr(S, W, 49, 0x1e376c08);
163 RNDr(S, W, 50, 0x2748774c);
164 RNDr(S, W, 51, 0x34b0bcb5);
165 RNDr(S, W, 52, 0x391c0cb3);
166 RNDr(S, W, 53, 0x4ed8aa4a);
167 RNDr(S, W, 54, 0x5b9cca4f);
168 RNDr(S, W, 55, 0x682e6ff3);
169 RNDr(S, W, 56, 0x748f82ee);
170 RNDr(S, W, 57, 0x78a5636f);
171 RNDr(S, W, 58, 0x84c87814);
172 RNDr(S, W, 59, 0x8cc70208);
173 RNDr(S, W, 60, 0x90befffa);
174 RNDr(S, W, 61, 0xa4506ceb);
175 RNDr(S, W, 62, 0xbef9a3f7);
176 RNDr(S, W, 63, 0xc67178f2);
177
178 /* 4. Mix local working variables into global state */
179 for (i = 0; i < 8; i++)
180 state[i] += S[i];
181
182 /* Clean the stack. */
183 memset(W, 0, 256);
184 memset(S, 0, 32);
185 t0 = t1 = 0;
186 }
187
188 static unsigned char PAD[64] = {
189 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
190 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
191 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
192 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
193 };
194
195 /* Add padding and terminating bit-count. */
196 static void
197 SHA256_Pad(SHA256_CTX * ctx)
198 {
199 unsigned char len[8];
200 uint32_t r, plen;
201
202 /*
203 * Convert length to a vector of bytes -- we do this now rather
204 * than later because the length will change after we pad.
205 */
206 be32enc_vect(len, ctx->count, 8);
207
208 /* Add 1--64 bytes so that the resulting length is 56 mod 64 */
209 r = (ctx->count[1] >> 3) & 0x3f;
210 plen = (r < 56) ? (56 - r) : (120 - r);
211 SHA256_Update_SCRYPT(ctx, PAD, (size_t)plen);
212
213 /* Add the terminating bit-count */
214 SHA256_Update_SCRYPT(ctx, len, 8);
215 }
216
217 /* SHA-256 initialization. Begins a SHA-256 operation. */
218 void
219 SHA256_Init_SCRYPT(SHA256_CTX * ctx)
220 {
221
222 /* Zero bits processed so far */
223 ctx->count[0] = ctx->count[1] = 0;
224
225 /* Magic initialization constants */
226 ctx->state[0] = 0x6A09E667;
227 ctx->state[1] = 0xBB67AE85;
228 ctx->state[2] = 0x3C6EF372;
229 ctx->state[3] = 0xA54FF53A;
230 ctx->state[4] = 0x510E527F;
231 ctx->state[5] = 0x9B05688C;
232 ctx->state[6] = 0x1F83D9AB;
233 ctx->state[7] = 0x5BE0CD19;
234 }
235
236 /* Add bytes into the hash */
237 void
238 SHA256_Update_SCRYPT(SHA256_CTX * ctx, const void *in, size_t len)
239 {
240 uint32_t bitlen[2];
241 uint32_t r;
242 const unsigned char *src = in;
243
244 /* Number of bytes left in the buffer from previous updates */
245 r = (ctx->count[1] >> 3) & 0x3f;
246
247 /* Convert the length into a number of bits */
248 bitlen[1] = ((uint32_t)len) << 3;
249 bitlen[0] = (uint32_t)(len >> 29);
250
251 /* Update number of bits */
252 if ((ctx->count[1] += bitlen[1]) < bitlen[1])
253 ctx->count[0]++;
254 ctx->count[0] += bitlen[0];
255
256 /* Handle the case where we don't need to perform any transforms */
257 if (len < 64 - r) {
258 memcpy(&ctx->buf[r], src, len);
259 return;
260 }
261
262 /* Finish the current block */
263 memcpy(&ctx->buf[r], src, 64 - r);
264 SHA256_Transform(ctx->state, ctx->buf);
265 src += 64 - r;
266 len -= 64 - r;
267
268 /* Perform complete blocks */
269 while (len >= 64) {
270 SHA256_Transform(ctx->state, src);
271 src += 64;
272 len -= 64;
273 }
274
275 /* Copy left over data into buffer */
276 memcpy(ctx->buf, src, len);
277 }
278
279 /*
280 * SHA-256 finalization. Pads the input data, exports the hash value,
281 * and clears the context state.
282 */
283 void
284 SHA256_Final_SCRYPT(unsigned char digest[32], SHA256_CTX * ctx)
285 {
286
287 /* Add padding */
288 SHA256_Pad(ctx);
289
290 /* Write the hash */
291 be32enc_vect(digest, ctx->state, 32);
292
293 /* Clear the context state */
294 memset((void *)ctx, 0, sizeof(*ctx));
295 }
296
297 /* Initialize an HMAC-SHA256 operation with the given key. */
298 void
299 HMAC_SHA256_Init_SCRYPT(HMAC_SHA256_CTX * ctx, const void * _K, size_t Klen)
300 {
301 unsigned char pad[64];
302 unsigned char khash[32];
303 const unsigned char * K = _K;
304 size_t i;
305
306 /* If Klen > 64, the key is really SHA256(K). */
307 if (Klen > 64) {
308 SHA256_Init_SCRYPT(&ctx->ictx);
309 SHA256_Update_SCRYPT(&ctx->ictx, K, Klen);
310 SHA256_Final_SCRYPT(khash, &ctx->ictx);
311 K = khash;
312 Klen = 32;
313 }
314
315 /* Inner SHA256 operation is SHA256(K xor [block of 0x36] || data). */
316 SHA256_Init_SCRYPT(&ctx->ictx);
317 memset(pad, 0x36, 64);
318 for (i = 0; i < Klen; i++)
319 pad[i] ^= K[i];
320
321 SHA256_Update_SCRYPT(&ctx->ictx, pad, 64);
322
323 /* Outer SHA256 operation is SHA256(K xor [block of 0x5c] || hash). */
324 SHA256_Init_SCRYPT(&ctx->octx);
325 memset(pad, 0x5c, 64);
326 for (i = 0; i < Klen; i++)
327 pad[i] ^= K[i];
328 SHA256_Update_SCRYPT(&ctx->octx, pad, 64);
329
330 /* Clean the stack. */
331 memset(khash, 0, 32);
332 }
333
334 /* Add bytes to the HMAC-SHA256 operation. */
335 void
336 HMAC_SHA256_Update_SCRYPT(HMAC_SHA256_CTX * ctx, const void *in, size_t len)
337 {
338
339 /* Feed data to the inner SHA256 operation. */
340 SHA256_Update_SCRYPT(&ctx->ictx, in, len);
341 }
342
343 /* Finish an HMAC-SHA256 operation. */
344 void
345 HMAC_SHA256_Final_SCRYPT(unsigned char digest[32], HMAC_SHA256_CTX * ctx)
346 {
347 unsigned char ihash[32];
348
349 /* Finish the inner SHA256 operation. */
350 SHA256_Final_SCRYPT(ihash, &ctx->ictx);
351
352 /* Feed the inner hash to the outer SHA256 operation. */
353 SHA256_Update_SCRYPT(&ctx->octx, ihash, 32);
354
355 /* Finish the outer SHA256 operation. */
356 SHA256_Final_SCRYPT(digest, &ctx->octx);
357
358 /* Clean the stack. */
359 memset(ihash, 0, 32);
360 }
361
362 /**
363 * PBKDF2_SHA256_SCRYPT(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
364 * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
365 * write the output to buf. The value dkLen must be at most 32 * (2^32 - 1).
366 */
367 void
368 PBKDF2_SHA256_SCRYPT(const uint8_t * passwd, size_t passwdlen, const uint8_t * salt,
369 size_t saltlen, uint64_t c, uint8_t * buf, size_t dkLen)
370 {
371 HMAC_SHA256_CTX PShctx, hctx;
372 size_t i;
373 uint8_t ivec[4];
374 uint8_t U[32];
375 uint8_t T[32];
376 uint64_t j;
377 int k;
378 size_t clen;
379
380 /* Compute HMAC state after processing P and S. */
381 HMAC_SHA256_Init_SCRYPT(&PShctx, passwd, passwdlen);
382
383 HMAC_SHA256_Update_SCRYPT(&PShctx, salt, saltlen);
384
385 /* Iterate through the blocks. */
386 for (i = 0; i * 32 < dkLen; i++) {
387 /* Generate INT(i + 1). */
388 be32enc(ivec, (uint32_t)(i + 1));
389
390 /* Compute U_1 = PRF(P, S || INT(i)). */
391 memcpy(&hctx, &PShctx, sizeof(HMAC_SHA256_CTX));
392 HMAC_SHA256_Update_SCRYPT(&hctx, ivec, 4);
393 HMAC_SHA256_Final_SCRYPT(U, &hctx);
394
395 /* T_i = U_1 ... */
396 memcpy(T, U, 32);
397
398 for (j = 2; j <= c; j++) {
399 /* Compute U_j. */
400 HMAC_SHA256_Init_SCRYPT(&hctx, passwd, passwdlen);
401 HMAC_SHA256_Update_SCRYPT(&hctx, U, 32);
402 HMAC_SHA256_Final_SCRYPT(U, &hctx);
403
404 /* ... xor U_j ... */
405 for (k = 0; k < 32; k++)
406 T[k] ^= U[k];
407 }
408
409 /* Copy as many bytes as necessary into buf. */
410 clen = dkLen - i * 32;
411 if (clen > 32)
412 clen = 32;
413 memcpy(&buf[i * 32], T, clen);
414 }
415
416 /* Clean PShctx, since we never called _Final on it. */
417 memset(&PShctx, 0, sizeof(HMAC_SHA256_CTX));
418 }
419