1 /*-
2 * Copyright 2005-2016 Colin Percival
3 * Copyright 2016-2018,2021 Alexander Peslyak
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 * SUCH DAMAGE.
26 */
27
28 #include "crypt-port.h"
29
30 #if INCLUDE_gost_yescrypt || INCLUDE_yescrypt || INCLUDE_scrypt || INCLUDE_sha256crypt
31
32 #include "alg-sha256.h"
33 #include "byteorder.h"
34
35 #ifdef __ICC
36 /* Miscompile with icc 14.0.0 (at least), so don't use restrict there */
37 #define restrict
38 #elif __STDC_VERSION__ >= 199901L
39 /* Have restrict */
40 #elif defined(__GNUC__)
41 #define restrict __restrict
42 #else
43 #define restrict
44 #endif
45
46 /* SHA256 round constants. */
47 static const uint32_t Krnd[64] = {
48 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
49 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
50 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
51 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
52 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
53 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
54 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
55 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
56 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
57 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
58 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
59 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
60 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
61 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
62 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
63 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
64 };
65
66 /* Elementary functions used by SHA256 */
67 #define Ch(x, y, z) ((x & (y ^ z)) ^ z)
68 #if 1 /* Explicit caching/reuse of common subexpression between rounds */
69 #define Maj(x, y, z) (y ^ ((x_xor_y = x ^ y) & y_xor_z))
70 #else /* Let the compiler cache/reuse or not */
71 #define Maj(x, y, z) (y ^ ((x ^ y) & (y ^ z)))
72 #endif
73 #define SHR(x, n) (x >> n)
74 #define ROTR(x, n) ((x >> n) | (x << (32 - n)))
75 #define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
76 #define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
77 #define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
78 #define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
79
80 /* SHA256 round function */
81 #define RND(a, b, c, d, e, f, g, h, k) \
82 h += S1(e) + Ch(e, f, g) + k; \
83 d += h; \
84 h += S0(a) + Maj(a, b, c); \
85 y_xor_z = x_xor_y;
86
87 /* Adjusted round function for rotating state */
88 #define RNDr(S, W, i, ii) \
89 RND(S[(64 - i) % 8], S[(65 - i) % 8], \
90 S[(66 - i) % 8], S[(67 - i) % 8], \
91 S[(68 - i) % 8], S[(69 - i) % 8], \
92 S[(70 - i) % 8], S[(71 - i) % 8], \
93 W[i + ii] + Krnd[i + ii])
94
95 /* Message schedule computation */
96 #define MSCH(W, ii, i) \
97 W[i + ii + 16] = s1(W[i + ii + 14]) + W[i + ii + 9] + s0(W[i + ii + 1]) + W[i + ii]
98
99 /*
100 * SHA256 block compression function. The 256-bit state is transformed via
101 * the 512-bit input block to produce a new state.
102 */
103 static void
104 SHA256_Transform(uint32_t state[static restrict 8],
105 const uint8_t block[static restrict 64],
106 uint32_t W[static restrict 64], uint32_t S[static restrict 8])
107 {
108 int i;
109
110 /* 1. Prepare the first part of the message schedule W. */
111 be32dec_vect(W, block, 16);
112
113 /* 2. Initialize working variables. */
114 memcpy(S, state, 32);
115
116 /* 3. Mix. */
117 for (i = 0; i <= 48; i += 16) {
118 uint32_t x_xor_y, y_xor_z = S[(65 - i) % 8] ^ S[(66 - i) % 8];
119 RNDr(S, W, 0, i);
120 RNDr(S, W, 1, i);
121 RNDr(S, W, 2, i);
122 RNDr(S, W, 3, i);
123 RNDr(S, W, 4, i);
124 RNDr(S, W, 5, i);
125 RNDr(S, W, 6, i);
126 RNDr(S, W, 7, i);
127 RNDr(S, W, 8, i);
128 RNDr(S, W, 9, i);
129 RNDr(S, W, 10, i);
130 RNDr(S, W, 11, i);
131 RNDr(S, W, 12, i);
132 RNDr(S, W, 13, i);
133 RNDr(S, W, 14, i);
134 RNDr(S, W, 15, i);
135
136 if (i == 48)
137 break;
138
139 MSCH(W, 0, i);
140 MSCH(W, 1, i);
141 MSCH(W, 2, i);
142 MSCH(W, 3, i);
143 MSCH(W, 4, i);
144 MSCH(W, 5, i);
145 MSCH(W, 6, i);
146 MSCH(W, 7, i);
147 MSCH(W, 8, i);
148 MSCH(W, 9, i);
149 MSCH(W, 10, i);
150 MSCH(W, 11, i);
151 MSCH(W, 12, i);
152 MSCH(W, 13, i);
153 MSCH(W, 14, i);
154 MSCH(W, 15, i);
155 }
156
157 /* 4. Mix local working variables into global state. */
158 state[0] += S[0];
159 state[1] += S[1];
160 state[2] += S[2];
161 state[3] += S[3];
162 state[4] += S[4];
163 state[5] += S[5];
164 state[6] += S[6];
165 state[7] += S[7];
166 }
167
168 static const uint8_t PAD[64] = {
169 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
170 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
171 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
172 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
173 };
174
175 /* Add padding and terminating bit-count. */
176 static void
177 SHA256_Pad(SHA256_CTX * ctx, uint32_t tmp32[static restrict 72])
178 {
179 size_t r;
180
181 /* Figure out how many bytes we have buffered. */
182 r = (ctx->count >> 3) & 0x3f;
183
184 /* Pad to 56 mod 64, transforming if we finish a block en route. */
185 if (r < 56) {
186 /* Pad to 56 mod 64. */
187 memcpy(&ctx->buf[r], PAD, 56 - r);
188 } else {
189 /* Finish the current block and mix. */
190 memcpy(&ctx->buf[r], PAD, 64 - r);
191 SHA256_Transform(ctx->state, ctx->buf, &tmp32[0], &tmp32[64]);
192
193 /* The start of the final block is all zeroes. */
194 memset(&ctx->buf[0], 0, 56);
195 }
196
197 /* Add the terminating bit-count. */
198 be64enc(&ctx->buf[56], ctx->count);
199
200 /* Mix in the final block. */
201 SHA256_Transform(ctx->state, ctx->buf, &tmp32[0], &tmp32[64]);
202 }
203
204 /* Magic initialization constants. */
205 static const uint32_t initial_state[8] = {
206 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
207 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19
208 };
209
210 /**
211 * SHA256_Init(ctx):
212 * Initialize the SHA256 context ${ctx}.
213 */
214 void
215 SHA256_Init(SHA256_CTX * ctx)
216 {
217
218 /* Zero bits processed so far. */
219 ctx->count = 0;
220
221 /* Initialize state. */
222 memcpy(ctx->state, initial_state, sizeof(initial_state));
223 }
224
225 /**
226 * SHA256_Update(ctx, in, len):
227 * Input ${len} bytes from ${in} into the SHA256 context ${ctx}.
228 */
229 static void
230 _SHA256_Update(SHA256_CTX * ctx, const void * in, size_t len,
231 uint32_t tmp32[static restrict 72])
232 {
233 uint32_t r;
234 const uint8_t * src = in;
235
236 /* Return immediately if we have nothing to do. */
237 if (len == 0)
238 return;
239
240 /* Number of bytes left in the buffer from previous updates. */
241 r = (ctx->count >> 3) & 0x3f;
242
243 /* Update number of bits. */
244 ctx->count += (uint64_t)(len) << 3;
245
246 /* Handle the case where we don't need to perform any transforms. */
247 if (len < 64 - r) {
248 memcpy(&ctx->buf[r], src, len);
249 return;
250 }
251
252 /* Finish the current block. */
253 memcpy(&ctx->buf[r], src, 64 - r);
254 SHA256_Transform(ctx->state, ctx->buf, &tmp32[0], &tmp32[64]);
255 src += 64 - r;
256 len -= 64 - r;
257
258 /* Perform complete blocks. */
259 while (len >= 64) {
260 SHA256_Transform(ctx->state, src, &tmp32[0], &tmp32[64]);
261 src += 64;
262 len -= 64;
263 }
264
265 /* Copy left over data into buffer. */
266 memcpy(ctx->buf, src, len);
267 }
268
269 /* Wrapper function for intermediate-values sanitization. */
270 void
271 SHA256_Update(SHA256_CTX * ctx, const void * in, size_t len)
272 {
273 uint32_t tmp32[72];
274
275 /* Call the real function. */
276 _SHA256_Update(ctx, in, len, tmp32);
277
278 /* Clean the stack. */
279 explicit_bzero(tmp32, 288);
280 }
281
282 /**
283 * SHA256_Final(digest, ctx):
284 * Output the SHA256 hash of the data input to the context ${ctx} into the
285 * buffer ${digest}.
286 */
287 static void
288 _SHA256_Final(uint8_t digest[32], SHA256_CTX * ctx,
289 uint32_t tmp32[static restrict 72])
290 {
291
292 /* Add padding. */
293 SHA256_Pad(ctx, tmp32);
294
295 /* Write the hash. */
296 be32enc_vect(digest, ctx->state, 8);
297 }
298
299 /* Wrapper function for intermediate-values sanitization. */
300 void
301 SHA256_Final(uint8_t digest[32], SHA256_CTX * ctx)
302 {
303 uint32_t tmp32[72];
304
305 /* Call the real function. */
306 _SHA256_Final(digest, ctx, tmp32);
307
308 /* Clear the context state. */
309 explicit_bzero(ctx, sizeof(SHA256_CTX));
310
311 /* Clean the stack. */
312 explicit_bzero(tmp32, 288);
313 }
314
315 /**
316 * SHA256_Buf(in, len, digest):
317 * Compute the SHA256 hash of ${len} bytes from ${in} and write it to ${digest}.
318 */
319 void
320 SHA256_Buf(const void * in, size_t len, uint8_t digest[32])
321 {
322 SHA256_CTX ctx;
323 uint32_t tmp32[72];
324
325 SHA256_Init(&ctx);
326 _SHA256_Update(&ctx, in, len, tmp32);
327 _SHA256_Final(digest, &ctx, tmp32);
328
329 /* Clean the stack. */
330 explicit_bzero(&ctx, sizeof(SHA256_CTX));
331 explicit_bzero(tmp32, 288);
332 }
333
334 #endif /* INCLUDE_gost_yescrypt || INCLUDE_yescrypt || INCLUDE_scrypt || INCLUDE_sha256crypt */
335
336 #if INCLUDE_gost_yescrypt || INCLUDE_yescrypt || INCLUDE_scrypt
337
338 /**
339 * HMAC_SHA256_Init(ctx, K, Klen):
340 * Initialize the HMAC-SHA256 context ${ctx} with ${Klen} bytes of key from
341 * ${K}.
342 */
343 static void
344 _HMAC_SHA256_Init(HMAC_SHA256_CTX * ctx, const void * _K, size_t Klen,
345 uint32_t tmp32[static restrict 72], uint8_t pad[static restrict 64],
346 uint8_t khash[static restrict 32])
347 {
348 const uint8_t * K = _K;
349 size_t i;
350
351 /* If Klen > 64, the key is really SHA256(K). */
352 if (Klen > 64) {
353 SHA256_Init(&ctx->ictx);
354 _SHA256_Update(&ctx->ictx, K, Klen, tmp32);
355 _SHA256_Final(khash, &ctx->ictx, tmp32);
356 K = khash;
357 Klen = 32;
358 }
359
360 /* Inner SHA256 operation is SHA256(K xor [block of 0x36] || data). */
361 SHA256_Init(&ctx->ictx);
362 memset(pad, 0x36, 64);
363 for (i = 0; i < Klen; i++)
364 pad[i] ^= K[i];
365 _SHA256_Update(&ctx->ictx, pad, 64, tmp32);
366
367 /* Outer SHA256 operation is SHA256(K xor [block of 0x5c] || hash). */
368 SHA256_Init(&ctx->octx);
369 memset(pad, 0x5c, 64);
370 for (i = 0; i < Klen; i++)
371 pad[i] ^= K[i];
372 _SHA256_Update(&ctx->octx, pad, 64, tmp32);
373 }
374
375 /* Wrapper function for intermediate-values sanitization. */
376 void
377 HMAC_SHA256_Init(HMAC_SHA256_CTX * ctx, const void * _K, size_t Klen)
378 {
379 uint32_t tmp32[72];
380 uint8_t pad[64];
381 uint8_t khash[32];
382
383 /* Call the real function. */
384 _HMAC_SHA256_Init(ctx, _K, Klen, tmp32, pad, khash);
385
386 /* Clean the stack. */
387 explicit_bzero(tmp32, 288);
388 explicit_bzero(khash, 32);
389 explicit_bzero(pad, 64);
390 }
391
392 /**
393 * HMAC_SHA256_Update(ctx, in, len):
394 * Input ${len} bytes from ${in} into the HMAC-SHA256 context ${ctx}.
395 */
396 static void
397 _HMAC_SHA256_Update(HMAC_SHA256_CTX * ctx, const void * in, size_t len,
398 uint32_t tmp32[static restrict 72])
399 {
400
401 /* Feed data to the inner SHA256 operation. */
402 _SHA256_Update(&ctx->ictx, in, len, tmp32);
403 }
404
405 /* Wrapper function for intermediate-values sanitization. */
406 void
407 HMAC_SHA256_Update(HMAC_SHA256_CTX * ctx, const void * in, size_t len)
408 {
409 uint32_t tmp32[72];
410
411 /* Call the real function. */
412 _HMAC_SHA256_Update(ctx, in, len, tmp32);
413
414 /* Clean the stack. */
415 explicit_bzero(tmp32, 288);
416 }
417
418 /**
419 * HMAC_SHA256_Final(digest, ctx):
420 * Output the HMAC-SHA256 of the data input to the context ${ctx} into the
421 * buffer ${digest}.
422 */
423 static void
424 _HMAC_SHA256_Final(uint8_t digest[32], HMAC_SHA256_CTX * ctx,
425 uint32_t tmp32[static restrict 72], uint8_t ihash[static restrict 32])
426 {
427
428 /* Finish the inner SHA256 operation. */
429 _SHA256_Final(ihash, &ctx->ictx, tmp32);
430
431 /* Feed the inner hash to the outer SHA256 operation. */
432 _SHA256_Update(&ctx->octx, ihash, 32, tmp32);
433
434 /* Finish the outer SHA256 operation. */
435 _SHA256_Final(digest, &ctx->octx, tmp32);
436 }
437
438 /* Wrapper function for intermediate-values sanitization. */
439 void
440 HMAC_SHA256_Final(uint8_t digest[32], HMAC_SHA256_CTX * ctx)
441 {
442 uint32_t tmp32[72];
443 uint8_t ihash[32];
444
445 /* Call the real function. */
446 _HMAC_SHA256_Final(digest, ctx, tmp32, ihash);
447
448 /* Clear the context state. */
449 explicit_bzero(ctx, sizeof(HMAC_SHA256_CTX));
450
451 /* Clean the stack. */
452 explicit_bzero(tmp32, 288);
453 explicit_bzero(ihash, 32);
454 }
455
456 /**
457 * HMAC_SHA256_Buf(K, Klen, in, len, digest):
458 * Compute the HMAC-SHA256 of ${len} bytes from ${in} using the key ${K} of
459 * length ${Klen}, and write the result to ${digest}.
460 */
461 void
462 HMAC_SHA256_Buf(const void * K, size_t Klen, const void * in, size_t len,
463 uint8_t digest[32])
464 {
465 HMAC_SHA256_CTX ctx;
466 uint32_t tmp32[72];
467 uint8_t tmp8[96];
468
469 _HMAC_SHA256_Init(&ctx, K, Klen, tmp32, &tmp8[0], &tmp8[64]);
470 _HMAC_SHA256_Update(&ctx, in, len, tmp32);
471 _HMAC_SHA256_Final(digest, &ctx, tmp32, &tmp8[0]);
472
473 /* Clean the stack. */
474 explicit_bzero(&ctx, sizeof(HMAC_SHA256_CTX));
475 explicit_bzero(tmp32, 288);
476 explicit_bzero(tmp8, 96);
477 }
478
479 /* Add padding and terminating bit-count, but don't invoke Transform yet. */
480 static int
481 SHA256_Pad_Almost(SHA256_CTX * ctx, uint8_t len[static restrict 8],
482 uint32_t tmp32[static restrict 72])
483 {
484 uint32_t r;
485
486 r = (ctx->count >> 3) & 0x3f;
487 if (r >= 56)
488 return -1;
489
490 /*
491 * Convert length to a vector of bytes -- we do this now rather
492 * than later because the length will change after we pad.
493 */
494 be64enc(len, ctx->count);
495
496 /* Add 1--56 bytes so that the resulting length is 56 mod 64. */
497 _SHA256_Update(ctx, PAD, 56 - r, tmp32);
498
499 /* Add the terminating bit-count. */
500 ctx->buf[63] = len[7];
501 _SHA256_Update(ctx, len, 7, tmp32);
502
503 return 0;
504 }
505
506 /**
507 * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
508 * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
509 * write the output to buf. The value dkLen must be at most 32 * (2^32 - 1).
510 */
511 void
512 PBKDF2_SHA256(const uint8_t * passwd, size_t passwdlen, const uint8_t * salt,
513 size_t saltlen, uint64_t c, uint8_t * buf, size_t dkLen)
514 {
515 HMAC_SHA256_CTX Phctx, PShctx, hctx;
516 uint32_t tmp32[72];
517 union {
518 uint8_t tmp8[96];
519 uint32_t state[8];
520 } u;
521 size_t i;
522 uint8_t ivec[4];
523 uint8_t U[32];
524 uint8_t T[32];
525 uint64_t j;
526 int k;
527 size_t clen;
528
529 /* Sanity-check. */
530 assert(dkLen <= 32 * (size_t)(UINT32_MAX));
531
532 if (c == 1 && (dkLen & 31) == 0 && (saltlen & 63) <= 51) {
533 uint32_t oldcount;
534 uint8_t * ivecp;
535
536 /* Compute HMAC state after processing P and S. */
537 _HMAC_SHA256_Init(&hctx, passwd, passwdlen,
538 tmp32, &u.tmp8[0], &u.tmp8[64]);
539 _HMAC_SHA256_Update(&hctx, salt, saltlen, tmp32);
540
541 /* Prepare ictx padding. */
542 oldcount = hctx.ictx.count & (0x3f << 3);
543 _HMAC_SHA256_Update(&hctx, "\0\0\0", 4, tmp32);
544 if ((hctx.ictx.count & (0x3f << 3)) < oldcount ||
545 SHA256_Pad_Almost(&hctx.ictx, u.tmp8, tmp32))
546 goto generic; /* Can't happen due to saltlen check */
547 ivecp = hctx.ictx.buf + (oldcount >> 3);
548
549 /* Prepare octx padding. */
550 hctx.octx.count += 32 << 3;
551 SHA256_Pad_Almost(&hctx.octx, u.tmp8, tmp32);
552
553 /* Iterate through the blocks. */
554 for (i = 0; i * 32 < dkLen; i++) {
555 /* Generate INT(i + 1). */
556 be32enc(ivecp, (uint32_t)(i + 1));
557
558 /* Compute U_1 = PRF(P, S || INT(i)). */
559 memcpy(u.state, hctx.ictx.state, sizeof(u.state));
560 SHA256_Transform(u.state, hctx.ictx.buf,
561 &tmp32[0], &tmp32[64]);
562 be32enc_vect(hctx.octx.buf, u.state, 8);
563 memcpy(u.state, hctx.octx.state, sizeof(u.state));
564 SHA256_Transform(u.state, hctx.octx.buf,
565 &tmp32[0], &tmp32[64]);
566 be32enc_vect(&buf[i * 32], u.state, 8);
567 }
568
569 goto cleanup;
570 }
571
572 generic:
573 /* Compute HMAC state after processing P. */
574 _HMAC_SHA256_Init(&Phctx, passwd, passwdlen,
575 tmp32, &u.tmp8[0], &u.tmp8[64]);
576
577 /* Compute HMAC state after processing P and S. */
578 memcpy(&PShctx, &Phctx, sizeof(HMAC_SHA256_CTX));
579 _HMAC_SHA256_Update(&PShctx, salt, saltlen, tmp32);
580
581 /* Iterate through the blocks. */
582 for (i = 0; i * 32 < dkLen; i++) {
583 /* Generate INT(i + 1). */
584 be32enc(ivec, (uint32_t)(i + 1));
585
586 /* Compute U_1 = PRF(P, S || INT(i)). */
587 memcpy(&hctx, &PShctx, sizeof(HMAC_SHA256_CTX));
588 _HMAC_SHA256_Update(&hctx, ivec, 4, tmp32);
589 _HMAC_SHA256_Final(T, &hctx, tmp32, u.tmp8);
590
591 if (c > 1) {
592 /* T_i = U_1 ... */
593 memcpy(U, T, 32);
594
595 for (j = 2; j <= c; j++) {
596 /* Compute U_j. */
597 memcpy(&hctx, &Phctx, sizeof(HMAC_SHA256_CTX));
598 _HMAC_SHA256_Update(&hctx, U, 32, tmp32);
599 _HMAC_SHA256_Final(U, &hctx, tmp32, u.tmp8);
600
601 /* ... xor U_j ... */
602 for (k = 0; k < 32; k++)
603 T[k] ^= U[k];
604 }
605 }
606
607 /* Copy as many bytes as necessary into buf. */
608 clen = dkLen - i * 32;
609 if (clen > 32)
610 clen = 32;
611 memcpy(&buf[i * 32], T, clen);
612 }
613
614 /* Clean the stack. */
615 explicit_bzero(&Phctx, sizeof(HMAC_SHA256_CTX));
616 explicit_bzero(&PShctx, sizeof(HMAC_SHA256_CTX));
617 explicit_bzero(U, 32);
618 explicit_bzero(T, 32);
619
620 cleanup:
621 explicit_bzero(&hctx, sizeof(HMAC_SHA256_CTX));
622 explicit_bzero(tmp32, 288);
623 explicit_bzero(&u, sizeof(u));
624 }
625
626 #endif /* INCLUDE_gost_yescrypt || INCLUDE_yescrypt || INCLUDE_scrypt */