xref: /haiku/src/system/libroot/posix/crypt/pbkdf2.h (revision ed24eb5ff12640d052171c6a7feba37fab8a75d1) 
1 /* This file is distributed under the following terms:
2 
3  * Copyright 2005-2014 Colin Percival.  All rights reserved.
4  * Copyright 2014 Sean Kelly.  All rights reserved.
5 
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25  * SUCH DAMAGE.
26  */
27 
28 #ifndef _SHA256_H_
29 #define _SHA256_H_
30 
31 #include <stddef.h>
32 #include <stdint.h>
33 #include <SHA256.h>
34 
35 /* Pointer to memory-zeroing function. */
36 extern void (* volatile insecure_memzero_ptr)(volatile void *, size_t);
37 
38 /**
39  * insecure_memzero(buf, len):
40  * Attempt to zero ${len} bytes at ${buf} in spite of optimizing compilers'
41  * best (standards-compliant) attempts to remove the buffer-zeroing.  In
42  * particular, to avoid performing the zeroing, a compiler would need to
43  * use optimistic devirtualization; recognize that non-volatile objects do not
44  * need to be treated as volatile, even if they are accessed via volatile
45  * qualified pointers; and perform link-time optimization; in addition to the
46  * dead-code elimination which often causes buffer-zeroing to be elided.
47  *
48  * Note however that zeroing a buffer does not guarantee that the data held
49  * in the buffer is not stored elsewhere; in particular, there may be copies
50  * held in CPU registers or in anonymous allocations on the stack, even if
51  * every named variable is successfully sanitized.  Solving the "wipe data
52  * from the system" problem will require a C language extension which does not
53  * yet exist.
54  *
55  * For more information, see:
56  * http://www.daemonology.net/blog/2014-09-04-how-to-zero-a-buffer.html
57  * http://www.daemonology.net/blog/2014-09-06-zeroing-buffers-is-insufficient.html
58  */
59 static inline void
60 insecure_memzero(volatile void * buf, size_t len)
61 {
62 
63 	(insecure_memzero_ptr)(buf, len);
64 }
65 
66 /* Context structure for SHA256 operations. */
67 typedef struct {
68 	uint32_t state[8];
69 	uint64_t count;
70 	uint8_t buf[64];
71 } SHA256_CTX;
72 
73 /* Context structure for HMAC-SHA256 operations. */
74 typedef struct {
75 	SHA256 ictx;
76 	SHA256 octx;
77 } HMAC_SHA256_CTX;
78 
79 /**
80  * HMAC_SHA256_Init(ctx, K, Klen):
81  * Initialize the HMAC-SHA256 context ${ctx} with ${Klen} bytes of key from
82  * ${K}.
83  */
84 void HMAC_SHA256_Init(HMAC_SHA256_CTX *, const void *, size_t);
85 
86 /**
87  * HMAC_SHA256_Update(ctx, in, len):
88  * Input ${len} bytes from ${in} into the HMAC-SHA256 context ${ctx}.
89  */
90 void HMAC_SHA256_Update(HMAC_SHA256_CTX *, const void *, size_t);
91 
92 /**
93  * HMAC_SHA256_Final(digest, ctx):
94  * Output the HMAC-SHA256 of the data input to the context ${ctx} into the
95  * buffer ${digest}.
96  */
97 void HMAC_SHA256_Final(uint8_t[32], HMAC_SHA256_CTX *);
98 
99 /**
100  * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
101  * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
102  * write the output to buf.  The value dkLen must be at most 32 * (2^32 - 1).
103  */
104 void PBKDF2_SHA256(const uint8_t *, size_t, const uint8_t *, size_t,
105     uint64_t, uint8_t *, size_t);
106 
107 #endif /* !_SHA256_H_ */
108