1/* This file is distributed under the following terms:
2
3 * Copyright 2005-2014 Colin Percival.  All rights reserved.
4 * Copyright 2014 Sean Kelly.  All rights reserved.
5
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 *    notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 *    notice, this list of conditions and the following disclaimer in the
13 *    documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 * SUCH DAMAGE.
26 */
27
28#ifndef _SHA256_H_
29#define _SHA256_H_
30
31#include <stddef.h>
32#include <stdint.h>
33#include <SHA256.h>
34
35/* Pointer to memory-zeroing function. */
36extern void (* volatile insecure_memzero_ptr)(volatile void *, size_t);
37
38/**
39 * insecure_memzero(buf, len):
40 * Attempt to zero ${len} bytes at ${buf} in spite of optimizing compilers'
41 * best (standards-compliant) attempts to remove the buffer-zeroing.  In
42 * particular, to avoid performing the zeroing, a compiler would need to
43 * use optimistic devirtualization; recognize that non-volatile objects do not
44 * need to be treated as volatile, even if they are accessed via volatile
45 * qualified pointers; and perform link-time optimization; in addition to the
46 * dead-code elimination which often causes buffer-zeroing to be elided.
47 *
48 * Note however that zeroing a buffer does not guarantee that the data held
49 * in the buffer is not stored elsewhere; in particular, there may be copies
50 * held in CPU registers or in anonymous allocations on the stack, even if
51 * every named variable is successfully sanitized.  Solving the "wipe data
52 * from the system" problem will require a C language extension which does not
53 * yet exist.
54 *
55 * For more information, see:
56 * http://www.daemonology.net/blog/2014-09-04-how-to-zero-a-buffer.html
57 * http://www.daemonology.net/blog/2014-09-06-zeroing-buffers-is-insufficient.html
58 */
59static inline void
60insecure_memzero(volatile void * buf, size_t len)
61{
62
63	(insecure_memzero_ptr)(buf, len);
64}
65
66/* Context structure for SHA256 operations. */
67typedef struct {
68	uint32_t state[8];
69	uint64_t count;
70	uint8_t buf[64];
71} SHA256_CTX;
72
73/* Context structure for HMAC-SHA256 operations. */
74typedef struct {
75	SHA256 ictx;
76	SHA256 octx;
77} HMAC_SHA256_CTX;
78
79/**
80 * HMAC_SHA256_Init(ctx, K, Klen):
81 * Initialize the HMAC-SHA256 context ${ctx} with ${Klen} bytes of key from
82 * ${K}.
83 */
84void HMAC_SHA256_Init(HMAC_SHA256_CTX *, const void *, size_t);
85
86/**
87 * HMAC_SHA256_Update(ctx, in, len):
88 * Input ${len} bytes from ${in} into the HMAC-SHA256 context ${ctx}.
89 */
90void HMAC_SHA256_Update(HMAC_SHA256_CTX *, const void *, size_t);
91
92/**
93 * HMAC_SHA256_Final(digest, ctx):
94 * Output the HMAC-SHA256 of the data input to the context ${ctx} into the
95 * buffer ${digest}.
96 */
97void HMAC_SHA256_Final(uint8_t[32], HMAC_SHA256_CTX *);
98
99/**
100 * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
101 * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
102 * write the output to buf.  The value dkLen must be at most 32 * (2^32 - 1).
103 */
104void PBKDF2_SHA256(const uint8_t *, size_t, const uint8_t *, size_t,
105    uint64_t, uint8_t *, size_t);
106
107#endif /* !_SHA256_H_ */
108