Diffstat (limited to '')
-rw-r--r--libbb/yescrypt/alg-sha256.c91
1 files changed, 91 insertions, 0 deletions
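diff --git a/libbb/yescrypt/alg-sha256.c b/libbb/yescrypt/alg-sha256.c
new file mode 100644
index 000000000..dc748c968
--- /dev/null
+++ b/libbb/yescrypt/alg-sha256.c
@@ -0,0 +1,91 @@
+/*-
+ * Copyright 2005-2016 Colin Percival
+ * Copyright 2016-2018,2021 Alexander Peslyak
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/**
+ * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
+ * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
+ * write the output to buf. The value dkLen must be at most 32 * (2^32 - 1).
+ */
+static void
+PBKDF2_SHA256(const uint8_t *passwd, size_t passwdlen,
+ const uint8_t *salt, size_t saltlen,
+ uint64_t c, uint8_t *buf, size_t dkLen)
+{
+ hmac_ctx_t Phctx, PShctx;
+ uint32_t i;
+
+ /* Compute HMAC state after processing P. */
+ hmac_begin(&Phctx, passwd, passwdlen, sha256_begin);
+
+ /* Compute HMAC state after processing P and S. */
+ PShctx = Phctx;
+ hmac_hash(&PShctx, salt, saltlen);
+
+ /* Iterate through the blocks. */
+ for (i = 0; dkLen != 0; ) {
+ long U[32 / sizeof(long)];
+ long T[32 / sizeof(long)];
+// Do not make these ^^ uint64_t[]. Keep them long[].
+// Even though the XORing loop below is optimized out,
+// gcc is not smart enough to realize that 64-bit alignment of the stack
+// is no longer useful, and generates ~50 more bytes of code on i386...
+ uint32_t ivec;
+ size_t clen;
+ int k;
+
+ /* Generate INT(i). */
+ i++;
+ ivec = SWAP_BE32(i);
+
+ /* Compute U_1 = PRF(P, S || INT(i)). */
+ hmac_peek_hash(&PShctx, (void*)T, &ivec, 4, NULL);
+//TODO: the above is a vararg function, might incur some ABI pain
+//does libbb need a non-vararg version with just one (buf,len)?
+
+ if (c > 1) {
+//in yescrypt, c is always 1, so this if() branch is optimized out
+ uint64_t j;
+ /* T_i = U_1 ... */
+ memcpy(U, T, 32);
+ for (j = 2; j <= c; j++) {
+ /* Compute U_j. */
+ hmac_peek_hash(&Phctx, (void*)U, U, 32, NULL);
+ /* ... xor U_j ... */
+ for (k = 0; k < 32 / sizeof(long); k++)
+ T[k] ^= U[k];
+ //TODO: xorbuf32_aligned_long(T, U);
+ }
+ }
+
+ /* Copy as many bytes as necessary into buf. */
+ clen = dkLen;
+ if (clen > 32)
+ clen = 32;
+ buf = mempcpy(buf, T, clen);
+ dkLen -= clen;
+ }
+}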
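Review bot: PBKDF2_SHA256 returns without clearing `Phctx` and `PShctx`, which hold HMAC state keyed with the password, or the `T`/`U` blocks, which hold derived-key material, so all of it stays on the stack after the call. Consider wiping them with a call the compiler cannot elide, for example `explicit_bzero(&Phctx, sizeof(Phctx)); explicit_bzero(&PShctx, sizeof(PShctx));` after the loop and the same for `T` and `U` at the end of each iteration (or an equivalent helper if the tree already provides one; none is visible in this file). Separately, the header comment requires dkLen to be at most 32 * (2^32 - 1) but nothing enforces it, and `i` is a `uint32_t` that would wrap and repeat block indices past that bound; if callers only ever pass a small dkLen, a comment saying so next to the loop would make the contract explicit.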