SHA256.hs (18256B)
1 {-# OPTIONS_GHC -funbox-small-strict-fields #-} 2 {-# LANGUAGE BangPatterns #-} 3 {-# LANGUAGE RecordWildCards #-} 4 {-# LANGUAGE ViewPatterns #-} 5 6 -- | 7 -- Module: Crypto.Hash.SHA256 8 -- Copyright: (c) 2024 Jared Tobin 9 -- License: MIT 10 -- Maintainer: Jared Tobin <jared@ppad.tech> 11 -- 12 -- Pure SHA-256 and HMAC-SHA256 implementations for 13 -- strict and lazy ByteStrings, as specified by RFC's 14 -- [6234](https://datatracker.ietf.org/doc/html/rfc6234) and 15 -- [2104](https://datatracker.ietf.org/doc/html/rfc2104). 16 17 module Crypto.Hash.SHA256 ( 18 -- * SHA-256 message digest functions 19 hash 20 , hash_lazy 21 22 -- * SHA256-based MAC functions 23 , hmac 24 , hmac_lazy 25 ) where 26 27 import qualified Data.Bits as B 28 import Data.Bits ((.|.), (.&.)) 29 import qualified Data.ByteString as BS 30 import qualified Data.ByteString.Builder as BSB 31 import qualified Data.ByteString.Builder.Extra as BE 32 import qualified Data.ByteString.Internal as BI 33 import qualified Data.ByteString.Lazy as BL 34 import qualified Data.ByteString.Lazy.Internal as BLI 35 import qualified Data.ByteString.Unsafe as BU 36 import Data.Word (Word32, Word64) 37 import Foreign.ForeignPtr (plusForeignPtr) 38 39 -- preliminary utils 40 41 -- keystroke saver 42 fi :: (Integral a, Num b) => a -> b 43 fi = fromIntegral 44 {-# INLINE fi #-} 45 46 -- parse strict ByteString in BE order to Word32 (verbatim from 47 -- Data.Binary) 48 -- 49 -- invariant: 50 -- the input bytestring is at least 32 bits in length 51 unsafe_word32be :: BS.ByteString -> Word32 52 unsafe_word32be s = 53 (fi (s `BU.unsafeIndex` 0) `B.unsafeShiftL` 24) .|. 54 (fi (s `BU.unsafeIndex` 1) `B.unsafeShiftL` 16) .|. 55 (fi (s `BU.unsafeIndex` 2) `B.unsafeShiftL` 8) .|. 56 (fi (s `BU.unsafeIndex` 3)) 57 {-# INLINE unsafe_word32be #-} 58 59 -- utility types for more efficient ByteString management 60 61 data SSPair = SSPair 62 {-# UNPACK #-} !BS.ByteString 63 {-# UNPACK #-} !BS.ByteString 64 65 data SLPair = SLPair {-# UNPACK #-} !BS.ByteString !BL.ByteString 66 67 data WSPair = WSPair {-# UNPACK #-} !Word32 {-# UNPACK #-} !BS.ByteString 68 69 -- unsafe version of splitAt that does no bounds checking 70 -- 71 -- invariant: 72 -- 0 <= n <= l 73 unsafe_splitAt :: Int -> BS.ByteString -> SSPair 74 unsafe_splitAt n (BI.BS x l) = 75 SSPair (BI.BS x n) (BI.BS (plusForeignPtr x n) (l - n)) 76 77 -- variant of Data.ByteString.Lazy.splitAt that returns the initial 78 -- component as a strict, unboxed ByteString 79 splitAt64 :: BL.ByteString -> SLPair 80 splitAt64 = splitAt' (64 :: Int) where 81 splitAt' _ BLI.Empty = SLPair mempty BLI.Empty 82 splitAt' n (BLI.Chunk c@(BI.PS _ _ l) cs) = 83 if n < l 84 then 85 -- n < BS.length c, so unsafe_splitAt is safe 86 let !(SSPair c0 c1) = unsafe_splitAt n c 87 in SLPair c0 (BLI.Chunk c1 cs) 88 else 89 let SLPair cs' cs'' = splitAt' (n - l) cs 90 in SLPair (c <> cs') cs'' 91 92 -- variant of Data.ByteString.splitAt that behaves like an incremental 93 -- Word32 parser 94 -- 95 -- invariant: 96 -- the input bytestring is at least 32 bits in length 97 unsafe_parseWsPair :: BS.ByteString -> WSPair 98 unsafe_parseWsPair (BI.BS x l) = 99 WSPair (unsafe_word32be (BI.BS x 4)) (BI.BS (plusForeignPtr x 4) (l - 4)) 100 {-# INLINE unsafe_parseWsPair #-} 101 102 -- message padding and parsing 103 -- https://datatracker.ietf.org/doc/html/rfc6234#section-4.1 104 105 -- k such that (l + 1 + k) mod 64 = 56 106 sol :: Word64 -> Word64 107 sol l = 108 let r = 56 - fi l `mod` 64 - 1 :: Integer -- fi prevents underflow 109 in fi (if r < 0 then r + 64 else r) 110 111 -- RFC 6234 4.1 (strict) 112 pad :: BS.ByteString -> BS.ByteString 113 pad m@(BI.PS _ _ (fi -> l)) = BL.toStrict . BSB.toLazyByteString $ padded where 114 padded = BSB.byteString m <> fill (sol l) (BSB.word8 0x80) 115 fill j !acc 116 | j == 0 = acc <> BSB.word64BE (l * 8) 117 | otherwise = fill (pred j) (acc <> BSB.word8 0x00) 118 119 -- RFC 6234 4.1 (lazy) 120 pad_lazy :: BL.ByteString -> BL.ByteString 121 pad_lazy (BL.toChunks -> m) = BL.fromChunks (walk 0 m) where 122 walk !l bs = case bs of 123 (c:cs) -> c : walk (l + fi (BS.length c)) cs 124 [] -> padding l (sol l) (BSB.word8 0x80) 125 126 padding l k bs 127 | k == 0 = 128 pure 129 . BL.toStrict 130 -- more efficient for small builder 131 . BE.toLazyByteStringWith 132 (BE.safeStrategy 128 BE.smallChunkSize) mempty 133 $ bs <> BSB.word64BE (l * 8) 134 | otherwise = 135 let nacc = bs <> BSB.word8 0x00 136 in padding l (pred k) nacc 137 138 -- functions and constants used 139 -- https://datatracker.ietf.org/doc/html/rfc6234#section-5.1 140 141 ch :: Word32 -> Word32 -> Word32 -> Word32 142 ch x y z = (x .&. y) `B.xor` (B.complement x .&. z) 143 {-# INLINE ch #-} 144 145 -- credit to SHA authors for the following optimisation. their text: 146 -- 147 -- > note: 148 -- > the original functions is (x & y) ^ (x & z) ^ (y & z) 149 -- > if you fire off truth tables, this is equivalent to 150 -- > (x & y) | (x & z) | (y & z) 151 -- > which you can the use distribution on: 152 -- > (x & (y | z)) | (y & z) 153 -- > which saves us one operation. 154 maj :: Word32 -> Word32 -> Word32 -> Word32 155 maj x y z = (x .&. (y .|. z)) .|. (y .&. z) 156 {-# INLINE maj #-} 157 158 bsig0 :: Word32 -> Word32 159 bsig0 x = B.rotateR x 2 `B.xor` B.rotateR x 13 `B.xor` B.rotateR x 22 160 {-# INLINE bsig0 #-} 161 162 bsig1 :: Word32 -> Word32 163 bsig1 x = B.rotateR x 6 `B.xor` B.rotateR x 11 `B.xor` B.rotateR x 25 164 {-# INLINE bsig1 #-} 165 166 ssig0 :: Word32 -> Word32 167 ssig0 x = B.rotateR x 7 `B.xor` B.rotateR x 18 `B.xor` B.unsafeShiftR x 3 168 {-# INLINE ssig0 #-} 169 170 ssig1 :: Word32 -> Word32 171 ssig1 x = B.rotateR x 17 `B.xor` B.rotateR x 19 `B.xor` B.unsafeShiftR x 10 172 {-# INLINE ssig1 #-} 173 174 data Schedule = Schedule { 175 w00 :: !Word32, w01 :: !Word32, w02 :: !Word32, w03 :: !Word32 176 , w04 :: !Word32, w05 :: !Word32, w06 :: !Word32, w07 :: !Word32 177 , w08 :: !Word32, w09 :: !Word32, w10 :: !Word32, w11 :: !Word32 178 , w12 :: !Word32, w13 :: !Word32, w14 :: !Word32, w15 :: !Word32 179 , w16 :: !Word32, w17 :: !Word32, w18 :: !Word32, w19 :: !Word32 180 , w20 :: !Word32, w21 :: !Word32, w22 :: !Word32, w23 :: !Word32 181 , w24 :: !Word32, w25 :: !Word32, w26 :: !Word32, w27 :: !Word32 182 , w28 :: !Word32, w29 :: !Word32, w30 :: !Word32, w31 :: !Word32 183 , w32 :: !Word32, w33 :: !Word32, w34 :: !Word32, w35 :: !Word32 184 , w36 :: !Word32, w37 :: !Word32, w38 :: !Word32, w39 :: !Word32 185 , w40 :: !Word32, w41 :: !Word32, w42 :: !Word32, w43 :: !Word32 186 , w44 :: !Word32, w45 :: !Word32, w46 :: !Word32, w47 :: !Word32 187 , w48 :: !Word32, w49 :: !Word32, w50 :: !Word32, w51 :: !Word32 188 , w52 :: !Word32, w53 :: !Word32, w54 :: !Word32, w55 :: !Word32 189 , w56 :: !Word32, w57 :: !Word32, w58 :: !Word32, w59 :: !Word32 190 , w60 :: !Word32, w61 :: !Word32, w62 :: !Word32, w63 :: !Word32 191 } 192 193 -- initialization 194 -- https://datatracker.ietf.org/doc/html/rfc6234#section-6.1 195 196 data Registers = Registers { 197 h0 :: !Word32, h1 :: !Word32, h2 :: !Word32, h3 :: !Word32 198 , h4 :: !Word32, h5 :: !Word32, h6 :: !Word32, h7 :: !Word32 199 } 200 201 -- first 32 bits of the fractional parts of the square roots of the 202 -- first eight primes 203 iv :: Registers 204 iv = Registers 205 0x6a09e667 0xbb67ae85 0x3c6ef372 0xa54ff53a 206 0x510e527f 0x9b05688c 0x1f83d9ab 0x5be0cd19 207 208 -- processing 209 -- https://datatracker.ietf.org/doc/html/rfc6234#section-6.2 210 211 data Block = Block { 212 m00 :: !Word32, m01 :: !Word32, m02 :: !Word32, m03 :: !Word32 213 , m04 :: !Word32, m05 :: !Word32, m06 :: !Word32, m07 :: !Word32 214 , m08 :: !Word32, m09 :: !Word32, m10 :: !Word32, m11 :: !Word32 215 , m12 :: !Word32, m13 :: !Word32, m14 :: !Word32, m15 :: !Word32 216 } 217 218 -- parse strict bytestring to block 219 -- 220 -- invariant: 221 -- the input bytestring is exactly 512 bits long 222 unsafe_parse :: BS.ByteString -> Block 223 unsafe_parse bs = 224 let !(WSPair m00 t00) = unsafe_parseWsPair bs 225 !(WSPair m01 t01) = unsafe_parseWsPair t00 226 !(WSPair m02 t02) = unsafe_parseWsPair t01 227 !(WSPair m03 t03) = unsafe_parseWsPair t02 228 !(WSPair m04 t04) = unsafe_parseWsPair t03 229 !(WSPair m05 t05) = unsafe_parseWsPair t04 230 !(WSPair m06 t06) = unsafe_parseWsPair t05 231 !(WSPair m07 t07) = unsafe_parseWsPair t06 232 !(WSPair m08 t08) = unsafe_parseWsPair t07 233 !(WSPair m09 t09) = unsafe_parseWsPair t08 234 !(WSPair m10 t10) = unsafe_parseWsPair t09 235 !(WSPair m11 t11) = unsafe_parseWsPair t10 236 !(WSPair m12 t12) = unsafe_parseWsPair t11 237 !(WSPair m13 t13) = unsafe_parseWsPair t12 238 !(WSPair m14 t14) = unsafe_parseWsPair t13 239 !(WSPair m15 t15) = unsafe_parseWsPair t14 240 in if BS.null t15 241 then Block {..} 242 else error "ppad-sha256: internal error (bytes remaining)" 243 244 -- RFC 6234 6.2 step 1 245 prepare_schedule :: Block -> Schedule 246 prepare_schedule Block {..} = Schedule {..} where 247 w00 = m00; w01 = m01; w02 = m02; w03 = m03 248 w04 = m04; w05 = m05; w06 = m06; w07 = m07 249 w08 = m08; w09 = m09; w10 = m10; w11 = m11 250 w12 = m12; w13 = m13; w14 = m14; w15 = m15 251 w16 = ssig1 w14 + w09 + ssig0 w01 + w00 252 w17 = ssig1 w15 + w10 + ssig0 w02 + w01 253 w18 = ssig1 w16 + w11 + ssig0 w03 + w02 254 w19 = ssig1 w17 + w12 + ssig0 w04 + w03 255 w20 = ssig1 w18 + w13 + ssig0 w05 + w04 256 w21 = ssig1 w19 + w14 + ssig0 w06 + w05 257 w22 = ssig1 w20 + w15 + ssig0 w07 + w06 258 w23 = ssig1 w21 + w16 + ssig0 w08 + w07 259 w24 = ssig1 w22 + w17 + ssig0 w09 + w08 260 w25 = ssig1 w23 + w18 + ssig0 w10 + w09 261 w26 = ssig1 w24 + w19 + ssig0 w11 + w10 262 w27 = ssig1 w25 + w20 + ssig0 w12 + w11 263 w28 = ssig1 w26 + w21 + ssig0 w13 + w12 264 w29 = ssig1 w27 + w22 + ssig0 w14 + w13 265 w30 = ssig1 w28 + w23 + ssig0 w15 + w14 266 w31 = ssig1 w29 + w24 + ssig0 w16 + w15 267 w32 = ssig1 w30 + w25 + ssig0 w17 + w16 268 w33 = ssig1 w31 + w26 + ssig0 w18 + w17 269 w34 = ssig1 w32 + w27 + ssig0 w19 + w18 270 w35 = ssig1 w33 + w28 + ssig0 w20 + w19 271 w36 = ssig1 w34 + w29 + ssig0 w21 + w20 272 w37 = ssig1 w35 + w30 + ssig0 w22 + w21 273 w38 = ssig1 w36 + w31 + ssig0 w23 + w22 274 w39 = ssig1 w37 + w32 + ssig0 w24 + w23 275 w40 = ssig1 w38 + w33 + ssig0 w25 + w24 276 w41 = ssig1 w39 + w34 + ssig0 w26 + w25 277 w42 = ssig1 w40 + w35 + ssig0 w27 + w26 278 w43 = ssig1 w41 + w36 + ssig0 w28 + w27 279 w44 = ssig1 w42 + w37 + ssig0 w29 + w28 280 w45 = ssig1 w43 + w38 + ssig0 w30 + w29 281 w46 = ssig1 w44 + w39 + ssig0 w31 + w30 282 w47 = ssig1 w45 + w40 + ssig0 w32 + w31 283 w48 = ssig1 w46 + w41 + ssig0 w33 + w32 284 w49 = ssig1 w47 + w42 + ssig0 w34 + w33 285 w50 = ssig1 w48 + w43 + ssig0 w35 + w34 286 w51 = ssig1 w49 + w44 + ssig0 w36 + w35 287 w52 = ssig1 w50 + w45 + ssig0 w37 + w36 288 w53 = ssig1 w51 + w46 + ssig0 w38 + w37 289 w54 = ssig1 w52 + w47 + ssig0 w39 + w38 290 w55 = ssig1 w53 + w48 + ssig0 w40 + w39 291 w56 = ssig1 w54 + w49 + ssig0 w41 + w40 292 w57 = ssig1 w55 + w50 + ssig0 w42 + w41 293 w58 = ssig1 w56 + w51 + ssig0 w43 + w42 294 w59 = ssig1 w57 + w52 + ssig0 w44 + w43 295 w60 = ssig1 w58 + w53 + ssig0 w45 + w44 296 w61 = ssig1 w59 + w54 + ssig0 w46 + w45 297 w62 = ssig1 w60 + w55 + ssig0 w47 + w46 298 w63 = ssig1 w61 + w56 + ssig0 w48 + w47 299 300 -- RFC 6234 6.2 steps 2, 3, 4 301 block_hash :: Registers -> Schedule -> Registers 302 block_hash r00@Registers {..} Schedule {..} = 303 -- constants are the first 32 bits of the fractional parts of the 304 -- cube roots of the first sixty-four prime numbers 305 let r01 = step r00 0x428a2f98 w00; r02 = step r01 0x71374491 w01 306 r03 = step r02 0xb5c0fbcf w02; r04 = step r03 0xe9b5dba5 w03 307 r05 = step r04 0x3956c25b w04; r06 = step r05 0x59f111f1 w05 308 r07 = step r06 0x923f82a4 w06; r08 = step r07 0xab1c5ed5 w07 309 r09 = step r08 0xd807aa98 w08; r10 = step r09 0x12835b01 w09 310 r11 = step r10 0x243185be w10; r12 = step r11 0x550c7dc3 w11 311 r13 = step r12 0x72be5d74 w12; r14 = step r13 0x80deb1fe w13 312 r15 = step r14 0x9bdc06a7 w14; r16 = step r15 0xc19bf174 w15 313 r17 = step r16 0xe49b69c1 w16; r18 = step r17 0xefbe4786 w17 314 r19 = step r18 0x0fc19dc6 w18; r20 = step r19 0x240ca1cc w19 315 r21 = step r20 0x2de92c6f w20; r22 = step r21 0x4a7484aa w21 316 r23 = step r22 0x5cb0a9dc w22; r24 = step r23 0x76f988da w23 317 r25 = step r24 0x983e5152 w24; r26 = step r25 0xa831c66d w25 318 r27 = step r26 0xb00327c8 w26; r28 = step r27 0xbf597fc7 w27 319 r29 = step r28 0xc6e00bf3 w28; r30 = step r29 0xd5a79147 w29 320 r31 = step r30 0x06ca6351 w30; r32 = step r31 0x14292967 w31 321 r33 = step r32 0x27b70a85 w32; r34 = step r33 0x2e1b2138 w33 322 r35 = step r34 0x4d2c6dfc w34; r36 = step r35 0x53380d13 w35 323 r37 = step r36 0x650a7354 w36; r38 = step r37 0x766a0abb w37 324 r39 = step r38 0x81c2c92e w38; r40 = step r39 0x92722c85 w39 325 r41 = step r40 0xa2bfe8a1 w40; r42 = step r41 0xa81a664b w41 326 r43 = step r42 0xc24b8b70 w42; r44 = step r43 0xc76c51a3 w43 327 r45 = step r44 0xd192e819 w44; r46 = step r45 0xd6990624 w45 328 r47 = step r46 0xf40e3585 w46; r48 = step r47 0x106aa070 w47 329 r49 = step r48 0x19a4c116 w48; r50 = step r49 0x1e376c08 w49 330 r51 = step r50 0x2748774c w50; r52 = step r51 0x34b0bcb5 w51 331 r53 = step r52 0x391c0cb3 w52; r54 = step r53 0x4ed8aa4a w53 332 r55 = step r54 0x5b9cca4f w54; r56 = step r55 0x682e6ff3 w55 333 r57 = step r56 0x748f82ee w56; r58 = step r57 0x78a5636f w57 334 r59 = step r58 0x84c87814 w58; r60 = step r59 0x8cc70208 w59 335 r61 = step r60 0x90befffa w60; r62 = step r61 0xa4506ceb w61 336 r63 = step r62 0xbef9a3f7 w62; r64 = step r63 0xc67178f2 w63 337 !(Registers a b c d e f g h) = r64 338 in Registers 339 (a + h0) (b + h1) (c + h2) (d + h3) 340 (e + h4) (f + h5) (g + h6) (h + h7) 341 342 step :: Registers -> Word32 -> Word32 -> Registers 343 step (Registers a b c d e f g h) k w = 344 let t1 = h + bsig1 e + ch e f g + k + w 345 t2 = bsig0 a + maj a b c 346 in Registers (t1 + t2) a b c (d + t1) e f g 347 {-# INLINE step #-} 348 349 -- RFC 6234 6.2 block pipeline 350 -- 351 -- invariant: 352 -- the input bytestring is exactly 512 bits in length 353 unsafe_hash_alg :: Registers -> BS.ByteString -> Registers 354 unsafe_hash_alg rs bs = block_hash rs (prepare_schedule (unsafe_parse bs)) 355 356 -- register concatenation 357 cat :: Registers -> BS.ByteString 358 cat Registers {..} = 359 BL.toStrict 360 -- more efficient for small builder 361 . BE.toLazyByteStringWith (BE.safeStrategy 128 BE.smallChunkSize) mempty 362 $ BSB.word64BE w64_0 <> BSB.word64BE w64_1 363 <> BSB.word64BE w64_2 <> BSB.word64BE w64_3 364 where 365 !w64_0 = fi h0 `B.unsafeShiftL` 32 .|. fi h1 366 !w64_1 = fi h2 `B.unsafeShiftL` 32 .|. fi h3 367 !w64_2 = fi h4 `B.unsafeShiftL` 32 .|. fi h5 368 !w64_3 = fi h6 `B.unsafeShiftL` 32 .|. fi h7 369 370 -- | Compute a condensed representation of a strict bytestring via 371 -- SHA-256. 372 -- 373 -- The 256-bit output digest is returned as a strict bytestring. 374 -- 375 -- >>> hash "strict bytestring input" 376 -- "<strict 256-bit message digest>" 377 hash :: BS.ByteString -> BS.ByteString 378 hash bs = cat (go iv (pad bs)) where 379 -- proof that 'go' always terminates safely: 380 -- 381 -- let b = pad bs 382 -- then length(b) = n * 512 bits for some n >= 0 (1) 383 go :: Registers -> BS.ByteString -> Registers 384 go !acc b 385 -- if n == 0, then 'go' terminates safely (2) 386 | BS.null b = acc 387 -- if n > 0, then 388 -- 389 -- let (c, r) = unsafe_splitAt 64 b 390 -- then length(c) == 512 bits by (1) 391 -- length(r) == m * 512 bits for some m >= 0 by (1) 392 -- 393 -- note 'unsafe_hash_alg' terminates safely for bytestring (3) 394 -- input of exactly 512 bits in length 395 -- 396 -- length(c) == 512 397 -- => 'unsafe_hash_alg' terminates safely by (3) 398 -- => 'go' terminates safely (4) 399 -- length(r) == m * 512 bits for m >= 0 400 -- => next invocation of 'go' terminates safely by (2), (4) 401 -- 402 -- then by induction, 'go' always terminates safely (QED) 403 | otherwise = case unsafe_splitAt 64 b of 404 SSPair c r -> go (unsafe_hash_alg acc c) r 405 406 -- | Compute a condensed representation of a lazy bytestring via 407 -- SHA-256. 408 -- 409 -- The 256-bit output digest is returned as a strict bytestring. 410 -- 411 -- >>> hash_lazy "lazy bytestring input" 412 -- "<strict 256-bit message digest>" 413 hash_lazy :: BL.ByteString -> BS.ByteString 414 hash_lazy bl = cat (go iv (pad_lazy bl)) where 415 -- proof of safety proceeds analogously 416 go :: Registers -> BL.ByteString -> Registers 417 go !acc bs 418 | BL.null bs = acc 419 | otherwise = case splitAt64 bs of 420 SLPair c r -> go (unsafe_hash_alg acc c) r 421 422 -- HMAC ----------------------------------------------------------------------- 423 -- https://datatracker.ietf.org/doc/html/rfc2104#section-2 424 425 data KeyAndLen = KeyAndLen 426 {-# UNPACK #-} !BS.ByteString 427 {-# UNPACK #-} !Int 428 429 -- | Produce a message authentication code for a strict bytestring, 430 -- based on the provided (strict, bytestring) key, via SHA-256. 431 -- 432 -- The 256-bit MAC is returned as a strict bytestring. 433 -- 434 -- Per RFC 2104, the key /should/ be a minimum of 32 bytes long. Keys 435 -- exceeding 64 bytes in length will first be hashed (via SHA-256). 436 -- 437 -- >>> hmac "strict bytestring key" "strict bytestring input" 438 -- "<strict 256-bit MAC>" 439 hmac 440 :: BS.ByteString -- ^ key 441 -> BS.ByteString -- ^ text 442 -> BS.ByteString 443 hmac mk@(BI.PS _ _ l) text = 444 let step1 = k <> BS.replicate (64 - lk) 0x00 445 step2 = BS.map (B.xor 0x36) step1 446 step3 = step2 <> text 447 step4 = hash step3 448 step5 = BS.map (B.xor 0x5C) step1 449 step6 = step5 <> step4 450 in hash step6 451 where 452 !(KeyAndLen k lk) 453 | l > 64 = KeyAndLen (hash mk) 32 454 | otherwise = KeyAndLen mk l 455 456 -- | Produce a message authentication code for a lazy bytestring, based 457 -- on the provided (strict, bytestring) key, via SHA-256. 458 -- 459 -- The 256-bit MAC is returned as a strict bytestring. 460 -- 461 -- Per RFC 2104, the key /should/ be a minimum of 32 bytes long. Keys 462 -- exceeding 64 bytes in length will first be hashed (via SHA-256). 463 -- 464 -- >>> hmac_lazy "strict bytestring key" "lazy bytestring input" 465 -- "<strict 256-bit MAC>" 466 hmac_lazy 467 :: BS.ByteString -- ^ key 468 -> BL.ByteString -- ^ text 469 -> BS.ByteString 470 hmac_lazy mk@(BI.PS _ _ l) text = 471 let step1 = k <> BS.replicate (64 - lk) 0x00 472 step2 = BS.map (B.xor 0x36) step1 473 step3 = BL.fromStrict step2 <> text 474 step4 = hash_lazy step3 475 step5 = BS.map (B.xor 0x5C) step1 476 step6 = step5 <> step4 477 in hash step6 478 where 479 !(KeyAndLen k lk) 480 | l > 64 = KeyAndLen (hash mk) 32 481 | otherwise = KeyAndLen mk l 482