SHA256.hs (18178B)
1 {-# OPTIONS_GHC -funbox-small-strict-fields #-} 2 {-# LANGUAGE BangPatterns #-} 3 {-# LANGUAGE RecordWildCards #-} 4 {-# LANGUAGE ViewPatterns #-} 5 6 -- | 7 -- Module: Crypto.Hash.SHA256 8 -- Copyright: (c) 2024 Jared Tobin 9 -- License: MIT 10 -- Maintainer: Jared Tobin <jared@ppad.tech> 11 -- 12 -- Pure SHA-256 and HMAC-SHA256 implementations for 13 -- strict and lazy ByteStrings, as specified by RFC's 14 -- [6234](https://datatracker.ietf.org/doc/html/rfc6234) and 15 -- [2104](https://datatracker.ietf.org/doc/html/rfc2104). 16 17 module Crypto.Hash.SHA256 ( 18 -- * SHA-256 message digest functions 19 hash 20 , hash_lazy 21 22 -- * SHA256-based MAC functions 23 , hmac 24 , hmac_lazy 25 ) where 26 27 import qualified Data.Bits as B 28 import Data.Bits ((.|.), (.&.)) 29 import qualified Data.ByteString as BS 30 import qualified Data.ByteString.Builder as BSB 31 import qualified Data.ByteString.Builder.Extra as BE 32 import qualified Data.ByteString.Internal as BI 33 import qualified Data.ByteString.Lazy as BL 34 import qualified Data.ByteString.Lazy.Internal as BLI 35 import qualified Data.ByteString.Unsafe as BU 36 import Data.Word (Word32, Word64) 37 import Foreign.ForeignPtr (plusForeignPtr) 38 39 -- preliminary utils 40 41 -- keystroke saver 42 fi :: (Integral a, Num b) => a -> b 43 fi = fromIntegral 44 {-# INLINE fi #-} 45 46 -- parse strict ByteString in BE order to Word32 (verbatim from 47 -- Data.Binary) 48 -- 49 -- invariant: 50 -- the input bytestring is at least 32 bits in length 51 unsafe_word32be :: BS.ByteString -> Word32 52 unsafe_word32be s = 53 (fi (s `BU.unsafeIndex` 0) `B.unsafeShiftL` 24) .|. 54 (fi (s `BU.unsafeIndex` 1) `B.unsafeShiftL` 16) .|. 55 (fi (s `BU.unsafeIndex` 2) `B.unsafeShiftL` 8) .|. 56 (fi (s `BU.unsafeIndex` 3)) 57 {-# INLINE unsafe_word32be #-} 58 59 -- utility types for more efficient ByteString management 60 61 data SSPair = SSPair 62 {-# UNPACK #-} !BS.ByteString 63 {-# UNPACK #-} !BS.ByteString 64 65 data SLPair = SLPair {-# UNPACK #-} !BS.ByteString !BL.ByteString 66 67 data WSPair = WSPair {-# UNPACK #-} !Word32 {-# UNPACK #-} !BS.ByteString 68 69 -- unsafe version of splitAt that does no bounds checking 70 -- 71 -- invariant: 72 -- 0 <= n <= l 73 unsafe_splitAt :: Int -> BS.ByteString -> SSPair 74 unsafe_splitAt n (BI.BS x l) = 75 SSPair (BI.BS x n) (BI.BS (plusForeignPtr x n) (l - n)) 76 77 -- variant of Data.ByteString.Lazy.splitAt that returns the initial 78 -- component as a strict, unboxed ByteString 79 splitAt64 :: BL.ByteString -> SLPair 80 splitAt64 = splitAt' (64 :: Int) where 81 splitAt' _ BLI.Empty = SLPair mempty BLI.Empty 82 splitAt' n (BLI.Chunk c cs) = 83 if n < BS.length c 84 then 85 -- n < BS.length c, so unsafe_splitAt is safe 86 let !(SSPair c0 c1) = unsafe_splitAt n c 87 in SLPair c0 (BLI.Chunk c1 cs) 88 else 89 let SLPair cs' cs'' = splitAt' (n - BS.length c) cs 90 in SLPair (c <> cs') cs'' 91 92 -- variant of Data.ByteString.splitAt that behaves like an incremental 93 -- Word32 parser 94 -- 95 -- invariant: 96 -- the input bytestring is at least 32 bits in length 97 unsafe_parseWsPair :: BS.ByteString -> WSPair 98 unsafe_parseWsPair (BI.BS x l) = 99 WSPair (unsafe_word32be (BI.BS x 4)) (BI.BS (plusForeignPtr x 4) (l - 4)) 100 {-# INLINE unsafe_parseWsPair #-} 101 102 -- message padding and parsing 103 -- https://datatracker.ietf.org/doc/html/rfc6234#section-4.1 104 105 -- k such that (l + 1 + k) mod 64 = 56 106 sol :: Word64 -> Word64 107 sol l = 108 let r = 56 - fi l `mod` 64 - 1 :: Integer -- fi prevents underflow 109 in fi (if r < 0 then r + 64 else r) 110 111 -- RFC 6234 4.1 (strict) 112 pad :: BS.ByteString -> BS.ByteString 113 pad m = BL.toStrict . BSB.toLazyByteString $ padded where 114 l = fi (BS.length m) 115 padded = BSB.byteString m <> fill (sol l) (BSB.word8 0x80) 116 117 fill j !acc 118 | j == 0 = acc <> BSB.word64BE (l * 8) 119 | otherwise = fill (pred j) (acc <> BSB.word8 0x00) 120 121 -- RFC 6234 4.1 (lazy) 122 pad_lazy :: BL.ByteString -> BL.ByteString 123 pad_lazy (BL.toChunks -> m) = BL.fromChunks (walk 0 m) where 124 walk !l bs = case bs of 125 (c:cs) -> c : walk (l + fi (BS.length c)) cs 126 [] -> padding l (sol l) (BSB.word8 0x80) 127 128 padding l k bs 129 | k == 0 = 130 pure 131 . BL.toStrict 132 -- more efficient for small builder 133 . BE.toLazyByteStringWith 134 (BE.safeStrategy 128 BE.smallChunkSize) mempty 135 $ bs <> BSB.word64BE (l * 8) 136 | otherwise = 137 let nacc = bs <> BSB.word8 0x00 138 in padding l (pred k) nacc 139 140 -- functions and constants used 141 -- https://datatracker.ietf.org/doc/html/rfc6234#section-5.1 142 143 ch :: Word32 -> Word32 -> Word32 -> Word32 144 ch x y z = (x .&. y) `B.xor` (B.complement x .&. z) 145 {-# INLINE ch #-} 146 147 -- credit to SHA authors for the following optimisation. their text: 148 -- 149 -- > note: 150 -- > the original functions is (x & y) ^ (x & z) ^ (y & z) 151 -- > if you fire off truth tables, this is equivalent to 152 -- > (x & y) | (x & z) | (y & z) 153 -- > which you can the use distribution on: 154 -- > (x & (y | z)) | (y & z) 155 -- > which saves us one operation. 156 maj :: Word32 -> Word32 -> Word32 -> Word32 157 maj x y z = (x .&. (y .|. z)) .|. (y .&. z) 158 {-# INLINE maj #-} 159 160 bsig0 :: Word32 -> Word32 161 bsig0 x = B.rotateR x 2 `B.xor` B.rotateR x 13 `B.xor` B.rotateR x 22 162 {-# INLINE bsig0 #-} 163 164 bsig1 :: Word32 -> Word32 165 bsig1 x = B.rotateR x 6 `B.xor` B.rotateR x 11 `B.xor` B.rotateR x 25 166 {-# INLINE bsig1 #-} 167 168 ssig0 :: Word32 -> Word32 169 ssig0 x = B.rotateR x 7 `B.xor` B.rotateR x 18 `B.xor` B.unsafeShiftR x 3 170 {-# INLINE ssig0 #-} 171 172 ssig1 :: Word32 -> Word32 173 ssig1 x = B.rotateR x 17 `B.xor` B.rotateR x 19 `B.xor` B.unsafeShiftR x 10 174 {-# INLINE ssig1 #-} 175 176 data Schedule = Schedule { 177 w00 :: !Word32, w01 :: !Word32, w02 :: !Word32, w03 :: !Word32 178 , w04 :: !Word32, w05 :: !Word32, w06 :: !Word32, w07 :: !Word32 179 , w08 :: !Word32, w09 :: !Word32, w10 :: !Word32, w11 :: !Word32 180 , w12 :: !Word32, w13 :: !Word32, w14 :: !Word32, w15 :: !Word32 181 , w16 :: !Word32, w17 :: !Word32, w18 :: !Word32, w19 :: !Word32 182 , w20 :: !Word32, w21 :: !Word32, w22 :: !Word32, w23 :: !Word32 183 , w24 :: !Word32, w25 :: !Word32, w26 :: !Word32, w27 :: !Word32 184 , w28 :: !Word32, w29 :: !Word32, w30 :: !Word32, w31 :: !Word32 185 , w32 :: !Word32, w33 :: !Word32, w34 :: !Word32, w35 :: !Word32 186 , w36 :: !Word32, w37 :: !Word32, w38 :: !Word32, w39 :: !Word32 187 , w40 :: !Word32, w41 :: !Word32, w42 :: !Word32, w43 :: !Word32 188 , w44 :: !Word32, w45 :: !Word32, w46 :: !Word32, w47 :: !Word32 189 , w48 :: !Word32, w49 :: !Word32, w50 :: !Word32, w51 :: !Word32 190 , w52 :: !Word32, w53 :: !Word32, w54 :: !Word32, w55 :: !Word32 191 , w56 :: !Word32, w57 :: !Word32, w58 :: !Word32, w59 :: !Word32 192 , w60 :: !Word32, w61 :: !Word32, w62 :: !Word32, w63 :: !Word32 193 } 194 195 -- initialization 196 -- https://datatracker.ietf.org/doc/html/rfc6234#section-6.1 197 198 data Registers = Registers { 199 h0 :: !Word32, h1 :: !Word32, h2 :: !Word32, h3 :: !Word32 200 , h4 :: !Word32, h5 :: !Word32, h6 :: !Word32, h7 :: !Word32 201 } 202 203 -- first 32 bits of the fractional parts of the square roots of the 204 -- first eight primes 205 iv :: Registers 206 iv = Registers 207 0x6a09e667 0xbb67ae85 0x3c6ef372 0xa54ff53a 208 0x510e527f 0x9b05688c 0x1f83d9ab 0x5be0cd19 209 210 -- processing 211 -- https://datatracker.ietf.org/doc/html/rfc6234#section-6.2 212 213 data Block = Block { 214 m00 :: !Word32, m01 :: !Word32, m02 :: !Word32, m03 :: !Word32 215 , m04 :: !Word32, m05 :: !Word32, m06 :: !Word32, m07 :: !Word32 216 , m08 :: !Word32, m09 :: !Word32, m10 :: !Word32, m11 :: !Word32 217 , m12 :: !Word32, m13 :: !Word32, m14 :: !Word32, m15 :: !Word32 218 } 219 220 -- parse strict bytestring to block 221 -- 222 -- invariant: 223 -- the input bytestring is exactly 512 bits long 224 unsafe_parse :: BS.ByteString -> Block 225 unsafe_parse bs = 226 let !(WSPair m00 t00) = unsafe_parseWsPair bs 227 !(WSPair m01 t01) = unsafe_parseWsPair t00 228 !(WSPair m02 t02) = unsafe_parseWsPair t01 229 !(WSPair m03 t03) = unsafe_parseWsPair t02 230 !(WSPair m04 t04) = unsafe_parseWsPair t03 231 !(WSPair m05 t05) = unsafe_parseWsPair t04 232 !(WSPair m06 t06) = unsafe_parseWsPair t05 233 !(WSPair m07 t07) = unsafe_parseWsPair t06 234 !(WSPair m08 t08) = unsafe_parseWsPair t07 235 !(WSPair m09 t09) = unsafe_parseWsPair t08 236 !(WSPair m10 t10) = unsafe_parseWsPair t09 237 !(WSPair m11 t11) = unsafe_parseWsPair t10 238 !(WSPair m12 t12) = unsafe_parseWsPair t11 239 !(WSPair m13 t13) = unsafe_parseWsPair t12 240 !(WSPair m14 t14) = unsafe_parseWsPair t13 241 !(WSPair m15 t15) = unsafe_parseWsPair t14 242 in if BS.null t15 243 then Block {..} 244 else error "ppad-sha256: internal error (bytes remaining)" 245 246 -- RFC 6234 6.2 step 1 247 prepare_schedule :: Block -> Schedule 248 prepare_schedule Block {..} = Schedule {..} where 249 w00 = m00; w01 = m01; w02 = m02; w03 = m03 250 w04 = m04; w05 = m05; w06 = m06; w07 = m07 251 w08 = m08; w09 = m09; w10 = m10; w11 = m11 252 w12 = m12; w13 = m13; w14 = m14; w15 = m15 253 w16 = ssig1 w14 + w09 + ssig0 w01 + w00 254 w17 = ssig1 w15 + w10 + ssig0 w02 + w01 255 w18 = ssig1 w16 + w11 + ssig0 w03 + w02 256 w19 = ssig1 w17 + w12 + ssig0 w04 + w03 257 w20 = ssig1 w18 + w13 + ssig0 w05 + w04 258 w21 = ssig1 w19 + w14 + ssig0 w06 + w05 259 w22 = ssig1 w20 + w15 + ssig0 w07 + w06 260 w23 = ssig1 w21 + w16 + ssig0 w08 + w07 261 w24 = ssig1 w22 + w17 + ssig0 w09 + w08 262 w25 = ssig1 w23 + w18 + ssig0 w10 + w09 263 w26 = ssig1 w24 + w19 + ssig0 w11 + w10 264 w27 = ssig1 w25 + w20 + ssig0 w12 + w11 265 w28 = ssig1 w26 + w21 + ssig0 w13 + w12 266 w29 = ssig1 w27 + w22 + ssig0 w14 + w13 267 w30 = ssig1 w28 + w23 + ssig0 w15 + w14 268 w31 = ssig1 w29 + w24 + ssig0 w16 + w15 269 w32 = ssig1 w30 + w25 + ssig0 w17 + w16 270 w33 = ssig1 w31 + w26 + ssig0 w18 + w17 271 w34 = ssig1 w32 + w27 + ssig0 w19 + w18 272 w35 = ssig1 w33 + w28 + ssig0 w20 + w19 273 w36 = ssig1 w34 + w29 + ssig0 w21 + w20 274 w37 = ssig1 w35 + w30 + ssig0 w22 + w21 275 w38 = ssig1 w36 + w31 + ssig0 w23 + w22 276 w39 = ssig1 w37 + w32 + ssig0 w24 + w23 277 w40 = ssig1 w38 + w33 + ssig0 w25 + w24 278 w41 = ssig1 w39 + w34 + ssig0 w26 + w25 279 w42 = ssig1 w40 + w35 + ssig0 w27 + w26 280 w43 = ssig1 w41 + w36 + ssig0 w28 + w27 281 w44 = ssig1 w42 + w37 + ssig0 w29 + w28 282 w45 = ssig1 w43 + w38 + ssig0 w30 + w29 283 w46 = ssig1 w44 + w39 + ssig0 w31 + w30 284 w47 = ssig1 w45 + w40 + ssig0 w32 + w31 285 w48 = ssig1 w46 + w41 + ssig0 w33 + w32 286 w49 = ssig1 w47 + w42 + ssig0 w34 + w33 287 w50 = ssig1 w48 + w43 + ssig0 w35 + w34 288 w51 = ssig1 w49 + w44 + ssig0 w36 + w35 289 w52 = ssig1 w50 + w45 + ssig0 w37 + w36 290 w53 = ssig1 w51 + w46 + ssig0 w38 + w37 291 w54 = ssig1 w52 + w47 + ssig0 w39 + w38 292 w55 = ssig1 w53 + w48 + ssig0 w40 + w39 293 w56 = ssig1 w54 + w49 + ssig0 w41 + w40 294 w57 = ssig1 w55 + w50 + ssig0 w42 + w41 295 w58 = ssig1 w56 + w51 + ssig0 w43 + w42 296 w59 = ssig1 w57 + w52 + ssig0 w44 + w43 297 w60 = ssig1 w58 + w53 + ssig0 w45 + w44 298 w61 = ssig1 w59 + w54 + ssig0 w46 + w45 299 w62 = ssig1 w60 + w55 + ssig0 w47 + w46 300 w63 = ssig1 w61 + w56 + ssig0 w48 + w47 301 302 -- RFC 6234 6.2 steps 2, 3, 4 303 block_hash :: Registers -> Schedule -> Registers 304 block_hash r00@Registers {..} Schedule {..} = 305 -- constants are the first 32 bits of the fractional parts of the 306 -- cube roots of the first sixty-four prime numbers 307 let r01 = step r00 0x428a2f98 w00; r02 = step r01 0x71374491 w01 308 r03 = step r02 0xb5c0fbcf w02; r04 = step r03 0xe9b5dba5 w03 309 r05 = step r04 0x3956c25b w04; r06 = step r05 0x59f111f1 w05 310 r07 = step r06 0x923f82a4 w06; r08 = step r07 0xab1c5ed5 w07 311 r09 = step r08 0xd807aa98 w08; r10 = step r09 0x12835b01 w09 312 r11 = step r10 0x243185be w10; r12 = step r11 0x550c7dc3 w11 313 r13 = step r12 0x72be5d74 w12; r14 = step r13 0x80deb1fe w13 314 r15 = step r14 0x9bdc06a7 w14; r16 = step r15 0xc19bf174 w15 315 r17 = step r16 0xe49b69c1 w16; r18 = step r17 0xefbe4786 w17 316 r19 = step r18 0x0fc19dc6 w18; r20 = step r19 0x240ca1cc w19 317 r21 = step r20 0x2de92c6f w20; r22 = step r21 0x4a7484aa w21 318 r23 = step r22 0x5cb0a9dc w22; r24 = step r23 0x76f988da w23 319 r25 = step r24 0x983e5152 w24; r26 = step r25 0xa831c66d w25 320 r27 = step r26 0xb00327c8 w26; r28 = step r27 0xbf597fc7 w27 321 r29 = step r28 0xc6e00bf3 w28; r30 = step r29 0xd5a79147 w29 322 r31 = step r30 0x06ca6351 w30; r32 = step r31 0x14292967 w31 323 r33 = step r32 0x27b70a85 w32; r34 = step r33 0x2e1b2138 w33 324 r35 = step r34 0x4d2c6dfc w34; r36 = step r35 0x53380d13 w35 325 r37 = step r36 0x650a7354 w36; r38 = step r37 0x766a0abb w37 326 r39 = step r38 0x81c2c92e w38; r40 = step r39 0x92722c85 w39 327 r41 = step r40 0xa2bfe8a1 w40; r42 = step r41 0xa81a664b w41 328 r43 = step r42 0xc24b8b70 w42; r44 = step r43 0xc76c51a3 w43 329 r45 = step r44 0xd192e819 w44; r46 = step r45 0xd6990624 w45 330 r47 = step r46 0xf40e3585 w46; r48 = step r47 0x106aa070 w47 331 r49 = step r48 0x19a4c116 w48; r50 = step r49 0x1e376c08 w49 332 r51 = step r50 0x2748774c w50; r52 = step r51 0x34b0bcb5 w51 333 r53 = step r52 0x391c0cb3 w52; r54 = step r53 0x4ed8aa4a w53 334 r55 = step r54 0x5b9cca4f w54; r56 = step r55 0x682e6ff3 w55 335 r57 = step r56 0x748f82ee w56; r58 = step r57 0x78a5636f w57 336 r59 = step r58 0x84c87814 w58; r60 = step r59 0x8cc70208 w59 337 r61 = step r60 0x90befffa w60; r62 = step r61 0xa4506ceb w61 338 r63 = step r62 0xbef9a3f7 w62; r64 = step r63 0xc67178f2 w63 339 !(Registers a b c d e f g h) = r64 340 in Registers 341 (a + h0) (b + h1) (c + h2) (d + h3) 342 (e + h4) (f + h5) (g + h6) (h + h7) 343 344 step :: Registers -> Word32 -> Word32 -> Registers 345 step (Registers a b c d e f g h) k w = 346 let t1 = h + bsig1 e + ch e f g + k + w 347 t2 = bsig0 a + maj a b c 348 in Registers (t1 + t2) a b c (d + t1) e f g 349 {-# INLINE step #-} 350 351 -- RFC 6234 6.2 block pipeline 352 -- 353 -- invariant: 354 -- the input bytestring is exactly 512 bits in length 355 unsafe_hash_alg :: Registers -> BS.ByteString -> Registers 356 unsafe_hash_alg rs bs = block_hash rs (prepare_schedule (unsafe_parse bs)) 357 358 -- register concatenation 359 cat :: Registers -> BS.ByteString 360 cat Registers {..} = 361 BL.toStrict 362 -- more efficient for small builder 363 . BE.toLazyByteStringWith (BE.safeStrategy 128 BE.smallChunkSize) mempty 364 $ mconcat [ 365 BSB.word32BE h0, BSB.word32BE h1, BSB.word32BE h2, BSB.word32BE h3 366 , BSB.word32BE h4, BSB.word32BE h5, BSB.word32BE h6, BSB.word32BE h7 367 ] 368 369 -- | Compute a condensed representation of a strict bytestring via 370 -- SHA-256. 371 -- 372 -- The 256-bit output digest is returned as a strict bytestring. 373 -- 374 -- >>> hash "strict bytestring input" 375 -- "<strict 256-bit message digest>" 376 hash :: BS.ByteString -> BS.ByteString 377 hash bs = cat (go iv (pad bs)) where 378 -- proof that 'go' always terminates safely: 379 -- 380 -- let b = pad bs 381 -- then length(b) = n * 512 bits for some n >= 0 (1) 382 go :: Registers -> BS.ByteString -> Registers 383 go !acc b 384 -- if n == 0, then 'go' terminates safely (2) 385 | BS.null b = acc 386 -- if n > 0, then 387 -- 388 -- let (c, r) = unsafe_splitAt 64 b 389 -- then length(c) == 512 bits by (1) 390 -- length(r) == m * 512 bits for some m >= 0 by (1) 391 -- 392 -- note 'unsafe_hash_alg' terminates safely for bytestring (3) 393 -- input of exactly 512 bits in length 394 -- 395 -- length(c) == 512 396 -- => 'unsafe_hash_alg' terminates safely by (3) 397 -- => 'go' terminates safely (4) 398 -- length(r) == m * 512 bits for m >= 0 399 -- => next invocation of 'go' terminates safely by (2), (4) 400 -- 401 -- then by induction, 'go' always terminates safely (QED) 402 | otherwise = case unsafe_splitAt 64 b of 403 SSPair c r -> go (unsafe_hash_alg acc c) r 404 405 -- | Compute a condensed representation of a lazy bytestring via 406 -- SHA-256. 407 -- 408 -- The 256-bit output digest is returned as a strict bytestring. 409 -- 410 -- >>> hash_lazy "lazy bytestring input" 411 -- "<strict 256-bit message digest>" 412 hash_lazy :: BL.ByteString -> BS.ByteString 413 hash_lazy bl = cat (go iv (pad_lazy bl)) where 414 -- proof of safety proceeds analogously 415 go :: Registers -> BL.ByteString -> Registers 416 go !acc bs 417 | BL.null bs = acc 418 | otherwise = case splitAt64 bs of 419 SLPair c r -> go (unsafe_hash_alg acc c) r 420 421 -- HMAC ----------------------------------------------------------------------- 422 -- https://datatracker.ietf.org/doc/html/rfc2104#section-2 423 424 data KeyAndLen = KeyAndLen 425 {-# UNPACK #-} !BS.ByteString 426 {-# UNPACK #-} !Int 427 428 -- | Produce a message authentication code for a strict bytestring, 429 -- based on the provided (strict, bytestring) key, via SHA-256. 430 -- 431 -- The 256-bit MAC is returned as a strict bytestring. 432 -- 433 -- Per RFC 2104, the key /should/ be a minimum of 32 bytes long. Keys 434 -- exceeding 64 bytes in length will first be hashed (via SHA-256). 435 -- 436 -- >>> hmac "strict bytestring key" "strict bytestring input" 437 -- "<strict 256-bit MAC>" 438 hmac 439 :: BS.ByteString -- ^ key 440 -> BS.ByteString -- ^ text 441 -> BS.ByteString 442 hmac mk text = 443 let step1 = k <> BS.replicate (64 - lk) 0x00 444 step2 = BS.map (B.xor 0x36) step1 445 step3 = step2 <> text 446 step4 = hash step3 447 step5 = BS.map (B.xor 0x5C) step1 448 step6 = step5 <> step4 449 in hash step6 450 where 451 !(KeyAndLen k lk) = 452 let l = BS.length mk 453 in if l > 64 454 then KeyAndLen (hash mk) 32 455 else KeyAndLen mk l 456 457 -- | Produce a message authentication code for a lazy bytestring, based 458 -- on the provided (strict, bytestring) key, via SHA-256. 459 -- 460 -- The 256-bit MAC is returned as a strict bytestring. 461 -- 462 -- Per RFC 2104, the key /should/ be a minimum of 32 bytes long. Keys 463 -- exceeding 64 bytes in length will first be hashed (via SHA-256). 464 -- 465 -- >>> hmac_lazy "strict bytestring key" "lazy bytestring input" 466 -- "<strict 256-bit MAC>" 467 hmac_lazy 468 :: BS.ByteString -- ^ key 469 -> BL.ByteString -- ^ text 470 -> BS.ByteString 471 hmac_lazy mk text = 472 let step1 = k <> BS.replicate (64 - lk) 0x00 473 step2 = BS.map (B.xor 0x36) step1 474 step3 = BL.fromStrict step2 <> text 475 step4 = hash_lazy step3 476 step5 = BS.map (B.xor 0x5C) step1 477 step6 = step5 <> step4 478 in hash step6 479 where 480 !(KeyAndLen k lk) = 481 let l = BS.length mk 482 in if l > 64 483 then KeyAndLen (hash mk) 32 484 else KeyAndLen mk l 485