SHA512.hs (21174B)
1 {-# OPTIONS_GHC -funbox-small-strict-fields #-} 2 {-# LANGUAGE BangPatterns #-} 3 {-# LANGUAGE RecordWildCards #-} 4 {-# LANGUAGE ViewPatterns #-} 5 6 -- | 7 -- Module: Crypto.Hash.SHA512 8 -- Copyright: (c) 2024 Jared Tobin 9 -- License: MIT 10 -- Maintainer: Jared Tobin <jared@ppad.tech> 11 -- 12 -- Pure SHA-512 and HMAC-SHA512 implementations for 13 -- strict and lazy ByteStrings, as specified by RFC's 14 -- [6234](https://datatracker.ietf.org/doc/html/rfc6234) and 15 -- [2104](https://datatracker.ietf.org/doc/html/rfc2104). 16 17 module Crypto.Hash.SHA512 ( 18 -- * SHA-512 message digest functions 19 hash 20 , hash_lazy 21 22 -- * SHA512-based MAC functions 23 , hmac 24 , hmac_lazy 25 ) where 26 27 import qualified Data.Bits as B 28 import Data.Bits ((.|.), (.&.)) 29 import qualified Data.ByteString as BS 30 import qualified Data.ByteString.Builder as BSB 31 import qualified Data.ByteString.Builder.Extra as BE 32 import qualified Data.ByteString.Internal as BI 33 import qualified Data.ByteString.Lazy as BL 34 import qualified Data.ByteString.Lazy.Internal as BLI 35 import qualified Data.ByteString.Unsafe as BU 36 import Data.Word (Word64) 37 import Foreign.ForeignPtr (plusForeignPtr) 38 39 -- preliminary utils ---------------------------------------------------------- 40 41 -- keystroke saver 42 fi :: (Integral a, Num b) => a -> b 43 fi = fromIntegral 44 {-# INLINE fi #-} 45 46 -- parse strict ByteString in BE order to Word64 (verbatim from 47 -- Data.Binary) 48 -- 49 -- invariant: 50 -- the input bytestring is at least 64 bits in length 51 unsafe_word64be :: BS.ByteString -> Word64 52 unsafe_word64be s = 53 (fi (s `BU.unsafeIndex` 0) `B.unsafeShiftL` 56) .|. 54 (fi (s `BU.unsafeIndex` 1) `B.unsafeShiftL` 48) .|. 55 (fi (s `BU.unsafeIndex` 2) `B.unsafeShiftL` 40) .|. 56 (fi (s `BU.unsafeIndex` 3) `B.unsafeShiftL` 32) .|. 57 (fi (s `BU.unsafeIndex` 4) `B.unsafeShiftL` 24) .|. 58 (fi (s `BU.unsafeIndex` 5) `B.unsafeShiftL` 16) .|. 59 (fi (s `BU.unsafeIndex` 6) `B.unsafeShiftL` 8) .|. 60 (fi (s `BU.unsafeIndex` 7) ) 61 {-# INLINE unsafe_word64be #-} 62 63 -- utility types for more efficient ByteString management 64 65 data SSPair = SSPair 66 {-# UNPACK #-} !BS.ByteString 67 {-# UNPACK #-} !BS.ByteString 68 69 data SLPair = SLPair {-# UNPACK #-} !BS.ByteString !BL.ByteString 70 71 data WSPair = WSPair {-# UNPACK #-} !Word64 {-# UNPACK #-} !BS.ByteString 72 73 -- unsafe version of splitAt that does no bounds checking 74 -- 75 -- invariant: 76 -- 0 <= n <= l 77 unsafe_splitAt :: Int -> BS.ByteString -> SSPair 78 unsafe_splitAt n (BI.BS x l) = 79 SSPair (BI.BS x n) (BI.BS (plusForeignPtr x n) (l - n)) 80 81 -- variant of Data.ByteString.Lazy.splitAt that returns the initial 82 -- component as a strict, unboxed ByteString 83 splitAt128 :: BL.ByteString -> SLPair 84 splitAt128 = splitAt' (128 :: Int) where 85 splitAt' _ BLI.Empty = SLPair mempty BLI.Empty 86 splitAt' n (BLI.Chunk c cs) = 87 if n < BS.length c 88 then 89 -- n < BS.length c, so unsafe_splitAt is safe 90 let !(SSPair c0 c1) = unsafe_splitAt n c 91 in SLPair c0 (BLI.Chunk c1 cs) 92 else 93 let SLPair cs' cs'' = splitAt' (n - BS.length c) cs 94 in SLPair (c <> cs') cs'' 95 96 -- variant of Data.ByteString.splitAt that behaves like an incremental 97 -- Word64 parser 98 -- 99 -- invariant: 100 -- the input bytestring is at least 64 bits in length 101 unsafe_parseWsPair :: BS.ByteString -> WSPair 102 unsafe_parseWsPair (BI.BS x l) = 103 WSPair (unsafe_word64be (BI.BS x 8)) (BI.BS (plusForeignPtr x 8) (l - 8)) 104 {-# INLINE unsafe_parseWsPair #-} 105 106 -- message padding and parsing ------------------------------------------------ 107 -- https://datatracker.ietf.org/doc/html/rfc6234#section-4.1 108 109 -- k such that (l + 1 + k) mod 128 = 112 110 sol :: Word64 -> Word64 111 sol l = 112 let r = 112 - fi l `mod` 128 - 1 :: Integer -- fi prevents underflow 113 in fi (if r < 0 then r + 128 else r) 114 115 -- XX doesn't properly handle (> maxBound :: Word64) length 116 117 -- RFC 6234 4.1 (strict) 118 pad :: BS.ByteString -> BS.ByteString 119 pad m = BL.toStrict . BSB.toLazyByteString $ padded where 120 l = fi (BS.length m) 121 padded = BSB.byteString m <> fill (sol l) (BSB.word8 0x80) 122 123 fill j !acc 124 | j == 0 = acc <> BSB.word64BE 0x00 <> BSB.word64BE (l * 8) 125 | otherwise = fill (pred j) (acc <> BSB.word8 0x00) 126 127 -- RFC 6234 4.1 (lazy) 128 pad_lazy :: BL.ByteString -> BL.ByteString 129 pad_lazy (BL.toChunks -> m) = BL.fromChunks (walk 0 m) where 130 walk !l bs = case bs of 131 (c:cs) -> c : walk (l + fi (BS.length c)) cs 132 [] -> padding l (sol l) (BSB.word8 0x80) 133 134 padding l k bs 135 | k == 0 = 136 pure 137 . BL.toStrict 138 -- more efficient for small builder 139 . BE.toLazyByteStringWith 140 (BE.safeStrategy 128 BE.smallChunkSize) mempty 141 $ bs <> BSB.word64BE 0x00 <> BSB.word64BE (l * 8) 142 | otherwise = 143 let nacc = bs <> BSB.word8 0x00 144 in padding l (pred k) nacc 145 146 -- functions and constants used ----------------------------------------------- 147 -- https://datatracker.ietf.org/doc/html/rfc6234#section-5.1 148 149 ch :: Word64 -> Word64 -> Word64 -> Word64 150 ch x y z = (x .&. y) `B.xor` (B.complement x .&. z) 151 {-# INLINE ch #-} 152 153 -- credit to SHA authors for the following optimisation. their text: 154 -- 155 -- > note: 156 -- > the original functions is (x & y) ^ (x & z) ^ (y & z) 157 -- > if you fire off truth tables, this is equivalent to 158 -- > (x & y) | (x & z) | (y & z) 159 -- > which you can the use distribution on: 160 -- > (x & (y | z)) | (y & z) 161 -- > which saves us one operation. 162 maj :: Word64 -> Word64 -> Word64 -> Word64 163 maj x y z = (x .&. (y .|. z)) .|. (y .&. z) 164 {-# INLINE maj #-} 165 166 bsig0 :: Word64 -> Word64 167 bsig0 x = B.rotateR x 28 `B.xor` B.rotateR x 34 `B.xor` B.rotateR x 39 168 {-# INLINE bsig0 #-} 169 170 bsig1 :: Word64 -> Word64 171 bsig1 x = B.rotateR x 14 `B.xor` B.rotateR x 18 `B.xor` B.rotateR x 41 172 {-# INLINE bsig1 #-} 173 174 ssig0 :: Word64 -> Word64 175 ssig0 x = B.rotateR x 1 `B.xor` B.rotateR x 8 `B.xor` B.unsafeShiftR x 7 176 {-# INLINE ssig0 #-} 177 178 ssig1 :: Word64 -> Word64 179 ssig1 x = B.rotateR x 19 `B.xor` B.rotateR x 61 `B.xor` B.unsafeShiftR x 6 180 {-# INLINE ssig1 #-} 181 182 data Schedule = Schedule { 183 w00 :: !Word64, w01 :: !Word64, w02 :: !Word64, w03 :: !Word64 184 , w04 :: !Word64, w05 :: !Word64, w06 :: !Word64, w07 :: !Word64 185 , w08 :: !Word64, w09 :: !Word64, w10 :: !Word64, w11 :: !Word64 186 , w12 :: !Word64, w13 :: !Word64, w14 :: !Word64, w15 :: !Word64 187 , w16 :: !Word64, w17 :: !Word64, w18 :: !Word64, w19 :: !Word64 188 , w20 :: !Word64, w21 :: !Word64, w22 :: !Word64, w23 :: !Word64 189 , w24 :: !Word64, w25 :: !Word64, w26 :: !Word64, w27 :: !Word64 190 , w28 :: !Word64, w29 :: !Word64, w30 :: !Word64, w31 :: !Word64 191 , w32 :: !Word64, w33 :: !Word64, w34 :: !Word64, w35 :: !Word64 192 , w36 :: !Word64, w37 :: !Word64, w38 :: !Word64, w39 :: !Word64 193 , w40 :: !Word64, w41 :: !Word64, w42 :: !Word64, w43 :: !Word64 194 , w44 :: !Word64, w45 :: !Word64, w46 :: !Word64, w47 :: !Word64 195 , w48 :: !Word64, w49 :: !Word64, w50 :: !Word64, w51 :: !Word64 196 , w52 :: !Word64, w53 :: !Word64, w54 :: !Word64, w55 :: !Word64 197 , w56 :: !Word64, w57 :: !Word64, w58 :: !Word64, w59 :: !Word64 198 , w60 :: !Word64, w61 :: !Word64, w62 :: !Word64, w63 :: !Word64 199 , w64 :: !Word64, w65 :: !Word64, w66 :: !Word64, w67 :: !Word64 200 , w68 :: !Word64, w69 :: !Word64, w70 :: !Word64, w71 :: !Word64 201 , w72 :: !Word64, w73 :: !Word64, w74 :: !Word64, w75 :: !Word64 202 , w76 :: !Word64, w77 :: !Word64, w78 :: !Word64, w79 :: !Word64 203 } 204 205 -- initialization ------------------------------------------------------------- 206 -- https://datatracker.ietf.org/doc/html/rfc6234#section-6.1 207 208 data Registers = Registers { 209 h0 :: !Word64, h1 :: !Word64, h2 :: !Word64, h3 :: !Word64 210 , h4 :: !Word64, h5 :: !Word64, h6 :: !Word64, h7 :: !Word64 211 } 212 213 -- first 64 bits of the fractional parts of the square roots of the 214 -- first eight primes 215 iv :: Registers 216 iv = Registers 217 0x6a09e667f3bcc908 0xbb67ae8584caa73b 0x3c6ef372fe94f82b 0xa54ff53a5f1d36f1 218 0x510e527fade682d1 0x9b05688c2b3e6c1f 0x1f83d9abfb41bd6b 0x5be0cd19137e2179 219 220 -- processing ----------------------------------------------------------------- 221 -- https://datatracker.ietf.org/doc/html/rfc6234#section-6.2 222 223 data Block = Block { 224 m00 :: !Word64, m01 :: !Word64, m02 :: !Word64, m03 :: !Word64 225 , m04 :: !Word64, m05 :: !Word64, m06 :: !Word64, m07 :: !Word64 226 , m08 :: !Word64, m09 :: !Word64, m10 :: !Word64, m11 :: !Word64 227 , m12 :: !Word64, m13 :: !Word64, m14 :: !Word64, m15 :: !Word64 228 } 229 230 -- parse strict bytestring to block 231 -- 232 -- invariant: 233 -- the input bytestring is exactly 1024 bits long 234 unsafe_parse :: BS.ByteString -> Block 235 unsafe_parse bs = 236 let !(WSPair m00 t00) = unsafe_parseWsPair bs 237 !(WSPair m01 t01) = unsafe_parseWsPair t00 238 !(WSPair m02 t02) = unsafe_parseWsPair t01 239 !(WSPair m03 t03) = unsafe_parseWsPair t02 240 !(WSPair m04 t04) = unsafe_parseWsPair t03 241 !(WSPair m05 t05) = unsafe_parseWsPair t04 242 !(WSPair m06 t06) = unsafe_parseWsPair t05 243 !(WSPair m07 t07) = unsafe_parseWsPair t06 244 !(WSPair m08 t08) = unsafe_parseWsPair t07 245 !(WSPair m09 t09) = unsafe_parseWsPair t08 246 !(WSPair m10 t10) = unsafe_parseWsPair t09 247 !(WSPair m11 t11) = unsafe_parseWsPair t10 248 !(WSPair m12 t12) = unsafe_parseWsPair t11 249 !(WSPair m13 t13) = unsafe_parseWsPair t12 250 !(WSPair m14 t14) = unsafe_parseWsPair t13 251 !(WSPair m15 t15) = unsafe_parseWsPair t14 252 in if BS.null t15 253 then Block {..} 254 else error "ppad-sha512: internal error (bytes remaining)" 255 256 -- RFC 6234 6.2 step 1 257 prepare_schedule :: Block -> Schedule 258 prepare_schedule Block {..} = Schedule {..} where 259 w00 = m00; w01 = m01; w02 = m02; w03 = m03 260 w04 = m04; w05 = m05; w06 = m06; w07 = m07 261 w08 = m08; w09 = m09; w10 = m10; w11 = m11 262 w12 = m12; w13 = m13; w14 = m14; w15 = m15 263 w16 = ssig1 w14 + w09 + ssig0 w01 + w00 264 w17 = ssig1 w15 + w10 + ssig0 w02 + w01 265 w18 = ssig1 w16 + w11 + ssig0 w03 + w02 266 w19 = ssig1 w17 + w12 + ssig0 w04 + w03 267 w20 = ssig1 w18 + w13 + ssig0 w05 + w04 268 w21 = ssig1 w19 + w14 + ssig0 w06 + w05 269 w22 = ssig1 w20 + w15 + ssig0 w07 + w06 270 w23 = ssig1 w21 + w16 + ssig0 w08 + w07 271 w24 = ssig1 w22 + w17 + ssig0 w09 + w08 272 w25 = ssig1 w23 + w18 + ssig0 w10 + w09 273 w26 = ssig1 w24 + w19 + ssig0 w11 + w10 274 w27 = ssig1 w25 + w20 + ssig0 w12 + w11 275 w28 = ssig1 w26 + w21 + ssig0 w13 + w12 276 w29 = ssig1 w27 + w22 + ssig0 w14 + w13 277 w30 = ssig1 w28 + w23 + ssig0 w15 + w14 278 w31 = ssig1 w29 + w24 + ssig0 w16 + w15 279 w32 = ssig1 w30 + w25 + ssig0 w17 + w16 280 w33 = ssig1 w31 + w26 + ssig0 w18 + w17 281 w34 = ssig1 w32 + w27 + ssig0 w19 + w18 282 w35 = ssig1 w33 + w28 + ssig0 w20 + w19 283 w36 = ssig1 w34 + w29 + ssig0 w21 + w20 284 w37 = ssig1 w35 + w30 + ssig0 w22 + w21 285 w38 = ssig1 w36 + w31 + ssig0 w23 + w22 286 w39 = ssig1 w37 + w32 + ssig0 w24 + w23 287 w40 = ssig1 w38 + w33 + ssig0 w25 + w24 288 w41 = ssig1 w39 + w34 + ssig0 w26 + w25 289 w42 = ssig1 w40 + w35 + ssig0 w27 + w26 290 w43 = ssig1 w41 + w36 + ssig0 w28 + w27 291 w44 = ssig1 w42 + w37 + ssig0 w29 + w28 292 w45 = ssig1 w43 + w38 + ssig0 w30 + w29 293 w46 = ssig1 w44 + w39 + ssig0 w31 + w30 294 w47 = ssig1 w45 + w40 + ssig0 w32 + w31 295 w48 = ssig1 w46 + w41 + ssig0 w33 + w32 296 w49 = ssig1 w47 + w42 + ssig0 w34 + w33 297 w50 = ssig1 w48 + w43 + ssig0 w35 + w34 298 w51 = ssig1 w49 + w44 + ssig0 w36 + w35 299 w52 = ssig1 w50 + w45 + ssig0 w37 + w36 300 w53 = ssig1 w51 + w46 + ssig0 w38 + w37 301 w54 = ssig1 w52 + w47 + ssig0 w39 + w38 302 w55 = ssig1 w53 + w48 + ssig0 w40 + w39 303 w56 = ssig1 w54 + w49 + ssig0 w41 + w40 304 w57 = ssig1 w55 + w50 + ssig0 w42 + w41 305 w58 = ssig1 w56 + w51 + ssig0 w43 + w42 306 w59 = ssig1 w57 + w52 + ssig0 w44 + w43 307 w60 = ssig1 w58 + w53 + ssig0 w45 + w44 308 w61 = ssig1 w59 + w54 + ssig0 w46 + w45 309 w62 = ssig1 w60 + w55 + ssig0 w47 + w46 310 w63 = ssig1 w61 + w56 + ssig0 w48 + w47 311 w64 = ssig1 w62 + w57 + ssig0 w49 + w48 312 w65 = ssig1 w63 + w58 + ssig0 w50 + w49 313 w66 = ssig1 w64 + w59 + ssig0 w51 + w50 314 w67 = ssig1 w65 + w60 + ssig0 w52 + w51 315 w68 = ssig1 w66 + w61 + ssig0 w53 + w52 316 w69 = ssig1 w67 + w62 + ssig0 w54 + w53 317 w70 = ssig1 w68 + w63 + ssig0 w55 + w54 318 w71 = ssig1 w69 + w64 + ssig0 w56 + w55 319 w72 = ssig1 w70 + w65 + ssig0 w57 + w56 320 w73 = ssig1 w71 + w66 + ssig0 w58 + w57 321 w74 = ssig1 w72 + w67 + ssig0 w59 + w58 322 w75 = ssig1 w73 + w68 + ssig0 w60 + w59 323 w76 = ssig1 w74 + w69 + ssig0 w61 + w60 324 w77 = ssig1 w75 + w70 + ssig0 w62 + w61 325 w78 = ssig1 w76 + w71 + ssig0 w63 + w62 326 w79 = ssig1 w77 + w72 + ssig0 w64 + w63 327 328 -- RFC 6234 6.2 steps 2, 3, 4 329 block_hash :: Registers -> Schedule -> Registers 330 block_hash r00@Registers {..} Schedule {..} = 331 -- constants are the first 64 bits of the fractional parts of the 332 -- cube roots of the first eighty prime numbers 333 let r01 = step r00 0x428a2f98d728ae22 w00 334 r02 = step r01 0x7137449123ef65cd w01 335 r03 = step r02 0xb5c0fbcfec4d3b2f w02 336 r04 = step r03 0xe9b5dba58189dbbc w03 337 r05 = step r04 0x3956c25bf348b538 w04 338 r06 = step r05 0x59f111f1b605d019 w05 339 r07 = step r06 0x923f82a4af194f9b w06 340 r08 = step r07 0xab1c5ed5da6d8118 w07 341 r09 = step r08 0xd807aa98a3030242 w08 342 r10 = step r09 0x12835b0145706fbe w09 343 r11 = step r10 0x243185be4ee4b28c w10 344 r12 = step r11 0x550c7dc3d5ffb4e2 w11 345 r13 = step r12 0x72be5d74f27b896f w12 346 r14 = step r13 0x80deb1fe3b1696b1 w13 347 r15 = step r14 0x9bdc06a725c71235 w14 348 r16 = step r15 0xc19bf174cf692694 w15 349 r17 = step r16 0xe49b69c19ef14ad2 w16 350 r18 = step r17 0xefbe4786384f25e3 w17 351 r19 = step r18 0x0fc19dc68b8cd5b5 w18 352 r20 = step r19 0x240ca1cc77ac9c65 w19 353 r21 = step r20 0x2de92c6f592b0275 w20 354 r22 = step r21 0x4a7484aa6ea6e483 w21 355 r23 = step r22 0x5cb0a9dcbd41fbd4 w22 356 r24 = step r23 0x76f988da831153b5 w23 357 r25 = step r24 0x983e5152ee66dfab w24 358 r26 = step r25 0xa831c66d2db43210 w25 359 r27 = step r26 0xb00327c898fb213f w26 360 r28 = step r27 0xbf597fc7beef0ee4 w27 361 r29 = step r28 0xc6e00bf33da88fc2 w28 362 r30 = step r29 0xd5a79147930aa725 w29 363 r31 = step r30 0x06ca6351e003826f w30 364 r32 = step r31 0x142929670a0e6e70 w31 365 r33 = step r32 0x27b70a8546d22ffc w32 366 r34 = step r33 0x2e1b21385c26c926 w33 367 r35 = step r34 0x4d2c6dfc5ac42aed w34 368 r36 = step r35 0x53380d139d95b3df w35 369 r37 = step r36 0x650a73548baf63de w36 370 r38 = step r37 0x766a0abb3c77b2a8 w37 371 r39 = step r38 0x81c2c92e47edaee6 w38 372 r40 = step r39 0x92722c851482353b w39 373 r41 = step r40 0xa2bfe8a14cf10364 w40 374 r42 = step r41 0xa81a664bbc423001 w41 375 r43 = step r42 0xc24b8b70d0f89791 w42 376 r44 = step r43 0xc76c51a30654be30 w43 377 r45 = step r44 0xd192e819d6ef5218 w44 378 r46 = step r45 0xd69906245565a910 w45 379 r47 = step r46 0xf40e35855771202a w46 380 r48 = step r47 0x106aa07032bbd1b8 w47 381 r49 = step r48 0x19a4c116b8d2d0c8 w48 382 r50 = step r49 0x1e376c085141ab53 w49 383 r51 = step r50 0x2748774cdf8eeb99 w50 384 r52 = step r51 0x34b0bcb5e19b48a8 w51 385 r53 = step r52 0x391c0cb3c5c95a63 w52 386 r54 = step r53 0x4ed8aa4ae3418acb w53 387 r55 = step r54 0x5b9cca4f7763e373 w54 388 r56 = step r55 0x682e6ff3d6b2b8a3 w55 389 r57 = step r56 0x748f82ee5defb2fc w56 390 r58 = step r57 0x78a5636f43172f60 w57 391 r59 = step r58 0x84c87814a1f0ab72 w58 392 r60 = step r59 0x8cc702081a6439ec w59 393 r61 = step r60 0x90befffa23631e28 w60 394 r62 = step r61 0xa4506cebde82bde9 w61 395 r63 = step r62 0xbef9a3f7b2c67915 w62 396 r64 = step r63 0xc67178f2e372532b w63 397 r65 = step r64 0xca273eceea26619c w64 398 r66 = step r65 0xd186b8c721c0c207 w65 399 r67 = step r66 0xeada7dd6cde0eb1e w66 400 r68 = step r67 0xf57d4f7fee6ed178 w67 401 r69 = step r68 0x06f067aa72176fba w68 402 r70 = step r69 0x0a637dc5a2c898a6 w69 403 r71 = step r70 0x113f9804bef90dae w70 404 r72 = step r71 0x1b710b35131c471b w71 405 r73 = step r72 0x28db77f523047d84 w72 406 r74 = step r73 0x32caab7b40c72493 w73 407 r75 = step r74 0x3c9ebe0a15c9bebc w74 408 r76 = step r75 0x431d67c49c100d4c w75 409 r77 = step r76 0x4cc5d4becb3e42b6 w76 410 r78 = step r77 0x597f299cfc657e2a w77 411 r79 = step r78 0x5fcb6fab3ad6faec w78 412 r80 = step r79 0x6c44198c4a475817 w79 413 !(Registers a b c d e f g h) = r80 414 in Registers 415 (a + h0) (b + h1) (c + h2) (d + h3) 416 (e + h4) (f + h5) (g + h6) (h + h7) 417 418 step :: Registers -> Word64 -> Word64 -> Registers 419 step (Registers a b c d e f g h) k w = 420 let t1 = h + bsig1 e + ch e f g + k + w 421 t2 = bsig0 a + maj a b c 422 in Registers (t1 + t2) a b c (d + t1) e f g 423 {-# INLINE step #-} 424 425 -- RFC 6234 6.2 block pipeline 426 -- 427 -- invariant: 428 -- the input bytestring is exactly 1024 bits in length 429 unsafe_hash_alg :: Registers -> BS.ByteString -> Registers 430 unsafe_hash_alg rs bs = block_hash rs (prepare_schedule (unsafe_parse bs)) 431 432 -- register concatenation 433 cat :: Registers -> BS.ByteString 434 cat Registers {..} = 435 BL.toStrict 436 -- more efficient for small builder 437 . BE.toLazyByteStringWith (BE.safeStrategy 128 BE.smallChunkSize) mempty 438 $ mconcat [ 439 BSB.word64BE h0, BSB.word64BE h1, BSB.word64BE h2, BSB.word64BE h3 440 , BSB.word64BE h4, BSB.word64BE h5, BSB.word64BE h6, BSB.word64BE h7 441 ] 442 443 -- | Compute a condensed representation of a strict bytestring via 444 -- SHA-512. 445 -- 446 -- The 512-bit output digest is returned as a strict bytestring. 447 -- 448 -- >>> hash "strict bytestring input" 449 -- "<strict 512-bit message digest>" 450 hash :: BS.ByteString -> BS.ByteString 451 hash bs = cat (go iv (pad bs)) where 452 -- proof that 'go' always terminates safely: 453 -- 454 -- let b = pad bs 455 -- then length(b) = n * 1024 bits for some n >= 0 (1) 456 go :: Registers -> BS.ByteString -> Registers 457 go !acc b 458 -- if n == 0, then 'go' terminates safely (2) 459 | BS.null b = acc 460 -- if n > 0, then 461 -- 462 -- let (c, r) = unsafe_splitAt 128 b 463 -- then length(c) == 1024 bits by (1) 464 -- length(r) == m * 1024 bits for some m >= 0 by (1) 465 -- 466 -- note 'unsafe_hash_alg' terminates safely for bytestring (3) 467 -- input of exactly 1024 bits in length 468 -- 469 -- length(c) == 1024 470 -- => 'unsafe_hash_alg' terminates safely by (3) 471 -- => 'go' terminates safely (4) 472 -- length(r) == m * 1024 bits for m >= 0 473 -- => next invocation of 'go' terminates safely by (2), (4) 474 -- 475 -- then by induction, 'go' always terminates safely (QED) 476 | otherwise = case unsafe_splitAt 128 b of 477 SSPair c r -> go (unsafe_hash_alg acc c) r 478 479 -- | Compute a condensed representation of a lazy bytestring via 480 -- SHA-512. 481 -- 482 -- The 512-bit output digest is returned as a strict bytestring. 483 -- 484 -- >>> hash_lazy "lazy bytestring input" 485 -- "<strict 512-bit message digest>" 486 hash_lazy :: BL.ByteString -> BS.ByteString 487 hash_lazy bl = cat (go iv (pad_lazy bl)) where 488 -- proof of safety proceeds analogously 489 go :: Registers -> BL.ByteString -> Registers 490 go !acc bs 491 | BL.null bs = acc 492 | otherwise = case splitAt128 bs of 493 SLPair c r -> go (unsafe_hash_alg acc c) r 494 495 -- HMAC ----------------------------------------------------------------------- 496 -- https://datatracker.ietf.org/doc/html/rfc2104#section-2 497 498 data KeyAndLen = KeyAndLen 499 {-# UNPACK #-} !BS.ByteString 500 {-# UNPACK #-} !Int 501 502 -- | Produce a message authentication code for a strict bytestring, 503 -- based on the provided (strict, bytestring) key, via SHA-512. 504 -- 505 -- The 512-bit MAC is returned as a strict bytestring. 506 -- 507 -- Per RFC 2104, the key /should/ be a minimum of 64 bytes long. Keys 508 -- exceeding 1024 bytes in length will first be hashed (via SHA-512). 509 -- 510 -- >>> hmac "strict bytestring key" "strict bytestring input" 511 -- "<strict 512-bit MAC>" 512 hmac 513 :: BS.ByteString -- ^ key 514 -> BS.ByteString -- ^ text 515 -> BS.ByteString 516 hmac mk text = 517 let step1 = k <> BS.replicate (128 - lk) 0x00 518 step2 = BS.map (B.xor 0x36) step1 519 step3 = step2 <> text 520 step4 = hash step3 521 step5 = BS.map (B.xor 0x5C) step1 522 step6 = step5 <> step4 523 in hash step6 524 where 525 !(KeyAndLen k lk) = 526 let l = BS.length mk 527 in if l > 128 528 then KeyAndLen (hash mk) 64 529 else KeyAndLen mk l 530 531 -- | Produce a message authentication code for a lazy bytestring, based 532 -- on the provided (strict, bytestring) key, via SHA-512. 533 -- 534 -- The 512-bit MAC is returned as a strict bytestring. 535 -- 536 -- Per RFC 2104, the key /should/ be a minimum of 64 bytes long. Keys 537 -- exceeding 1024 bytes in length will first be hashed (via SHA-512). 538 -- 539 -- >>> hmac_lazy "strict bytestring key" "lazy bytestring input" 540 -- "<strict 512-bit MAC>" 541 hmac_lazy 542 :: BS.ByteString -- ^ key 543 -> BL.ByteString -- ^ text 544 -> BS.ByteString 545 hmac_lazy mk text = 546 let step1 = k <> BS.replicate (128 - lk) 0x00 547 step2 = BS.map (B.xor 0x36) step1 548 step3 = BL.fromStrict step2 <> text 549 step4 = hash_lazy step3 550 step5 = BS.map (B.xor 0x5C) step1 551 step6 = step5 <> step4 552 in hash step6 553 where 554 !(KeyAndLen k lk) = 555 let l = BS.length mk 556 in if l > 128 557 then KeyAndLen (hash mk) 64 558 else KeyAndLen mk l 559