Use digestif for SHA256 hmac · futur.blue/pegasus@96aee84

futur.blue / pegasus

fork atom

objective categorical abstract machine language personal data server

fork atom

Use digestif for SHA256 hmac

futur.blue 5 months ago 96aee84f b62e14c6

verified

+13 -39

1 changed file

expand all

unified split

kleidos

rfc6979.ml

+13 -39

kleidos/rfc6979.ml

··· 31 32 (* bits2int for qbits=256 (leftmost 256 bits is whole 32 bytes here) *) 33 let bits2int_256 (bs : bytes) : Z.t = 34 - (* If bs > 32 bytes (not the case here), we'd truncate *) 35 let len = Bytes.length bs in 36 let take = if len <= 32 then len else 32 in 37 let acc = ref Z.zero in ··· 50 let z2 = Z.(z1 mod q) in 51 z_to_bytes32 z2 52 53 - (* hmac sha256 using only hash function *) 54 - let hmac_sha256 ~(hash : bytes -> bytes) ~(key : bytes) (data : bytes) : bytes = 55 - let block_size = 64 in 56 - let key0 = if Bytes.length key > block_size then hash key else key in 57 - let key_block = 58 - if Bytes.length key0 = block_size then key0 59 - else 60 - let b = Bytes.make block_size '\x00' in 61 - Bytes.blit key0 0 b 0 (Bytes.length key0) ; 62 - b 63 - in 64 - let ipad = 0x36 and opad = 0x5c in 65 - let inner_pad = Bytes.create block_size 66 - and outer_pad = Bytes.create block_size in 67 - for i = 0 to block_size - 1 do 68 - let kc = Char.code (Bytes.get key_block i) in 69 - Bytes.set inner_pad i (Char.chr (kc lxor ipad)) ; 70 - Bytes.set outer_pad i (Char.chr (kc lxor opad)) 71 - done ; 72 - let concat a b = 73 - let out = Bytes.create (Bytes.length a + Bytes.length b) in 74 - Bytes.blit a 0 out 0 (Bytes.length a) ; 75 - Bytes.blit b 0 out (Bytes.length a) (Bytes.length b) ; 76 - out 77 - in 78 - let inner = hash (concat inner_pad data) in 79 - hash (concat outer_pad inner) 80 - 81 (* returns 32-byte k for given order q *) 82 let rfc6979_k_256_bytes ~(q : Z.t) ~(privkey : bytes) ~(msg : bytes) : bytes = 83 if Bytes.length privkey <> 32 then invalid_arg "privkey must be 32 bytes" ; 84 let x = bytes32_to_z privkey in 85 if x <= Z.zero || x >= q then invalid_arg "privkey scalar out of range" ; 86 - let module H = Hacl_star.Hacl.SHA2_256 in 87 - let hash = H.hash in 88 - let hmac = hmac_sha256 ~hash in 89 let h1 = hash msg in 90 (* 32-byte SHA-256 digest *) 91 let x_octets = privkey in ··· 104 0 parts ; 105 out 106 in 107 (* step: K = HMAC_K(V || 0x00 || x || h1); V = HMAC_K(V) *) 108 - let k = hmac ~key:k (concat [v; Bytes.of_string "\x00"; x_octets; h1_red]) in 109 - let v = hmac ~key:k v in 110 (* step: K = HMAC_K(V || 0x01 || x || h1); V = HMAC_K(V) *) 111 - let k = hmac ~key:k (concat [v; Bytes.of_string "\x01"; x_octets; h1_red]) in 112 - let v = hmac ~key:k v in 113 (* loop *) 114 let rec loop k v = 115 (* a. V = HMAC_K(V) *) 116 - let v = hmac ~key:k v in 117 let t = v in 118 let k_candidate = bits2int_256 t in 119 if Z.(k_candidate >= one && k_candidate < q) then t 120 else 121 (* K = HMAC_K(V || 0x00); V = HMAC_K(V) *) 122 - let k = hmac ~key:k (concat [v; Bytes.of_string "\x00"]) in 123 - let v = hmac ~key:k v in 124 loop k v 125 in 126 loop k v

··· 31 32 (* bits2int for qbits=256 (leftmost 256 bits is whole 32 bytes here) *) 33 let bits2int_256 (bs : bytes) : Z.t = 34 + (* if bs > 32 bytes (not the case here), we'd truncate *) 35 let len = Bytes.length bs in 36 let take = if len <= 32 then len else 32 in 37 let acc = ref Z.zero in ··· 50 let z2 = Z.(z1 mod q) in 51 z_to_bytes32 z2 52 53 (* returns 32-byte k for given order q *) 54 let rfc6979_k_256_bytes ~(q : Z.t) ~(privkey : bytes) ~(msg : bytes) : bytes = 55 if Bytes.length privkey <> 32 then invalid_arg "privkey must be 32 bytes" ; 56 let x = bytes32_to_z privkey in 57 if x <= Z.zero || x >= q then invalid_arg "privkey scalar out of range" ; 58 + let hash = Hacl_star.Hacl.SHA2_256.hash in 59 let h1 = hash msg in 60 (* 32-byte SHA-256 digest *) 61 let x_octets = privkey in ··· 74 0 parts ; 75 out 76 in 77 + let hmac k v = 78 + Digestif.SHA256.(hmac_bytes ~key:(Bytes.to_string k) v |> to_raw_string) 79 + |> Bytes.of_string 80 + in 81 (* step: K = HMAC_K(V || 0x00 || x || h1); V = HMAC_K(V) *) 82 + let k = hmac k (concat [v; Bytes.of_string "\x00"; x_octets; h1_red]) in 83 + let v = hmac k v in 84 (* step: K = HMAC_K(V || 0x01 || x || h1); V = HMAC_K(V) *) 85 + let k = hmac k (concat [v; Bytes.of_string "\x01"; x_octets; h1_red]) in 86 + let v = hmac k v in 87 (* loop *) 88 let rec loop k v = 89 (* a. V = HMAC_K(V) *) 90 + let v = hmac k v in 91 let t = v in 92 let k_candidate = bits2int_256 t in 93 if Z.(k_candidate >= one && k_candidate < q) then t 94 else 95 (* K = HMAC_K(V || 0x00); V = HMAC_K(V) *) 96 + let k = hmac k (concat [v; Bytes.of_string "\x00"]) in 97 + let v = hmac k v in 98 loop k v 99 in 100 loop k v