yescrypt 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 1ba0d0c9b88163285669166982ad7cb47cfcd51ad07935b30d5215b51a8c2c8b
+  data.tar.gz: 14f1b653e6c920e6c0f1e973b877c7d146c68006018bddbfcf5728ac33b6aeda
+SHA512:
+  metadata.gz: 412ec3b20fd3180dfac8fe5e8b5851d645027055f9f9752056059f1fb6443febec4969498b4061500e4f2664503ce41c2bebdc4590c966a239422c8e565054b8
+  data.tar.gz: 45314045bb1f25679b68336b17aa4a59e9bfa5725ef8ca5c9548bfed2d91d9b4330f1deeb34b596ee70579c98e277334bc48268b406f96865552891e33bd4e76

data/LICENSE

@@ -0,0 +1,42 @@
+MIT License
+
+Copyright (c) 2026 Suleyman Musayev
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+---
+
+The yescrypt C implementation is based on work by:
+
+Copyright (c) 2009 Colin Percival (scrypt)
+Copyright (c) 2013-2021 Alexander Peslyak (yescrypt)
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.

data/README.md

@@ -0,0 +1,325 @@
+# yescrypt
+
+A Ruby C extension wrapping the [yescrypt](https://www.openwall.com/yescrypt/) password hashing algorithm.
+
+yescrypt is the default password hash in modern Linux distributions (glibc 2.36+). It extends [scrypt](https://www.tarsnap.com/scrypt.html) with pwxform for stronger time-memory tradeoff resistance, making it significantly more costly for attackers using GPUs or custom hardware.
+
+## Features
+
+- High-level `create` / `verify` API modeled after bcrypt-ruby
+- Low-level `kdf` access for custom use cases
+- Constant-time hash comparison via `OpenSSL.fixed_length_secure_compare`
+- Thread-safe: releases the GVL during hashing so other Ruby threads can run
+- GC-compaction safe with pinned string references
+- Sensitive buffers are zeroed after use
+- Supports all three yescrypt flavors: WORM, RW, and DEFAULTS
+
+## Requirements
+
+- Ruby >= 2.7.2
+- A C99-compatible compiler (gcc, clang, etc.)
+
+## Installation
+
+Add to your Gemfile:
+
+```ruby
+gem "yescrypt"
+```
+
+Then run:
+
+```
+bundle install
+```
+
+Or install directly:
+
+```
+gem install yescrypt
+```
+
+The C extension compiles automatically during installation. No external libraries are needed -- yescrypt, SHA-256, HMAC, and PBKDF2 are all bundled.
+
+## Quick Start
+
+```ruby
+require "yescrypt"
+
+# Hash a password (uses secure defaults: N=2^12, r=32, p=1)
+hash = Yescrypt.create("my secret password")
+# => "$y$j..."
+
+# Verify a password against a stored hash
+Yescrypt.verify("my secret password", hash)  # => true
+Yescrypt.verify("wrong password", hash)       # => false
+
+# Check if a hash needs rehashing (e.g., after changing cost parameters)
+Yescrypt.cost_matches?(hash)  # => true (matches current defaults)
+Yescrypt.cost_matches?(hash, n_log2: 14, r: 32, p: 1)  # => false
+```
+
+## API Reference
+
+### `Yescrypt.create(password, **options)`
+
+Hash a password and return an encoded string suitable for storage.
+
+```ruby
+hash = Yescrypt.create("password")
+hash = Yescrypt.create("password", n_log2: 14, r: 32, p: 1, t: 0, flags: Yescrypt::DEFAULTS)
+```
+
+**Parameters:**
+
+| Parameter | Type    | Default                  | Description                                    |
+|-----------|---------|--------------------------|------------------------------------------------|
+| password  | String  | *(required)*             | The plaintext password                         |
+| n_log2:   | Integer | `12`                     | Log2 of the block count (memory cost). N = 2^n_log2 |
+| r:        | Integer | `32`                     | Block size parameter (affects memory per block) |
+| p:        | Integer | `1`                      | Parallelism parameter                          |
+| t:        | Integer | `0`                      | Time parameter (extra mixing rounds)           |
+| flags:    | Integer | `Yescrypt::DEFAULTS` (2) | Flavor flags (see [Flavors](#flavors))         |
+
+**Returns:** A frozen, US-ASCII encoded string starting with `$y$`.
+
+A random 16-byte salt is generated automatically using `SecureRandom`.
+
+### `Yescrypt.verify(password, hash)`
+
+Verify a plaintext password against an encoded hash.
+
+```ruby
+Yescrypt.verify("password", hash)  # => true or false
+```
+
+Returns `false` for any invalid input (wrong types, malformed hash, wrong password) rather than raising exceptions. Uses constant-time comparison to prevent timing attacks.
+
+### `Yescrypt.cost_matches?(hash, **options)`
+
+Check whether an existing hash was generated with the given parameters. Useful for determining if a password needs rehashing after a cost parameter change.
+
+```ruby
+if Yescrypt.verify(password, stored_hash)
+  unless Yescrypt.cost_matches?(stored_hash, n_log2: 14)
+    # Rehash with new cost parameters
+    new_hash = Yescrypt.create(password, n_log2: 14)
+    save_hash(new_hash)
+  end
+end
+```
+
+**Parameters:** Same keyword arguments as `create`. Omitted parameters default to the current defaults.
+
+**Returns:** `true` if all parameters (n_log2, r, p, t, flags) match, `false` otherwise.
+
+### `Yescrypt.default_params`
+
+Returns a frozen hash of the current default parameters:
+
+```ruby
+Yescrypt.default_params
+# => { n_log2: 12, r: 32, p: 1, t: 0, flags: 2 }
+```
+
+### `Yescrypt.decode_params(hash)`
+
+Parse the parameters from an encoded yescrypt hash string.
+
+```ruby
+params = Yescrypt.decode_params(hash)
+# => { n_log2: 12, r: 32, p: 1, t: 0, flags: 2 }
+```
+
+**Returns:** A frozen hash with `:n_log2`, `:r`, `:p`, `:t`, `:flags` keys, or `nil` if the string is not a valid yescrypt hash.
+
+### `Yescrypt.gensalt(**options)`
+
+Generate a setting/salt string for low-level use. You typically don't need this directly -- `create` calls it internally.
+
+```ruby
+salt = SecureRandom.random_bytes(16)
+setting = Yescrypt.gensalt(n_log2: 12, r: 32, p: 1, t: 0, flags: Yescrypt::DEFAULTS, salt: salt)
+```
+
+The `salt:` keyword is required and must be a binary String (typically 16 random bytes).
+
+### `Yescrypt.kdf(password, salt, **options)`
+
+Low-level KDF function that returns raw hash bytes. Unlike `create`, this gives you direct control over all parameters and returns unencoded binary output.
+
+```ruby
+raw = Yescrypt.kdf("password", "salt" * 4,
+  n: 4096, r: 32, p: 1, flags: Yescrypt::DEFAULTS, t: 0, outlen: 32)
+raw.bytesize  # => 32
+```
+
+**Parameters:**
+
+| Parameter | Type    | Default      | Description                              |
+|-----------|---------|--------------|------------------------------------------|
+| password  | String  | *(required)* | The plaintext password                   |
+| salt      | String  | *(required)* | Salt bytes (any length)                  |
+| n:        | Integer | *(required)* | Block count (must be a power of 2, >= 2) |
+| r:        | Integer | *(required)* | Block size parameter                     |
+| p:        | Integer | *(required)* | Parallelism parameter                    |
+| flags:    | Integer | *(required)* | Flavor flags                             |
+| t:        | Integer | `0`          | Time parameter                           |
+| outlen:   | Integer | `32`         | Output length in bytes (1..1024)         |
+
+**Returns:** A binary String of `outlen` bytes.
+
+Note: `n` here is the actual block count (e.g., `4096`), not the log2 value used in `create` (where you'd use `n_log2: 12`).
+
+## Flavors
+
+yescrypt supports three operational flavors:
+
+| Constant              | Value | Description                                                             |
+|-----------------------|-------|-------------------------------------------------------------------------|
+| `Yescrypt::WORM`     | 0     | Classic scrypt-compatible mode. Read-only memory access pattern.        |
+| `Yescrypt::RW`       | 1     | yescrypt with read-write memory access. Stronger against TMTO attacks.  |
+| `Yescrypt::DEFAULTS` | 2     | Recommended mode. Includes RW access plus pwxform strengthening.        |
+
+`DEFAULTS` is recommended for new applications. `WORM` is useful if you need scrypt compatibility.
+
+## Choosing Parameters
+
+The cost parameters control the trade-off between security and performance:
+
+- **n_log2** (memory cost): Each increment doubles memory usage and time. Start with `12` (4096 blocks) and increase if your server can handle it. `14` (16384 blocks) is a good choice for higher security.
+- **r** (block size): Controls memory per block (128 * r bytes). The default `32` (4 KB per block) is well-suited for modern CPUs. Increasing `r` increases memory bandwidth requirements.
+- **p** (parallelism): Number of independent mixing operations. Keep at `1` unless you specifically need parallel computation. Increasing `p` scales CPU time linearly without increasing memory.
+- **t** (time): Extra mixing rounds. Each increment of `t` adds N more mixing iterations. Keep at `0` unless you want to increase CPU time without increasing memory.
+
+### Memory usage
+
+Approximate memory per hash operation: `128 * r * N` bytes, where `N = 2^n_log2`.
+
+| n_log2 | r   | Memory     |
+|--------|-----|------------|
+| 10     | 8   | 1 MB       |
+| 12     | 32  | 16 MB      |
+| 14     | 32  | 64 MB      |
+| 16     | 32  | 256 MB     |
+
+### Benchmarking
+
+Test different parameters to find the right trade-off for your application:
+
+```ruby
+require "benchmark"
+
+[10, 12, 14].each do |n|
+  time = Benchmark.realtime { Yescrypt.create("test", n_log2: n, r: 32, p: 1) }
+  puts "n_log2=#{n}: #{(time * 1000).round}ms"
+end
+```
+
+## Thread Safety
+
+yescrypt releases the Ruby GVL (Global VM Lock) during the CPU-intensive hashing computation. This means other Ruby threads can execute while a hash is being computed:
+
+```ruby
+threads = 4.times.map do |i|
+  Thread.new { Yescrypt.create("password_#{i}", n_log2: 4, r: 1, p: 1) }
+end
+hashes = threads.map(&:value)  # all 4 run concurrently
+```
+
+Each call allocates its own working memory, so there is no shared mutable state between threads.
+
+## Hash Format
+
+The encoded hash string follows the crypt(3) modular format:
+
+```
+$y$j<params>$<salt>$<hash>
+```
+
+- `$y$` -- yescrypt identifier prefix
+- `j` -- flavor indicator
+- `<params>` -- base64-encoded N_log2, r, p, t, and flags
+- `<salt>` -- base64-encoded salt
+- `<hash>` -- base64-encoded 256-bit derived key
+
+Example:
+```
+$y$jD5.7C....$aBcDeFgHiJkLmNoPqR..$xYzAbCdEfGhIjKlMnOpQrStUvWxYz01234567890AB
+```
+
+## Error Handling
+
+The gem defines a single exception class:
+
+```ruby
+Yescrypt::Error < StandardError
+```
+
+Raised by low-level functions (`kdf`, `gensalt`, `_hash_password`) when the C library reports a failure (e.g., memory allocation failure, invalid setting string).
+
+The high-level `verify` method never raises -- it returns `false` on any error. The high-level `create` method raises `TypeError` if the password is not a String, and may raise `Yescrypt::Error` on internal failures.
+
+## Comparison with Other Password Hashing Gems
+
+| Feature                | yescrypt           | bcrypt-ruby        | scrypt             |
+|------------------------|--------------------|--------------------|--------------------|
+| Memory-hard            | Yes                | No                 | Yes                |
+| TMTO resistance        | Strong (pwxform)   | N/A                | Moderate           |
+| Linux default (2024+)  | Yes                | No                 | No                 |
+| GVL released           | Yes                | Yes                | Yes                |
+| Constant-time verify   | Yes                | Yes                | Yes                |
+
+## Development
+
+```bash
+# Clone the repository
+git clone https://github.com/msuliq/yescrypt.git
+cd yescrypt
+
+# Install dependencies
+bundle install
+
+# Compile the C extension
+bundle exec rake compile
+
+# Run tests
+bundle exec rake test
+
+# Run both (compile + test)
+bundle exec rake
+```
+
+### Project Structure
+
+```
+yescrypt/
+  ext/yescrypt/          # C extension source
+    extconf.rb           # Build configuration
+    yescrypt_ext.c       # Ruby/C bridge
+    yescrypt-opt.c       # Core yescrypt algorithm (smix, salsa20, pwxform)
+    yescrypt-common.c    # Encoding, decoding, salt generation, yescrypt_r
+    yescrypt.h           # Public C API header
+    sha256.c             # SHA-256 / HMAC / PBKDF2 implementation
+    sha256.h             # SHA-256 header
+    insecure_memzero.h   # Secure memory zeroing
+  lib/
+    yescrypt.rb          # High-level Ruby API (create, verify, cost_matches?)
+    yescrypt/version.rb  # Version constant
+  test/
+    yescrypt_test.rb     # Minitest test suite
+    test_helper.rb       # Test setup
+```
+
+## License
+
+MIT License. See [LICENSE](LICENSE) for details.
+
+The bundled yescrypt C implementation is based on work by Colin Percival and Alexander Peslyak, used under a permissive BSD-style license.
+
+## References
+
+- [yescrypt - password hashing competition](https://www.openwall.com/yescrypt/)
+- [yescrypt specification (PDF)](https://www.openwall.com/yescrypt/yescrypt-v2.pdf)
+- [scrypt: A new key derivation function](https://www.tarsnap.com/scrypt.html) by Colin Percival
+- [glibc yescrypt support (2.36+)](https://sourceware.org/glibc/wiki/Release/2.36)

data/ext/yescrypt/extconf.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+require "mkmf"
+
+$CFLAGS << " -O2 -Wall -Wextra -std=c99"
+
+create_makefile("yescrypt/yescrypt_ext")

data/ext/yescrypt/insecure_memzero.h

@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2014 Alexander Peslyak
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.
+ */
+
+#ifndef INSECURE_MEMZERO_H
+#define INSECURE_MEMZERO_H
+
+#include <string.h>
+
+/*
+ * Securely zero memory - uses volatile pointer writes to prevent
+ * the compiler from optimizing away the clearing operation.
+ *
+ * Note: explicit_bzero/memset_s would be preferred but are not
+ * reliably available across platforms under strict C99 mode.
+ */
+static void insecure_memzero(void *buf, size_t len)
+{
+    volatile unsigned char *p = (volatile unsigned char *)buf;
+    while (len--) {
+        *p++ = 0;
+    }
+}
+
+#endif /* INSECURE_MEMZERO_H */

data/ext/yescrypt/sha256.c

@@ -0,0 +1,256 @@
+/*
+ * SHA-256 / HMAC-SHA256 / PBKDF2-HMAC-SHA256 implementation.
+ * Based on the public domain implementation by Colin Percival.
+ *
+ * Copyright (c) 2009 Colin Percival
+ * Copyright (c) 2013-2021 Alexander Peslyak
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ */
+
+#include <string.h>
+#include <stdint.h>
+
+#include "sha256.h"
+#include "insecure_memzero.h"
+
+static inline uint32_t be32dec(const void *pp)
+{
+    const uint8_t *p = (const uint8_t *)pp;
+    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
+           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
+}
+
+static inline void be32enc(void *pp, uint32_t x)
+{
+    uint8_t *p = (uint8_t *)pp;
+    p[0] = (x >> 24) & 0xff;
+    p[1] = (x >> 16) & 0xff;
+    p[2] = (x >> 8) & 0xff;
+    p[3] = x & 0xff;
+}
+
+static inline void be64enc(void *pp, uint64_t x)
+{
+    uint8_t *p = (uint8_t *)pp;
+    p[0] = (x >> 56) & 0xff;
+    p[1] = (x >> 48) & 0xff;
+    p[2] = (x >> 40) & 0xff;
+    p[3] = (x >> 32) & 0xff;
+    p[4] = (x >> 24) & 0xff;
+    p[5] = (x >> 16) & 0xff;
+    p[6] = (x >> 8) & 0xff;
+    p[7] = x & 0xff;
+}
+
+#define ROR32(x, n) (((x) >> (n)) | ((x) << (32 - (n))))
+#define Ch(x, y, z)  ((z) ^ ((x) & ((y) ^ (z))))
+#define Maj(x, y, z) (((x) & (y)) | ((z) & ((x) | (y))))
+#define S0(x) (ROR32(x, 2) ^ ROR32(x, 13) ^ ROR32(x, 22))
+#define S1(x) (ROR32(x, 6) ^ ROR32(x, 11) ^ ROR32(x, 25))
+#define s0(x) (ROR32(x, 7) ^ ROR32(x, 18) ^ ((x) >> 3))
+#define s1(x) (ROR32(x, 17) ^ ROR32(x, 19) ^ ((x) >> 10))
+
+#define RND(a, b, c, d, e, f, g, h, k) \
+    h += S1(e) + Ch(e, f, g) + k;      \
+    d += h;                              \
+    h += S0(a) + Maj(a, b, c);
+
+#define RNDr(S, W, i, ii)                                      \
+    RND(S[(64 - i) % 8], S[(65 - i) % 8], S[(66 - i) % 8],   \
+        S[(67 - i) % 8], S[(68 - i) % 8], S[(69 - i) % 8],   \
+        S[(70 - i) % 8], S[(71 - i) % 8],                     \
+        W[i + ii] + K[i + ii])
+
+static const uint32_t K[64] = {
+    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
+    0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
+    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
+    0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
+    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
+    0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
+    0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
+    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
+    0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
+    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
+    0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
+    0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
+    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
+    0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
+};
+
+static void SHA256_Transform(uint32_t state[8], const uint8_t block[64])
+{
+    uint32_t W[64];
+    uint32_t S[8];
+    int i;
+
+    for (i = 0; i < 16; i++)
+        W[i] = be32dec(&block[i * 4]);
+    for (i = 16; i < 64; i++)
+        W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16];
+
+    memcpy(S, state, sizeof(S));
+
+    for (i = 0; i < 64; i += 8) {
+        RNDr(S, W, 0, i);
+        RNDr(S, W, 1, i);
+        RNDr(S, W, 2, i);
+        RNDr(S, W, 3, i);
+        RNDr(S, W, 4, i);
+        RNDr(S, W, 5, i);
+        RNDr(S, W, 6, i);
+        RNDr(S, W, 7, i);
+    }
+
+    for (i = 0; i < 8; i++)
+        state[i] += S[i];
+
+    insecure_memzero(W, sizeof(W));
+    insecure_memzero(S, sizeof(S));
+}
+
+void SHA256_Init(SHA256_CTX *ctx)
+{
+    ctx->count = 0;
+    ctx->state[0] = 0x6a09e667;
+    ctx->state[1] = 0xbb67ae85;
+    ctx->state[2] = 0x3c6ef372;
+    ctx->state[3] = 0xa54ff53a;
+    ctx->state[4] = 0x510e527f;
+    ctx->state[5] = 0x9b05688c;
+    ctx->state[6] = 0x1f83d9ab;
+    ctx->state[7] = 0x5be0cd19;
+}
+
+void SHA256_Update(SHA256_CTX *ctx, const void *in, size_t len)
+{
+    uint64_t bitcount = ctx->count;
+    size_t r = (bitcount >> 3) & 0x3f;
+    const uint8_t *src = (const uint8_t *)in;
+
+    ctx->count = bitcount + ((uint64_t)len << 3);
+
+    if (len < 64 - r) {
+        memcpy(&ctx->buf[r], src, len);
+        return;
+    }
+
+    memcpy(&ctx->buf[r], src, 64 - r);
+    SHA256_Transform(ctx->state, ctx->buf);
+    src += 64 - r;
+    len -= 64 - r;
+
+    while (len >= 64) {
+        SHA256_Transform(ctx->state, src);
+        src += 64;
+        len -= 64;
+    }
+
+    memcpy(ctx->buf, src, len);
+}
+
+void SHA256_Final(uint8_t digest[32], SHA256_CTX *ctx)
+{
+    uint8_t len[8];
+
+    be64enc(len, ctx->count);
+
+    SHA256_Update(ctx, "\x80", 1);
+    while ((ctx->count >> 3) % 64 != 56)
+        SHA256_Update(ctx, "\0", 1);
+    SHA256_Update(ctx, len, 8);
+
+    for (int i = 0; i < 8; i++)
+        be32enc(&digest[i * 4], ctx->state[i]);
+
+    insecure_memzero(ctx, sizeof(*ctx));
+}
+
+/* HMAC-SHA256 */
+void HMAC_SHA256_Init(HMAC_SHA256_CTX *ctx, const void *key, size_t keylen)
+{
+    uint8_t khash[32];
+    uint8_t pad[64];
+    size_t i;
+
+    if (keylen > 64) {
+        SHA256_CTX shactx;
+        SHA256_Init(&shactx);
+        SHA256_Update(&shactx, key, keylen);
+        SHA256_Final(khash, &shactx);
+        key = khash;
+        keylen = 32;
+    }
+
+    SHA256_Init(&ctx->ictx);
+    memset(pad, 0x36, 64);
+    for (i = 0; i < keylen; i++)
+        pad[i] ^= ((const uint8_t *)key)[i];
+    SHA256_Update(&ctx->ictx, pad, 64);
+
+    SHA256_Init(&ctx->octx);
+    memset(pad, 0x5c, 64);
+    for (i = 0; i < keylen; i++)
+        pad[i] ^= ((const uint8_t *)key)[i];
+    SHA256_Update(&ctx->octx, pad, 64);
+
+    insecure_memzero(khash, sizeof(khash));
+    insecure_memzero(pad, sizeof(pad));
+}
+
+void HMAC_SHA256_Update(HMAC_SHA256_CTX *ctx, const void *in, size_t len)
+{
+    SHA256_Update(&ctx->ictx, in, len);
+}
+
+void HMAC_SHA256_Final(uint8_t digest[32], HMAC_SHA256_CTX *ctx)
+{
+    uint8_t ihash[32];
+    SHA256_Final(ihash, &ctx->ictx);
+    SHA256_Update(&ctx->octx, ihash, 32);
+    SHA256_Final(digest, &ctx->octx);
+    insecure_memzero(ihash, sizeof(ihash));
+}
+
+/* PBKDF2-HMAC-SHA256 */
+void PBKDF2_SHA256(const uint8_t *passwd, size_t passwdlen,
+    const uint8_t *salt, size_t saltlen,
+    uint64_t c, uint8_t *buf, size_t dkLen)
+{
+    HMAC_SHA256_CTX PShctx, hctx;
+    uint8_t U[32], T[32];
+    uint8_t ivec[4];
+    size_t i, j, k, clen;
+
+    HMAC_SHA256_Init(&PShctx, passwd, passwdlen);
+    HMAC_SHA256_Update(&PShctx, salt, saltlen);
+
+    for (i = 0; i * 32 < dkLen; i++) {
+        be32enc(ivec, (uint32_t)(i + 1));
+        memcpy(&hctx, &PShctx, sizeof(HMAC_SHA256_CTX));
+        HMAC_SHA256_Update(&hctx, ivec, 4);
+        HMAC_SHA256_Final(U, &hctx);
+        memcpy(T, U, 32);
+
+        for (j = 2; j <= c; j++) {
+            HMAC_SHA256_Init(&hctx, passwd, passwdlen);
+            HMAC_SHA256_Update(&hctx, U, 32);
+            HMAC_SHA256_Final(U, &hctx);
+            for (k = 0; k < 32; k++)
+                T[k] ^= U[k];
+        }
+
+        clen = dkLen - i * 32;
+        if (clen > 32)
+            clen = 32;
+        memcpy(&buf[i * 32], T, clen);
+    }
+
+    insecure_memzero(&PShctx, sizeof(PShctx));
+    insecure_memzero(U, sizeof(U));
+    insecure_memzero(T, sizeof(T));
+}