# TLS stage 2
# Computes the master secret (MS).
# Outputs sha256(ms xor opad) called "ms outer hash state" to N and also outputs
# sha256(ms xor ipad) called "ms inner hash state" to C.

14 3730
2 512 640
# notary inputs
#  256: pms outer hash state
#  256: output mask
# client inputs
#  256: inner hash of p1
#  128: p2 = hmac.new(secret, a2+seed, hashlib.sha256).digest()
#  256: output mask

1 512
# all outputs go to the evaluator
# 256: ms outer hash state xor-masked by notary
# 256: ms inner hash state xor-masked by client

# pad inner hash as the last chunk for sha256

2 1 0 0 1152 XOR  # 0
1 1 1152 1153 INV # 1

# total length of bits in outer sha256: L == 512+256 == 768 should be the last 64 bits
# 768 in binary is 0000 0011 0000 0000
# to be hashed: 256 bits inner hash + 1 + 191 bits of 0 + 48 bits of 0 + 0000 0011 0000 0000
# note that inputs start in lsb position

#        8-zeros   1   1    245-zeros   1  inner hash outer hash
768 256 [1152*8] 1153 1153 [1152*245] 1153 [512|>256] [0|>256] [1154|>256] sha256.txt

# master secret == [1154|>256] + [768|>128] == p1+p2 (48 bytes)

1 8 0 [1410|>8] getIpadByte.casm
1 8 0 [1418|>8] getOpadByte.casm
8 128 [1410|>8] [1426|>128] repeatByte16Times.casm
8 128 [1418|>8] [1554|>128] repeatByte16Times.casm

# for ipad
# xor the last 16 bytes of MS 
256 128 [1426|>128] [768|>128] [1682|>128]  xor128bits.casm

# xor the first 32 bytes of MS
512 256 [1426|>128] [1426|>128] [1154|>256] [1810|>256] xor256bits.casm

# same for opad
# xor the last 16 bytes of MS
256 128 [1554|>128] [768|>128] [2066|>128] xor128bits.casm

# xor the first 32 bytes of MS
512 256 [1554|>128] [1554|>128] [1154|>256] [2194|>256] xor256bits.casm

2 256 0 1 [2450|>256] getSha256InitialState.casm

#-------10 gates at this point

768 256 [1554|>128] [2066|>384] [2450|>256] [2706|>256] sha256.txt # outer
768 256 [1426|>128] [1682|>384] [2450|>256] [2962|>256] sha256.txt # inner

512 256 [2706|>256] [256|>256] [3218|>256] xor256bits.casm
512 256 [2962|>256] [896|>256] [3474|>256] xor256bits.casm