2 * Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>.
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License as
6 * published by the Free Software Foundation; either version 2 of the
7 * License, or any later version.
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
20 FILE_LICENCE ( GPL2_OR_LATER
);
23 #include <ipxe/crypto.h>
24 #include <ipxe/sha1.h>
25 #include <ipxe/hmac.h>
30 * SHA1 pseudorandom function for creating derived keys
32 * @v key Master key with which this call is associated
33 * @v key_len Length of key
34 * @v label NUL-terminated ASCII string describing purpose of PRF data
35 * @v data Further data that should be included in the PRF
36 * @v data_len Length of further PRF data
37 * @v prf_len Bytes of PRF to generate
38 * @ret prf Pseudorandom function bytes
40 * This is the PRF variant used by 802.11, defined in IEEE 802.11-2007
41 * 8.5.5.1. EAP-FAST uses a different SHA1-based PRF, and TLS uses an
44 void prf_sha1 ( const void *key
, size_t key_len
, const char *label
,
45 const void *data
, size_t data_len
, void *prf
, size_t prf_len
)
48 u8 keym
[key_len
]; /* modifiable copy of key */
49 u8 in
[strlen ( label
) + 1 + data_len
+ 1]; /* message to HMAC */
50 u8
*in_blknr
; /* pointer to last byte of in, block number */
51 u8 out
[SHA1_DIGEST_SIZE
]; /* HMAC-SHA1 result */
52 u8 ctx
[SHA1_CTX_SIZE
+ SHA1_BLOCK_SIZE
]; /* HMAC-SHA1 context */
53 const size_t label_len
= strlen ( label
);
55 /* The HMAC-SHA-1 is calculated using the given key on the
56 message text `label', followed by a NUL, followed by one
57 byte indicating the block number (0 for first). */
59 memcpy ( keym
, key
, key_len
);
61 memcpy ( in
, label
, strlen ( label
) + 1 );
62 memcpy ( in
+ label_len
+ 1, data
, data_len
);
63 in_blknr
= in
+ label_len
+ 1 + data_len
;
65 for ( blk
= 0 ;; blk
++ ) {
68 hmac_init ( &sha1_algorithm
, ctx
, keym
, key_len
);
69 hmac_update ( &sha1_algorithm
, ctx
, in
, sizeof ( in
) );
70 hmac_final ( &sha1_algorithm
, ctx
, out
);
72 if ( prf_len
<= sizeof ( out
) ) {
73 memcpy ( prf
, out
, prf_len
);
77 memcpy ( prf
, out
, sizeof ( out
) );
78 prf_len
-= sizeof ( out
);
79 prf
+= sizeof ( out
);
84 * PBKDF2 key derivation function inner block operation
86 * @v passphrase Passphrase from which to derive key
87 * @v pass_len Length of passphrase
88 * @v salt Salt to include in key
89 * @v salt_len Length of salt
90 * @v iterations Number of iterations of SHA1 to perform
91 * @v blocknr Index of this block, starting at 1
92 * @ret block SHA1_SIZE bytes of PBKDF2 data
94 * The operation of this function is described in RFC 2898.
96 static void pbkdf2_sha1_f ( const void *passphrase
, size_t pass_len
,
97 const void *salt
, size_t salt_len
,
98 int iterations
, u32 blocknr
, u8
*block
)
100 u8 pass
[pass_len
]; /* modifiable passphrase */
101 u8 in
[salt_len
+ 4]; /* input buffer to first round */
102 u8 last
[SHA1_DIGEST_SIZE
]; /* output of round N, input of N+1 */
103 u8 ctx
[SHA1_CTX_SIZE
+ SHA1_BLOCK_SIZE
];
104 u8
*next_in
= in
; /* changed to `last' after first round */
105 int next_size
= sizeof ( in
);
109 blocknr
= htonl ( blocknr
);
111 memcpy ( pass
, passphrase
, pass_len
);
112 memcpy ( in
, salt
, salt_len
);
113 memcpy ( in
+ salt_len
, &blocknr
, 4 );
114 memset ( block
, 0, sizeof ( last
) );
116 for ( i
= 0; i
< iterations
; i
++ ) {
117 hmac_init ( &sha1_algorithm
, ctx
, pass
, pass_len
);
118 hmac_update ( &sha1_algorithm
, ctx
, next_in
, next_size
);
119 hmac_final ( &sha1_algorithm
, ctx
, last
);
121 for ( j
= 0; j
< sizeof ( last
); j
++ ) {
126 next_size
= sizeof ( last
);
131 * PBKDF2 key derivation function using SHA1
133 * @v passphrase Passphrase from which to derive key
134 * @v pass_len Length of passphrase
135 * @v salt Salt to include in key
136 * @v salt_len Length of salt
137 * @v iterations Number of iterations of SHA1 to perform
138 * @v key_len Length of key to generate
139 * @ret key Generated key bytes
141 * This is used most notably in 802.11 WPA passphrase hashing, in
142 * which case the salt is the SSID, 4096 iterations are used, and a
143 * 32-byte key is generated that serves as the Pairwise Master Key for
144 * EAPOL authentication.
146 * The operation of this function is further described in RFC 2898.
148 void pbkdf2_sha1 ( const void *passphrase
, size_t pass_len
,
149 const void *salt
, size_t salt_len
,
150 int iterations
, void *key
, size_t key_len
)
152 u32 blocks
= ( key_len
+ SHA1_DIGEST_SIZE
- 1 ) / SHA1_DIGEST_SIZE
;
154 u8 buf
[SHA1_DIGEST_SIZE
];
156 for ( blk
= 1; blk
<= blocks
; blk
++ ) {
157 pbkdf2_sha1_f ( passphrase
, pass_len
, salt
, salt_len
,
158 iterations
, blk
, buf
);
159 if ( key_len
<= sizeof ( buf
) ) {
160 memcpy ( key
, buf
, key_len
);
164 memcpy ( key
, buf
, sizeof ( buf
) );
165 key_len
-= sizeof ( buf
);
166 key
+= sizeof ( buf
);