src/crypto/sha1extra.c

   1 /*
   2  * Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>.
   3  *
   4  * This program is free software; you can redistribute it and/or
   5  * modify it under the terms of the GNU General Public License as
   6  * published by the Free Software Foundation; either version 2 of the
   7  * License, or any later version.
   8  *
   9  * This program is distributed in the hope that it will be useful, but
  10  * WITHOUT ANY WARRANTY; without even the implied warranty of
  11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  12  * General Public License for more details.
  13  *
  14  * You should have received a copy of the GNU General Public License
  15  * along with this program; if not, write to the Free Software
  16  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  17  * 02110-1301, USA.
  18  */
  19
  20 FILE_LICENCE ( GPL2_OR_LATER );
  21
  22 #include <string.h>
  23 #include <ipxe/crypto.h>
  24 #include <ipxe/sha1.h>
  25 #include <ipxe/hmac.h>
  26 #include <stdint.h>
  27 #include <byteswap.h>
  28
  29 /**
  30  * SHA1 pseudorandom function for creating derived keys
  31  *
  32  * @v key       Master key with which this call is associated
  33  * @v key_len   Length of key
  34  * @v label     NUL-terminated ASCII string describing purpose of PRF data
  35  * @v data      Further data that should be included in the PRF
  36  * @v data_len  Length of further PRF data
  37  * @v prf_len   Bytes of PRF to generate
  38  * @ret prf     Pseudorandom function bytes
  39  *
  40  * This is the PRF variant used by 802.11, defined in IEEE 802.11-2007
  41  * 8.5.5.1. EAP-FAST uses a different SHA1-based PRF, and TLS uses an
  42  * MD5-based PRF.
  43  */
  44 void prf_sha1 ( const void *key, size_t key_len, const char *label,
  45                 const void *data, size_t data_len, void *prf, size_t prf_len )
  46 {
  47         u32 blk;
  48         u8 keym[key_len];       /* modifiable copy of key */
  49         u8 in[strlen ( label ) + 1 + data_len + 1]; /* message to HMAC */
  50         u8 *in_blknr;           /* pointer to last byte of in, block number */
  51         u8 out[SHA1_DIGEST_SIZE]; /* HMAC-SHA1 result */
  52         u8 ctx[SHA1_CTX_SIZE + SHA1_BLOCK_SIZE]; /* HMAC-SHA1 context */
  53         const size_t label_len = strlen ( label );
  54
  55         /* The HMAC-SHA-1 is calculated using the given key on the
  56            message text `label', followed by a NUL, followed by one
  57            byte indicating the block number (0 for first). */
  58
  59         memcpy ( keym, key, key_len );
  60
  61         memcpy ( in, label, strlen ( label ) + 1 );
  62         memcpy ( in + label_len + 1, data, data_len );
  63         in_blknr = in + label_len + 1 + data_len;
  64
  65         for ( blk = 0 ;; blk++ ) {
  66                 *in_blknr = blk;
  67
  68                 hmac_init ( &sha1_algorithm, ctx, keym, key_len );
  69                 hmac_update ( &sha1_algorithm, ctx, in, sizeof ( in ) );
  70                 hmac_final ( &sha1_algorithm, ctx, out );
  71
  72                 if ( prf_len <= sizeof ( out ) ) {
  73                         memcpy ( prf, out, prf_len );
  74                         break;
  75                 }
  76
  77                 memcpy ( prf, out, sizeof ( out ) );
  78                 prf_len -= sizeof ( out );
  79                 prf += sizeof ( out );
  80         }
  81 }
  82
  83 /**
  84  * PBKDF2 key derivation function inner block operation
  85  *
  86  * @v passphrase        Passphrase from which to derive key
  87  * @v pass_len          Length of passphrase
  88  * @v salt              Salt to include in key
  89  * @v salt_len          Length of salt
  90  * @v iterations        Number of iterations of SHA1 to perform
  91  * @v blocknr           Index of this block, starting at 1
  92  * @ret block           SHA1_SIZE bytes of PBKDF2 data
  93  *
  94  * The operation of this function is described in RFC 2898.
  95  */
  96 static void pbkdf2_sha1_f ( const void *passphrase, size_t pass_len,
  97                             const void *salt, size_t salt_len,
  98                             int iterations, u32 blocknr, u8 *block )
  99 {
 100         u8 pass[pass_len];      /* modifiable passphrase */
 101         u8 in[salt_len + 4];    /* input buffer to first round */
 102         u8 last[SHA1_DIGEST_SIZE]; /* output of round N, input of N+1 */
 103         u8 ctx[SHA1_CTX_SIZE + SHA1_BLOCK_SIZE];
 104         u8 *next_in = in;       /* changed to `last' after first round */
 105         int next_size = sizeof ( in );
 106         int i;
 107         unsigned int j;
 108
 109         blocknr = htonl ( blocknr );
 110
 111         memcpy ( pass, passphrase, pass_len );
 112         memcpy ( in, salt, salt_len );
 113         memcpy ( in + salt_len, &blocknr, 4 );
 114         memset ( block, 0, sizeof ( last ) );
 115
 116         for ( i = 0; i < iterations; i++ ) {
 117                 hmac_init ( &sha1_algorithm, ctx, pass, pass_len );
 118                 hmac_update ( &sha1_algorithm, ctx, next_in, next_size );
 119                 hmac_final ( &sha1_algorithm, ctx, last );
 120
 121                 for ( j = 0; j < sizeof ( last ); j++ ) {
 122                         block[j] ^= last[j];
 123                 }
 124
 125                 next_in = last;
 126                 next_size = sizeof ( last );
 127         }
 128 }
 129
 130 /**
 131  * PBKDF2 key derivation function using SHA1
 132  *
 133  * @v passphrase        Passphrase from which to derive key
 134  * @v pass_len          Length of passphrase
 135  * @v salt              Salt to include in key
 136  * @v salt_len          Length of salt
 137  * @v iterations        Number of iterations of SHA1 to perform
 138  * @v key_len           Length of key to generate
 139  * @ret key             Generated key bytes
 140  *
 141  * This is used most notably in 802.11 WPA passphrase hashing, in
 142  * which case the salt is the SSID, 4096 iterations are used, and a
 143  * 32-byte key is generated that serves as the Pairwise Master Key for
 144  * EAPOL authentication.
 145  *
 146  * The operation of this function is further described in RFC 2898.
 147  */
 148 void pbkdf2_sha1 ( const void *passphrase, size_t pass_len,
 149                    const void *salt, size_t salt_len,
 150                    int iterations, void *key, size_t key_len )
 151 {
 152         u32 blocks = ( key_len + SHA1_DIGEST_SIZE - 1 ) / SHA1_DIGEST_SIZE;
 153         u32 blk;
 154         u8 buf[SHA1_DIGEST_SIZE];
 155
 156         for ( blk = 1; blk <= blocks; blk++ ) {
 157                 pbkdf2_sha1_f ( passphrase, pass_len, salt, salt_len,
 158                                 iterations, blk, buf );
 159                 if ( key_len <= sizeof ( buf ) ) {
 160                         memcpy ( key, buf, key_len );
 161                         break;
 162                 }
 163
 164                 memcpy ( key, buf, sizeof ( buf ) );
 165                 key_len -= sizeof ( buf );
 166                 key += sizeof ( buf );
 167         }
 168 }