hostapd: remove version tag from directory
[dragonfly.git] / contrib / hostapd / sha256.c
CommitLineData
ebfa2275
SZ
1/*
2 * SHA-256 hash implementation and interface functions
3 * Copyright (c) 2003-2006, Jouni Malinen <j@w1.fi>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Alternatively, this software may be distributed under the terms of BSD
10 * license.
11 *
12 * See README and COPYING for more details.
13 */
14
15#include "includes.h"
16
17#include "common.h"
18#include "sha256.h"
19#include "crypto.h"
20
21
22/**
23 * hmac_sha256_vector - HMAC-SHA256 over data vector (RFC 2104)
24 * @key: Key for HMAC operations
25 * @key_len: Length of the key in bytes
26 * @num_elem: Number of elements in the data vector
27 * @addr: Pointers to the data areas
28 * @len: Lengths of the data blocks
29 * @mac: Buffer for the hash (32 bytes)
30 */
31void hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem,
32 const u8 *addr[], const size_t *len, u8 *mac)
33{
34 unsigned char k_pad[64]; /* padding - key XORd with ipad/opad */
35 unsigned char tk[32];
36 const u8 *_addr[6];
37 size_t _len[6], i;
38
39 if (num_elem > 5) {
40 /*
41 * Fixed limit on the number of fragments to avoid having to
42 * allocate memory (which could fail).
43 */
44 return;
45 }
46
47 /* if key is longer than 64 bytes reset it to key = SHA256(key) */
48 if (key_len > 64) {
49 sha256_vector(1, &key, &key_len, tk);
50 key = tk;
51 key_len = 32;
52 }
53
54 /* the HMAC_SHA256 transform looks like:
55 *
56 * SHA256(K XOR opad, SHA256(K XOR ipad, text))
57 *
58 * where K is an n byte key
59 * ipad is the byte 0x36 repeated 64 times
60 * opad is the byte 0x5c repeated 64 times
61 * and text is the data being protected */
62
63 /* start out by storing key in ipad */
64 memset(k_pad, 0, sizeof(k_pad));
65 memcpy(k_pad, key, key_len);
66 /* XOR key with ipad values */
67 for (i = 0; i < 64; i++)
68 k_pad[i] ^= 0x36;
69
70 /* perform inner SHA256 */
71 _addr[0] = k_pad;
72 _len[0] = 64;
73 for (i = 0; i < num_elem; i++) {
74 _addr[i + 1] = addr[i];
75 _len[i + 1] = len[i];
76 }
77 sha256_vector(1 + num_elem, _addr, _len, mac);
78
79 memset(k_pad, 0, sizeof(k_pad));
80 memcpy(k_pad, key, key_len);
81 /* XOR key with opad values */
82 for (i = 0; i < 64; i++)
83 k_pad[i] ^= 0x5c;
84
85 /* perform outer SHA256 */
86 _addr[0] = k_pad;
87 _len[0] = 64;
88 _addr[1] = mac;
89 _len[1] = SHA256_MAC_LEN;
90 sha256_vector(2, _addr, _len, mac);
91}
92
93
94/**
95 * hmac_sha256 - HMAC-SHA256 over data buffer (RFC 2104)
96 * @key: Key for HMAC operations
97 * @key_len: Length of the key in bytes
98 * @data: Pointers to the data area
99 * @data_len: Length of the data area
100 * @mac: Buffer for the hash (20 bytes)
101 */
102void hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
103 size_t data_len, u8 *mac)
104{
105 hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac);
106}
107
108
109/**
110 * sha256_prf - SHA256-based Pseudo-Random Function (IEEE 802.11r, 8.5A.3)
111 * @key: Key for PRF
112 * @key_len: Length of the key in bytes
113 * @label: A unique label for each purpose of the PRF
114 * @data: Extra data to bind into the key
115 * @data_len: Length of the data
116 * @buf: Buffer for the generated pseudo-random key
117 * @buf_len: Number of bytes of key to generate
118 *
119 * This function is used to derive new, cryptographically separate keys from a
120 * given key.
121 */
122void sha256_prf(const u8 *key, size_t key_len, const char *label,
123 const u8 *data, size_t data_len, u8 *buf, size_t buf_len)
124{
125 u16 counter = 0;
126 size_t pos, plen;
127 u8 hash[SHA256_MAC_LEN];
128 const u8 *addr[3];
129 size_t len[3];
130 u8 counter_le[2];
131
132 addr[0] = counter_le;
133 len[0] = 2;
134 addr[1] = (u8 *) label;
135 len[1] = strlen(label) + 1;
136 addr[2] = data;
137 len[2] = data_len;
138
139 pos = 0;
140 while (pos < buf_len) {
141 plen = buf_len - pos;
142 WPA_PUT_LE16(counter_le, counter);
143 if (plen >= SHA256_MAC_LEN) {
144 hmac_sha256_vector(key, key_len, 3, addr, len,
145 &buf[pos]);
146 pos += SHA256_MAC_LEN;
147 } else {
148 hmac_sha256_vector(key, key_len, 3, addr, len, hash);
149 memcpy(&buf[pos], hash, plen);
150 break;
151 }
152 counter++;
153 }
154}
155
156
157#ifdef INTERNAL_SHA256
158
159struct sha256_state {
160 u64 length;
161 u32 state[8], curlen;
162 u8 buf[64];
163};
164
165static void sha256_init(struct sha256_state *md);
166static int sha256_process(struct sha256_state *md, const unsigned char *in,
167 unsigned long inlen);
168static int sha256_done(struct sha256_state *md, unsigned char *out);
169
170
171/**
172 * sha256_vector - SHA256 hash for data vector
173 * @num_elem: Number of elements in the data vector
174 * @addr: Pointers to the data areas
175 * @len: Lengths of the data blocks
176 * @mac: Buffer for the hash
177 */
178void sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len,
179 u8 *mac)
180{
181 struct sha256_state ctx;
182 size_t i;
183
184 sha256_init(&ctx);
185 for (i = 0; i < num_elem; i++)
186 sha256_process(&ctx, addr[i], len[i]);
187 sha256_done(&ctx, mac);
188}
189
190
191/* ===== start - public domain SHA256 implementation ===== */
192
193/* This is based on SHA256 implementation in LibTomCrypt that was released into
194 * public domain by Tom St Denis. */
195
196/* the K array */
197static const unsigned long K[64] = {
198 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
199 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
200 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
201 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
202 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
203 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
204 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
205 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
206 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
207 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
208 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
209 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
210 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
211};
212
213
214/* Various logical functions */
215#define RORc(x, y) \
216( ((((unsigned long) (x) & 0xFFFFFFFFUL) >> (unsigned long) ((y) & 31)) | \
217 ((unsigned long) (x) << (unsigned long) (32 - ((y) & 31)))) & 0xFFFFFFFFUL)
218#define Ch(x,y,z) (z ^ (x & (y ^ z)))
219#define Maj(x,y,z) (((x | y) & z) | (x & y))
220#define S(x, n) RORc((x), (n))
221#define R(x, n) (((x)&0xFFFFFFFFUL)>>(n))
222#define Sigma0(x) (S(x, 2) ^ S(x, 13) ^ S(x, 22))
223#define Sigma1(x) (S(x, 6) ^ S(x, 11) ^ S(x, 25))
224#define Gamma0(x) (S(x, 7) ^ S(x, 18) ^ R(x, 3))
225#define Gamma1(x) (S(x, 17) ^ S(x, 19) ^ R(x, 10))
226#ifndef MIN
227#define MIN(x, y) (((x) < (y)) ? (x) : (y))
228#endif
229
230/* compress 512-bits */
231static int sha256_compress(struct sha256_state *md, unsigned char *buf)
232{
233 u32 S[8], W[64], t0, t1;
234 u32 t;
235 int i;
236
237 /* copy state into S */
238 for (i = 0; i < 8; i++) {
239 S[i] = md->state[i];
240 }
241
242 /* copy the state into 512-bits into W[0..15] */
243 for (i = 0; i < 16; i++)
244 W[i] = WPA_GET_BE32(buf + (4 * i));
245
246 /* fill W[16..63] */
247 for (i = 16; i < 64; i++) {
248 W[i] = Gamma1(W[i - 2]) + W[i - 7] + Gamma0(W[i - 15]) +
249 W[i - 16];
250 }
251
252 /* Compress */
253#define RND(a,b,c,d,e,f,g,h,i) \
254 t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \
255 t1 = Sigma0(a) + Maj(a, b, c); \
256 d += t0; \
257 h = t0 + t1;
258
259 for (i = 0; i < 64; ++i) {
260 RND(S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i);
261 t = S[7]; S[7] = S[6]; S[6] = S[5]; S[5] = S[4];
262 S[4] = S[3]; S[3] = S[2]; S[2] = S[1]; S[1] = S[0]; S[0] = t;
263 }
264
265 /* feedback */
266 for (i = 0; i < 8; i++) {
267 md->state[i] = md->state[i] + S[i];
268 }
269 return 0;
270}
271
272
273/* Initialize the hash state */
274static void sha256_init(struct sha256_state *md)
275{
276 md->curlen = 0;
277 md->length = 0;
278 md->state[0] = 0x6A09E667UL;
279 md->state[1] = 0xBB67AE85UL;
280 md->state[2] = 0x3C6EF372UL;
281 md->state[3] = 0xA54FF53AUL;
282 md->state[4] = 0x510E527FUL;
283 md->state[5] = 0x9B05688CUL;
284 md->state[6] = 0x1F83D9ABUL;
285 md->state[7] = 0x5BE0CD19UL;
286}
287
288/**
289 Process a block of memory though the hash
290 @param md The hash state
291 @param in The data to hash
292 @param inlen The length of the data (octets)
293 @return CRYPT_OK if successful
294*/
295static int sha256_process(struct sha256_state *md, const unsigned char *in,
296 unsigned long inlen)
297{
298 unsigned long n;
299#define block_size 64
300
301 if (md->curlen > sizeof(md->buf))
302 return -1;
303
304 while (inlen > 0) {
305 if (md->curlen == 0 && inlen >= block_size) {
306 if (sha256_compress(md, (unsigned char *) in) < 0)
307 return -1;
308 md->length += block_size * 8;
309 in += block_size;
310 inlen -= block_size;
311 } else {
312 n = MIN(inlen, (block_size - md->curlen));
313 memcpy(md->buf + md->curlen, in, n);
314 md->curlen += n;
315 in += n;
316 inlen -= n;
317 if (md->curlen == block_size) {
318 if (sha256_compress(md, md->buf) < 0)
319 return -1;
320 md->length += 8 * block_size;
321 md->curlen = 0;
322 }
323 }
324 }
325
326 return 0;
327}
328
329
330/**
331 Terminate the hash to get the digest
332 @param md The hash state
333 @param out [out] The destination of the hash (32 bytes)
334 @return CRYPT_OK if successful
335*/
336static int sha256_done(struct sha256_state *md, unsigned char *out)
337{
338 int i;
339
340 if (md->curlen >= sizeof(md->buf))
341 return -1;
342
343 /* increase the length of the message */
344 md->length += md->curlen * 8;
345
346 /* append the '1' bit */
347 md->buf[md->curlen++] = (unsigned char) 0x80;
348
349 /* if the length is currently above 56 bytes we append zeros
350 * then compress. Then we can fall back to padding zeros and length
351 * encoding like normal.
352 */
353 if (md->curlen > 56) {
354 while (md->curlen < 64) {
355 md->buf[md->curlen++] = (unsigned char) 0;
356 }
357 sha256_compress(md, md->buf);
358 md->curlen = 0;
359 }
360
361 /* pad upto 56 bytes of zeroes */
362 while (md->curlen < 56) {
363 md->buf[md->curlen++] = (unsigned char) 0;
364 }
365
366 /* store length */
367 WPA_PUT_BE64(md->buf + 56, md->length);
368 sha256_compress(md, md->buf);
369
370 /* copy output */
371 for (i = 0; i < 8; i++)
372 WPA_PUT_BE32(out + (4 * i), md->state[i]);
373
374 return 0;
375}
376
377/* ===== end - public domain SHA256 implementation ===== */
378
379#endif /* INTERNAL_SHA256 */