| 1 | /* |
| 2 | * SHA-256 hash implementation and interface functions |
| 3 | * Copyright (c) 2003-2006, Jouni Malinen <j@w1.fi> |
| 4 | * |
| 5 | * This program is free software; you can redistribute it and/or modify |
| 6 | * it under the terms of the GNU General Public License version 2 as |
| 7 | * published by the Free Software Foundation. |
| 8 | * |
| 9 | * Alternatively, this software may be distributed under the terms of BSD |
| 10 | * license. |
| 11 | * |
| 12 | * See README and COPYING for more details. |
| 13 | */ |
| 14 | |
| 15 | #include "includes.h" |
| 16 | |
| 17 | #include "common.h" |
| 18 | #include "sha256.h" |
| 19 | #include "crypto.h" |
| 20 | |
| 21 | |
| 22 | /** |
| 23 | * hmac_sha256_vector - HMAC-SHA256 over data vector (RFC 2104) |
| 24 | * @key: Key for HMAC operations |
| 25 | * @key_len: Length of the key in bytes |
| 26 | * @num_elem: Number of elements in the data vector |
| 27 | * @addr: Pointers to the data areas |
| 28 | * @len: Lengths of the data blocks |
| 29 | * @mac: Buffer for the hash (32 bytes) |
| 30 | */ |
| 31 | void hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem, |
| 32 | const u8 *addr[], const size_t *len, u8 *mac) |
| 33 | { |
| 34 | unsigned char k_pad[64]; /* padding - key XORd with ipad/opad */ |
| 35 | unsigned char tk[32]; |
| 36 | const u8 *_addr[6]; |
| 37 | size_t _len[6], i; |
| 38 | |
| 39 | if (num_elem > 5) { |
| 40 | /* |
| 41 | * Fixed limit on the number of fragments to avoid having to |
| 42 | * allocate memory (which could fail). |
| 43 | */ |
| 44 | return; |
| 45 | } |
| 46 | |
| 47 | /* if key is longer than 64 bytes reset it to key = SHA256(key) */ |
| 48 | if (key_len > 64) { |
| 49 | sha256_vector(1, &key, &key_len, tk); |
| 50 | key = tk; |
| 51 | key_len = 32; |
| 52 | } |
| 53 | |
| 54 | /* the HMAC_SHA256 transform looks like: |
| 55 | * |
| 56 | * SHA256(K XOR opad, SHA256(K XOR ipad, text)) |
| 57 | * |
| 58 | * where K is an n byte key |
| 59 | * ipad is the byte 0x36 repeated 64 times |
| 60 | * opad is the byte 0x5c repeated 64 times |
| 61 | * and text is the data being protected */ |
| 62 | |
| 63 | /* start out by storing key in ipad */ |
| 64 | memset(k_pad, 0, sizeof(k_pad)); |
| 65 | memcpy(k_pad, key, key_len); |
| 66 | /* XOR key with ipad values */ |
| 67 | for (i = 0; i < 64; i++) |
| 68 | k_pad[i] ^= 0x36; |
| 69 | |
| 70 | /* perform inner SHA256 */ |
| 71 | _addr[0] = k_pad; |
| 72 | _len[0] = 64; |
| 73 | for (i = 0; i < num_elem; i++) { |
| 74 | _addr[i + 1] = addr[i]; |
| 75 | _len[i + 1] = len[i]; |
| 76 | } |
| 77 | sha256_vector(1 + num_elem, _addr, _len, mac); |
| 78 | |
| 79 | memset(k_pad, 0, sizeof(k_pad)); |
| 80 | memcpy(k_pad, key, key_len); |
| 81 | /* XOR key with opad values */ |
| 82 | for (i = 0; i < 64; i++) |
| 83 | k_pad[i] ^= 0x5c; |
| 84 | |
| 85 | /* perform outer SHA256 */ |
| 86 | _addr[0] = k_pad; |
| 87 | _len[0] = 64; |
| 88 | _addr[1] = mac; |
| 89 | _len[1] = SHA256_MAC_LEN; |
| 90 | sha256_vector(2, _addr, _len, mac); |
| 91 | } |
| 92 | |
| 93 | |
| 94 | /** |
| 95 | * hmac_sha256 - HMAC-SHA256 over data buffer (RFC 2104) |
| 96 | * @key: Key for HMAC operations |
| 97 | * @key_len: Length of the key in bytes |
| 98 | * @data: Pointers to the data area |
| 99 | * @data_len: Length of the data area |
| 100 | * @mac: Buffer for the hash (20 bytes) |
| 101 | */ |
| 102 | void hmac_sha256(const u8 *key, size_t key_len, const u8 *data, |
| 103 | size_t data_len, u8 *mac) |
| 104 | { |
| 105 | hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac); |
| 106 | } |
| 107 | |
| 108 | |
| 109 | /** |
| 110 | * sha256_prf - SHA256-based Pseudo-Random Function (IEEE 802.11r, 8.5A.3) |
| 111 | * @key: Key for PRF |
| 112 | * @key_len: Length of the key in bytes |
| 113 | * @label: A unique label for each purpose of the PRF |
| 114 | * @data: Extra data to bind into the key |
| 115 | * @data_len: Length of the data |
| 116 | * @buf: Buffer for the generated pseudo-random key |
| 117 | * @buf_len: Number of bytes of key to generate |
| 118 | * |
| 119 | * This function is used to derive new, cryptographically separate keys from a |
| 120 | * given key. |
| 121 | */ |
| 122 | void sha256_prf(const u8 *key, size_t key_len, const char *label, |
| 123 | const u8 *data, size_t data_len, u8 *buf, size_t buf_len) |
| 124 | { |
| 125 | u16 counter = 0; |
| 126 | size_t pos, plen; |
| 127 | u8 hash[SHA256_MAC_LEN]; |
| 128 | const u8 *addr[3]; |
| 129 | size_t len[3]; |
| 130 | u8 counter_le[2]; |
| 131 | |
| 132 | addr[0] = counter_le; |
| 133 | len[0] = 2; |
| 134 | addr[1] = (u8 *) label; |
| 135 | len[1] = strlen(label) + 1; |
| 136 | addr[2] = data; |
| 137 | len[2] = data_len; |
| 138 | |
| 139 | pos = 0; |
| 140 | while (pos < buf_len) { |
| 141 | plen = buf_len - pos; |
| 142 | WPA_PUT_LE16(counter_le, counter); |
| 143 | if (plen >= SHA256_MAC_LEN) { |
| 144 | hmac_sha256_vector(key, key_len, 3, addr, len, |
| 145 | &buf[pos]); |
| 146 | pos += SHA256_MAC_LEN; |
| 147 | } else { |
| 148 | hmac_sha256_vector(key, key_len, 3, addr, len, hash); |
| 149 | memcpy(&buf[pos], hash, plen); |
| 150 | break; |
| 151 | } |
| 152 | counter++; |
| 153 | } |
| 154 | } |
| 155 | |
| 156 | |
| 157 | #ifdef INTERNAL_SHA256 |
| 158 | |
| 159 | struct sha256_state { |
| 160 | u64 length; |
| 161 | u32 state[8], curlen; |
| 162 | u8 buf[64]; |
| 163 | }; |
| 164 | |
| 165 | static void sha256_init(struct sha256_state *md); |
| 166 | static int sha256_process(struct sha256_state *md, const unsigned char *in, |
| 167 | unsigned long inlen); |
| 168 | static int sha256_done(struct sha256_state *md, unsigned char *out); |
| 169 | |
| 170 | |
| 171 | /** |
| 172 | * sha256_vector - SHA256 hash for data vector |
| 173 | * @num_elem: Number of elements in the data vector |
| 174 | * @addr: Pointers to the data areas |
| 175 | * @len: Lengths of the data blocks |
| 176 | * @mac: Buffer for the hash |
| 177 | */ |
| 178 | void sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len, |
| 179 | u8 *mac) |
| 180 | { |
| 181 | struct sha256_state ctx; |
| 182 | size_t i; |
| 183 | |
| 184 | sha256_init(&ctx); |
| 185 | for (i = 0; i < num_elem; i++) |
| 186 | sha256_process(&ctx, addr[i], len[i]); |
| 187 | sha256_done(&ctx, mac); |
| 188 | } |
| 189 | |
| 190 | |
| 191 | /* ===== start - public domain SHA256 implementation ===== */ |
| 192 | |
| 193 | /* This is based on SHA256 implementation in LibTomCrypt that was released into |
| 194 | * public domain by Tom St Denis. */ |
| 195 | |
| 196 | /* the K array */ |
| 197 | static const unsigned long K[64] = { |
| 198 | 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL, |
| 199 | 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL, |
| 200 | 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, |
| 201 | 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, |
| 202 | 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL, |
| 203 | 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL, |
| 204 | 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, |
| 205 | 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, |
| 206 | 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL, |
| 207 | 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL, |
| 208 | 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, |
| 209 | 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, |
| 210 | 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL |
| 211 | }; |
| 212 | |
| 213 | |
| 214 | /* Various logical functions */ |
| 215 | #define RORc(x, y) \ |
| 216 | ( ((((unsigned long) (x) & 0xFFFFFFFFUL) >> (unsigned long) ((y) & 31)) | \ |
| 217 | ((unsigned long) (x) << (unsigned long) (32 - ((y) & 31)))) & 0xFFFFFFFFUL) |
| 218 | #define Ch(x,y,z) (z ^ (x & (y ^ z))) |
| 219 | #define Maj(x,y,z) (((x | y) & z) | (x & y)) |
| 220 | #define S(x, n) RORc((x), (n)) |
| 221 | #define R(x, n) (((x)&0xFFFFFFFFUL)>>(n)) |
| 222 | #define Sigma0(x) (S(x, 2) ^ S(x, 13) ^ S(x, 22)) |
| 223 | #define Sigma1(x) (S(x, 6) ^ S(x, 11) ^ S(x, 25)) |
| 224 | #define Gamma0(x) (S(x, 7) ^ S(x, 18) ^ R(x, 3)) |
| 225 | #define Gamma1(x) (S(x, 17) ^ S(x, 19) ^ R(x, 10)) |
| 226 | #ifndef MIN |
| 227 | #define MIN(x, y) (((x) < (y)) ? (x) : (y)) |
| 228 | #endif |
| 229 | |
| 230 | /* compress 512-bits */ |
| 231 | static int sha256_compress(struct sha256_state *md, unsigned char *buf) |
| 232 | { |
| 233 | u32 S[8], W[64], t0, t1; |
| 234 | u32 t; |
| 235 | int i; |
| 236 | |
| 237 | /* copy state into S */ |
| 238 | for (i = 0; i < 8; i++) { |
| 239 | S[i] = md->state[i]; |
| 240 | } |
| 241 | |
| 242 | /* copy the state into 512-bits into W[0..15] */ |
| 243 | for (i = 0; i < 16; i++) |
| 244 | W[i] = WPA_GET_BE32(buf + (4 * i)); |
| 245 | |
| 246 | /* fill W[16..63] */ |
| 247 | for (i = 16; i < 64; i++) { |
| 248 | W[i] = Gamma1(W[i - 2]) + W[i - 7] + Gamma0(W[i - 15]) + |
| 249 | W[i - 16]; |
| 250 | } |
| 251 | |
| 252 | /* Compress */ |
| 253 | #define RND(a,b,c,d,e,f,g,h,i) \ |
| 254 | t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \ |
| 255 | t1 = Sigma0(a) + Maj(a, b, c); \ |
| 256 | d += t0; \ |
| 257 | h = t0 + t1; |
| 258 | |
| 259 | for (i = 0; i < 64; ++i) { |
| 260 | RND(S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i); |
| 261 | t = S[7]; S[7] = S[6]; S[6] = S[5]; S[5] = S[4]; |
| 262 | S[4] = S[3]; S[3] = S[2]; S[2] = S[1]; S[1] = S[0]; S[0] = t; |
| 263 | } |
| 264 | |
| 265 | /* feedback */ |
| 266 | for (i = 0; i < 8; i++) { |
| 267 | md->state[i] = md->state[i] + S[i]; |
| 268 | } |
| 269 | return 0; |
| 270 | } |
| 271 | |
| 272 | |
| 273 | /* Initialize the hash state */ |
| 274 | static void sha256_init(struct sha256_state *md) |
| 275 | { |
| 276 | md->curlen = 0; |
| 277 | md->length = 0; |
| 278 | md->state[0] = 0x6A09E667UL; |
| 279 | md->state[1] = 0xBB67AE85UL; |
| 280 | md->state[2] = 0x3C6EF372UL; |
| 281 | md->state[3] = 0xA54FF53AUL; |
| 282 | md->state[4] = 0x510E527FUL; |
| 283 | md->state[5] = 0x9B05688CUL; |
| 284 | md->state[6] = 0x1F83D9ABUL; |
| 285 | md->state[7] = 0x5BE0CD19UL; |
| 286 | } |
| 287 | |
| 288 | /** |
| 289 | Process a block of memory though the hash |
| 290 | @param md The hash state |
| 291 | @param in The data to hash |
| 292 | @param inlen The length of the data (octets) |
| 293 | @return CRYPT_OK if successful |
| 294 | */ |
| 295 | static int sha256_process(struct sha256_state *md, const unsigned char *in, |
| 296 | unsigned long inlen) |
| 297 | { |
| 298 | unsigned long n; |
| 299 | #define block_size 64 |
| 300 | |
| 301 | if (md->curlen > sizeof(md->buf)) |
| 302 | return -1; |
| 303 | |
| 304 | while (inlen > 0) { |
| 305 | if (md->curlen == 0 && inlen >= block_size) { |
| 306 | if (sha256_compress(md, (unsigned char *) in) < 0) |
| 307 | return -1; |
| 308 | md->length += block_size * 8; |
| 309 | in += block_size; |
| 310 | inlen -= block_size; |
| 311 | } else { |
| 312 | n = MIN(inlen, (block_size - md->curlen)); |
| 313 | memcpy(md->buf + md->curlen, in, n); |
| 314 | md->curlen += n; |
| 315 | in += n; |
| 316 | inlen -= n; |
| 317 | if (md->curlen == block_size) { |
| 318 | if (sha256_compress(md, md->buf) < 0) |
| 319 | return -1; |
| 320 | md->length += 8 * block_size; |
| 321 | md->curlen = 0; |
| 322 | } |
| 323 | } |
| 324 | } |
| 325 | |
| 326 | return 0; |
| 327 | } |
| 328 | |
| 329 | |
| 330 | /** |
| 331 | Terminate the hash to get the digest |
| 332 | @param md The hash state |
| 333 | @param out [out] The destination of the hash (32 bytes) |
| 334 | @return CRYPT_OK if successful |
| 335 | */ |
| 336 | static int sha256_done(struct sha256_state *md, unsigned char *out) |
| 337 | { |
| 338 | int i; |
| 339 | |
| 340 | if (md->curlen >= sizeof(md->buf)) |
| 341 | return -1; |
| 342 | |
| 343 | /* increase the length of the message */ |
| 344 | md->length += md->curlen * 8; |
| 345 | |
| 346 | /* append the '1' bit */ |
| 347 | md->buf[md->curlen++] = (unsigned char) 0x80; |
| 348 | |
| 349 | /* if the length is currently above 56 bytes we append zeros |
| 350 | * then compress. Then we can fall back to padding zeros and length |
| 351 | * encoding like normal. |
| 352 | */ |
| 353 | if (md->curlen > 56) { |
| 354 | while (md->curlen < 64) { |
| 355 | md->buf[md->curlen++] = (unsigned char) 0; |
| 356 | } |
| 357 | sha256_compress(md, md->buf); |
| 358 | md->curlen = 0; |
| 359 | } |
| 360 | |
| 361 | /* pad upto 56 bytes of zeroes */ |
| 362 | while (md->curlen < 56) { |
| 363 | md->buf[md->curlen++] = (unsigned char) 0; |
| 364 | } |
| 365 | |
| 366 | /* store length */ |
| 367 | WPA_PUT_BE64(md->buf + 56, md->length); |
| 368 | sha256_compress(md, md->buf); |
| 369 | |
| 370 | /* copy output */ |
| 371 | for (i = 0; i < 8; i++) |
| 372 | WPA_PUT_BE32(out + (4 * i), md->state[i]); |
| 373 | |
| 374 | return 0; |
| 375 | } |
| 376 | |
| 377 | /* ===== end - public domain SHA256 implementation ===== */ |
| 378 | |
| 379 | #endif /* INTERNAL_SHA256 */ |