Eric | c3fa007 | 2021-05-19 17:45:38 +0200 | [diff] [blame] | 1 | /* |
| 2 | * SHA1 hash implementation and interface functions |
| 3 | * Copyright (c) 2003-2005, Jouni Malinen <j@w1.fi> |
| 4 | * |
| 5 | * This program is free software; you can redistribute it and/or modify |
| 6 | * it under the terms of the GNU General Public License version 2 as |
| 7 | * published by the Free Software Foundation. |
| 8 | * |
| 9 | * Alternatively, this software may be distributed under the terms of BSD |
| 10 | * license. |
| 11 | * |
| 12 | * See README and COPYING for more details. |
| 13 | */ |
| 14 | |
| 15 | |
| 16 | #include "common.h" |
| 17 | #include "sha1.h" |
| 18 | #include "crypto.h" |
| 19 | |
| 20 | |
| 21 | /** |
| 22 | * hmac_sha1_vector - HMAC-SHA1 over data vector (RFC 2104) |
| 23 | * @key: Key for HMAC operations |
| 24 | * @key_len: Length of the key in bytes |
| 25 | * @num_elem: Number of elements in the data vector |
| 26 | * @addr: Pointers to the data areas |
| 27 | * @len: Lengths of the data blocks |
| 28 | * @mac: Buffer for the hash (20 bytes) |
| 29 | * Returns: 0 on success, -1 on failure |
| 30 | */ |
| 31 | int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem, |
| 32 | const u8 *addr[], const size_t *len, u8 *mac) |
| 33 | { |
| 34 | unsigned char k_pad[64]; /* padding - key XORd with ipad/opad */ |
| 35 | unsigned char tk[20]; |
| 36 | const u8 *_addr[6]; |
| 37 | size_t _len[6], i; |
| 38 | |
| 39 | if (num_elem > 5) { |
| 40 | /* |
| 41 | * Fixed limit on the number of fragments to avoid having to |
| 42 | * allocate memory (which could fail). |
| 43 | */ |
| 44 | return -1; |
| 45 | } |
| 46 | |
| 47 | /* if key is longer than 64 bytes reset it to key = SHA1(key) */ |
| 48 | if (key_len > 64) { |
| 49 | if (sha1_vector(1, &key, &key_len, tk)) |
| 50 | return -1; |
| 51 | key = tk; |
| 52 | key_len = 20; |
| 53 | } |
| 54 | |
| 55 | /* the HMAC_SHA1 transform looks like: |
| 56 | * |
| 57 | * SHA1(K XOR opad, SHA1(K XOR ipad, text)) |
| 58 | * |
| 59 | * where K is an n byte key |
| 60 | * ipad is the byte 0x36 repeated 64 times |
| 61 | * opad is the byte 0x5c repeated 64 times |
| 62 | * and text is the data being protected */ |
| 63 | |
| 64 | /* start out by storing key in ipad */ |
| 65 | os_memset(k_pad, 0, sizeof(k_pad)); |
| 66 | os_memcpy(k_pad, key, key_len); |
| 67 | /* XOR key with ipad values */ |
| 68 | for (i = 0; i < 64; i++) |
| 69 | k_pad[i] ^= 0x36; |
| 70 | |
| 71 | /* perform inner SHA1 */ |
| 72 | _addr[0] = k_pad; |
| 73 | _len[0] = 64; |
| 74 | for (i = 0; i < num_elem; i++) { |
| 75 | _addr[i + 1] = addr[i]; |
| 76 | _len[i + 1] = len[i]; |
| 77 | } |
| 78 | if (sha1_vector(1 + num_elem, _addr, _len, mac)) |
| 79 | return -1; |
| 80 | |
| 81 | os_memset(k_pad, 0, sizeof(k_pad)); |
| 82 | os_memcpy(k_pad, key, key_len); |
| 83 | /* XOR key with opad values */ |
| 84 | for (i = 0; i < 64; i++) |
| 85 | k_pad[i] ^= 0x5c; |
| 86 | |
| 87 | /* perform outer SHA1 */ |
| 88 | _addr[0] = k_pad; |
| 89 | _len[0] = 64; |
| 90 | _addr[1] = mac; |
| 91 | _len[1] = SHA1_MAC_LEN; |
| 92 | return sha1_vector(2, _addr, _len, mac); |
| 93 | } |
| 94 | |
| 95 | |
| 96 | /** |
| 97 | * hmac_sha1 - HMAC-SHA1 over data buffer (RFC 2104) |
| 98 | * @key: Key for HMAC operations |
| 99 | * @key_len: Length of the key in bytes |
| 100 | * @data: Pointers to the data area |
| 101 | * @data_len: Length of the data area |
| 102 | * @mac: Buffer for the hash (20 bytes) |
| 103 | * Returns: 0 on success, -1 of failure |
| 104 | */ |
| 105 | int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len, |
| 106 | u8 *mac) |
| 107 | { |
| 108 | return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac); |
| 109 | } |
| 110 | |
| 111 | |
| 112 | /** |
| 113 | * sha1_prf - SHA1-based Pseudo-Random Function (PRF) (IEEE 802.11i, 8.5.1.1) |
| 114 | * @key: Key for PRF |
| 115 | * @key_len: Length of the key in bytes |
| 116 | * @label: A unique label for each purpose of the PRF |
| 117 | * @data: Extra data to bind into the key |
| 118 | * @data_len: Length of the data |
| 119 | * @buf: Buffer for the generated pseudo-random key |
| 120 | * @buf_len: Number of bytes of key to generate |
| 121 | * Returns: 0 on success, -1 of failure |
| 122 | * |
| 123 | * This function is used to derive new, cryptographically separate keys from a |
| 124 | * given key (e.g., PMK in IEEE 802.11i). |
| 125 | */ |
| 126 | int sha1_prf(const u8 *key, size_t key_len, const char *label, |
| 127 | const u8 *data, size_t data_len, u8 *buf, size_t buf_len) |
| 128 | { |
| 129 | u8 counter = 0; |
| 130 | size_t pos, plen; |
| 131 | u8 hash[SHA1_MAC_LEN]; |
| 132 | size_t label_len = os_strlen(label) + 1; |
| 133 | const unsigned char *addr[3]; |
| 134 | size_t len[3]; |
| 135 | |
| 136 | addr[0] = (u8 *) label; |
| 137 | len[0] = label_len; |
| 138 | addr[1] = data; |
| 139 | len[1] = data_len; |
| 140 | addr[2] = &counter; |
| 141 | len[2] = 1; |
| 142 | |
| 143 | pos = 0; |
| 144 | while (pos < buf_len) { |
| 145 | plen = buf_len - pos; |
| 146 | if (plen >= SHA1_MAC_LEN) { |
| 147 | if (hmac_sha1_vector(key, key_len, 3, addr, len, |
| 148 | &buf[pos])) |
| 149 | return -1; |
| 150 | pos += SHA1_MAC_LEN; |
| 151 | } else { |
| 152 | if (hmac_sha1_vector(key, key_len, 3, addr, len, |
| 153 | hash)) |
| 154 | return -1; |
| 155 | os_memcpy(&buf[pos], hash, plen); |
| 156 | break; |
| 157 | } |
| 158 | counter++; |
| 159 | } |
| 160 | |
| 161 | return 0; |
| 162 | } |