iPXE
sha1extra.c
Go to the documentation of this file.
00001 /*
00002  * Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>.
00003  *
00004  * This program is free software; you can redistribute it and/or
00005  * modify it under the terms of the GNU General Public License as
00006  * published by the Free Software Foundation; either version 2 of the
00007  * License, or any later version.
00008  *
00009  * This program is distributed in the hope that it will be useful, but
00010  * WITHOUT ANY WARRANTY; without even the implied warranty of
00011  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
00012  * General Public License for more details.
00013  *
00014  * You should have received a copy of the GNU General Public License
00015  * along with this program; if not, write to the Free Software
00016  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
00017  * 02110-1301, USA.
00018  */
00019 
00020 FILE_LICENCE ( GPL2_OR_LATER );
00021 
00022 #include <string.h>
00023 #include <ipxe/crypto.h>
00024 #include <ipxe/sha1.h>
00025 #include <ipxe/hmac.h>
00026 #include <stdint.h>
00027 #include <byteswap.h>
00028 
00029 /**
00030  * SHA1 pseudorandom function for creating derived keys
00031  *
00032  * @v key       Master key with which this call is associated
00033  * @v key_len   Length of key
00034  * @v label     NUL-terminated ASCII string describing purpose of PRF data
00035  * @v data      Further data that should be included in the PRF
00036  * @v data_len  Length of further PRF data
00037  * @v prf_len   Bytes of PRF to generate
00038  * @ret prf     Pseudorandom function bytes
00039  *
00040  * This is the PRF variant used by 802.11, defined in IEEE 802.11-2007
00041  * 8.5.5.1. EAP-FAST uses a different SHA1-based PRF, and TLS uses an
00042  * MD5-based PRF.
00043  */
00044 void prf_sha1 ( const void *key, size_t key_len, const char *label,
00045                 const void *data, size_t data_len, void *prf, size_t prf_len )
00046 {
00047         u32 blk;
00048         u8 keym[key_len];       /* modifiable copy of key */
00049         u8 in[strlen ( label ) + 1 + data_len + 1]; /* message to HMAC */
00050         u8 *in_blknr;           /* pointer to last byte of in, block number */
00051         u8 out[SHA1_DIGEST_SIZE]; /* HMAC-SHA1 result */
00052         u8 sha1_ctx[SHA1_CTX_SIZE]; /* SHA1 context */
00053         const size_t label_len = strlen ( label );
00054 
00055         /* The HMAC-SHA-1 is calculated using the given key on the
00056            message text `label', followed by a NUL, followed by one
00057            byte indicating the block number (0 for first). */
00058 
00059         memcpy ( keym, key, key_len );
00060 
00061         memcpy ( in, label, strlen ( label ) + 1 );
00062         memcpy ( in + label_len + 1, data, data_len );
00063         in_blknr = in + label_len + 1 + data_len;
00064 
00065         for ( blk = 0 ;; blk++ ) {
00066                 *in_blknr = blk;
00067 
00068                 hmac_init ( &sha1_algorithm, sha1_ctx, keym, &key_len );
00069                 hmac_update ( &sha1_algorithm, sha1_ctx, in, sizeof ( in ) );
00070                 hmac_final ( &sha1_algorithm, sha1_ctx, keym, &key_len, out );
00071 
00072                 if ( prf_len <= sizeof ( out ) ) {
00073                         memcpy ( prf, out, prf_len );
00074                         break;
00075                 }
00076 
00077                 memcpy ( prf, out, sizeof ( out ) );
00078                 prf_len -= sizeof ( out );
00079                 prf += sizeof ( out );
00080         }
00081 }
00082 
00083 /**
00084  * PBKDF2 key derivation function inner block operation
00085  *
00086  * @v passphrase        Passphrase from which to derive key
00087  * @v pass_len          Length of passphrase
00088  * @v salt              Salt to include in key
00089  * @v salt_len          Length of salt
00090  * @v iterations        Number of iterations of SHA1 to perform
00091  * @v blocknr           Index of this block, starting at 1
00092  * @ret block           SHA1_SIZE bytes of PBKDF2 data
00093  *
00094  * The operation of this function is described in RFC 2898.
00095  */
00096 static void pbkdf2_sha1_f ( const void *passphrase, size_t pass_len,
00097                             const void *salt, size_t salt_len,
00098                             int iterations, u32 blocknr, u8 *block )
00099 {
00100         u8 pass[pass_len];      /* modifiable passphrase */
00101         u8 in[salt_len + 4];    /* input buffer to first round */
00102         u8 last[SHA1_DIGEST_SIZE]; /* output of round N, input of N+1 */
00103         u8 sha1_ctx[SHA1_CTX_SIZE];
00104         u8 *next_in = in;       /* changed to `last' after first round */
00105         int next_size = sizeof ( in );
00106         int i;
00107         unsigned int j;
00108 
00109         blocknr = htonl ( blocknr );
00110 
00111         memcpy ( pass, passphrase, pass_len );
00112         memcpy ( in, salt, salt_len );
00113         memcpy ( in + salt_len, &blocknr, 4 );
00114         memset ( block, 0, sizeof ( last ) );
00115 
00116         for ( i = 0; i < iterations; i++ ) {
00117                 hmac_init ( &sha1_algorithm, sha1_ctx, pass, &pass_len );
00118                 hmac_update ( &sha1_algorithm, sha1_ctx, next_in, next_size );
00119                 hmac_final ( &sha1_algorithm, sha1_ctx, pass, &pass_len, last );
00120 
00121                 for ( j = 0; j < sizeof ( last ); j++ ) {
00122                         block[j] ^= last[j];
00123                 }
00124 
00125                 next_in = last;
00126                 next_size = sizeof ( last );
00127         }
00128 }
00129 
00130 /**
00131  * PBKDF2 key derivation function using SHA1
00132  *
00133  * @v passphrase        Passphrase from which to derive key
00134  * @v pass_len          Length of passphrase
00135  * @v salt              Salt to include in key
00136  * @v salt_len          Length of salt
00137  * @v iterations        Number of iterations of SHA1 to perform
00138  * @v key_len           Length of key to generate
00139  * @ret key             Generated key bytes
00140  *
00141  * This is used most notably in 802.11 WPA passphrase hashing, in
00142  * which case the salt is the SSID, 4096 iterations are used, and a
00143  * 32-byte key is generated that serves as the Pairwise Master Key for
00144  * EAPOL authentication.
00145  *
00146  * The operation of this function is further described in RFC 2898.
00147  */
00148 void pbkdf2_sha1 ( const void *passphrase, size_t pass_len,
00149                    const void *salt, size_t salt_len,
00150                    int iterations, void *key, size_t key_len )
00151 {
00152         u32 blocks = ( key_len + SHA1_DIGEST_SIZE - 1 ) / SHA1_DIGEST_SIZE;
00153         u32 blk;
00154         u8 buf[SHA1_DIGEST_SIZE];
00155 
00156         for ( blk = 1; blk <= blocks; blk++ ) {
00157                 pbkdf2_sha1_f ( passphrase, pass_len, salt, salt_len,
00158                                 iterations, blk, buf );
00159                 if ( key_len <= sizeof ( buf ) ) {
00160                         memcpy ( key, buf, key_len );
00161                         break;
00162                 }
00163 
00164                 memcpy ( key, buf, sizeof ( buf ) );
00165                 key_len -= sizeof ( buf );
00166                 key += sizeof ( buf );
00167         }
00168 }