iPXE
sha1extra.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>.
3  *
4  * This program is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU General Public License as
6  * published by the Free Software Foundation; either version 2 of the
7  * License, or any later version.
8  *
9  * This program is distributed in the hope that it will be useful, but
10  * WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12  * General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17  * 02110-1301, USA.
18  */
19 
20 FILE_LICENCE ( GPL2_OR_LATER );
21 
22 #include <string.h>
23 #include <ipxe/crypto.h>
24 #include <ipxe/sha1.h>
25 #include <ipxe/hmac.h>
26 #include <stdint.h>
27 #include <byteswap.h>
28 
29 /**
30  * SHA1 pseudorandom function for creating derived keys
31  *
32  * @v key Master key with which this call is associated
33  * @v key_len Length of key
34  * @v label NUL-terminated ASCII string describing purpose of PRF data
35  * @v data Further data that should be included in the PRF
36  * @v data_len Length of further PRF data
37  * @v prf_len Bytes of PRF to generate
38  * @ret prf Pseudorandom function bytes
39  *
40  * This is the PRF variant used by 802.11, defined in IEEE 802.11-2007
41  * 8.5.5.1. EAP-FAST uses a different SHA1-based PRF, and TLS uses an
42  * MD5-based PRF.
43  */
44 void prf_sha1 ( const void *key, size_t key_len, const char *label,
45  const void *data, size_t data_len, void *prf, size_t prf_len )
46 {
47  u32 blk;
48  u8 keym[key_len]; /* modifiable copy of key */
49  u8 in[strlen ( label ) + 1 + data_len + 1]; /* message to HMAC */
50  u8 *in_blknr; /* pointer to last byte of in, block number */
51  u8 out[SHA1_DIGEST_SIZE]; /* HMAC-SHA1 result */
52  u8 ctx[SHA1_CTX_SIZE + SHA1_BLOCK_SIZE]; /* HMAC-SHA1 context */
53  const size_t label_len = strlen ( label );
54 
55  /* The HMAC-SHA-1 is calculated using the given key on the
56  message text `label', followed by a NUL, followed by one
57  byte indicating the block number (0 for first). */
58 
59  memcpy ( keym, key, key_len );
60 
61  memcpy ( in, label, strlen ( label ) + 1 );
62  memcpy ( in + label_len + 1, data, data_len );
63  in_blknr = in + label_len + 1 + data_len;
64 
65  for ( blk = 0 ;; blk++ ) {
66  *in_blknr = blk;
67 
68  hmac_init ( &sha1_algorithm, ctx, keym, key_len );
69  hmac_update ( &sha1_algorithm, ctx, in, sizeof ( in ) );
71 
72  if ( prf_len <= sizeof ( out ) ) {
73  memcpy ( prf, out, prf_len );
74  break;
75  }
76 
77  memcpy ( prf, out, sizeof ( out ) );
78  prf_len -= sizeof ( out );
79  prf += sizeof ( out );
80  }
81 }
82 
83 /**
84  * PBKDF2 key derivation function inner block operation
85  *
86  * @v passphrase Passphrase from which to derive key
87  * @v pass_len Length of passphrase
88  * @v salt Salt to include in key
89  * @v salt_len Length of salt
90  * @v iterations Number of iterations of SHA1 to perform
91  * @v blocknr Index of this block, starting at 1
92  * @ret block SHA1_SIZE bytes of PBKDF2 data
93  *
94  * The operation of this function is described in RFC 2898.
95  */
96 static void pbkdf2_sha1_f ( const void *passphrase, size_t pass_len,
97  const void *salt, size_t salt_len,
98  int iterations, u32 blocknr, u8 *block )
99 {
100  u8 pass[pass_len]; /* modifiable passphrase */
101  u8 in[salt_len + 4]; /* input buffer to first round */
102  u8 last[SHA1_DIGEST_SIZE]; /* output of round N, input of N+1 */
104  u8 *next_in = in; /* changed to `last' after first round */
105  int next_size = sizeof ( in );
106  int i;
107  unsigned int j;
108 
109  blocknr = htonl ( blocknr );
110 
111  memcpy ( pass, passphrase, pass_len );
112  memcpy ( in, salt, salt_len );
113  memcpy ( in + salt_len, &blocknr, 4 );
114  memset ( block, 0, sizeof ( last ) );
115 
116  for ( i = 0; i < iterations; i++ ) {
117  hmac_init ( &sha1_algorithm, ctx, pass, pass_len );
118  hmac_update ( &sha1_algorithm, ctx, next_in, next_size );
119  hmac_final ( &sha1_algorithm, ctx, last );
120 
121  for ( j = 0; j < sizeof ( last ); j++ ) {
122  block[j] ^= last[j];
123  }
124 
125  next_in = last;
126  next_size = sizeof ( last );
127  }
128 }
129 
130 /**
131  * PBKDF2 key derivation function using SHA1
132  *
133  * @v passphrase Passphrase from which to derive key
134  * @v pass_len Length of passphrase
135  * @v salt Salt to include in key
136  * @v salt_len Length of salt
137  * @v iterations Number of iterations of SHA1 to perform
138  * @v key_len Length of key to generate
139  * @ret key Generated key bytes
140  *
141  * This is used most notably in 802.11 WPA passphrase hashing, in
142  * which case the salt is the SSID, 4096 iterations are used, and a
143  * 32-byte key is generated that serves as the Pairwise Master Key for
144  * EAPOL authentication.
145  *
146  * The operation of this function is further described in RFC 2898.
147  */
148 void pbkdf2_sha1 ( const void *passphrase, size_t pass_len,
149  const void *salt, size_t salt_len,
150  int iterations, void *key, size_t key_len )
151 {
152  u32 blocks = ( key_len + SHA1_DIGEST_SIZE - 1 ) / SHA1_DIGEST_SIZE;
153  u32 blk;
154  u8 buf[SHA1_DIGEST_SIZE];
155 
156  for ( blk = 1; blk <= blocks; blk++ ) {
157  pbkdf2_sha1_f ( passphrase, pass_len, salt, salt_len,
158  iterations, blk, buf );
159  if ( key_len <= sizeof ( buf ) ) {
160  memcpy ( key, buf, key_len );
161  break;
162  }
163 
164  memcpy ( key, buf, sizeof ( buf ) );
165  key_len -= sizeof ( buf );
166  key += sizeof ( buf );
167  }
168 }
void hmac_init(struct digest_algorithm *digest, void *ctx, const void *key, size_t key_len)
Initialise HMAC.
Definition: hmac.c:57
A text label widget.
Definition: label.h:16
#define SHA1_BLOCK_SIZE
Definition: Tpm20.h:26
__be32 in[4]
Definition: CIB_PRM.h:35
static void pbkdf2_sha1_f(const void *passphrase, size_t pass_len, const void *salt, size_t salt_len, int iterations, u32 blocknr, u8 *block)
PBKDF2 key derivation function inner block operation.
Definition: sha1extra.c:96
Cryptographic API.
uint32_t data_len
Microcode data size (or 0 to indicate 2000 bytes)
Definition: ucode.h:26
struct golan_eq_context ctx
Definition: CIB_PRM.h:28
FILE_LICENCE(GPL2_OR_LATER)
#define htonl(value)
Definition: byteswap.h:133
void * memcpy(void *dest, const void *src, size_t len) __nonnull
Keyed-Hashing for Message Authentication.
__be32 out[4]
Definition: CIB_PRM.h:36
void pbkdf2_sha1(const void *passphrase, size_t pass_len, const void *salt, size_t salt_len, int iterations, void *key, size_t key_len)
PBKDF2 key derivation function using SHA1.
Definition: sha1extra.c:148
static void hmac_update(struct digest_algorithm *digest, void *ctx, const void *data, size_t len)
Update HMAC.
Definition: hmac.h:42
size_t strlen(const char *src)
Get length of string.
Definition: string.c:243
void prf_sha1(const void *key, size_t key_len, const char *label, const void *data, size_t data_len, void *prf, size_t prf_len)
SHA1 pseudorandom function for creating derived keys.
Definition: sha1extra.c:44
#define SHA1_DIGEST_SIZE
Definition: Tpm20.h:25
uint8_t block[3][8]
DES-encrypted blocks.
Definition: mschapv2.h:12
SHA-1 algorithm.
#define SHA1_CTX_SIZE
SHA-1 context size.
Definition: sha1.h:66
uint8_t data[48]
Additional event data.
Definition: ena.h:22
void hmac_final(struct digest_algorithm *digest, void *ctx, void *hmac)
Finalise HMAC.
Definition: hmac.c:87
String functions.
uint8_t u8
Definition: stdint.h:19
union @383 key
Sense key.
Definition: scsi.h:18
uint32_t u32
Definition: stdint.h:23
struct digest_algorithm sha1_algorithm
SHA-1 algorithm.
Definition: sha1.c:257
void * memset(void *dest, int character, size_t len) __nonnull