169 lines
5.3 KiB
C
169 lines
5.3 KiB
C
/*
|
|
* Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>.
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License as
|
|
* published by the Free Software Foundation; either version 2 of the
|
|
* License, or any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
|
* 02110-1301, USA.
|
|
*/
|
|
|
|
FILE_LICENCE ( GPL2_OR_LATER );
|
|
|
|
#include <string.h>
|
|
#include <ipxe/crypto.h>
|
|
#include <ipxe/sha1.h>
|
|
#include <ipxe/hmac.h>
|
|
#include <stdint.h>
|
|
#include <byteswap.h>
|
|
|
|
/**
|
|
* SHA1 pseudorandom function for creating derived keys
|
|
*
|
|
* @v key Master key with which this call is associated
|
|
* @v key_len Length of key
|
|
* @v label NUL-terminated ASCII string describing purpose of PRF data
|
|
* @v data Further data that should be included in the PRF
|
|
* @v data_len Length of further PRF data
|
|
* @v prf_len Bytes of PRF to generate
|
|
* @ret prf Pseudorandom function bytes
|
|
*
|
|
* This is the PRF variant used by 802.11, defined in IEEE 802.11-2007
|
|
* 8.5.5.1. EAP-FAST uses a different SHA1-based PRF, and TLS uses an
|
|
* MD5-based PRF.
|
|
*/
|
|
void prf_sha1 ( const void *key, size_t key_len, const char *label,
|
|
const void *data, size_t data_len, void *prf, size_t prf_len )
|
|
{
|
|
u32 blk;
|
|
u8 keym[key_len]; /* modifiable copy of key */
|
|
u8 in[strlen ( label ) + 1 + data_len + 1]; /* message to HMAC */
|
|
u8 *in_blknr; /* pointer to last byte of in, block number */
|
|
u8 out[SHA1_DIGEST_SIZE]; /* HMAC-SHA1 result */
|
|
u8 sha1_ctx[SHA1_CTX_SIZE]; /* SHA1 context */
|
|
const size_t label_len = strlen ( label );
|
|
|
|
/* The HMAC-SHA-1 is calculated using the given key on the
|
|
message text `label', followed by a NUL, followed by one
|
|
byte indicating the block number (0 for first). */
|
|
|
|
memcpy ( keym, key, key_len );
|
|
|
|
memcpy ( in, label, strlen ( label ) + 1 );
|
|
memcpy ( in + label_len + 1, data, data_len );
|
|
in_blknr = in + label_len + 1 + data_len;
|
|
|
|
for ( blk = 0 ;; blk++ ) {
|
|
*in_blknr = blk;
|
|
|
|
hmac_init ( &sha1_algorithm, sha1_ctx, keym, &key_len );
|
|
hmac_update ( &sha1_algorithm, sha1_ctx, in, sizeof ( in ) );
|
|
hmac_final ( &sha1_algorithm, sha1_ctx, keym, &key_len, out );
|
|
|
|
if ( prf_len <= sizeof ( out ) ) {
|
|
memcpy ( prf, out, prf_len );
|
|
break;
|
|
}
|
|
|
|
memcpy ( prf, out, sizeof ( out ) );
|
|
prf_len -= sizeof ( out );
|
|
prf += sizeof ( out );
|
|
}
|
|
}
|
|
|
|
/**
|
|
* PBKDF2 key derivation function inner block operation
|
|
*
|
|
* @v passphrase Passphrase from which to derive key
|
|
* @v pass_len Length of passphrase
|
|
* @v salt Salt to include in key
|
|
* @v salt_len Length of salt
|
|
* @v iterations Number of iterations of SHA1 to perform
|
|
* @v blocknr Index of this block, starting at 1
|
|
* @ret block SHA1_SIZE bytes of PBKDF2 data
|
|
*
|
|
* The operation of this function is described in RFC 2898.
|
|
*/
|
|
static void pbkdf2_sha1_f ( const void *passphrase, size_t pass_len,
|
|
const void *salt, size_t salt_len,
|
|
int iterations, u32 blocknr, u8 *block )
|
|
{
|
|
u8 pass[pass_len]; /* modifiable passphrase */
|
|
u8 in[salt_len + 4]; /* input buffer to first round */
|
|
u8 last[SHA1_DIGEST_SIZE]; /* output of round N, input of N+1 */
|
|
u8 sha1_ctx[SHA1_CTX_SIZE];
|
|
u8 *next_in = in; /* changed to `last' after first round */
|
|
int next_size = sizeof ( in );
|
|
int i;
|
|
unsigned int j;
|
|
|
|
blocknr = htonl ( blocknr );
|
|
|
|
memcpy ( pass, passphrase, pass_len );
|
|
memcpy ( in, salt, salt_len );
|
|
memcpy ( in + salt_len, &blocknr, 4 );
|
|
memset ( block, 0, sizeof ( last ) );
|
|
|
|
for ( i = 0; i < iterations; i++ ) {
|
|
hmac_init ( &sha1_algorithm, sha1_ctx, pass, &pass_len );
|
|
hmac_update ( &sha1_algorithm, sha1_ctx, next_in, next_size );
|
|
hmac_final ( &sha1_algorithm, sha1_ctx, pass, &pass_len, last );
|
|
|
|
for ( j = 0; j < sizeof ( last ); j++ ) {
|
|
block[j] ^= last[j];
|
|
}
|
|
|
|
next_in = last;
|
|
next_size = sizeof ( last );
|
|
}
|
|
}
|
|
|
|
/**
|
|
* PBKDF2 key derivation function using SHA1
|
|
*
|
|
* @v passphrase Passphrase from which to derive key
|
|
* @v pass_len Length of passphrase
|
|
* @v salt Salt to include in key
|
|
* @v salt_len Length of salt
|
|
* @v iterations Number of iterations of SHA1 to perform
|
|
* @v key_len Length of key to generate
|
|
* @ret key Generated key bytes
|
|
*
|
|
* This is used most notably in 802.11 WPA passphrase hashing, in
|
|
* which case the salt is the SSID, 4096 iterations are used, and a
|
|
* 32-byte key is generated that serves as the Pairwise Master Key for
|
|
* EAPOL authentication.
|
|
*
|
|
* The operation of this function is further described in RFC 2898.
|
|
*/
|
|
void pbkdf2_sha1 ( const void *passphrase, size_t pass_len,
|
|
const void *salt, size_t salt_len,
|
|
int iterations, void *key, size_t key_len )
|
|
{
|
|
u32 blocks = ( key_len + SHA1_DIGEST_SIZE - 1 ) / SHA1_DIGEST_SIZE;
|
|
u32 blk;
|
|
u8 buf[SHA1_DIGEST_SIZE];
|
|
|
|
for ( blk = 1; blk <= blocks; blk++ ) {
|
|
pbkdf2_sha1_f ( passphrase, pass_len, salt, salt_len,
|
|
iterations, blk, buf );
|
|
if ( key_len <= sizeof ( buf ) ) {
|
|
memcpy ( key, buf, key_len );
|
|
break;
|
|
}
|
|
|
|
memcpy ( key, buf, sizeof ( buf ) );
|
|
key_len -= sizeof ( buf );
|
|
key += sizeof ( buf );
|
|
}
|
|
}
|