xref: /freebsd/contrib/wpa/src/crypto/fips_prf_openssl.c (revision 87b759f0fa1f7554d50ce640c40138512bbded44) 
1 /*
2  * FIPS 186-2 PRF for libcrypto
3  * Copyright (c) 2004-2005, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 #include <openssl/opensslv.h>
11 
12 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
13 
14 /* OpenSSL 3.0 has deprecated the low-level SHA1 functions and does not
15  * include an upper layer interface that could be used to use the
16  * SHA1_Transform() function. Use the internal SHA-1 implementation instead
17  * as a workaround. */
18 #include "sha1-internal.c"
19 #include "fips_prf_internal.c"
20 
21 #else /* OpenSSL version >= 3.0 */
22 
23 #include <openssl/sha.h>
24 
25 #include "common.h"
26 #include "crypto.h"
27 
28 
29 static void sha1_transform(u32 *state, const u8 data[64])
30 {
31 	SHA_CTX context;
32 	os_memset(&context, 0, sizeof(context));
33 #if defined(OPENSSL_IS_BORINGSSL) && !defined(ANDROID)
34 	context.h[0] = state[0];
35 	context.h[1] = state[1];
36 	context.h[2] = state[2];
37 	context.h[3] = state[3];
38 	context.h[4] = state[4];
39 	SHA1_Transform(&context, data);
40 	state[0] = context.h[0];
41 	state[1] = context.h[1];
42 	state[2] = context.h[2];
43 	state[3] = context.h[3];
44 	state[4] = context.h[4];
45 #else
46 	context.h0 = state[0];
47 	context.h1 = state[1];
48 	context.h2 = state[2];
49 	context.h3 = state[3];
50 	context.h4 = state[4];
51 	SHA1_Transform(&context, data);
52 	state[0] = context.h0;
53 	state[1] = context.h1;
54 	state[2] = context.h2;
55 	state[3] = context.h3;
56 	state[4] = context.h4;
57 #endif
58 }
59 
60 
61 int fips186_2_prf(const u8 *seed, size_t seed_len, u8 *x, size_t xlen)
62 {
63 	u8 xkey[64];
64 	u32 t[5], _t[5];
65 	int i, j, m, k;
66 	u8 *xpos = x;
67 	u32 carry;
68 
69 	if (seed_len < sizeof(xkey))
70 		os_memset(xkey + seed_len, 0, sizeof(xkey) - seed_len);
71 	else
72 		seed_len = sizeof(xkey);
73 
74 	/* FIPS 186-2 + change notice 1 */
75 
76 	os_memcpy(xkey, seed, seed_len);
77 	t[0] = 0x67452301;
78 	t[1] = 0xEFCDAB89;
79 	t[2] = 0x98BADCFE;
80 	t[3] = 0x10325476;
81 	t[4] = 0xC3D2E1F0;
82 
83 	m = xlen / 40;
84 	for (j = 0; j < m; j++) {
85 		/* XSEED_j = 0 */
86 		for (i = 0; i < 2; i++) {
87 			/* XVAL = (XKEY + XSEED_j) mod 2^b */
88 
89 			/* w_i = G(t, XVAL) */
90 			os_memcpy(_t, t, 20);
91 			sha1_transform(_t, xkey);
92 			WPA_PUT_BE32(xpos, _t[0]);
93 			WPA_PUT_BE32(xpos + 4, _t[1]);
94 			WPA_PUT_BE32(xpos + 8, _t[2]);
95 			WPA_PUT_BE32(xpos + 12, _t[3]);
96 			WPA_PUT_BE32(xpos + 16, _t[4]);
97 
98 			/* XKEY = (1 + XKEY + w_i) mod 2^b */
99 			carry = 1;
100 			for (k = 19; k >= 0; k--) {
101 				carry += xkey[k] + xpos[k];
102 				xkey[k] = carry & 0xff;
103 				carry >>= 8;
104 			}
105 
106 			xpos += 20;
107 		}
108 		/* x_j = w_0|w_1 */
109 	}
110 
111 	return 0;
112 }
113 
114 #endif /* OpenSSL version >= 3.0 */
115