xref: /freebsd/contrib/wpa/src/crypto/sha1.c (revision e28a4053b110e06768631ac8401ed4a3c05e68a5) 
1 /*
2  * SHA1 hash implementation and interface functions
3  * Copyright (c) 2003-2005, Jouni Malinen <j@w1.fi>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2 as
7  * published by the Free Software Foundation.
8  *
9  * Alternatively, this software may be distributed under the terms of BSD
10  * license.
11  *
12  * See README and COPYING for more details.
13  */
14 
15 #include "includes.h"
16 
17 #include "common.h"
18 #include "sha1.h"
19 #include "crypto.h"
20 
21 
22 /**
23  * hmac_sha1_vector - HMAC-SHA1 over data vector (RFC 2104)
24  * @key: Key for HMAC operations
25  * @key_len: Length of the key in bytes
26  * @num_elem: Number of elements in the data vector
27  * @addr: Pointers to the data areas
28  * @len: Lengths of the data blocks
29  * @mac: Buffer for the hash (20 bytes)
30  * Returns: 0 on success, -1 on failure
31  */
32 int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem,
33 		     const u8 *addr[], const size_t *len, u8 *mac)
34 {
35 	unsigned char k_pad[64]; /* padding - key XORd with ipad/opad */
36 	unsigned char tk[20];
37 	const u8 *_addr[6];
38 	size_t _len[6], i;
39 
40 	if (num_elem > 5) {
41 		/*
42 		 * Fixed limit on the number of fragments to avoid having to
43 		 * allocate memory (which could fail).
44 		 */
45 		return -1;
46 	}
47 
48         /* if key is longer than 64 bytes reset it to key = SHA1(key) */
49         if (key_len > 64) {
50 		if (sha1_vector(1, &key, &key_len, tk))
51 			return -1;
52 		key = tk;
53 		key_len = 20;
54         }
55 
56 	/* the HMAC_SHA1 transform looks like:
57 	 *
58 	 * SHA1(K XOR opad, SHA1(K XOR ipad, text))
59 	 *
60 	 * where K is an n byte key
61 	 * ipad is the byte 0x36 repeated 64 times
62 	 * opad is the byte 0x5c repeated 64 times
63 	 * and text is the data being protected */
64 
65 	/* start out by storing key in ipad */
66 	os_memset(k_pad, 0, sizeof(k_pad));
67 	os_memcpy(k_pad, key, key_len);
68 	/* XOR key with ipad values */
69 	for (i = 0; i < 64; i++)
70 		k_pad[i] ^= 0x36;
71 
72 	/* perform inner SHA1 */
73 	_addr[0] = k_pad;
74 	_len[0] = 64;
75 	for (i = 0; i < num_elem; i++) {
76 		_addr[i + 1] = addr[i];
77 		_len[i + 1] = len[i];
78 	}
79 	if (sha1_vector(1 + num_elem, _addr, _len, mac))
80 		return -1;
81 
82 	os_memset(k_pad, 0, sizeof(k_pad));
83 	os_memcpy(k_pad, key, key_len);
84 	/* XOR key with opad values */
85 	for (i = 0; i < 64; i++)
86 		k_pad[i] ^= 0x5c;
87 
88 	/* perform outer SHA1 */
89 	_addr[0] = k_pad;
90 	_len[0] = 64;
91 	_addr[1] = mac;
92 	_len[1] = SHA1_MAC_LEN;
93 	return sha1_vector(2, _addr, _len, mac);
94 }
95 
96 
97 /**
98  * hmac_sha1 - HMAC-SHA1 over data buffer (RFC 2104)
99  * @key: Key for HMAC operations
100  * @key_len: Length of the key in bytes
101  * @data: Pointers to the data area
102  * @data_len: Length of the data area
103  * @mac: Buffer for the hash (20 bytes)
104  * Returns: 0 on success, -1 of failure
105  */
106 int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
107 	       u8 *mac)
108 {
109 	return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac);
110 }
111 
112 
113 /**
114  * sha1_prf - SHA1-based Pseudo-Random Function (PRF) (IEEE 802.11i, 8.5.1.1)
115  * @key: Key for PRF
116  * @key_len: Length of the key in bytes
117  * @label: A unique label for each purpose of the PRF
118  * @data: Extra data to bind into the key
119  * @data_len: Length of the data
120  * @buf: Buffer for the generated pseudo-random key
121  * @buf_len: Number of bytes of key to generate
122  * Returns: 0 on success, -1 of failure
123  *
124  * This function is used to derive new, cryptographically separate keys from a
125  * given key (e.g., PMK in IEEE 802.11i).
126  */
127 int sha1_prf(const u8 *key, size_t key_len, const char *label,
128 	     const u8 *data, size_t data_len, u8 *buf, size_t buf_len)
129 {
130 	u8 counter = 0;
131 	size_t pos, plen;
132 	u8 hash[SHA1_MAC_LEN];
133 	size_t label_len = os_strlen(label) + 1;
134 	const unsigned char *addr[3];
135 	size_t len[3];
136 
137 	addr[0] = (u8 *) label;
138 	len[0] = label_len;
139 	addr[1] = data;
140 	len[1] = data_len;
141 	addr[2] = &counter;
142 	len[2] = 1;
143 
144 	pos = 0;
145 	while (pos < buf_len) {
146 		plen = buf_len - pos;
147 		if (plen >= SHA1_MAC_LEN) {
148 			if (hmac_sha1_vector(key, key_len, 3, addr, len,
149 					     &buf[pos]))
150 				return -1;
151 			pos += SHA1_MAC_LEN;
152 		} else {
153 			if (hmac_sha1_vector(key, key_len, 3, addr, len,
154 					     hash))
155 				return -1;
156 			os_memcpy(&buf[pos], hash, plen);
157 			break;
158 		}
159 		counter++;
160 	}
161 
162 	return 0;
163 }
164