xref: /freebsd/contrib/wpa/src/crypto/sha256.c (revision 7d99ab9fd0cc2c1ce2ecef0ed6d0672c2a50b0cb) 
1 /*
2  * SHA-256 hash implementation and interface functions
3  * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2 as
7  * published by the Free Software Foundation.
8  *
9  * Alternatively, this software may be distributed under the terms of BSD
10  * license.
11  *
12  * See README and COPYING for more details.
13  */
14 
15 #include "includes.h"
16 
17 #include "common.h"
18 #include "sha256.h"
19 #include "crypto.h"
20 
21 
22 /**
23  * hmac_sha256_vector - HMAC-SHA256 over data vector (RFC 2104)
24  * @key: Key for HMAC operations
25  * @key_len: Length of the key in bytes
26  * @num_elem: Number of elements in the data vector
27  * @addr: Pointers to the data areas
28  * @len: Lengths of the data blocks
29  * @mac: Buffer for the hash (32 bytes)
30  */
31 void hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem,
32 			const u8 *addr[], const size_t *len, u8 *mac)
33 {
34 	unsigned char k_pad[64]; /* padding - key XORd with ipad/opad */
35 	unsigned char tk[32];
36 	const u8 *_addr[6];
37 	size_t _len[6], i;
38 
39 	if (num_elem > 5) {
40 		/*
41 		 * Fixed limit on the number of fragments to avoid having to
42 		 * allocate memory (which could fail).
43 		 */
44 		return;
45 	}
46 
47         /* if key is longer than 64 bytes reset it to key = SHA256(key) */
48         if (key_len > 64) {
49 		sha256_vector(1, &key, &key_len, tk);
50 		key = tk;
51 		key_len = 32;
52         }
53 
54 	/* the HMAC_SHA256 transform looks like:
55 	 *
56 	 * SHA256(K XOR opad, SHA256(K XOR ipad, text))
57 	 *
58 	 * where K is an n byte key
59 	 * ipad is the byte 0x36 repeated 64 times
60 	 * opad is the byte 0x5c repeated 64 times
61 	 * and text is the data being protected */
62 
63 	/* start out by storing key in ipad */
64 	os_memset(k_pad, 0, sizeof(k_pad));
65 	os_memcpy(k_pad, key, key_len);
66 	/* XOR key with ipad values */
67 	for (i = 0; i < 64; i++)
68 		k_pad[i] ^= 0x36;
69 
70 	/* perform inner SHA256 */
71 	_addr[0] = k_pad;
72 	_len[0] = 64;
73 	for (i = 0; i < num_elem; i++) {
74 		_addr[i + 1] = addr[i];
75 		_len[i + 1] = len[i];
76 	}
77 	sha256_vector(1 + num_elem, _addr, _len, mac);
78 
79 	os_memset(k_pad, 0, sizeof(k_pad));
80 	os_memcpy(k_pad, key, key_len);
81 	/* XOR key with opad values */
82 	for (i = 0; i < 64; i++)
83 		k_pad[i] ^= 0x5c;
84 
85 	/* perform outer SHA256 */
86 	_addr[0] = k_pad;
87 	_len[0] = 64;
88 	_addr[1] = mac;
89 	_len[1] = SHA256_MAC_LEN;
90 	sha256_vector(2, _addr, _len, mac);
91 }
92 
93 
94 /**
95  * hmac_sha256 - HMAC-SHA256 over data buffer (RFC 2104)
96  * @key: Key for HMAC operations
97  * @key_len: Length of the key in bytes
98  * @data: Pointers to the data area
99  * @data_len: Length of the data area
100  * @mac: Buffer for the hash (20 bytes)
101  */
102 void hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
103 		 size_t data_len, u8 *mac)
104 {
105 	hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac);
106 }
107 
108 
109 /**
110  * sha256_prf - SHA256-based Pseudo-Random Function (IEEE 802.11r, 8.5.1.5.2)
111  * @key: Key for PRF
112  * @key_len: Length of the key in bytes
113  * @label: A unique label for each purpose of the PRF
114  * @data: Extra data to bind into the key
115  * @data_len: Length of the data
116  * @buf: Buffer for the generated pseudo-random key
117  * @buf_len: Number of bytes of key to generate
118  *
119  * This function is used to derive new, cryptographically separate keys from a
120  * given key.
121  */
122 void sha256_prf(const u8 *key, size_t key_len, const char *label,
123 		const u8 *data, size_t data_len, u8 *buf, size_t buf_len)
124 {
125 	u16 counter = 1;
126 	size_t pos, plen;
127 	u8 hash[SHA256_MAC_LEN];
128 	const u8 *addr[4];
129 	size_t len[4];
130 	u8 counter_le[2], length_le[2];
131 
132 	addr[0] = counter_le;
133 	len[0] = 2;
134 	addr[1] = (u8 *) label;
135 	len[1] = os_strlen(label);
136 	addr[2] = data;
137 	len[2] = data_len;
138 	addr[3] = length_le;
139 	len[3] = sizeof(length_le);
140 
141 	WPA_PUT_LE16(length_le, buf_len * 8);
142 	pos = 0;
143 	while (pos < buf_len) {
144 		plen = buf_len - pos;
145 		WPA_PUT_LE16(counter_le, counter);
146 		if (plen >= SHA256_MAC_LEN) {
147 			hmac_sha256_vector(key, key_len, 4, addr, len,
148 					   &buf[pos]);
149 			pos += SHA256_MAC_LEN;
150 		} else {
151 			hmac_sha256_vector(key, key_len, 4, addr, len, hash);
152 			os_memcpy(&buf[pos], hash, plen);
153 			break;
154 		}
155 		counter++;
156 	}
157 }
158