search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Reduce amount of macro magic. Use the same special characters as nroff
[netbsd-mini2440.git] / dist / wpa / src / crypto / sha256.c
blob3d3958f91910cd6ca57220996b5102169a386896
1 /*
2 * SHA-256 hash implementation and interface functions
3 * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Alternatively, this software may be distributed under the terms of BSD
10 * license.
11 *
12 * See README and COPYING for more details.
13 */
14
15 #include "includes.h"
16
17 #include "common.h"
18 #include "sha256.h"
19 #include "crypto.h"
20
21
22 /**
23 * hmac_sha256_vector - HMAC-SHA256 over data vector (RFC 2104)
24 * @key: Key for HMAC operations
25 * @key_len: Length of the key in bytes
26 * @num_elem: Number of elements in the data vector
27 * @addr: Pointers to the data areas
28 * @len: Lengths of the data blocks
29 * @mac: Buffer for the hash (32 bytes)
30 */
31 void hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem,
32 const u8 *addr[], const size_t *len, u8 *mac)
33 {
34 unsigned char k_pad[64]; /* padding - key XORd with ipad/opad */
35 unsigned char tk[32];
36 const u8 *_addr[6];
37 size_t _len[6], i;
38
39 if (num_elem > 5) {
40 /*
41 * Fixed limit on the number of fragments to avoid having to
42 * allocate memory (which could fail).
43 */
44 return;
45 }
46
47 /* if key is longer than 64 bytes reset it to key = SHA256(key) */
48 if (key_len > 64) {
49 sha256_vector(1, &key, &key_len, tk);
50 key = tk;
51 key_len = 32;
52 }
53
54 /* the HMAC_SHA256 transform looks like:
55 *
56 * SHA256(K XOR opad, SHA256(K XOR ipad, text))
57 *
58 * where K is an n byte key
59 * ipad is the byte 0x36 repeated 64 times
60 * opad is the byte 0x5c repeated 64 times
61 * and text is the data being protected */
62
63 /* start out by storing key in ipad */
64 os_memset(k_pad, 0, sizeof(k_pad));
65 os_memcpy(k_pad, key, key_len);
66 /* XOR key with ipad values */
67 for (i = 0; i < 64; i++)
68 k_pad[i] ^= 0x36;
69
70 /* perform inner SHA256 */
71 _addr[0] = k_pad;
72 _len[0] = 64;
73 for (i = 0; i < num_elem; i++) {
74 _addr[i + 1] = addr[i];
75 _len[i + 1] = len[i];
76 }
77 sha256_vector(1 + num_elem, _addr, _len, mac);
78
79 os_memset(k_pad, 0, sizeof(k_pad));
80 os_memcpy(k_pad, key, key_len);
81 /* XOR key with opad values */
82 for (i = 0; i < 64; i++)
83 k_pad[i] ^= 0x5c;
84
85 /* perform outer SHA256 */
86 _addr[0] = k_pad;
87 _len[0] = 64;
88 _addr[1] = mac;
89 _len[1] = SHA256_MAC_LEN;
90 sha256_vector(2, _addr, _len, mac);
91 }
92
93
94 /**
95 * hmac_sha256 - HMAC-SHA256 over data buffer (RFC 2104)
96 * @key: Key for HMAC operations
97 * @key_len: Length of the key in bytes
98 * @data: Pointers to the data area
99 * @data_len: Length of the data area
100 * @mac: Buffer for the hash (20 bytes)
101 */
102 void hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
103 size_t data_len, u8 *mac)
104 {
105 hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac);
106 }
107
108
109 /**
110 * sha256_prf - SHA256-based Pseudo-Random Function (IEEE 802.11r, 8.5.1.5.2)
111 * @key: Key for PRF
112 * @key_len: Length of the key in bytes
113 * @label: A unique label for each purpose of the PRF
114 * @data: Extra data to bind into the key
115 * @data_len: Length of the data
116 * @buf: Buffer for the generated pseudo-random key
117 * @buf_len: Number of bytes of key to generate
118 *
119 * This function is used to derive new, cryptographically separate keys from a
120 * given key.
121 */
122 void sha256_prf(const u8 *key, size_t key_len, const char *label,
123 const u8 *data, size_t data_len, u8 *buf, size_t buf_len)
124 {
125 u16 counter = 0;
126 size_t pos, plen;
127 u8 hash[SHA256_MAC_LEN];
128 const u8 *addr[4];
129 size_t len[4];
130 u8 counter_le[2], length_le[2];
131
132 addr[0] = counter_le;
133 len[0] = 2;
134 addr[1] = (u8 *) label;
135 len[1] = os_strlen(label);
136 addr[2] = data;
137 len[2] = data_len;
138 addr[3] = length_le;
139 len[3] = sizeof(length_le);
140
141 WPA_PUT_LE16(length_le, buf_len * 8);
142 pos = 0;
143 while (pos < buf_len) {
144 plen = buf_len - pos;
145 WPA_PUT_LE16(counter_le, counter);
146 if (plen >= SHA256_MAC_LEN) {
147 hmac_sha256_vector(key, key_len, 4, addr, len,
148 &buf[pos]);
149 pos += SHA256_MAC_LEN;
150 } else {
151 hmac_sha256_vector(key, key_len, 4, addr, len, hash);
152 os_memcpy(&buf[pos], hash, plen);
153 break;
154 }
155 counter++;
156 }
157 }
158
159
160 #ifdef INTERNAL_SHA256
161
162 struct sha256_state {
163 u64 length;
164 u32 state[8], curlen;
165 u8 buf[64];
166 };
167
168 static void sha256_init(struct sha256_state *md);
169 static int sha256_process(struct sha256_state *md, const unsigned char *in,
170 unsigned long inlen);
171 static int sha256_done(struct sha256_state *md, unsigned char *out);
172
173
174 /**
175 * sha256_vector - SHA256 hash for data vector
176 * @num_elem: Number of elements in the data vector
177 * @addr: Pointers to the data areas
178 * @len: Lengths of the data blocks
179 * @mac: Buffer for the hash
180 */
181 void sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len,
182 u8 *mac)
183 {
184 struct sha256_state ctx;
185 size_t i;
186
187 sha256_init(&ctx);
188 for (i = 0; i < num_elem; i++)
189 sha256_process(&ctx, addr[i], len[i]);
190 sha256_done(&ctx, mac);
191 }
192
193
194 /* ===== start - public domain SHA256 implementation ===== */
195
196 /* This is based on SHA256 implementation in LibTomCrypt that was released into
197 * public domain by Tom St Denis. */
198
199 /* the K array */
200 static const unsigned long K[64] = {
201 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
202 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
203 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
204 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
205 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
206 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
207 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
208 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
209 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
210 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
211 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
212 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
213 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
214 };
215
216
217 /* Various logical functions */
218 #define RORc(x, y) \
219 ( ((((unsigned long) (x) & 0xFFFFFFFFUL) >> (unsigned long) ((y) & 31)) | \
220 ((unsigned long) (x) << (unsigned long) (32 - ((y) & 31)))) & 0xFFFFFFFFUL)
221 #define Ch(x,y,z) (z ^ (x & (y ^ z)))
222 #define Maj(x,y,z) (((x | y) & z) | (x & y))
223 #define S(x, n) RORc((x), (n))
224 #define R(x, n) (((x)&0xFFFFFFFFUL)>>(n))
225 #define Sigma0(x) (S(x, 2) ^ S(x, 13) ^ S(x, 22))
226 #define Sigma1(x) (S(x, 6) ^ S(x, 11) ^ S(x, 25))
227 #define Gamma0(x) (S(x, 7) ^ S(x, 18) ^ R(x, 3))
228 #define Gamma1(x) (S(x, 17) ^ S(x, 19) ^ R(x, 10))
229 #ifndef MIN
230 #define MIN(x, y) (((x) < (y)) ? (x) : (y))
231 #endif
232
233 /* compress 512-bits */
234 static int sha256_compress(struct sha256_state *md, unsigned char *buf)
235 {
236 u32 S[8], W[64], t0, t1;
237 u32 t;
238 int i;
239
240 /* copy state into S */
241 for (i = 0; i < 8; i++) {
242 S[i] = md->state[i];
243 }
244
245 /* copy the state into 512-bits into W[0..15] */
246 for (i = 0; i < 16; i++)
247 W[i] = WPA_GET_BE32(buf + (4 * i));
248
249 /* fill W[16..63] */
250 for (i = 16; i < 64; i++) {
251 W[i] = Gamma1(W[i - 2]) + W[i - 7] + Gamma0(W[i - 15]) +
252 W[i - 16];
253 }
254
255 /* Compress */
256 #define RND(a,b,c,d,e,f,g,h,i) \
257 t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \
258 t1 = Sigma0(a) + Maj(a, b, c); \
259 d += t0; \
260 h = t0 + t1;
261
262 for (i = 0; i < 64; ++i) {
263 RND(S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i);
264 t = S[7]; S[7] = S[6]; S[6] = S[5]; S[5] = S[4];
265 S[4] = S[3]; S[3] = S[2]; S[2] = S[1]; S[1] = S[0]; S[0] = t;
266 }
267
268 /* feedback */
269 for (i = 0; i < 8; i++) {
270 md->state[i] = md->state[i] + S[i];
271 }
272 return 0;
273 }
274
275
276 /* Initialize the hash state */
277 static void sha256_init(struct sha256_state *md)
278 {
279 md->curlen = 0;
280 md->length = 0;
281 md->state[0] = 0x6A09E667UL;
282 md->state[1] = 0xBB67AE85UL;
283 md->state[2] = 0x3C6EF372UL;
284 md->state[3] = 0xA54FF53AUL;
285 md->state[4] = 0x510E527FUL;
286 md->state[5] = 0x9B05688CUL;
287 md->state[6] = 0x1F83D9ABUL;
288 md->state[7] = 0x5BE0CD19UL;
289 }
290
291 /**
292 Process a block of memory though the hash
293 @param md The hash state
294 @param in The data to hash
295 @param inlen The length of the data (octets)
296 @return CRYPT_OK if successful
297 */
298 static int sha256_process(struct sha256_state *md, const unsigned char *in,
299 unsigned long inlen)
300 {
301 unsigned long n;
302 #define block_size 64
303
304 if (md->curlen > sizeof(md->buf))
305 return -1;
306
307 while (inlen > 0) {
308 if (md->curlen == 0 && inlen >= block_size) {
309 if (sha256_compress(md, (unsigned char *) in) < 0)
310 return -1;
311 md->length += block_size * 8;
312 in += block_size;
313 inlen -= block_size;
314 } else {
315 n = MIN(inlen, (block_size - md->curlen));
316 os_memcpy(md->buf + md->curlen, in, n);
317 md->curlen += n;
318 in += n;
319 inlen -= n;
320 if (md->curlen == block_size) {
321 if (sha256_compress(md, md->buf) < 0)
322 return -1;
323 md->length += 8 * block_size;
324 md->curlen = 0;
325 }
326 }
327 }
328
329 return 0;
330 }
331
332
333 /**
334 Terminate the hash to get the digest
335 @param md The hash state
336 @param out [out] The destination of the hash (32 bytes)
337 @return CRYPT_OK if successful
338 */
339 static int sha256_done(struct sha256_state *md, unsigned char *out)
340 {
341 int i;
342
343 if (md->curlen >= sizeof(md->buf))
344 return -1;
345
346 /* increase the length of the message */
347 md->length += md->curlen * 8;
348
349 /* append the '1' bit */
350 md->buf[md->curlen++] = (unsigned char) 0x80;
351
352 /* if the length is currently above 56 bytes we append zeros
353 * then compress. Then we can fall back to padding zeros and length
354 * encoding like normal.
355 */
356 if (md->curlen > 56) {
357 while (md->curlen < 64) {
358 md->buf[md->curlen++] = (unsigned char) 0;
359 }
360 sha256_compress(md, md->buf);
361 md->curlen = 0;
362 }
363
364 /* pad upto 56 bytes of zeroes */
365 while (md->curlen < 56) {
366 md->buf[md->curlen++] = (unsigned char) 0;
367 }
368
369 /* store length */
370 WPA_PUT_BE64(md->buf + 56, md->length);
371 sha256_compress(md, md->buf);
372
373 /* copy output */
374 for (i = 0; i < 8; i++)
375 WPA_PUT_BE32(out + (4 * i), md->state[i]);
376
377 return 0;
378 }
379
380 /* ===== end - public domain SHA256 implementation ===== */
381
382 #endif /* INTERNAL_SHA256 */
NetBSD on the FriendlyARM MINI2440