123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165 |
- /*
- * Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation; either version 2 of the
- * License, or any later version.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- */
-
- FILE_LICENCE ( GPL2_OR_LATER );
-
- #include <ipxe/crypto.h>
- #include <ipxe/sha1.h>
- #include <ipxe/hmac.h>
- #include <stdint.h>
- #include <byteswap.h>
-
- /**
- * SHA1 pseudorandom function for creating derived keys
- *
- * @v key Master key with which this call is associated
- * @v key_len Length of key
- * @v label NUL-terminated ASCII string describing purpose of PRF data
- * @v data Further data that should be included in the PRF
- * @v data_len Length of further PRF data
- * @v prf_len Bytes of PRF to generate
- * @ret prf Pseudorandom function bytes
- *
- * This is the PRF variant used by 802.11, defined in IEEE 802.11-2007
- * 8.5.5.1. EAP-FAST uses a different SHA1-based PRF, and TLS uses an
- * MD5-based PRF.
- */
- void prf_sha1 ( const void *key, size_t key_len, const char *label,
- const void *data, size_t data_len, void *prf, size_t prf_len )
- {
- u32 blk;
- u8 keym[key_len]; /* modifiable copy of key */
- u8 in[strlen ( label ) + 1 + data_len + 1]; /* message to HMAC */
- u8 *in_blknr; /* pointer to last byte of in, block number */
- u8 out[SHA1_SIZE]; /* HMAC-SHA1 result */
- u8 sha1_ctx[SHA1_CTX_SIZE]; /* SHA1 context */
- const size_t label_len = strlen ( label );
-
- /* The HMAC-SHA-1 is calculated using the given key on the
- message text `label', followed by a NUL, followed by one
- byte indicating the block number (0 for first). */
-
- memcpy ( keym, key, key_len );
-
- memcpy ( in, label, strlen ( label ) + 1 );
- memcpy ( in + label_len + 1, data, data_len );
- in_blknr = in + label_len + 1 + data_len;
-
- for ( blk = 0 ;; blk++ ) {
- *in_blknr = blk;
-
- hmac_init ( &sha1_algorithm, sha1_ctx, keym, &key_len );
- hmac_update ( &sha1_algorithm, sha1_ctx, in, sizeof ( in ) );
- hmac_final ( &sha1_algorithm, sha1_ctx, keym, &key_len, out );
-
- if ( prf_len <= SHA1_SIZE ) {
- memcpy ( prf, out, prf_len );
- break;
- }
-
- memcpy ( prf, out, SHA1_SIZE );
- prf_len -= SHA1_SIZE;
- prf += SHA1_SIZE;
- }
- }
-
- /**
- * PBKDF2 key derivation function inner block operation
- *
- * @v passphrase Passphrase from which to derive key
- * @v pass_len Length of passphrase
- * @v salt Salt to include in key
- * @v salt_len Length of salt
- * @v iterations Number of iterations of SHA1 to perform
- * @v blocknr Index of this block, starting at 1
- * @ret block SHA1_SIZE bytes of PBKDF2 data
- *
- * The operation of this function is described in RFC 2898.
- */
- static void pbkdf2_sha1_f ( const void *passphrase, size_t pass_len,
- const void *salt, size_t salt_len,
- int iterations, u32 blocknr, u8 *block )
- {
- u8 pass[pass_len]; /* modifiable passphrase */
- u8 in[salt_len + 4]; /* input buffer to first round */
- u8 last[SHA1_SIZE]; /* output of round N, input of N+1 */
- u8 sha1_ctx[SHA1_CTX_SIZE];
- u8 *next_in = in; /* changed to `last' after first round */
- int next_size = sizeof ( in );
- int i, j;
-
- blocknr = htonl ( blocknr );
-
- memcpy ( pass, passphrase, pass_len );
- memcpy ( in, salt, salt_len );
- memcpy ( in + salt_len, &blocknr, 4 );
- memset ( block, 0, SHA1_SIZE );
-
- for ( i = 0; i < iterations; i++ ) {
- hmac_init ( &sha1_algorithm, sha1_ctx, pass, &pass_len );
- hmac_update ( &sha1_algorithm, sha1_ctx, next_in, next_size );
- hmac_final ( &sha1_algorithm, sha1_ctx, pass, &pass_len, last );
-
- for ( j = 0; j < SHA1_SIZE; j++ ) {
- block[j] ^= last[j];
- }
-
- next_in = last;
- next_size = SHA1_SIZE;
- }
- }
-
- /**
- * PBKDF2 key derivation function using SHA1
- *
- * @v passphrase Passphrase from which to derive key
- * @v pass_len Length of passphrase
- * @v salt Salt to include in key
- * @v salt_len Length of salt
- * @v iterations Number of iterations of SHA1 to perform
- * @v key_len Length of key to generate
- * @ret key Generated key bytes
- *
- * This is used most notably in 802.11 WPA passphrase hashing, in
- * which case the salt is the SSID, 4096 iterations are used, and a
- * 32-byte key is generated that serves as the Pairwise Master Key for
- * EAPOL authentication.
- *
- * The operation of this function is further described in RFC 2898.
- */
- void pbkdf2_sha1 ( const void *passphrase, size_t pass_len,
- const void *salt, size_t salt_len,
- int iterations, void *key, size_t key_len )
- {
- u32 blocks = ( key_len + SHA1_SIZE - 1 ) / SHA1_SIZE;
- u32 blk;
- u8 buf[SHA1_SIZE];
-
- for ( blk = 1; blk <= blocks; blk++ ) {
- pbkdf2_sha1_f ( passphrase, pass_len, salt, salt_len,
- iterations, blk, buf );
- if ( key_len <= SHA1_SIZE ) {
- memcpy ( key, buf, key_len );
- break;
- }
-
- memcpy ( key, buf, SHA1_SIZE );
- key_len -= SHA1_SIZE;
- key += SHA1_SIZE;
- }
- }
|