source: mainline/uspace/lib/crypto/crypto.c@ bf22cb78

lfn serial ticket/834-toolchain-update topic/msim-upgrade topic/simplify-dev-export
Last change on this file since bf22cb78 was a4cf312, checked in by Jiří Zárevúcky <zarevucky.jiri@…>, 6 years ago

Fix build with -fsanitize=undefined

  • Property mode set to 100644
File size: 10.6 KB
RevLine 
[1dcc0b9]1/*
2 * Copyright (c) 2015 Jan Kolarik
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * - Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * - Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * - The name of the author may not be used to endorse or promote products
15 * derived from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29/** @file crypto.c
[8a64320e]30 *
[1dcc0b9]31 * Cryptographic functions library.
32 */
33
[a4cf312]34#include <assert.h>
[1dcc0b9]35#include <str.h>
36#include <macros.h>
37#include <errno.h>
38#include <byteorder.h>
[a4cf312]39#include <limits.h>
[1dcc0b9]40#include "crypto.h"
41
[8a64320e]42/** Hash function procedure definition. */
43typedef void (*hash_fnc_t)(uint32_t *, uint32_t *);
[1dcc0b9]44
[8a64320e]45/** Length of HMAC block. */
46#define HMAC_BLOCK_LENGTH 64
[d7dadcb4]47
[8a64320e]48/** Ceiling for uint32_t. */
49#define ceil_uint32(val) \
50 (((val) - (uint32_t) (val)) > 0 ? \
51 (uint32_t) ((val) + 1) : (uint32_t) (val))
[d7dadcb4]52
[8a64320e]53/** Floor for uint32_t. */
54#define floor_uint32(val) \
55 (((val) - (uint32_t) (val)) < 0 ? \
56 (uint32_t) ((val) - 1) : (uint32_t) (val))
[d7dadcb4]57
[8a64320e]58/** Pick value at specified index from array or zero if out of bounds. */
59#define get_at(input, size, i) \
60 ((i) < (size) ? (input[i]) : 0)
[1dcc0b9]61
[8a64320e]62/** Init values used in SHA1 and MD5 functions. */
[d7dadcb4]63static const uint32_t hash_init[] = {
[8a64320e]64 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, 0xc3d2e1f0
[d7dadcb4]65};
66
[8a64320e]67/** Shift amount array for MD5 algorithm. */
[d7dadcb4]68static const uint32_t md5_shift[] = {
69 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22,
70 5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20,
71 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23,
72 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21
73};
74
[8a64320e]75/** Substitution box for MD5 algorithm. */
[d7dadcb4]76static const uint32_t md5_sbox[] = {
77 0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee,
78 0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501,
79 0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be,
80 0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821,
81 0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa,
82 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
83 0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed,
84 0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a,
85 0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c,
86 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70,
87 0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05,
88 0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665,
89 0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039,
90 0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1,
91 0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1,
92 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391
93};
94
[8a64320e]95/** Working procedure of MD5 cryptographic hash function.
96 *
97 * @param h Working array with interim hash parts values.
[d7dadcb4]98 * @param sched_arr Input array with scheduled values from input string.
[8a64320e]99 *
[1dcc0b9]100 */
[d7dadcb4]101static void md5_proc(uint32_t *h, uint32_t *sched_arr)
[1dcc0b9]102{
[d7dadcb4]103 uint32_t f, g, temp;
[8a64320e]104 uint32_t w[HASH_MD5 / 4];
[a35b458]105
[8a64320e]106 memcpy(w, h, (HASH_MD5 / 4) * sizeof(uint32_t));
[a35b458]107
[8a64320e]108 for (size_t k = 0; k < 64; k++) {
109 if (k < 16) {
[d7dadcb4]110 f = (w[1] & w[2]) | (~w[1] & w[3]);
111 g = k;
[8a64320e]112 } else if ((k >= 16) && (k < 32)) {
[d7dadcb4]113 f = (w[1] & w[3]) | (w[2] & ~w[3]);
[8a64320e]114 g = (5 * k + 1) % 16;
115 } else if ((k >= 32) && (k < 48)) {
[d7dadcb4]116 f = w[1] ^ w[2] ^ w[3];
[8a64320e]117 g = (3 * k + 5) % 16;
[d7dadcb4]118 } else {
119 f = w[2] ^ (w[1] | ~w[3]);
[8a64320e]120 g = 7 * k % 16;
[d7dadcb4]121 }
[a35b458]122
[d7dadcb4]123 temp = w[3];
124 w[3] = w[2];
125 w[2] = w[1];
[8a64320e]126 w[1] += rotl_uint32(w[0] + f + md5_sbox[k] +
127 uint32_t_byteorder_swap(sched_arr[g]),
128 md5_shift[k]);
[d7dadcb4]129 w[0] = temp;
[1dcc0b9]130 }
[a35b458]131
[8a64320e]132 for (uint8_t k = 0; k < HASH_MD5 / 4; k++)
[d7dadcb4]133 h[k] += w[k];
[1dcc0b9]134}
135
[8a64320e]136/** Working procedure of SHA-1 cryptographic hash function.
137 *
138 * @param h Working array with interim hash parts values.
[d7dadcb4]139 * @param sched_arr Input array with scheduled values from input string.
[8a64320e]140 *
[1dcc0b9]141 */
[d7dadcb4]142static void sha1_proc(uint32_t *h, uint32_t *sched_arr)
[1dcc0b9]143{
[d7dadcb4]144 uint32_t f, cf, temp;
[8a64320e]145 uint32_t w[HASH_SHA1 / 4];
[a35b458]146
[8a64320e]147 for (size_t k = 16; k < 80; k++) {
[d7dadcb4]148 sched_arr[k] = rotl_uint32(
[1433ecda]149 sched_arr[k - 3] ^
150 sched_arr[k - 8] ^
151 sched_arr[k - 14] ^
152 sched_arr[k - 16],
[8a64320e]153 1);
[d7dadcb4]154 }
[a35b458]155
[8a64320e]156 memcpy(w, h, (HASH_SHA1 / 4) * sizeof(uint32_t));
[a35b458]157
[8a64320e]158 for (size_t k = 0; k < 80; k++) {
159 if (k < 20) {
[d7dadcb4]160 f = (w[1] & w[2]) | (~w[1] & w[3]);
161 cf = 0x5A827999;
[8a64320e]162 } else if ((k >= 20) && (k < 40)) {
[d7dadcb4]163 f = w[1] ^ w[2] ^ w[3];
[8a64320e]164 cf = 0x6ed9eba1;
165 } else if ((k >= 40) && (k < 60)) {
[d7dadcb4]166 f = (w[1] & w[2]) | (w[1] & w[3]) | (w[2] & w[3]);
[8a64320e]167 cf = 0x8f1bbcdc;
[d7dadcb4]168 } else {
169 f = w[1] ^ w[2] ^ w[3];
[8a64320e]170 cf = 0xca62c1d6;
[d7dadcb4]171 }
[a35b458]172
[d7dadcb4]173 temp = rotl_uint32(w[0], 5) + f + w[4] + cf + sched_arr[k];
[a35b458]174
[d7dadcb4]175 w[4] = w[3];
176 w[3] = w[2];
177 w[2] = rotl_uint32(w[1], 30);
178 w[1] = w[0];
179 w[0] = temp;
180 }
[a35b458]181
[8a64320e]182 for (uint8_t k = 0; k < HASH_SHA1 / 4; k++)
[d7dadcb4]183 h[k] += w[k];
[1dcc0b9]184}
185
[8a64320e]186/** Create hash based on selected algorithm.
187 *
188 * @param input Input message byte sequence.
[d7dadcb4]189 * @param input_size Size of message sequence.
[8a64320e]190 * @param output Result hash byte sequence.
191 * @param hash_sel Hash function selector.
192 *
193 * @return EINVAL when input not specified,
194 * ENOMEM when pointer for output hash result
195 * is not allocated, otherwise EOK.
196 *
[1dcc0b9]197 */
[b7fd2a0]198errno_t create_hash(uint8_t *input, size_t input_size, uint8_t *output,
[8a64320e]199 hash_func_t hash_sel)
[1dcc0b9]200{
[a4cf312]201 assert(input_size < SSIZE_MAX);
202
[8a64320e]203 if (!input)
[1dcc0b9]204 return EINVAL;
[a35b458]205
[8a64320e]206 if (!output)
[1dcc0b9]207 return ENOMEM;
[a35b458]208
[8a64320e]209 hash_fnc_t hash_func = (hash_sel == HASH_MD5) ? md5_proc : sha1_proc;
[a35b458]210
[d7dadcb4]211 /* Prepare scheduled input. */
[1dcc0b9]212 uint8_t work_input[input_size + 1];
213 memcpy(work_input, input, input_size);
214 work_input[input_size] = 0x80;
[a35b458]215
[8a64320e]216 // FIXME: double?
217 size_t blocks = ceil_uint32((((double) input_size + 1) / 4 + 2) / 16);
[d7dadcb4]218 uint32_t work_arr[blocks * 16];
[8a64320e]219 for (size_t i = 0; i < blocks; i++) {
220 for (size_t j = 0; j < 16; j++) {
[1433ecda]221 work_arr[i * 16 + j] =
[8a64320e]222 (get_at(work_input, input_size + 1, i * 64 + j * 4) << 24) |
223 (get_at(work_input, input_size + 1, i * 64 + j * 4 + 1) << 16) |
224 (get_at(work_input, input_size + 1, i * 64 + j * 4 + 2) << 8) |
225 get_at(work_input, input_size + 1, i * 64 + j * 4 + 3);
[1dcc0b9]226 }
227 }
[a35b458]228
[8a64320e]229 uint64_t bits_size = (uint64_t) (input_size * 8);
230 if (hash_sel == HASH_MD5)
[d7dadcb4]231 bits_size = uint64_t_byteorder_swap(bits_size);
[a35b458]232
[d7dadcb4]233 work_arr[(blocks - 1) * 16 + 14] = bits_size >> 32;
[8a64320e]234 work_arr[(blocks - 1) * 16 + 15] = bits_size & 0xffffffff;
[a35b458]235
[d7dadcb4]236 /* Hash computation. */
[8a64320e]237 uint32_t h[hash_sel / 4];
238 memcpy(h, hash_init, (hash_sel / 4) * sizeof(uint32_t));
[d7dadcb4]239 uint32_t sched_arr[80];
[8a64320e]240 for (size_t i = 0; i < blocks; i++) {
241 for (size_t k = 0; k < 16; k++)
242 sched_arr[k] = work_arr[i * 16 + k];
[a35b458]243
[d7dadcb4]244 hash_func(h, sched_arr);
[1dcc0b9]245 }
[a35b458]246
[d7dadcb4]247 /* Copy hash parts into final result. */
[8a64320e]248 for (size_t i = 0; i < hash_sel / 4; i++) {
249 if (hash_sel == HASH_SHA1)
[d7dadcb4]250 h[i] = uint32_t_byteorder_swap(h[i]);
[a35b458]251
[8a64320e]252 memcpy(output + i * sizeof(uint32_t), &h[i], sizeof(uint32_t));
[1dcc0b9]253 }
[a35b458]254
[1dcc0b9]255 return EOK;
256}
257
[8a64320e]258/** Hash-based message authentication code.
259 *
260 * @param key Cryptographic key sequence.
[1dcc0b9]261 * @param key_size Size of key sequence.
[8a64320e]262 * @param msg Message sequence.
[1dcc0b9]263 * @param msg_size Size of message sequence.
[8a64320e]264 * @param hash Output parameter for result hash.
[1dcc0b9]265 * @param hash_sel Hash function selector.
[8a64320e]266 *
267 * @return EINVAL when key or message not specified,
268 * ENOMEM when pointer for output hash result
269 * is not allocated, otherwise EOK.
270 *
[1dcc0b9]271 */
[1b20da0]272errno_t hmac(uint8_t *key, size_t key_size, uint8_t *msg, size_t msg_size,
[8a64320e]273 uint8_t *hash, hash_func_t hash_sel)
[1dcc0b9]274{
[8a64320e]275 if ((!key) || (!msg))
[1dcc0b9]276 return EINVAL;
[a35b458]277
[8a64320e]278 if (!hash)
[1dcc0b9]279 return ENOMEM;
[a35b458]280
[1dcc0b9]281 uint8_t work_key[HMAC_BLOCK_LENGTH];
282 uint8_t o_key_pad[HMAC_BLOCK_LENGTH];
283 uint8_t i_key_pad[HMAC_BLOCK_LENGTH];
[d7dadcb4]284 uint8_t temp_hash[hash_sel];
[1dcc0b9]285 memset(work_key, 0, HMAC_BLOCK_LENGTH);
[a35b458]286
[1433ecda]287 if (key_size > HMAC_BLOCK_LENGTH)
[d7dadcb4]288 create_hash(key, key_size, work_key, hash_sel);
[8a64320e]289 else
[1dcc0b9]290 memcpy(work_key, key, key_size);
[a35b458]291
[8a64320e]292 for (size_t i = 0; i < HMAC_BLOCK_LENGTH; i++) {
293 o_key_pad[i] = work_key[i] ^ 0x5c;
[1dcc0b9]294 i_key_pad[i] = work_key[i] ^ 0x36;
295 }
[a35b458]296
[cc575ef9]297 uint8_t temp_work[HMAC_BLOCK_LENGTH + max(msg_size, hash_sel)];
[1dcc0b9]298 memcpy(temp_work, i_key_pad, HMAC_BLOCK_LENGTH);
299 memcpy(temp_work + HMAC_BLOCK_LENGTH, msg, msg_size);
[a35b458]300
[8a64320e]301 create_hash(temp_work, HMAC_BLOCK_LENGTH + msg_size, temp_hash,
302 hash_sel);
[a35b458]303
[1dcc0b9]304 memcpy(temp_work, o_key_pad, HMAC_BLOCK_LENGTH);
[d7dadcb4]305 memcpy(temp_work + HMAC_BLOCK_LENGTH, temp_hash, hash_sel);
[a35b458]306
[d7dadcb4]307 create_hash(temp_work, HMAC_BLOCK_LENGTH + hash_sel, hash, hash_sel);
[a35b458]308
[1dcc0b9]309 return EOK;
310}
311
[8a64320e]312/** Password-Based Key Derivation Function 2.
313 *
314 * As defined in RFC 2898, using HMAC-SHA1 with 4096 iterations
315 * and 32 bytes key result used for WPA/WPA2.
316 *
317 * @param pass Password sequence.
[1dcc0b9]318 * @param pass_size Password sequence length.
[8a64320e]319 * @param salt Salt sequence to be used with password.
[1dcc0b9]320 * @param salt_size Salt sequence length.
[8a64320e]321 * @param hash Output parameter for result hash (32 byte value).
322 *
323 * @return EINVAL when pass or salt not specified,
324 * ENOMEM when pointer for output hash result
325 * is not allocated, otherwise EOK.
326 *
[1dcc0b9]327 */
[b7fd2a0]328errno_t pbkdf2(uint8_t *pass, size_t pass_size, uint8_t *salt, size_t salt_size,
[8a64320e]329 uint8_t *hash)
[1dcc0b9]330{
[8a64320e]331 if ((!pass) || (!salt))
[1dcc0b9]332 return EINVAL;
[a35b458]333
[8a64320e]334 if (!hash)
[1dcc0b9]335 return ENOMEM;
[a35b458]336
[cc575ef9]337 uint8_t work_salt[salt_size + 4];
[1dcc0b9]338 memcpy(work_salt, salt, salt_size);
[a931b7b]339 uint8_t work_hmac[HASH_SHA1];
340 uint8_t temp_hmac[HASH_SHA1];
341 uint8_t xor_hmac[HASH_SHA1];
[8a64320e]342 uint8_t temp_hash[HASH_SHA1 * 2];
[a35b458]343
[8a64320e]344 for (size_t i = 0; i < 2; i++) {
345 uint32_t be_i = host2uint32_t_be(i + 1);
[a35b458]346
[cc575ef9]347 memcpy(work_salt + salt_size, &be_i, 4);
348 hmac(pass, pass_size, work_salt, salt_size + 4,
[8a64320e]349 work_hmac, HASH_SHA1);
[a931b7b]350 memcpy(xor_hmac, work_hmac, HASH_SHA1);
[a35b458]351
[8a64320e]352 for (size_t k = 1; k < 4096; k++) {
[a931b7b]353 memcpy(temp_hmac, work_hmac, HASH_SHA1);
[8a64320e]354 hmac(pass, pass_size, temp_hmac, HASH_SHA1,
355 work_hmac, HASH_SHA1);
[a35b458]356
[8a64320e]357 for (size_t t = 0; t < HASH_SHA1; t++)
[1dcc0b9]358 xor_hmac[t] ^= work_hmac[t];
359 }
[a35b458]360
[8a64320e]361 memcpy(temp_hash + i * HASH_SHA1, xor_hmac, HASH_SHA1);
[1dcc0b9]362 }
[a35b458]363
[1dcc0b9]364 memcpy(hash, temp_hash, PBKDF2_KEY_LENGTH);
[a35b458]365
[1dcc0b9]366 return EOK;
367}
Note: See TracBrowser for help on using the repository browser.